Securing XML documents on an ASP.net site....

Discussion in 'ASP .Net' started by Johan Pingree, Apr 26, 2004.

  1. HOW in the world is this accomplished! I have an internet site I am
    prototyping and I need to be able to prevent "casual" browsing of XML
    documents. Using the web.config forms based authentication does nothing to
    prevent XML documents from being browsed. We obviously are not interested in
    turning on digest or basic authentication for this project. Every attempt to
    use ACL's has resulted in aspx pages having issues in reading and writing to
    the XML files. I have read NUMEROUS documents and publications over the
    weekend and have yet to find anyone that addresses this issue specifically!!
    Are we the only ones attempting to do this? Can anyone point me to a
    document that spells this out for this lame-brain programmer!

    We are on WinXP Pro as the development platform running Framework 1.1 and VS
    2003.

    Thanks,
    Johan.
    Johan Pingree, Apr 26, 2004
    #1

  2. Johan Pingree

    Chris Botha Guest

    > We obviously are not interested in turning on digest or basic
    > authentication for this project.
    > Every attempt to use ACL's has resulted in aspx pages having issues in
    > reading and writing to the XML files.


    The above takes you halfway; if you then use impersonation, the issues with
    reading and writing will be solved.
    There is also integrated Windows authentication, which may be better than
    basic authentication, as with basic the password is sent in clear text. For
    impersonation to work, switch off anonymous access to the virtual directory
    and see the following for the impersonate syntax entry in the web.config
    file:
    http://msdn.microsoft.com/library/d...-us/cpguide/html/cpconaspnetimpersonation.asp

    Chris Botha, Apr 26, 2004
    #2

  3. You could use an http-handler for xml-files that either redirects the
    user to the page that is supposed to be generated from the data that
    the user tries to browse, or presents the user with an access denied
    screen.

    Then you can make the reaction conditional. Show xml source if
    debugging or local host or specific IP, and so on.

    Hugo


    Hugo Wetterberg, Apr 26, 2004
    #3
  4. Johan Pingree

    Rick Spiewak Guest

    See:
    http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnnetsec/html/THCMCh19.asp

    Rick Spiewak, Apr 26, 2004
    #4
  5. Johan Pingree

    Patrice Guest

    You could also store these docs outside your web site so that the user can
    only browse them through an aspx page that streams them to the navigator...

    Patrice

    Patrice, Apr 26, 2004
    #5
  6. Thanks all for the quick responses and directions.
    IMHO:
    I now truly understand why many developers complain about the security
    features in dot net. I have seen spaghetti code, however, this is my first
    experience with spaghetti security. I personally think that MS made things
    much more difficult than was necessary. Such a simple task of not allowing
    browsers to have access to the XML files took me several hours of
    research and testing to find a decent solution.
    It looks like I will need to write an IHttpHandler class (which I admit I
    will most likely take advantage of for other purposes) in order to
    accomplish my requirement. I personally believe that this kind of security
    should not need the type of "surgery" that I will be implementing!

    I wish I had time to put together a little article on this experience.

    BTW, for a really good article and sample code see:

    http://msdn.microsoft.com/asp.net/u...l=/library/en-us/dnaspp/html/URLRewriting.asp


    Regards,
    Johan.


    Johan Pingree, Apr 26, 2004
    #6
  7. Please explain "outside your web site"....
    Thank you.

    Johan Pingree, Apr 26, 2004
    #7
  8. Johan Pingree

    Patrice Guest

    I meant not below your web site root, i.e. those documents are not accessible
    using a URL. As they can't be accessed directly, there is an ASPX page whose
    goal is to read these documents to stream them to the navigator.

    Of course, it depends upon your exact requirements (from your first post,
    it looks like you just want to prevent direct browsing and are not
    interested directly in authenticating/authorizing users but just as a
    possible means to prevent this?)

    Patrice


    Patrice, Apr 26, 2004
    #8
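
The approach Patrice describes, as an added example that is not part of the original thread: the XML files live in a folder outside the site root and an ASPX page streams one on request. The page name `GetXml.aspx`, the `doc` query parameter and the `D:\SiteData\xml\` folder are assumptions made for illustration.

```csharp
// Added example (not from the thread): code-behind for a hypothetical GetXml.aspx.
using System;
using System.IO;
using System.Web.UI;

public class GetXml : Page
{
    // Assumption: a folder outside the site root, so no URL maps to it.
    // The ASP.NET worker account needs read (and, for pages that update
    // the documents, write) permission on this folder only.
    private const string DataRoot = @"D:\SiteData\xml\";

    protected void Page_Load(object sender, EventArgs e)
    {
        // Only serve signed-in users (forms authentication sets this).
        if (!Request.IsAuthenticated) { Fail(403); return; }

        string path = Resolve(Request.QueryString["doc"]);
        if (path == null) { Fail(404); return; }

        Response.ContentType = "text/xml";
        Response.WriteFile(path);
    }

    // Maps a requested document name to a file under DataRoot, or null.
    private static string Resolve(string name)
    {
        if (name == null || name.Length == 0) return null;
        try
        {
            // Bare file names only: rejects "..\x.xml", "sub/x.xml", "C:x.xml".
            if (name != Path.GetFileName(name)) return null;
            if (String.Compare(Path.GetExtension(name), ".xml", true) != 0) return null;

            // Canonicalize, then confirm the result is still inside DataRoot.
            string full = Path.GetFullPath(Path.Combine(DataRoot, name));
            if (String.Compare(full, 0, DataRoot, 0, DataRoot.Length, true) != 0) return null;
            return File.Exists(full) ? full : null;
        }
        catch (ArgumentException) { return null; }   // illegal path characters
    }

    private void Fail(int status)
    {
        Response.StatusCode = status;
        Response.Write("Not available.");
    }
}
```

Pages that only need to read and write the documents server-side can open them from the same folder directly; the streaming page is needed only when a browser must receive the XML itself.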
  9. You're on the right track. I need my aspx pages to work with these XML
    documents (read & write). There will be some information in these XML
    documents that I do not want someone to be able to "glean" by browsing. So,
    I need to prevent direct access via a browser to the XML documents. I do
    plan on using forms authentication, however in my testing this does not
    prevent someone from directly accessing the XML files (too bad, as I think it
    should!). So, I next tried authorization settings with a web.config file in
    the folder with the XML documents. This however led to other problems such
    as corruption of the XML files when attempting to write to them.
    Impersonation did nothing to solve my problem and besides impersonation has
    scalability issues when dealing with database access (which we will have).
    I need this to be simple and most of all easy to manage. I need to deploy
    this web application to remote servers. I do not want to have to jump
    outside of the development environment to manage special permission issues or
    incur other IT management costs, if at all possible.

    All-in-all this has been a very frustrating experience.

    Something so simple turning out to be so riddled with complexity. What a
    shame!


    Johan Pingree, Apr 26, 2004
    #9
  10. Have you protected the XML documents by adding them to the ISAPI filter?

    In your Web site, choose PROPERTIES|DIRECTORY|CONFIGURATION.... This should give you the ISAPI Filters screen. Choose ADD, use the C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\aspnet_isapi.dll as the executable and XML as the extension. Note: v1.1.4322 is my framework version, yours may be different if you are using the 1.0 .NET Framework. More explanation is provided by MSDN: http://msdn.microsoft.com/library/d...dEditApplicationExtensionMappingDialogBox.asp

    I think that this must be done BEFORE the ASP.NET framework will handle the requests based on security. You can read more about this also in "IIS 6.0 Administrator Guide" under the Configuring Applications|Setting Application Mappings. By default, XML is not a type of file handled by the ASP.NET framework.

    Respectfully

    Andrew Corley, MCSD, MCDB

    Andrew Corley, MCSD, MCDBA, Apr 26, 2004
    #10
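
The handler suggested in post #3, combined with the extension mapping from post #10, as an added example that is not part of the original thread. It assumes `.xml` is already mapped to aspnet_isapi.dll in IIS so that ASP.NET receives the request; the class name `XmlGuardHandler` and assembly name `SiteHandlers` are hypothetical.

```csharp
// Added example (not from the thread). Registration in web.config:
//   <system.web>
//     <httpHandlers>
//       <add verb="*" path="*.xml" type="XmlGuardHandler, SiteHandlers" />
//     </httpHandlers>
//   </system.web>
// When no conditional behaviour is wanted, the framework's own handler
// refuses every request for the extension without custom code:
//       <add verb="*" path="*.xml" type="System.Web.HttpForbiddenHandler" />
using System;
using System.IO;
using System.Web;

public class XmlGuardHandler : IHttpHandler
{
    // The handler keeps no per-request state, so one instance can be reused.
    public bool IsReusable { get { return true; } }

    public void ProcessRequest(HttpContext context)
    {
        HttpRequest request = context.Request;
        HttpResponse response = context.Response;

        // Show the XML source only to a developer browsing on the server itself.
        if (IsLocalRequest(request))
        {
            if (!File.Exists(request.PhysicalPath))
            {
                response.StatusCode = 404;
                return;
            }
            response.ContentType = "text/xml";
            response.WriteFile(request.PhysicalPath);
            return;
        }

        // Everyone else gets an access-denied response instead of the file.
        response.StatusCode = 403;
        response.Write("Access denied.");
    }

    // Loopback check by client address. Behind a reverse proxy every request
    // can appear to come from the proxy's address, so do not rely on this there.
    private static bool IsLocalRequest(HttpRequest request)
    {
        string addr = request.UserHostAddress;
        return addr == "127.0.0.1" || addr == "::1";
    }
}
```

Server-side code that opens the XML files through the file system is unaffected, because the handler only sees HTTP requests for the `.xml` extension.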