Security issue with .htm pages in folders

Discussion in 'ASP .Net' started by Magnus Blomberg, Sep 9, 2004.

  1. Hi there!

    I am using VS 2005 beta for developing my new web application.
    I have a security issue, that I don't know if it is wrong by me, an IIS6 problem or an VS beta problem.

    I have a web application where the first page is public and IIS is set up with Anonymous login enabled and Integrated Windows authentication.
    All other pages is placed under a folder called Protected created from VS.
    My web.config looks like this (shrinked):

    <system.web>
    <authentication mode="Windows"/>
    </system.web>
    <location path="Protected">
    <system.web>
    <authorization>
    <allow users="projdev\prospects"/>
    <deny users="*"/>
    </authorization>
    </system.web>
    </location>

    The problem is that I CAN browse all .htm pages under the folder Protected. The pages named .aspx is protected as they should.

    Is it not "allowed" to use .htm pages in my app, or am I doing something wrong?

    Regards Magnus
    Magnus Blomberg, Sep 9, 2004
    #1
    1. Advertising

  2. Magnus Blomberg

    Rutger Smit Guest

    Magnus Blomberg wrote:

    > Hi there!
    >
    > I am using VS 2005 beta for developing my new web application.
    > I have a security issue, that I don't know if it is wrong by me, an IIS6
    > problem or an VS beta problem.
    >
    > I have a web application where the first page is public and IIS is set
    > up with Anonymous login enabled and Integrated Windows authentication.
    > All other pages is placed under a folder called Protected created from VS.
    > My web.config looks like this (shrinked):
    >
    > <system.web>
    > <authentication mode="Windows"/>
    > </system.web>
    > <location path="Protected">
    > <system.web>
    > <authorization>
    > <allow users="projdev\prospects"/>
    > <deny users="*"/>
    > </authorization>
    > </system.web>
    > </location>
    >
    > The problem is that I CAN browse all .htm pages under the folder
    > Protected. The pages named .aspx is protected as they should.
    >
    > Is it not "allowed" to use .htm pages in my app, or am I doing something
    > wrong?
    >
    > Regards Magnus
    >


    ..htm and .html files are not handles by the asp(.net) parser so you can
    request them without a problem.

    To change this: rename the files to .aspx or let the htm(l) files being
    parsed.

    --

    //Rutger

    DoDotNet@KICKTHIS_Gmail.com
    www.RutgerSmit.com
    Rutger Smit, Sep 9, 2004
    #2
    1. Advertising

  3. Ok, then I know. I will rename them.
    Thanks

    Regards Magnus


    "Rutger Smit" <DoDotNet@KICKTHIS_Gmail.com> wrote in message
    news:#...
    > Magnus Blomberg wrote:
    >
    > > Hi there!
    > >
    > > I am using VS 2005 beta for developing my new web application.
    > > I have a security issue, that I don't know if it is wrong by me, an IIS6
    > > problem or an VS beta problem.
    > >
    > > I have a web application where the first page is public and IIS is set
    > > up with Anonymous login enabled and Integrated Windows authentication.
    > > All other pages is placed under a folder called Protected created from

    VS.
    > > My web.config looks like this (shrinked):
    > >
    > > <system.web>
    > > <authentication mode="Windows"/>
    > > </system.web>
    > > <location path="Protected">
    > > <system.web>
    > > <authorization>
    > > <allow users="projdev\prospects"/>
    > > <deny users="*"/>
    > > </authorization>
    > > </system.web>
    > > </location>
    > >
    > > The problem is that I CAN browse all .htm pages under the folder
    > > Protected. The pages named .aspx is protected as they should.
    > >
    > > Is it not "allowed" to use .htm pages in my app, or am I doing something
    > > wrong?
    > >
    > > Regards Magnus
    > >

    >
    > .htm and .html files are not handles by the asp(.net) parser so you can
    > request them without a problem.
    >
    > To change this: rename the files to .aspx or let the htm(l) files being
    > parsed.
    >
    > --
    >
    > //Rutger
    >
    > DoDotNet@KICKTHIS_Gmail.com
    > www.RutgerSmit.com
    Magnus Blomberg, Sep 9, 2004
    #3
    1. Advertising

Want to reply to this thread or ask your own question?

It takes just 2 minutes to sign up (and it's free!). Just click the sign up button to choose a username and then you can ask your own questions on the forum.
Similar Threads
  1. Frankie
    Replies:
    3
    Views:
    4,716
    Frankie
    Jul 15, 2005
  2. Chris  Ashley

    Application_Error and HTM/ASP pages?

    Chris Ashley, Oct 3, 2005, in forum: ASP .Net
    Replies:
    1
    Views:
    426
    Patrice
    Oct 3, 2005
  3. moondaddy

    Convert htm pages to aspx pages

    moondaddy, Dec 15, 2005, in forum: ASP .Net
    Replies:
    5
    Views:
    3,096
    moondaddy
    Dec 15, 2005
  4. Brian Muth

    Debugging htm pages....

    Brian Muth, May 10, 2006, in forum: ASP .Net
    Replies:
    2
    Views:
    366
    Brian Muth
    May 10, 2006
  5. Replies:
    6
    Views:
    161
    Dr.Ruud
    Feb 6, 2007
Loading...

Share This Page