ASP.Net Web.config security question

ASP.Net programmer

I have a weird problem securing my ASP.Net application. I know it's
probably my fault, but I just don't get it to work.

- Anonymous access is disabled on the IIS Server.
- Integrated Windows security is enabled on the IIS Server.

Web.config (excerpt, slightly edited):
<?xml version="1.0" encoding="utf-8" ?>
<configuration>

  <location path="admin">
    <system.web>
      <authorization>
        <allow users="Domain\admin_account"/>
        <deny users="*" />
      </authorization>
    </system.web>
  </location>

  <system.web>
    <authentication mode="Windows" />
    <authorization>
      <allow roles="Domain\Domain Users" />
      <deny users="*" />
    </authorization>
  </system.web>
</configuration>

The problem is: I (as a normal user) can access the normal pages as
expected, but also the admin directory.

I enabled trace and the only status-code for a request is 200. I know
there also should be a 400 (or 401) for the authentication, but it just
isn't there.
The LOGON_USER property of the trace shows my account.

My question is: what did I forget?
 
ASP.Net programmer

For some *very* annoying reason the security settings only work when
an aspx page is requested. The security settings are completely ignored
when an HTML file is requested. Even when I applied the security settings
specifically to the html file!
 
Patrice

AFAIK this is expected as HTML files are not handled by ASP.NET. A possible
solution could be to rename those files...

Patrice

--
 
ASP.Net programmer

> AFAIK this is expected as HTML files are not handled by ASP.NET. A
> possible solution could be to rename those files...
>
> Patrice

I did that and it works properly now. I just think it's weird that the HTML
file isn't handled by the security system when I put it in a *directory* I
secured...
 
Lee

Hi ;)

The reason for this is that IIS passes files to ASP.Net by file extension.
What's probably happening is that IIS is serving the HTML files itself;
ASP.Net isn't involved at all, hence your security settings aren't applied.

You can configure the way this works in the IIS snap-in:

\WINDOWS\system32\inetsrv\iis.msc

Right-click the website in the tree, choose properties, choose the home
directory tab then press the configuration button.

One way to solve your problem would be to create/modify an entry
associating the HTML file extension with ASP.Net. Double-click the line
with .aspx in the extension column, note all the settings within the
dialog, then create/modify the HTML entry and ensure the settings are the
same.

Voila!
 
Patrice

The key point to keep in mind is that the web.config has nothing to do with
the web server. This is just something used by ASP.NET and applies only to
requests serviced by ASP.NET.

Patrice

--
 
ASP.Net programmer

> Hi ;)
>
> The reason for this is that IIS passes files to ASP.Net by file
> extension. What's probably happening is that IIS is serving the HTML
> files itself; ASP.Net isn't involved at all, hence your security
> settings aren't applied.
>
> You can configure the way this works in the IIS snap-in:
>
> \WINDOWS\system32\inetsrv\iis.msc
>
> Right-click the website in the tree, choose properties, choose the
> home directory tab then press the configuration button.
>
> One way to solve your problem would be to create/modify an entry
> associating the HTML file extension with ASP.Net. Double-click the
> line with .aspx in the extension column, note all the settings within
> the dialog, then create/modify the HTML entry and ensure the settings
> are the same.
>
> Voila!

Thanks. :)
 
ASP.Net programmer

> The key point to keep in mind is that the web.config has nothing to do
> with the web server. This is just something used by ASP.NET and
> applies only to requests serviced by ASP.NET.
>
> Patrice

Thanks, I obviously found that out the hard way. ;)
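
The point Lee and Patrice make above, as an added example (not code from any poster in this thread): a Python script that reads the authorization rules from the question's Web.config excerpt and lists files under a restricted location whose extension is not handed to ASP.NET, so the rule is never evaluated for them. The mapped-extension set and the file listing are constructed assumptions.

```python
import xml.etree.ElementTree as ET
from pathlib import PurePosixPath

# Assumption: extensions the IIS script map hands to ASP.NET on this site.
ASPNET_MAPPED = {".aspx", ".ashx", ".asmx"}

# Authorization rules from the question's Web.config excerpt.
WEB_CONFIG = """<configuration>
  <location path="admin">
    <system.web>
      <authorization>
        <allow users="Domain\\admin_account"/>
        <deny users="*" />
      </authorization>
    </system.web>
  </location>
  <system.web>
    <authorization>
      <allow roles="Domain\\Domain Users" />
      <deny users="*" />
    </authorization>
  </system.web>
</configuration>"""

# Constructed file listing of the web root (relative paths).
SAMPLE_FILES = ["default.aspx", "help.html", "admin/users.aspx",
                "admin/report.html", "admin/img/logo.gif"]

def restricted_locations(config_xml):
    """Paths ('' = site root) whose <authorization> contains a <deny> rule."""
    root = ET.fromstring(config_xml)
    scopes = [("", root)] + [(loc.get("path", "").strip("/").lower(), loc)
                             for loc in root.findall("location")]
    return [path for path, node in scopes
            if node.find("system.web/authorization/deny") is not None]

def bypassing_files(config_xml, files, mapped=ASPNET_MAPPED):
    """(file, location) pairs where ASP.NET never evaluates the rule."""
    locations = restricted_locations(config_xml)
    findings = []
    for name in files:
        p = PurePosixPath(name.replace("\\", "/").lower())
        if p.suffix in mapped:
            continue  # handled by ASP.NET, so <authorization> is enforced
        # A <location> path may name the file itself or any parent directory.
        scope = {str(p)} | {str(parent) for parent in p.parents}
        hits = [loc for loc in locations if loc == "" or loc in scope]
        if hits:
            findings.append((name, max(hits, key=len) or "/"))
    return findings
```

IIS still authenticates these requests and NTFS permissions still apply; the listing only shows where the Web.config rule itself is skipped, which is what renaming the file or mapping its extension to ASP.NET (the two fixes in the thread) addresses.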
 
