aspnet_isapi.dll security limit access to folders

Discussion in 'ASP .Net Security' started by Scanner2001, Nov 11, 2006.

  1. Scanner2001

    Scanner2001 Guest

    I am trying to limit access to folders in the web per user. I have tried two
    different approaches, neither of which I can get to work correctly. I have a
    Windows 2003 R2 server, 2.0, FrontPage extensions installed.
    My setup looks like this:
    etc.. where the webvirtualdirectory is an application.

    I am using forms authentication, using SQL 2005. I want tom to be able to
    access files such as html, pdf, jpg, etc. that he dynamically creates or
    uploads to his folder, but not be able to access anything in bob's folder,
    including html files. Likewise for bob. The users are created dynamically,
    so I do not know who they are ahead of time, nor could I manage them

    Attempt 1:
    I have tried adding an additional application extension mapping in the web
    site configuration, mapping .pdf to aspnet_isapi.dll (.NET 2.0). Then in the
    users folder (i.e. users/bob), a web.config is dynamically created when the
    user is created that gives the user rights to everything in that folder.
    This does not work; no PDFs (or other files such as html) are served by the
    server. I receive:
    - Error Code 64: Host not available
    - Background: The connection to the Web server was lost.

    Attempt 2:
    I have tried the web configuration tool, supplied with Visual Studio, to
    limit access to the folder for the user, such as bob. This appears to have
    no impact on limiting access to files that are not mapped to the
    aspnet_isapi.dll. So basically no security on files or folders.

    Now I also have some static content at the root level that I do want to
    allow anonymous access to, such as 1 pdf file and 1 html file. I believe the
    site wide security is set properly for the remainder of the pages because if
    I try to go to an aspx page that is not explicitly allowed in the web.config,
    the anonymous user is automatically redirected to a login page, and the page
    is not shown.

    Not sure what I am missing here, any help is greatly appreciated, or if you
    think I should post to a different group.

    Scanner2001, Nov 11, 2006
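
The access rules the post describes, written out as ASP.NET 2.0 URL authorization settings in a root web.config. This is an added example, not part of the original post; the file name welcome.pdf and the login page login.aspx are assumptions, while users/bob is the folder named in the post.

```xml
<?xml version="1.0"?>
<!-- Root web.config of the application (constructed example). -->
<configuration>
  <system.web>
    <!-- Forms authentication; loginUrl is a hypothetical page name. -->
    <authentication mode="Forms">
      <forms loginUrl="login.aspx" />
    </authentication>
    <!-- Site-wide default: "?" means anonymous, so unauthenticated
         requests are sent to the login page. -->
    <authorization>
      <deny users="?" />
    </authorization>
  </system.web>

  <!-- Exception for one root-level file that anonymous users may read.
       "*" means every user, authenticated or not. -->
  <location path="welcome.pdf">
    <system.web>
      <authorization>
        <allow users="*" />
      </authorization>
    </system.web>
  </location>

  <!-- Per-user folder. Rules are read top to bottom and the first match
       wins, so the allow for bob must come before the deny for everyone.
       The same <authorization> block can instead be written to a
       web.config inside users/bob when the account is created. -->
  <location path="users/bob">
    <system.web>
      <authorization>
        <allow users="bob" />
        <deny users="*" />
      </authorization>
    </system.web>
  </location>

  <!-- These rules are evaluated only for requests that IIS hands to
       aspnet_isapi.dll; file types without that mapping bypass them. -->
</configuration>
```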
