Velocity Reviews

Velocity Reviews (http://www.velocityreviews.com/forums/index.php)
-   ASP .Net Security (http://www.velocityreviews.com/forums/f62-asp-net-security.html)
-   -   Forms Authentication to specific folders (http://www.velocityreviews.com/forums/t765670-forms-authentication-to-specific-folders.html)

Michael Tissington 01-19-2004 10:24 PM

Forms Authentication to specific folders
 
I have a web application that is using Forms Authentication (with
users/passwords stored in a database) and for the most part it is working.

I have a web page with links on it to files of different types (exe, zip,
pdf)

When the user clicks on one of these links I'd like them to have to log on
and then they can download the file (or any file in the same folder)

How can I set this up ?

Thanks.

--
Michael Tissington
http://www.oaklodge.com
http://www.tabtag.com



MSFT 01-20-2004 03:04 AM

RE: Forms Authentication to specific folders
 
Hi Michael ,

Thank you for using MSDN Newsgroup. I am Luke and I am review this issue
currently. As I understand, you have an ASP.NET application with form
authentication. When user request an ASPX file, he will be redirected to
logon form first. When user request a different file (exe, zip, pdf), you
also need this behavior.

To achieve this, we need change the virtual folder's configaration so that
ASP.NET also manage the request for these kind of request ( I use IIS 6.0
as demo):

1. Open IIS Manager in Administrator Tools, browse to the virtual folder,
right click it and select Properties.
2. On Directory tab, click button "Configration..." and you will see the
Application extensions list.
3. Click Add button, add a application extension for .exe. Set 'Executabel'
to C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\aspne t_isapi.dll; Set
'Extension' to .exe; set 'Verbs' to All verbs.
4. Repeat step 3 for .zip and .pdf
5. restart your IIS

Hope this help,

Luke
Microsoft Online Support

Get Secure! www.microsoft.com/security
(This posting is provided "AS IS", with no warranties, and confers no
rights.)


Michael Tissington 01-20-2004 06:26 AM

Re: Forms Authentication to specific folders
 
Thanks, and what do I need to put into my web.config file also ?

--
Michael Tissington
http://www.oaklodge.com
http://www.tabtag.com

"MSFT" <lukezhan@online.microsoft.com> wrote in message
news:g1VjgIw3DHA.1992@cpmsftngxa07.phx.gbl...
> Hi Michael ,
>
> Thank you for using MSDN Newsgroup. I am Luke and I am review this issue
> currently. As I understand, you have an ASP.NET application with form
> authentication. When user request an ASPX file, he will be redirected to
> logon form first. When user request a different file (exe, zip, pdf), you
> also need this behavior.
>
> To achieve this, we need change the virtual folder's configaration so that
> ASP.NET also manage the request for these kind of request ( I use IIS 6.0
> as demo):
>
> 1. Open IIS Manager in Administrator Tools, browse to the virtual folder,
> right click it and select Properties.
> 2. On Directory tab, click button "Configration..." and you will see the
> Application extensions list.
> 3. Click Add button, add a application extension for .exe. Set

'Executabel'
> to C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\aspne t_isapi.dll; Set
> 'Extension' to .exe; set 'Verbs' to All verbs.
> 4. Repeat step 3 for .zip and .pdf
> 5. restart your IIS
>
> Hope this help,
>
> Luke
> Microsoft Online Support
>
> Get Secure! www.microsoft.com/security
> (This posting is provided "AS IS", with no warranties, and confers no
> rights.)
>




Michael Tissington 01-20-2004 06:31 AM

Re: Forms Authentication to specific folders
 
I have placed an entry in my web.config file and when I click on the link I
now get the login page, have after entering the name and password, the
redirection back to the exe is not working (it stays on the login page)

What am I missing?

--
Michael Tissington
http://www.oaklodge.com
http://www.tabtag.com


"MSFT" <lukezhan@online.microsoft.com> wrote in message
news:g1VjgIw3DHA.1992@cpmsftngxa07.phx.gbl...
> Hi Michael ,
>
> Thank you for using MSDN Newsgroup. I am Luke and I am review this issue
> currently. As I understand, you have an ASP.NET application with form
> authentication. When user request an ASPX file, he will be redirected to
> logon form first. When user request a different file (exe, zip, pdf), you
> also need this behavior.
>
> To achieve this, we need change the virtual folder's configaration so that
> ASP.NET also manage the request for these kind of request ( I use IIS 6.0
> as demo):
>
> 1. Open IIS Manager in Administrator Tools, browse to the virtual folder,
> right click it and select Properties.
> 2. On Directory tab, click button "Configration..." and you will see the
> Application extensions list.
> 3. Click Add button, add a application extension for .exe. Set

'Executabel'
> to C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\aspne t_isapi.dll; Set
> 'Extension' to .exe; set 'Verbs' to All verbs.
> 4. Repeat step 3 for .zip and .pdf
> 5. restart your IIS
>
> Hope this help,
>
> Luke
> Microsoft Online Support
>
> Get Secure! www.microsoft.com/security
> (This posting is provided "AS IS", with no warranties, and confers no
> rights.)
>




MSFT 01-20-2004 09:29 AM

Re: Forms Authentication to specific folders
 
Hi Michael,

How did you code in the Login page? Generally, we only need one line simple
code after authentication like:

FormsAuthentication.RedirectFromLoginPage("", False)

and there is no any special in the web.config:

<authentication mode="Forms">
<forms name=".ASPXFORMSDEMO" loginUrl="logon.aspx"
protection="All" path="/" timeout="30" />
</authentication>

<authorization>
<deny users ="?" />
<allow users = "*" />
</authorization>

Luke
Microsoft Online Support

Get Secure! www.microsoft.com/security
(This posting is provided "AS IS", with no warranties, and confers no
rights.)


Michael Tissington 01-20-2004 04:12 PM

Re: Forms Authentication to specific folders
 
Luke,

Strange, very strange this is what I have .... both exe and pdf have the
same problem .... after logon the page does not get redirected.

In the same session, if I then try to go to another page that requires
logon, I go straight to it and am not prompted to logon again - which is
what I would expect. However if I go to the link for the exe or pdf, I'm
still prompted to logon.

--
Michael Tissington
http://www.oaklodge.com
http://www.tabtag.com

"MSFT" <lukezhan@online.microsoft.com> wrote in message
news:E9SzCgz3DHA.1992@cpmsftngxa07.phx.gbl...
> Hi Michael,
>
> How did you code in the Login page? Generally, we only need one line

simple
> code after authentication like:
>
> FormsAuthentication.RedirectFromLoginPage("", False)
>
> and there is no any special in the web.config:
>
> <authentication mode="Forms">
> <forms name=".ASPXFORMSDEMO" loginUrl="logon.aspx"
> protection="All" path="/" timeout="30" />
> </authentication>
>
> <authorization>
> <deny users ="?" />
> <allow users = "*" />
> </authorization>
>
> Luke
> Microsoft Online Support
>
> Get Secure! www.microsoft.com/security
> (This posting is provided "AS IS", with no warranties, and confers no
> rights.)
>




Michael Tissington 01-20-2004 04:13 PM

Re: Forms Authentication to specific folders
 
Just as a thought, do I need to set any permissions on the folder it self ?

--
Michael Tissington
http://www.oaklodge.com
http://www.tabtag.com

"MSFT" <lukezhan@online.microsoft.com> wrote in message
news:E9SzCgz3DHA.1992@cpmsftngxa07.phx.gbl...
> Hi Michael,
>
> How did you code in the Login page? Generally, we only need one line

simple
> code after authentication like:
>
> FormsAuthentication.RedirectFromLoginPage("", False)
>
> and there is no any special in the web.config:
>
> <authentication mode="Forms">
> <forms name=".ASPXFORMSDEMO" loginUrl="logon.aspx"
> protection="All" path="/" timeout="30" />
> </authentication>
>
> <authorization>
> <deny users ="?" />
> <allow users = "*" />
> </authorization>
>
> Luke
> Microsoft Online Support
>
> Get Secure! www.microsoft.com/security
> (This posting is provided "AS IS", with no warranties, and confers no
> rights.)
>




MSFT 01-21-2004 05:18 AM

Re: Forms Authentication to specific folders
 
Hi Michael,

DId you use the persisted cookies? I suggest you create a new asp.net
project and only add one logon form and add code as I suggest in my
previous message. Will this help for a exe or pdf file?

Luke
Microsoft Online Support

Get Secure! www.microsoft.com/security
(This posting is provided "AS IS", with no warranties, and confers no
rights.)


Michael Tissington 01-21-2004 05:52 AM

Re: Forms Authentication to specific folders
 
Luke,

I have tried this (going back to basics) and I get the same problem.

I'm running Windows 2003.

--
Michael Tissington
http://www.oaklodge.com
http://www.tabtag.com

"MSFT" <lukezhan@online.microsoft.com> wrote in message
news:0LvJI493DHA.1992@cpmsftngxa07.phx.gbl...
> Hi Michael,
>
> DId you use the persisted cookies? I suggest you create a new asp.net
> project and only add one logon form and add code as I suggest in my
> previous message. Will this help for a exe or pdf file?
>
> Luke
> Microsoft Online Support
>
> Get Secure! www.microsoft.com/security
> (This posting is provided "AS IS", with no warranties, and confers no
> rights.)
>




Mike Moore [MSFT] 01-23-2004 02:30 AM

Re: Forms Authentication to specific folders
 
Hi Michael,

I'm sorry we've been delayed in getting back to you. The ASP.NET process
needs to have read access to the files to be donwloaded. This can be set on
the individual files or on the folder. The account that needs read
permissions is typically either the "Network Service" or "ASPNET" account.

We are still researching this issue and will post more information as soon
as we can.

Thank you, Mike
Microsoft, ASP.NET Support Professional

Microsoft highly recommends to all of our customers that they visit the
http://www.microsoft.com/protect site and perform the three straightforward
steps listed to improve your computerís security.

This posting is provided "AS IS", with no warranties, and confers no rights.


--------------------
> From: "Michael Tissington" <michael@nospam.com>
> References: <OzZX4rt3DHA.1908@TK2MSFTNGP10.phx.gbl>

<g1VjgIw3DHA.1992@cpmsftngxa07.phx.gbl>
<Omds#7x3DHA.4060@TK2MSFTNGP11.phx.gbl>
<E9SzCgz3DHA.1992@cpmsftngxa07.phx.gbl>
> Subject: Re: Forms Authentication to specific folders
> Date: Tue, 20 Jan 2004 08:13:30 -0800
> Lines: 38
> X-Priority: 3
> X-MSMail-Priority: Normal
> X-Newsreader: Microsoft Outlook Express 6.00.2800.1158
> X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1165
> Message-ID: <u$oOZB33DHA.3360@tk2msftngp13.phx.gbl>
> Newsgroups: microsoft.public.dotnet.framework.aspnet.security
> NNTP-Posting-Host: antelope.oaklodge.com 63.67.71.5
> Path:

cpmsftngxa07.phx.gbl!cpmsftngxa06.phx.gbl!TK2MSFTN GP08.phx.gbl!tk2msftngp13.
phx.gbl
> Xref: cpmsftngxa07.phx.gbl

microsoft.public.dotnet.framework.aspnet.security: 8293
> X-Tomcat-NG: microsoft.public.dotnet.framework.aspnet.security
>
> Just as a thought, do I need to set any permissions on the folder it self

?
>
> --
> Michael Tissington
> http://www.oaklodge.com
> http://www.tabtag.com
>
> "MSFT" <lukezhan@online.microsoft.com> wrote in message
> news:E9SzCgz3DHA.1992@cpmsftngxa07.phx.gbl...
> > Hi Michael,
> >
> > How did you code in the Login page? Generally, we only need one line

> simple
> > code after authentication like:
> >
> > FormsAuthentication.RedirectFromLoginPage("", False)
> >
> > and there is no any special in the web.config:
> >
> > <authentication mode="Forms">
> > <forms name=".ASPXFORMSDEMO" loginUrl="logon.aspx"
> > protection="All" path="/" timeout="30" />
> > </authentication>
> >
> > <authorization>
> > <deny users ="?" />
> > <allow users = "*" />
> > </authorization>
> >
> > Luke
> > Microsoft Online Support
> >
> > Get Secure! www.microsoft.com/security
> > (This posting is provided "AS IS", with no warranties, and confers no
> > rights.)
> >

>
>
>




All times are GMT. The time now is 12:16 PM.

Powered by vBulletin®. Copyright ©2000 - 2014, vBulletin Solutions, Inc.
SEO by vBSEO ©2010, Crawlability, Inc.