Velocity Reviews


Stephen Davies 12-30-2004 10:11 AM

Forms Authentication to protect a cgi application
 
I have enabled forms authentication on an IIS 6 W2k3 server to protect access
to the application files until authenticated.

The actual application apart from the login/logout files is .cgi based so I
have added a “Wildcard Application Map” entry

site properties
home directory tab
Configuration
Application Configuration

to point to the “aspnet_isapi.dll” so that .cgi application files must be
authenticated before they can run.

So far all seems to be working well, direct invocation of the .cgi
application is trapped and redirected to the login screen but after logging
in I am prompted with a download dialog (as if there were no mime type)

1. If I remove the Wildcard Application Mapping the .cgi application runs
2. If I allow users=”*” in the authorization section of the web config (with
the wildcard application mapping in place) it also works perfectly.

On top of this I also have an httphandler routine to perform a URLRewrite to
catch the application logout command, although the symptoms above are exactly
the same when it's removed from the web config.

Any help on this would be greatly appreciated.

Regards
Stephen Davies


[MSFT] 12-31-2004 02:41 AM

RE: Forms Authentication to protect a cgi application
 
Hello Stephen,

How did you redirect from the logon form to the CGI file? If you code like:

Response.Redirect

or

Server.Transfer

Will it work?

Luke


Stephen Davies 12-31-2004 05:11 AM

RE: Forms Authentication to protect a cgi application
 
Hi Luke

I am using Response.Redirect and an example would be

Response.Redirect("urchin/session.cgi?action=login&user=" + tbUserName.Text);

The next dialog is asking me where to save “session.cgi”; it seems IIS does not
know what to do with it. The saved file (as expected) is the session.cgi
executable.

As soon as I remove the Wildcard application mapping the cgi is executed
perfectly. I have tried specific .cgi application mapping rather than the
wildcard, same problem!

-----------------------------------------------------------------
In response to your question I tried Server.Transfer with the same URL as
the Response.Redirect and get the following

Error executing child request for urchin/session.cgi.
[HttpException (0x80004005): Error executing child request for urchin/session.cgi.]
System.Web.HttpServerUtility.ExecuteInternal(String path, TextWriter writer, Boolean preserveForm) +1773
System.Web.HttpServerUtility.Transfer(String path, Boolean preserveForm) +24
_dayUrchin.loginAdmin.Login_Click(Object sender, EventArgs e) in d:\development\urchin\loginadmin.aspx.cs:60
System.Web.UI.WebControls.Button.OnClick(EventArgs e) +108
System.Web.UI.WebControls.Button.System.Web.UI.IPostBackEventHandler.RaisePostBackEvent(String eventArgument) +57
System.Web.UI.Page.RaisePostBackEvent(IPostBackEventHandler sourceControl, String eventArgument) +18
System.Web.UI.Page.RaisePostBackEvent(NameValueCollection postData) +33
System.Web.UI.Page.ProcessRequestMain() +1262

I let the second parameter default as well as testing true and false, all
with exactly the same response. Server Transfer produces this exception with
and without the wildcard application mapping.

Steve


Patrick Olurotimi Ige 12-31-2004 11:27 PM

Re: Forms Authentication to protect a cgi application
 
Try going through this article at:-
http://www.microsoft.com/india/msdn/articles/57.aspx
Can you try posting some more code since you are using some string.
*Guess there must be a workaround!


Stephen Davies 01-01-2005 01:47 AM

Re: Forms Authentication to protect a cgi application
 
Patrick

I had already seen the httpmodules document thanks, I used these to create
the http module originally, it has no bearing on the problem at hand. Same
symptoms installed and uninstalled.

Don't think posting the code would help as it's simply constructing a URL for
the Response.Redirect i.e. "urchin/session.cgi?action=login&user=steve".

On top of that I don't think it's the response redirect that's the issue here;
it's the passing of the .cgi through the IIS "Wildcard Application Mapping"
to the dotnet ISAPI "aspnet_isapi.dll" so that the .cgi can participate in
the forms authentication process that’s the issue. Same problem is
experienced by deleting the wildcard mapping and pointing to the dot net
isapi via the .cgi extension.

Steve


[MSFT] 01-04-2005 06:08 AM

RE: Forms Authentication to protect a cgi application
 
Hi Steve,

It seems ASP.NET's default HttpHandler didn't recognize the CGI extension.
You may need to add an httphandler for CGI like:

<httpHandlers>
    <add verb="*" path="*.cgi"
         type="System.Web.HttpForbiddenHandler"/>
</httpHandlers>

Luke


Stephen Davies 01-04-2005 09:05 PM

RE: Forms Authentication to protect a cgi application
 
Hi Luke

I don't want to block .cgi, I want to RUN them (once Forms Authenticated).

I have removed any reference to my "httpModules" entry for URL rewriting to
eliminate it completely from the problem.

Simply the issue is when I add the “aspnet_isapi.dll” to the "Wildcard
application mapping" front ending all requests (including .cgi) then it seems
the mime type is NOT honoured and I am requested with a prompt to save the
cgi executable locally (rather than run it and present me with the output).

Instructions outlined in the section "Edit Script Mappings in Internet
Services Manager" on this page:
http://support.microsoft.com/kb/815152/EN-US

I am not adding additional httpModules, httpHandlers
I have Forms Authentication ON
Same problem with auth set to Allow users=”*” as with Deny users=”?”

If I remove the “Wildcard Application Mapping” (or an “Application Mapping”
on .cgi) the problem goes away and the .cgi Mime is honoured and executed.

Regards
Stephen Davies


[MSFT] 01-05-2005 03:11 AM

RE: Forms Authentication to protect a cgi application
 
Hi Steve,

HttpForbiddenHandler just blocks the downloading, not executing. For
example, .ASP also uses this handler and is executed by asp.exe. In your
system, what is the program that will use the .cgi file on the web server?

Luke


Stephen Davies 01-05-2005 07:53 AM

RE: Forms Authentication to protect a cgi application
 
Hi Luke

That wasn't how I read it, but I tried it as you suggested. The program I am
trying to use is Urchin web reporting which is implemented using .cgi
programs.

Server Error in '/' Application
--------------------------------------------------------------------------------
This type of page is not served.
Description: The type of page you have requested is not served because it
has been explicitly forbidden. The extension '.cgi' may be incorrect. Please
review the URL below and make sure that it is spelled correctly.

Requested Url: /urchin/report.cg
--------------------------------------------------------------------------------
Version Information: Microsoft .NET Framework Version:1.1.4322.2032; ASP.NET
Version:1.1.4322.2032


Exactly the same message if I change the extension to .aspx like you
referred to

Server Error in '/' Application
--------------------------------------------------------------------------------
This type of page is not served.
Description: The type of page you have requested is not served because it
has been explicitly forbidden. The extension '.aspx' may be incorrect. Please
review the URL below and make sure that it is spelled correctly.

Requested Url: /default.asp
--------------------------------------------------------------------------------
Version Information: Microsoft .NET Framework Version:1.1.4322.2032; ASP.NET
Version:1.1.4322.2032

You might want to re-research this. As I said before the http
modules/handlers are not the issue here, in fact I don't have any implemented
when the problem is present.

Regards
Stephen Davies


Steve Schuler 01-05-2005 07:46 PM

Re: Forms Authentication to protect a cgi application
 
Unfortunately, I believe you are probably SOL with your preferred approach.
Here's a link to a thread I was researching a while back on a different
Wildcard usage (URL Authorization), but it has a bearing on this issue:
http://groups-beta.google.com/group/...com%26rnum%3D1

Note the first response from Wade Hilmo of MS.

It's a lot more work than what you wanted, and adds layers of ASP.NET
overhead on top of the CGI processing, but you could probably still use
ASP.NET forms authentication if you created your own handler that used
Platform Invoke to launch the CGI via CreateProcess.

Probably not the answer you were after... :-(
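
The custom-handler approach suggested in the post above, as an added example that is not code from the thread, from Microsoft or from Urchin. It uses System.Diagnostics.Process (which calls CreateProcess when UseShellExecute is false) in place of a raw Platform Invoke declaration. Assumptions: the class name is hypothetical, the .cgi file is a native executable as described earlier in the thread, requests are GETs without a body, and the CGI output is text.

```csharp
using System;
using System.Diagnostics;
using System.IO;
using System.Web;

// Added example; the class name is hypothetical. Register it for path="*.cgi" in <httpHandlers>.
public class CgiRunnerHandler : IHttpHandler
{
    public bool IsReusable { get { return true; } }
    public void ProcessRequest(HttpContext ctx)
    {
        // URL authorization should already have redirected anonymous users; check again.
        if (!ctx.Request.IsAuthenticated) { ctx.Response.StatusCode = 401; return; }
        // Only run an existing .cgi file that resolves inside the application root.
        string root = Path.GetFullPath(ctx.Request.PhysicalApplicationPath);
        string script = Path.GetFullPath(ctx.Request.PhysicalPath);
        if (!script.StartsWith(root, StringComparison.OrdinalIgnoreCase) ||
            !script.EndsWith(".cgi", StringComparison.OrdinalIgnoreCase) ||
            !File.Exists(script))
        { ctx.Response.StatusCode = 404; return; }
        ProcessStartInfo psi = new ProcessStartInfo(script);
        psi.UseShellExecute = false;        // CreateProcess directly, no shell parsing
        psi.RedirectStandardOutput = true;
        psi.CreateNoWindow = true;
        psi.WorkingDirectory = Path.GetDirectoryName(script);
        // Request data travels in CGI environment variables, never on the command line.
        psi.EnvironmentVariables["REQUEST_METHOD"] = ctx.Request.HttpMethod;
        psi.EnvironmentVariables["QUERY_STRING"] = ctx.Request.Url.Query.TrimStart('?');
        psi.EnvironmentVariables["SCRIPT_NAME"] = ctx.Request.FilePath;
        psi.EnvironmentVariables["REMOTE_USER"] = ctx.User.Identity.Name;
        using (Process p = Process.Start(psi))
        {
            // CGI output is header lines, one blank line, then the body.
            string line;
            while ((line = p.StandardOutput.ReadLine()) != null && line.Length > 0)
            {
                int colon = line.IndexOf(':');
                if (colon <= 0) continue;
                string name = line.Substring(0, colon).Trim();
                string value = line.Substring(colon + 1).Trim();
                if (string.Compare(name, "Content-Type", true) == 0) ctx.Response.ContentType = value;
                else if (string.Compare(name, "Status", true) == 0) ctx.Response.StatusCode = int.Parse(value.Split(' ')[0]);
                else ctx.Response.AppendHeader(name, value);
            }
            ctx.Response.Write(p.StandardOutput.ReadToEnd());
            p.WaitForExit();
        }
    }
}
```

The child process runs under the ASP.NET worker identity, so that account's file and network permissions bound what the CGI can reach.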




