File Types not protected by Forms Authentication

 
 
MatthewRoberts
Guest
Posts: n/a
 
      06-17-2005
Howdy All,

We have an ASP.NET web application that uses Forms Authentication and
has worked without problems for some time.

However, we recently added a Shockwave SWF file to the mix for flash
and interactivity.

All ASPX, HTML, and other web files are protected by security. If you
are not properly authenticated but try to access an ASPX or HTML file,
you will be redirected to the Login page.

However, if you try to access the SWF file directly, it allows you to
view the animation without ever authenticating the user.

Why is this? Are only certain file types protected for Forms
Authentication? How can you add to that list of file types? Is it a
MIME type or file extension we should be securing through IIS in some
way?

We even tried adding the following to the web.config file:


<location path="OurAnimation.swf">
  <system.web>
    <authorization>
      <deny users="?" />
    </authorization>
  </system.web>
</location>


such that it should explicitly deny all anonymous, or unauthenticated
users. But still, this did not work, and direct access to the file is
allowed by anyone.

Can anyone shed some light on this issue?

Thank you in advance for whatever help you can provide.

Matthew Roberts
SOURCECORP
Framework Architect

 
 
 
 
 
Brock Allen
Guest
Posts: n/a
 
      06-17-2005
The reason is that IIS handles the requests for those files, not ASP.NET,
and IIS knows nothing about your intent from web.config. You'd have to route
that file extension through the aspnet_isapi.dll in IIS to have ASP.NET serve
it up.

-Brock
DevelopMentor
http://staff.develop.com/ballen



 
 
 
 
John Timney (ASP.NET MVP)
Guest
Posts: n/a
 
      06-17-2005
The asp.net handlers only kick in for files mapped to it in IIS, so it
suggests extensions for swf are not handled by the asp.net dll and need to
be. Go to IIS setup and check the file types.

--
Regards

John Timney
ASP.NET MVP
Microsoft Regional Director

 
Karl Seguin
Guest
Posts: n/a
 
      06-17-2005
There's a pipeline. A request comes into IIS, IIS figures out how to handle
the request. When the page is an aspx, asmx, adx (various others) IIS
passes the request to ASP.Net. When the page is a swf, IIS simply streams
the contents back to the browser and lets it figure out what to do.

In other words, ASP.Net isn't in play when a request happens for a swf
file... so obviously forms authentication can't do anything. Two solutions
frequently recommended are to (a) make asp.net process requests for swf
files (http://www.dotnetjunkies.com/Article...4B6D130C7.dcik)
or (b) store the .swf file out of your web path and use an aspx file to
stream it, ala showFile.aspx?fileName=someFile.swf which would take the
fileName, and stream the binary file to the user...

Karl

--
MY ASP.Net tutorials
http://www.openmymind.net/ - New and Improved (yes, the popup is
annoying)
http://www.openmymind.net/faq.aspx - unofficial newsgroup FAQ (more to
come!)
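Option (b) from the reply above, sketched as an added example (not code from the thread or from any of its posters): code-behind for a hypothetical ShowFile.aspx. The ProtectedRoot folder and the extension allow-list are assumptions; because fileName arrives in the query string, it is validated so it can only name a file directly inside that folder.

```csharp
using System;
using System.Collections.Generic;
using System.IO;
using System.Web;
using System.Web.Security;

// Hypothetical code-behind for ShowFile.aspx (the .aspx holds only the @Page directive).
public partial class ShowFile : System.Web.UI.Page
{
    // Assumption: protected files sit outside the web root, where IIS cannot serve them directly.
    private const string ProtectedRoot = @"D:\ProtectedContent";

    // Only these extensions are streamed; the value is the Content-Type to send.
    private static readonly Dictionary<string, string> AllowedTypes =
        new Dictionary<string, string>(StringComparer.OrdinalIgnoreCase)
        {
            { ".swf", "application/x-shockwave-flash" }
        };

    protected void Page_Load(object sender, EventArgs e)
    {
        // An .aspx request goes through ASP.NET, so the forms ticket has been evaluated.
        if (!Request.IsAuthenticated)
        {
            FormsAuthentication.RedirectToLoginPage();
            return;
        }

        string name = Request.QueryString["fileName"] ?? string.Empty;

        // GetInvalidFileNameChars includes '\', '/' and ':', so any value that
        // carries a directory or drive component (e.g. "..\web.config") is rejected.
        string contentType;
        if (name.Length == 0 ||
            name.IndexOfAny(Path.GetInvalidFileNameChars()) >= 0 ||
            !AllowedTypes.TryGetValue(Path.GetExtension(name), out contentType))
        {
            throw new HttpException(404, "Not found");
        }

        string fullPath = Path.Combine(ProtectedRoot, name);
        if (!File.Exists(fullPath))
            throw new HttpException(404, "Not found");

        Response.Clear();
        Response.ContentType = contentType;
        // Keep authenticated content out of shared proxy caches.
        Response.Cache.SetCacheability(HttpCacheability.Private);
        Response.TransmitFile(fullPath);
        Response.End();
    }
}
```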
 
MatthewRoberts
Guest
Posts: n/a
 
      06-17-2005
Thank you for the quick response. Works like a charm.

Matthew

 