Forms Authentication to protect a cgi application

 
 
Stephen Davies
      12-30-2004
I have enabled forms authentication on an IIS 6 W2k3 server to protect access
to the application files until authenticated.

The actual application apart from the login/logout files is .cgi based so I
have added a “Wildcard Application Map” entry

site properties
home directory tab
Configuration
Application Configuration

to point to the “aspnet_isapi.dll” so that .cgi application files must be
authenticated before they can run.

So far all seems to be working well, direct invocation of the .cgi
application is trapped and redirected to the login screen but after logging
in I am prompted with a download dialog (as if there were no mime type)

1. If I remove the Wildcard Application Mapping the .cgi application runs
2. If I allow users=”*” in the authorization section of the web config (with
the wildcard application mapping in place) it also works perfectly.

On top of this I also have an httphandler routine to perform a URLRewrite to
catch the application logout command, although the symptoms above are exactly
the same when it's removed from the web config.

Any help on this would be greatly appreciated.

Regards
Stephen Davies

 
[MSFT]
      12-31-2004
Hello Stephen,

How did you redirect from the logon form to the CGI file? If you code like:

Response.Redirect

or

Server.Transfer

Will it work?

Luke

 
Stephen Davies
      12-31-2004
Hi Luke

I am using Response.Redirect; an example would be

Response.Redirect("urchin/session.cgi?action=login&user=" + tbUserName.Text);

The next dialog is asking me where to save “session.cgi”; it seems IIS does not
know what to do with it. The saved file (as expected) is the session.cgi
executable.

As soon as I remove the Wildcard application mapping the cgi is executed
perfectly. I have tried specific .cgi application mapping rather than the
wildcard, same problem!

-----------------------------------------------------------------
In response to your question I tried Server.Transfer with the same URL as
the Response.Redirect and get the following

Error executing child request for urchin/session.cgi.
[HttpException (0x80004005): Error executing child request for urchin/session.cgi.]
System.Web.HttpServerUtility.ExecuteInternal(String path, TextWriter writer, Boolean preserveForm) +1773
System.Web.HttpServerUtility.Transfer(String path, Boolean preserveForm) +24
_dayUrchin.loginAdmin.Login_Click(Object sender, EventArgs e) in d:\development\urchin\loginadmin.aspx.cs:60
System.Web.UI.WebControls.Button.OnClick(EventArgs e) +108
System.Web.UI.WebControls.Button.System.Web.UI.IPostBackEventHandler.RaisePostBackEvent(String eventArgument) +57
System.Web.UI.Page.RaisePostBackEvent(IPostBackEventHandler sourceControl, String eventArgument) +18
System.Web.UI.Page.RaisePostBackEvent(NameValueCollection postData) +33
System.Web.UI.Page.ProcessRequestMain() +1262

I let the second parameter default as well as testing true and false, all
with exactly the same response. Server Transfer produces this exception with
and without the wildcard application mapping.

Steve

"[MSFT]" wrote:

> Hello Stephen,
>
> How did you redirect from the logon form to the CGI file? If you code like:
>
> Response.Redirect
>
> or
>
> Server.Transfer
>
> Will it work?
>
> Luke
>
>

 
Patrick Olurotimi Ige
      12-31-2004
Try going through this article at:-
http://www.microsoft.com/india/msdn/articles/57.aspx
Can you try posting some more code since you are using some string.
*Guess there must be a workaround!



Stephen Davies
      01-01-2005
Patrick

I had already seen the httpmodules document thanks, I used these to create
the http module originally, it has no bearing on the problem at hand. Same
symptoms installed and uninstalled.

Don't think posting the code would help as it's simply constructing a URL for
the Response.Redirect i.e. "urchin/session.cgi?action=login&user=steve".

On top of that I don't think it's the response redirect that's the issue here,
it's the passing of the .cgi through the IIS "Wildcard Application Mapping"
to the dotnet ISAPI "aspnet_isapi.dll" so that the .cgi can participate in
the forms authentication process that’s the issue. Same problem is
experienced by deleting the wildcard mapping and pointing to the dot net
isapi via the .cgi extension.

Steve

"Patrick Olurotimi Ige" wrote:

> Try going through this article at:-
> http://www.microsoft.com/india/msdn/articles/57.aspx
> Can you try posting some more code since you are using some string.
> *Guess there must be a workaround!

[MSFT]
      01-04-2005
Hi Steve,

It seems ASP.NET's default HttpHandler didn't recognize the CGI extension.
You may need to add an httphandler for CGI like:

<httpHandlers>
<add verb="*" path="*.cgi" type="System.Web.HttpForbiddenHandler"/>
</httpHandlers>


Luke

 
Stephen Davies
      01-04-2005
Hi Luke

I don't want to block .cgi, I want to RUN them (once Forms Authenticated).

I have removed any reference to my "httpModules" entry for URL rewriting to
eliminate it completely from the problem.

Simply the issue is when I add the “aspnet_isapi.dll” to the "Wildcard
application mapping" front ending all requests (including .cgi) then it seems
the mime type is NOT honoured and I am requested with a prompt to save the
cgi executable locally (rather than run it and present me with the output).

Instructions outlined in the section "Edit Script Mappings in Internet
Services Manager" on this page:
http://support.microsoft.com/kb/815152/EN-US

I am not adding additional httpModules, httpHandlers
I have Forms Authentication ON
Same problem with auth set to Allow users=”*” as with Deny users=”?”

If I remove the “Wildcard Application Mapping” (or an “Application Mapping”
on .cgi) the problem goes away and the .cgi Mime is honoured and executed.

Regards
Stephen Davies

"[MSFT]" wrote:

> Hi Steve,
>
> It seems ASP.NET's default HttpHandler didn't recognize the CGI extension,
> You may need to add a httphandler for CGI like:
>
> <httpHandlers>
>
> <add verb="*" path="*.cgi"
> type="System.Web.HttpForbiddenHandler"/>
>
>
> Luke
>
>

 
[MSFT]
      01-05-2005
Hi Steve,

HttpForbiddenHandler just blocks the downloading, not executing. For
example, .ASP also uses this handler and is executed by asp.exe. In your
system, what is the program that will use the .cgi file on the web server?

Luke

 
Stephen Davies
      01-05-2005
Hi Luke

That wasn't how I read it, but I tried it as you suggested. The program I am
trying to use is Urchin web reporting which is implemented using .cgi
programs.

Server Error in '/' Application
--------------------------------------------------------------------------------
This type of page is not served.
Description: The type of page you have requested is not served because it
has been explicitly forbidden. The extension '.cgi' may be incorrect. Please
review the URL below and make sure that it is spelled correctly.

Requested Url: /urchin/report.cg
--------------------------------------------------------------------------------
Version Information: Microsoft .NET Framework Version:1.1.4322.2032; ASP.NET
Version:1.1.4322.2032


Exactly the same message if I change the extension to .aspx like you
referred to

Server Error in '/' Application
--------------------------------------------------------------------------------
This type of page is not served.
Description: The type of page you have requested is not served because it
has been explicitly forbidden. The extension '.aspx' may be incorrect. Please
review the URL below and make sure that it is spelled correctly.

Requested Url: /default.asp
--------------------------------------------------------------------------------
Version Information: Microsoft .NET Framework Version:1.1.4322.2032; ASP.NET
Version:1.1.4322.2032

You might want to re-research this. As I said before, the http
modules/handlers are not the issue here; in fact I don't have any implemented
when the problem is present.

Regards
Stephen Davies

"[MSFT]" wrote:

> Hi Steve,
>
> HttpForbiddenHandler just blocks the downloading, not executing. For
> example, .ASP also uses this handler and is executed by asp.exe. In your
> system, what is the program that will use the .cgi file on the web server?
>
> Luke
>
>

 
Steve Schuler
      01-05-2005
Unfortunately, I believe you are probably SOL with your preferred approach.
Here's a link to a thread I was researching a while back on a different
Wildcard usage (URL Authorization), but it has a bearing on this issue:
http://groups-beta.google.com/group/...com%26rnum%3D1

Note the first response from Wade Hilmo of MS.

It's a lot more work than what you wanted, and adds layers of ASP.NET
overhead on top of the CGI processing, but you could probably still use
ASP.NET forms authentication if you created your own handler that used
Platform Invoke to launch the CGI via CreateProcess.

Probably not the answer you were after...

"Stephen Davies" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
> I have enabled forms authentication on an IIS 6 W2k3 server to protect access
> to the application files until authenticated.
>
> The actual application apart from the login/logout files is .cgi based so I
> have added a "Wildcard Application Map" entry
>
> site properties
> home directory tab
> Configuration
> Application Configuration
>
> to point to the "aspnet_isapi.dll" so that .cgi application files must be
> authenticated before they can run.
>
> So far all seems to be working well, direct invocation of the .cgi
> application is trapped and redirected to the login screen but after logging
> in I am prompted with a download dialog (as if there were no mime type)
>
> 1. If I remove the Wildcard Application Mapping the .cgi application runs
> 2. If I allow users="*" in the authorization section of the web config (with
> the wildcard application mapping in place) it also works perfectly.
>
> On top of this I also have an httphandler routine to perform a URLRewrite to
> catch the application logout command, although the symptoms above are exactly
> the same when it's removed from the web config.
>
> Any help on this would be greatly appreciated.
>
> Regards
> Stephen Davies
>
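
One way to build the handler suggested in the reply above, as an added example that is not code from the thread or from Urchin: it launches the CGI with System.Diagnostics.Process rather than P/Invoke to CreateProcess, re-checks authentication, and confines the launch to one directory. Assumptions: .NET Framework 2.0 or later, GET requests with text output only, and the hypothetical names AuthenticatedCgiHandler and CgiRoot.

```csharp
using System;
using System.Diagnostics;
using System.IO;
using System.Web;

// Added example; the class name and CgiRoot are hypothetical.
public class AuthenticatedCgiHandler : IHttpHandler
{
    // Assumed install directory; only executables below it may be launched.
    private const string CgiRoot = @"C:\example\cgi-bin\";

    public bool IsReusable { get { return true; } }

    public void ProcessRequest(HttpContext ctx)
    {
        // Defence in depth: the <authorization> rules should already have
        // redirected anonymous users to the login page.
        if (!ctx.Request.IsAuthenticated) { ctx.Response.StatusCode = 401; return; }

        // Canonicalise the target and confine it to CgiRoot before launching.
        string path = Path.GetFullPath(ctx.Request.PhysicalPath);
        if (!path.StartsWith(CgiRoot, StringComparison.OrdinalIgnoreCase)
            || !path.EndsWith(".cgi", StringComparison.OrdinalIgnoreCase)
            || !File.Exists(path))
        { ctx.Response.StatusCode = 404; return; }

        ProcessStartInfo psi = new ProcessStartInfo(path);
        psi.UseShellExecute = false;       // direct launch, no shell parsing
        psi.RedirectStandardOutput = true;
        psi.WorkingDirectory = Path.GetDirectoryName(path);
        // CGI receives request data through the environment, not the command line.
        psi.EnvironmentVariables["GATEWAY_INTERFACE"] = "CGI/1.1";
        psi.EnvironmentVariables["REQUEST_METHOD"] = ctx.Request.HttpMethod;
        psi.EnvironmentVariables["QUERY_STRING"] = ctx.Request.Url.Query.TrimStart('?');
        psi.EnvironmentVariables["SCRIPT_NAME"] = ctx.Request.FilePath;
        psi.EnvironmentVariables["REMOTE_ADDR"] = ctx.Request.UserHostAddress;
        psi.EnvironmentVariables["REMOTE_USER"] = ctx.User.Identity.Name;

        using (Process cgi = Process.Start(psi))
        {
            // CGI output is header lines, one blank line, then the body.
            string line;
            while ((line = cgi.StandardOutput.ReadLine()) != null && line.Length > 0)
                if (line.StartsWith("Content-Type:", StringComparison.OrdinalIgnoreCase))
                    ctx.Response.ContentType = line.Substring(13).Split(';')[0].Trim();
            ctx.Response.Write(cgi.StandardOutput.ReadToEnd());
            cgi.WaitForExit();
        }
    }
}
```

Registered for `*.cgi` under `<httpHandlers>`, the class receives requests that have passed forms authentication instead of ASP.NET's static file handler, which would send the executable's bytes to the browser. The child process runs under the worker process identity, so that account needs execute rights on CgiRoot and nothing broader.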



 