Forms-Based Authentication and NON ASP.NET Assets

 
 
Alex Maghen
02-20-2005
I have a feeling you're gonna say no, but is there any way, with ASP.NET
Forms-Based Authentication, to protect access to NON ASP.NET objects? For
example, if I have a directory that has .ASPX files AND, say, JPEG files
(.jpg), it would appear that if the user has the URL to one of the JPEGs, he
can still come back any time and download it without being sent to the Login
page. I assume this is because, for a JPEG file, ASP.NET is not involved at
all in the whole IIS loop.

Right?

Alex
 
Geir Aamodt
02-21-2005
Alex,

you are correct....

.......5 minutes later

I found the following, see snippet below, at
http://msdn.microsoft.com/library/de...THCMGlance.asp

I have not tested it yet, but it might be possible to add a new verb like:
<add verb="*" path="*.jpeg" type="System.Web.HttpForbiddenHandler" />

As I said, not sure if this will work, might be worth a try.

If it does not work, you're still correct, Alex.

--

Best regards,
Geir Aamodt
geir.aamodt(AT)bekk.no

----------------Snippet start----------------
Map Protected Resources to HttpForbiddenHandler
HTTP handlers are located in Machine.config beneath the <httpHandlers>
element. HTTP handlers are responsible for processing Web requests for
specific file extensions. Remoting should not be enabled on front-end Web
servers; enable Remoting only on middle-tier application servers that are
isolated from the Internet.

The following file extensions are mapped in Machine.config to HTTP
handlers:
- .aspx is used for ASP.NET pages.
- .rem and .soap are used for Remoting.
- .asmx is used for Web Services.
- .asax, .ascx, .config, .cs, .csproj, .vb, .vbproj, .webinfo, .asp,
  .licx, .resx, and .resources are protected resources and are mapped to
  System.Web.HttpForbiddenHandler.
For .NET Framework resources, if you do not use a file extension, then map
the extension to System.Web.HttpForbiddenHandler in Machine.config, as shown
in the following example:

<add verb="*" path="*.vbproj" type="System.Web.HttpForbiddenHandler" />
In this case, the .vbproj file extension is mapped to
System.Web.HttpForbiddenHandler. If a client requests a path that ends with
.vbproj, then ASP.NET returns a message that states "This type of page is
not served."

The following guidelines apply to handling .NET Framework file extensions:

- Map extensions you do not use to HttpForbiddenHandler. If you do not
  serve ASP.NET pages, then map .aspx to HttpForbiddenHandler. If you do not
  use Web Services, then map .asmx to HttpForbiddenHandler.
- Disable Remoting on Internet-facing Web servers. Map remoting
  extensions (.soap and .rem) on Internet-facing Web servers to
  HttpForbiddenHandler.
----------------Snippet end----------------



IPGrunt
02-21-2005
It's an interesting problem that I may have to solve myself for access
to other types of files, like PDFs, in a pay-for-access document
control system I need to design for a client.

IIS and Windows ACLs determine who gets access to a website folder.

You'd have to investigate impersonation in ASP.NET, but I can imagine a
design where the default IIS account doesn't have access to JPG files
in a certain folder, but the entity impersonated by your ASP.NET app
does.

Another approach might be through ISAPI filters, though these are
different with IIS6.0 and IIS5.1 and I'd have to solve the problem on
two different platforms.

Is this a real problem you're trying to solve, or are you just
what-if-ing?

-- ipgrunt
 

WJ
02-21-2005
If these objects/files are sensitive, the safest way to store them is
"database" in the form of "image". I do this for documents and images. They
work OK.

John

ranganh
02-22-2005
Hi,

You can use Forms Authentication and deny access to PDF and for that matter
any static files that are handled by IIS with a simple configuration of the
IIS Configuration Manager settings.

Please check
http://aspnet_harish.blogspot.com/20...-in-forms.html

Thanks.


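The two configuration suggestions in this thread point in different directions. Mapping an extension to System.Web.HttpForbiddenHandler, as in Geir's snippet, refuses the file to every caller, logged in or not; what the original question needs is for the request to reach ASP.NET at all, so that the forms-authentication module and the `<authorization>` rules are consulted before any bytes are sent, which is what the IIS setting ranganh refers to achieves. On IIS 5/6 the static extension (.jpg, .pdf, ...) has to be added to the site's application mappings so it is handed to aspnet_isapi.dll; after that, ASP.NET needs a handler willing to serve the file. The following is an added example, not code from this thread or from the linked pages; the handler name ProtectedFileHandler, the /protected/ folder, the Login.aspx page and the choice of .jpg and .pdf are all assumptions.

```csharp
// web.config entries this handler relies on (assumed layout, not from the thread):
//
//   <system.web>
//     <authentication mode="Forms">
//       <forms loginUrl="Login.aspx" />
//     </authentication>
//     <httpHandlers>
//       <!-- Only reached once IIS routes *.jpg / *.pdf to aspnet_isapi.dll.
//            Use "TypeName, AssemblyName" if the class is compiled separately. -->
//       <add verb="GET,HEAD" path="*.jpg" type="ProtectedFileHandler" />
//       <add verb="GET,HEAD" path="*.pdf" type="ProtectedFileHandler" />
//     </httpHandlers>
//   </system.web>
//   <location path="protected">
//     <system.web>
//       <authorization>
//         <deny users="?" />   <!-- "?" means anonymous users -->
//       </authorization>
//     </system.web>
//   </location>
//
// With the <location> rule in place, UrlAuthorizationModule already turns
// anonymous requests under /protected/ into a login redirect before
// ProcessRequest runs; the explicit check below covers files outside that
// folder and is defence in depth for the rest.

using System;
using System.IO;
using System.Web;

public class ProtectedFileHandler : IHttpHandler
{
    public void ProcessRequest(HttpContext context)
    {
        // FormsAuthenticationModule has populated context.User by this stage.
        if (context.User == null || !context.User.Identity.IsAuthenticated)
        {
            // A 401 is converted into a redirect to loginUrl by
            // FormsAuthenticationModule at EndRequest, the same mechanism
            // UrlAuthorizationModule relies on.
            context.Response.StatusCode = 401;
            return;
        }

        // Request.FilePath is the virtual path ASP.NET has already
        // normalised; MapPath resolves it inside the application root.
        string physicalPath = context.Server.MapPath(context.Request.FilePath);
        if (!File.Exists(physicalPath))
        {
            context.Response.StatusCode = 404;
            return;
        }

        context.Response.ContentType = ContentTypeFor(physicalPath);
        // Keep shared proxies from handing the file to a later, anonymous client.
        context.Response.Cache.SetCacheability(HttpCacheability.NoCache);
        context.Response.WriteFile(physicalPath);
    }

    // Minimal extension-to-MIME mapping for the types used in this example.
    private static string ContentTypeFor(string path)
    {
        switch (Path.GetExtension(path).ToLower())
        {
            case ".jpg":
            case ".jpeg": return "image/jpeg";
            case ".pdf":  return "application/pdf";
            default:      return "application/octet-stream";
        }
    }

    public bool IsReusable { get { return true; } }
}
```

Two things to verify after deploying something like this. First, request the image directly in a fresh browser session: if the JPEG still comes back instead of the login page, the IIS mapping is missing and ASP.NET never saw the request, which is exactly the situation Alex describes. Second, the same handler shape works unchanged for WJ's suggestion of keeping the bytes in a database: replace the File.Exists/WriteFile pair with a lookup and Response.BinaryWrite, and the authentication check stays where it is.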