Securing a directory and its files with forms authentication

 
 
Frank
      04-15-2008
I have a simple asp.net 2.0 application that includes two components:

- a file uploader
- a lister of files that have been uploaded

Files are word processing documents; they get stored to a "papers"
subdirectory of the application.

It would be good if both the file lister *and* the files in "papers"
were secured. But I sense that IIS and asp.net do not work together
to protect documents that aren't aspx files. For example, I put an
index.html file into the papers directory, and asked IIS for that
document, and was happily sent the document. This, despite a
<location path="papers"> section in my web.config that includes <deny
users="?" />.

I know how to secure a directory with IIS. What I didn't want to do
was secure both the listing.aspx component *and* the papers
directory. I suppose another approach would be to put the lister.aspx
file into the papers directory and secure the directory with IIS and
forget the authentication in asp.net. But that seems wrong.

So, maybe someone could tell me where my thinking's gone wrong.

Thank you very much.

 
Dominick Baier
      04-17-2008
Hi,

You have to map the file extensions you want to protect to the ASP.NET ISAPI
DLL.

Go to the IIS application properties and look at which DLL the .aspx extension
is mapped to; now do the same for your docs.


-----
Dominick Baier (http://www.leastprivilege.com)

Developing More Secure Microsoft ASP.NET 2.0 Applications (http://www.microsoft.com/mspress/books/9989.asp)

> I have a simple asp.net 2.0 application that includes two components:
>
> - a file uploader
> - a lister of files that have been uploaded
> Files are word processing documents; they get stored to a "papers"
> subdirectory of the application.
>
> It would be good if both the file lister *and* the files in "papers"
> were secured. But I sense that IIS and asp.net do not work together
> to protect documents that aren't aspx files. For example, I put an
> index.html file into the papers directory, and asked IIS for that
> document, and was happily sent the document. This, despite a
> <location path="papers"> section in my web.config that includes <deny
> users="?" />.
>
> I know how to secure a directory with IIS. What I didn't want to do
> was secure both the listing.aspx component *and* the papers
> directory. I suppose another approach would be to put the lister.aspx
> file into the papers directory and secure the directory with IIS and
> forget the authentication in asp.net. But that seems wrong.
> So, maybe someone could tell me where my thinking's gone wrong.
>
> Thank you very much.
>
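
A check for the behaviour discussed in this thread, as an added example (not code from either poster): it classifies what an unauthenticated client received for each path, so a static file that IIS served directly with 200 stands out from a request that ASP.NET redirected to the login page. The login path `/login.aspx`, the file name `sample.doc` and the response texts are constructed assumptions, and the application is assumed to sit at the site root.

```python
from urllib.parse import urlsplit, parse_qs

LOGIN_PATH = "/login.aspx"  # assumption: the forms-authentication loginUrl

# Constructed response heads for requests sent without an auth cookie.
SAMPLES = {
    "/listing.aspx": "HTTP/1.1 302 Found\r\n"
                     "Location: /login.aspx?ReturnUrl=%2flisting.aspx\r\n\r\n",
    # .html is not mapped to the ASP.NET ISAPI DLL, so IIS answers by itself
    "/papers/index.html": "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n",
    # .doc after being mapped to the ASP.NET ISAPI DLL, as the reply advises
    "/papers/sample.doc": "HTTP/1.1 302 Found\r\n"
                          "Location: /login.aspx?ReturnUrl=%2fpapers%2fsample.doc\r\n\r\n",
}

def parse_response(raw):
    """Split a raw HTTP response head into (status code, lower-cased headers)."""
    lines = raw.strip().splitlines()
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        if not line.strip():
            break
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers

def classify(path, raw):
    """Decide whether the anonymous request for `path` was stopped, and by what."""
    status, headers = parse_response(raw)
    if status in (301, 302, 303, 307):
        target = urlsplit(headers.get("location", ""))
        return_url = parse_qs(target.query).get("ReturnUrl", [""])[0]
        # Forms authentication redirects to loginUrl and echoes the path back.
        if target.path.lower() == LOGIN_PATH and return_url.lower() == path.lower():
            return "protected-by-forms-auth"
        return "redirected-elsewhere"
    if status in (401, 403):
        return "blocked-by-server"  # e.g. IIS directory security
    return "exposed" if status == 200 else "inconclusive"

def exposed_paths(samples):
    """Paths whose content reached an anonymous client."""
    return sorted(p for p, raw in samples.items() if classify(p, raw) == "exposed")

if __name__ == "__main__":
    for path, raw in SAMPLES.items():
        print(path, "->", classify(path, raw))
```

Run against responses captured before and after the extension mapping is changed, any path still reported as `exposed` is being served without passing through the `<deny users="?" />` rule.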



 