RE: .pdf security using ASP.NET security...

From: Mike Moore (michmo@online.microsoft.com)
Date: 07/25/02


From: michmo@online.microsoft.com (Mike Moore (MS))
Date: Thu, 25 Jul 2002 03:55:04 GMT


Hi Laurent,

QUESTION
I am wondering if using the aspnet_isapi.dll to handle PDF files security
access (or even JPG files, GIF, DOC, XLS, etc...) using ASP.NET security
option could cause a performance hit, security issue for the Web Server
etc... What is the impact (security, server impact, performance)?

ANSWER

Part 1 -- how to enable aspnet_isapi.dll to handle these files.

IIS has a list of Application Mappings which dictate whether a particular
file type (meaning file extension) needs to be processed or if it can be
sent as is. HTM, BMP and PDF files are examples of file types that are
not generally listed in the IIS application mappings. Therefore, IIS sends
these files based only on IIS security.

To have these files processed by aspnet_isapi.dll, do the following:
* Open Internet Information Services
* Go to properties for your web folder
* On the "Directory" or "Virtual Directory" or "Home Directory" tab, click
"Configuration"
* On the "App Mappings" tab, review the list of current mappings,
particularly the entry for .ASPX
* Create a similar entry for each file type you want handled by ASP.NET
such that each file type is mapped to aspnet_isapi.dll.

Now these files will be processed on the server by aspnet_isapi.dll before
being sent to the client.

Note: in machine.config, in the httpModules section, there are a series of
entries that tell aspnet_isapi.dll what to do with various file types. One
of these entries is simply an asterisk (meaning all remaining file types
that don't have their own specific entry). This entry will govern how
ASP.NET handles these additional file types. By default, it will use
System.Web.StaticFileHandler for these file types.

Part 2 -- Performance

Files that have no app mapping in IIS are handled with minimal overhead.
IIS has its own security, such as whether the folder (and the file) have
been granted IIS read access. If it passes this test, then IIS attempts to
read the file. Then the file system checks NTFS permissions. If it passes
NTFS, then IIS sends the file.

Files that do have app mappings require all the same steps, plus more. IIS
must call a function in the mapped application for that application to
process the request. In this case aspnet_isapi.dll.

aspnet_isapi.dll has a sequence of steps (modules) for request
pre-processing (before the handler) and post-processing (in this case the
handler is StaticFileHandler). The list of modules is in the machine.config
file in the httpModules section. The good news is that all this takes less
time than one might think.

Without going into the modules too deeply, here are some of the tasks which
the DLL and the modules perform:
 - authentication
 - authorization
 - check the cache
 - associate this user's session data with this request
 - create and set properties for a series of objects including:
   Application, Session, Server, Request, and Response objects

aspnet_isapi.dll runs pretty quick, but it does add significant overhead
compared to static files that are not mapped to any application.

Thank you, Mike Moore
Microsoft ASP.NET Developer Support

This posting is provided "AS IS" with no warranties, and confers no rights.
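
Added example (not part of the original post): a web.config that applies ASP.NET Forms authentication and URL authorization to a folder of documents, which is the "ASP.NET security option" the question refers to. The folder name "reports" and the page name "login.aspx" are assumptions chosen for illustration.

```xml
<!-- web.config at the application root (added example; "reports" and "login.aspx" are assumed names) -->
<configuration>
  <system.web>
    <!-- Forms authentication: unauthenticated requests to protected URLs are redirected to the login page -->
    <authentication mode="Forms">
      <forms loginUrl="login.aspx" timeout="30" />
    </authentication>
    <!-- The rest of the site stays open to everyone -->
    <authorization>
      <allow users="*" />
    </authorization>
  </system.web>

  <!-- Hypothetical folder holding the PDF, DOC and XLS files to protect -->
  <location path="reports">
    <system.web>
      <authorization>
        <!-- "?" means anonymous (unauthenticated) users -->
        <deny users="?" />
      </authorization>
    </system.web>
  </location>
</configuration>
```

These rules are evaluated only for requests that IIS hands to aspnet_isapi.dll, so a .pdf under "reports" is covered only after the .pdf extension has been mapped as described in Part 1. IIS and NTFS permission checks still apply in addition.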


