Re: .pdf security using ASP.NET security...

From: Laurent Allardin (laurent@2k1soft.com)
Date: 07/25/02 

From: "Laurent Allardin" <laurent@2k1soft.com>
Date: Thu, 25 Jul 2002 00:15:49 -0400

Thank you Mike!

Do you think that mapping could cause a security issue??? Because I know
that ISP are not really willing to modify the mapping...

Thanks!

Laurent

"Mike Moore (MS)" <michmo@online.microsoft.com> wrote in message
news:2gVbx74MCHA.2016@cpmsftngxa07...
> Hi Laurent,
>
> QUESTION
> I am wondering if using the aspnet_isapi.dll to handle PDF files security
> access (or even JPG files, GIF, DOC, XLS, etc...) using ASP.NET security
> option could cause a performance hit, security issue for the Web Server
> etc... What are the impact (security, server impact, performance)?
>
> ANSWER
>
> Part 1 -- how to enable aspnet_isapi.dll to handle these files.
>
> IIS has a list of Application Mappings which dictate whether a particular
> file type (meaning file extension) needs to be processed or if it can be
> sent as is. HTM, BMP and PDF files are examples of files types that are
> not generally listed in the IIS application mappings. Therefore, IIS sends
> these files based only on IIS security.
>
> To have these files processed by aspnet_isapi.dll, do the following:
> * Open Internet Information Services
> * Go to properties for your web folder
> * On the "Directory" or "Virtual Directory" or "Home Directory" tab, click
> "Configuration"
> * On the "App Mappings" tab, review the list of current mappings,
> particularly the entry for .ASPX
> * Create a similar entry for each file type you want handled by ASP.NET
> such that each file type is mapped to aspnet_isapi.dll.
>
> Now these files will be processed on the server by aspnet_isapi.dll before
> being sent to the client.
>
> Note: in machine.config, in the httpModules section, there are a series of
> entries that tell aspnet_isapi.dll what to do with various file types.
One
> of these entries is simply an asterisk (meaning all remaining file types
> that don't have their own specific entry). This entry will govern how
> ASP.NET handles these additional file types. By default, it will use
> System.Web.StaticFileHandler for these file types.
>
> Part 2 -- Performance
>
> Files that have no app mapping in IIS are handled with minimal overhead.
> IIS has its own security, such as whether the folder (and the file) have
> been granted IIS read access. If it passes this test, then IIS attempts to
> read the file. Then the file system checks NTFS permissions. If it passes
> NTFS, then IIS sends the file.
>
> Files that do have app mappings require all the same steps, plus more. IIS
> must call a function in the mapped application for that application to
> process the request. In this case aspnet_isapi.dll.
>
> aspnet_isapi.dll has a sequence of steps (modules) for request
> pre-processing (before the handler) and post-processing (in this case the
> handler is StaticFileHandler). The list of modules is in the
machine.config
> file in the httpModules section. The good news is that all this takes less
> time than one might think.
>
> Without going into the modules too deeply, here are some of the tasks
which
> the DLL and the modules perform
> - authentication
> - authorization
> - check the cache
> - associate this user's session data with this request
> - create and set properties for a series of objects including:
> Application, Session, Server, Request, and Response objects
>
> aspnet_isapi.dll runs pretty quick, but it does add significant overhead
> compared to static files that are not mapped to any application.
>
> Thank you, Mike Moore
> Microsoft ASP.NET Developer Support
>
> This posting is provided "AS IS" with no warranties, and confers no
rights.
>

Relevant Pages

  • RE: .pdf security using ASP.NET security...
    ... I am wondering if using the aspnet_isapi.dll to handle PDF files security ... IIS has a list of Application Mappings which dictate whether a particular ... entries that tell aspnet_isapi.dll what to do with various file types. ... Files that do have app mappings require all the same steps, ...
    (microsoft.public.dotnet.framework.aspnet.security)
  • Re: impact of mapping .??? to ASP.NET ISAPI???
    ... security issue, either from ASP.NET or IIS (this is something that my ISP ... > entries that tell aspnet_isapi.dll what to do with various file types. ... > process the request. ...
    (microsoft.public.dotnet.framework.aspnet.security)
  • Re: impact of mapping .??? to ASP.NET ISAPI???
    ... I am wondering if using the aspnet_isapi.dll to handle PDF files security ... IIS has a list of Application Mappings which dictate whether a particular ... entries that tell aspnet_isapi.dll what to do with various file types. ... Files that do have app mappings require all the same steps, ...
    (microsoft.public.dotnet.framework.aspnet.security)
  • Re: ISAPI Application Mappings
    ... I have reviewed IIS online docs as well. ... Likely case is to remove mapping. ... Not sure what its purpose is, but it appears to be security prone - namely ... I've never used these extensions when creating ASP and ASP.NET applications. ...
    (microsoft.public.inetserver.iis.security)
  • Re: File Types not protected by Forms Authentication
    ... The reason is that IIS handles the requests for those files, not ASP.NET, ... > We have an ASP.NET web application that uses Forms Authentication and ... > All ASPX, HTML, and other web files are protected by security. ... Are only certain file types protected for Forms ...
    (microsoft.public.dotnet.framework.aspnet.security)