Re: Securing Non ASP.Net Files
From: Mike Moore [MSFT] (michmo@online.microsoft.com)
Date: 03/18/03
- Next message: Javier Miranda: "Re: ASPNET Account, Impersonation, SQL Server problem"
- Previous message: Javier Miranda: "Re: Authenticating users in an n-Tier/layer architecture"
- In reply to: Jerry Weindel: "Re: Securing Non ASP.Net Files"
- Next in thread: Joe Reazor: "Re: Securing Non ASP.Net Files"
- Reply: Joe Reazor: "Re: Securing Non ASP.Net Files"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
From: michmo@online.microsoft.com ("Mike Moore [MSFT]") Date: Tue, 18 Mar 2003 20:02:05 GMT
Hi,
You are correct. Mapping "asp" to the .NET ISAPI filter does require that
the ASP code inside the pages is already compatible with .NET. Therefore,
you cannot directly apply the .NET Framework security settings directly to
ASP pages that must be processed by asp.dll.
Both ASP and ASPX have access to cookies and the query string. They also
both have access to resources on the server such as databases. So, you
could have the ASPX page put something in the cookie or query string that
the ASP pages could later use for authentication and authorization.
For example, you could have your ASPX authentication store something in a
database that indicates someone's authentication as determined by ASPX &
add a cookie with the key value to find that entry in the database. The ASP
pages would then use the cookie to look up that value in the database.
I realize that this isn't the preferred answer, but ASP and ASPX pages run
in separate processes. So, they cannot work with each other directly.
Thank you, Mike Moore
Microsoft, ASP.NET
This posting is provided "AS IS", with no warranties, and confers no rights.
--------------------
>From: "Jerry Weindel" <weindelj@ix.netcom.com>
>References: <e5lHxaB6CHA.1784@TK2MSFTNGP10.phx.gbl>
<k7y4FTE6CHA.2768@cpmsftngxa06> <uT0LeSM6CHA.2308@TK2MSFTNGP11.phx.gbl>
<uFiTnMO6CHA.1540@TK2MSFTNGP09.phx.gbl>
<#2ciQzZ6CHA.972@TK2MSFTNGP12.phx.gbl>
<#Isn8Da6CHA.3116@TK2MSFTNGP11.phx.gbl>
<OWeIhxi6CHA.2400@TK2MSFTNGP11.phx.gbl>
<r1FvPPp6CHA.2436@cpmsftngxa08.phx.gbl> <TlK7cgp6CHA.2768@cpmsftngxa06>
>Subject: Re: Securing Non ASP.Net Files
>Date: Mon, 17 Mar 2003 20:52:16 -0500
>Lines: 544
>X-Priority: 3
>X-MSMail-Priority: Normal
>X-Newsreader: Microsoft Outlook Express 6.00.2800.1106
>X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1106
>Message-ID: <ujp#BDP7CHA.800@TK2MSFTNGP10.phx.gbl>
>Newsgroups: microsoft.public.dotnet.framework.aspnet.security
>NNTP-Posting-Host: 65.202.139.50
>Path:
cpmsftngxa08.phx.gbl!cpmsftngxa06!TK2MSFTNGP08.phx.gbl!TK2MSFTNGP10.phx.gbl
>Xref: cpmsftngxa08.phx.gbl
microsoft.public.dotnet.framework.aspnet.security:4426
>X-Tomcat-NG: microsoft.public.dotnet.framework.aspnet.security
>
>I've been reading this thread with much interest because I am trying to do
>the same thing. The problem with the proposed solution is that once you
tell
>the aspnet_isapi.dll to handle(protect) .asp files, the aspnet_isapi.dll
>becomes the ISAPI extension that processes the script instead of the
>asp.dll. Since the aspnet_isapi.dll processes much differently than the
>asp.dll (i.e. parses the script using aspx syntax) the execution fails.
>
>The steps outlined in the HOW TO: seem geared to resolve a problem with
>existing links pointing to .asp pages -- but these pages still must already
>be converted to aspx syntax to execute properly. My question is (and I
think
>Joe's as well) is how do you protect .asp pages that have not been
converted
>to aspx yet? That is, the script code is still clasic ASP code, not asp.net
>code.
>
>Try protecting an ASP page that simply has the following code:
>
><%
> Response.write "hello world"
>%>
>
>
>
>
>""Mike Moore [MSFT]"" <michmo@online.microsoft.com> wrote in message
>news:TlK7cgp6CHA.2768@cpmsftngxa06...
>> Hi Joe,
>>
>> I found another article that addresses your question:
>> 815152 HOW TO: Use ASP.NET to Protect File Types
>> http://support.microsoft.com/?id=815152
>>
>> Thank you, Mike Moore
>> Microsoft, ASP.NET
>>
>> This posting is provided "AS IS", with no warranties, and confers no
>rights.
>>
>> --------------------
>> >X-Tomcat-ID: 38130389
>> >References: <e5lHxaB6CHA.1784@TK2MSFTNGP10.phx.gbl>
>> <k7y4FTE6CHA.2768@cpmsftngxa06> <uT0LeSM6CHA.2308@TK2MSFTNGP11.phx.gbl>
>> <uFiTnMO6CHA.1540@TK2MSFTNGP09.phx.gbl>
>> <#2ciQzZ6CHA.972@TK2MSFTNGP12.phx.gbl>
>> <#Isn8Da6CHA.3116@TK2MSFTNGP11.phx.gbl>
>> <OWeIhxi6CHA.2400@TK2MSFTNGP11.phx.gbl>
>> >MIME-Version: 1.0
>> >Content-Type: text/plain
>> >Content-Transfer-Encoding: 7bit
>> >From: michmo@online.microsoft.com ("Mike Moore [MSFT]")
>> >Organization: Microsoft
>> >Date: Sat, 15 Mar 2003 01:40:00 GMT
>> >Subject: Re: Securing Non ASP.Net Files
>> >X-Tomcat-NG: microsoft.public.dotnet.framework.aspnet.security
>> >Message-ID: <r1FvPPp6CHA.2436@cpmsftngxa08.phx.gbl>
>> >Newsgroups: microsoft.public.dotnet.framework.aspnet.security
>> >Lines: 391
>> >NNTP-Posting-Host: TOMCATIMPORT2 10.201.218.182
>> >Path: cpmsftngxa06!cpmsftngxa08.phx.gbl
>> >Xref: cpmsftngxa06
microsoft.public.dotnet.framework.aspnet.security:4377
>> >
>> >Hi Joe,
>> >
>> >1) Using .NET security to govern access to ASP pages
>> >815172 HOW TO: Migrate an ASP Web Application to ASP.NET While Retaining
>> >Existing File Name Extensions
>> >http://support.microsoft.com/?id=815172
>> >
>> >Once you have done the above, then you can configure authorization for
>the
>> >ASP files via the web.config file.
>> >
>> >2) How to use Forms authentication so that you don't need to create a
>> >Windows account for each visitor:
>> >
>> >308157 HOW TO: Implement Forms-Based Authentication in Your ASP.NET
>> >Application
>> >http://support.microsoft.com/?id=308157
>> >
>> >306238 HOW TO: Implement Role-Based Security with Forms-Based
>> Authentication
>> >http://support.microsoft.com/?id=306238
>> >
>> >Thank you, Mike Moore
>> >Microsoft, ASP.NET
>> >
>> >This posting is provided "AS IS", with no warranties, and confers no
>> rights.
>> >
>> >--------------------
>> >>From: "Joe Reazor" <joenospam@belgor.com>
>> >>References: <e5lHxaB6CHA.1784@TK2MSFTNGP10.phx.gbl>
>> ><k7y4FTE6CHA.2768@cpmsftngxa06> <uT0LeSM6CHA.2308@TK2MSFTNGP11.phx.gbl>
>> ><uFiTnMO6CHA.1540@TK2MSFTNGP09.phx.gbl>
>> ><#2ciQzZ6CHA.972@TK2MSFTNGP12.phx.gbl>
>> ><#Isn8Da6CHA.3116@TK2MSFTNGP11.phx.gbl>
>> >>Subject: Re: Securing Non ASP.Net Files
>> >>Date: Fri, 14 Mar 2003 08:15:32 -0500
>> >>Lines: 357
>> >>X-Priority: 3
>> >>X-MSMail-Priority: Normal
>> >>X-Newsreader: Microsoft Outlook Express 6.00.2800.1106
>> >>X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1106
>> >>Message-ID: <OWeIhxi6CHA.2400@TK2MSFTNGP11.phx.gbl>
>> >>Newsgroups: microsoft.public.dotnet.framework.aspnet.security
>> >>NNTP-Posting-Host: smtp.gorbel.com 216.42.134.6
>> >>Path: cpmsftngxa06!TK2MSFTNGP08.phx.gbl!TK2MSFTNGP11.phx.gbl
>> >>Xref: cpmsftngxa06
>microsoft.public.dotnet.framework.aspnet.security:4360
>> >>X-Tomcat-NG: microsoft.public.dotnet.framework.aspnet.security
>> >>
>> >>I guess I have not clearly stated what I am doing. I have a site that
>was
>> >>all ASP pages that was secured (meaning password protected allowing
only
>> >>authrorized users access) using MS's Site Server Personalization and
>> >>Membership functionality. Site Server P&M does not work with .Net Now
>I
>> >>want to change my entire site to be ASPX pages, but I still need to do
2
>> >>things, 1) keep the site secure for certain users and 2) know who the
>user
>> >>is that is making the request so that I can write a custom object (in
>> Net)
>> >>that will look up information about them (their name, company info,
>etc).
>> >>So I did some research and found that using Web.Config you can easily
>> >>control access to given web apps (folders, urls, whatever you want to
>call
>> >>them). I did further research and found that you can set-up IIS to
>force
>> >>all files in a web app to be handled by the ASP.Net isapi dll so that
>they
>> >>too are controlled by the same security. This has worked fine for
>.aspx,
>> >>.html, .pdf, images, etc, but for .asp pages I get an error saying that
>> >>their access has been restricted, even though I didn't do anything to
>> >>restrict them, so obviously it has something to do with the asp.net dll
>> >>processing them before the asp dll does. So, I was wondering if there
>is
>> a
>> >>better way to do all of this or not. I understand everything you have
>> >>stated in your post below, but it is not what I am trying to do. One
>last
>> >>thing, I want to use a forms login if possible and don't want to have
to
>> >>create a windows account for every user of the site if I don't have to,
>> but
>> >>I'm open to all suggestions that will make this as easy as possible.
>> >>
>> >>
>> >>==============
>> >>Joe Reazor
>> >>Gorbel Inc.
>> >>email: joereaATgorbelDOTcom
>> >>"Joseph Geretz" <jgeretz@nospam.com> wrote in message
>> >>news:#Isn8Da6CHA.3116@TK2MSFTNGP11.phx.gbl...
>> >>> I'm still confused, but maybe it's just me. please bear with me.
>> >>>
>> >>> For both ASP and ASPX pages there are two activities which you might
>> wish
>> >>to
>> >>> deny. (Well more than just two, but let's just deal with two for
now.)
>> >>>
>> >>> 1. Script Download (script source is viewable in the browser).
>> >>>
>> >>> 2. Script Execution (on the server, script output (not source) is
>> >returned
>> >>> to the browser).
>> >>>
>> >>> From what I understand, you'd like to disallow #1, but still allow
#2?
>> >>>
>> >>> In order to ensure that scripts may not be downloaded, there's really
>> >>> nothing you need to do, above and beyond the way IIS will natively
>treat
>> >>ASP
>> >>> and ASPX files. Natively, IIS will execute both of these files on the
>> >>server
>> >>> via their related ISAPI filters.
>> >>>
>> >>> You indicated that after changing some settings to explicitly forbid
>ASP
>> >>> access, the scripts are being downloaded to the client browser. Which
>is
>> >>> (obviously) not what you, or any site administrator, wants to happen.
>If
>> >>you
>> >>> have ASP scripts resident on a site, I am imagining that you want
them
>> to
>> >>> execute on the server upon request. If you don't want these scripts
to
>> >run
>> >>> at all, why not just remove them from the site? Or, you can mark them
>> via
>> >>> IIS to disallow anonymous access.
>> >>>
>> >>> Now back to your original question. You indicate that you'd like to
>> >secure
>> >>a
>> >>> particular site. You can do this through IIS itself. In which case,
>all
>> >>> resources accessed via a particular virtual directory would be
secured
>> >>> without regard to the type of file. It sounds to me like you have an
>> >>interim
>> >>> situation here, while you are converting an ASP application to ASPX?
>Why
>> >>not
>> >>> use IIS security facilities? Since IIS is the common denominator here
>it
>> >>> will secure all your resources regardless of whther they are ASP,
>ASPX,
>> >>> GIF's, etc.
>> >>>
>> >>> (Understand also, that the original technique you attempted, which is
>to
>> >>use
>> >>> .NET to block access to various file types is not appropriate if you
>> want
>> >>to
>> >>> protect a file from download, but still want to allow it to execute
on
>> >the
>> >>> server in response to a user request.)
>> >>>
>> >>> Hope this helps. Please clarify, if I've misunderstood your
situation.
>> >>>
>> >>> Thanks,
>> >>>
>> >>> Joseph Geretz
>> >>>
>> >>> "Joe Reazor" <joenospam@belgor.com> wrote in message
>> >>> news:#2ciQzZ6CHA.972@TK2MSFTNGP12.phx.gbl...
>> >>> > No, that's not what I want. I need to secure ALL files in a given
>> >>> directory
>> >>> > regardless of their extension. So while I am in the process of
>> >>converting
>> >>> > asp pages to aspx pages I need something that is going to limit the
>> >>access
>> >>> > to both. I figured using .net security would work. Does anybody
>have
>> >>an
>> >>> > answer to my original question? I can't imagine I'm the first
>person
>> >>> trying
>> >>> > to do this.
>> >>> >
>> >>> >
>> >>> > ==============
>> >>> > Joe Reazor
>> >>> > Gorbel Inc.
>> >>> > email: joereaATgorbelDOTcom
>> >>> >
>> >>> >
>> >>> > "Joseph Geretz" <jgeretz@nospam.com> wrote in message
>> >>> > news:uFiTnMO6CHA.1540@TK2MSFTNGP09.phx.gbl...
>> >>> > > Hi Joe,
>> >>> > >
>> >>> > > Why have you 'protected' .asp pages? .asp pages and .aspx pages
>are
>> >>> simply
>> >>> > > handled by two different ISAPI filters (or is it an extension?
>> >>> > whatever...).
>> >>> > > You don't need to do anything to protect ASP scripts even if
>they're
>> >>> > > co-mingled with ASPX scripts. IIS won't serve the .asp scripts up
>in
>> >>any
>> >>> > > case. Rather, the .asp script will be passed off to the ASP ISAPI
>> >>which
>> >>> > will
>> >>> > > process the script and return the *resulting output* to the
>client.
>> >>> > >
>> >>> > > Isn't that what you want?
>> >>> > >
>> >>> > > - Joe Geretz -
>> >>> > >
>> >>> > > "Joe Reazor" <joenospam@belgor.com> wrote in message
>> >>> > > news:uT0LeSM6CHA.2308@TK2MSFTNGP11.phx.gbl...
>> >>> > > > Thanks for the response. I think I have this much set-up. The
>> >>> problem
>> >>> > I
>> >>> > > am
>> >>> > > > having now is that the *.asp pages that I have protected are
not
>> >>> getting
>> >>> > > > served up. It's indicating that they are explicitly forbidden,
>> and
>> >>> I'm
>> >>> > > not
>> >>> > > > sure why. Is there a way to allow them through the ASP.Net
>isapi
>> >>dll
>> >>> > and
>> >>> > > if
>> >>> > > > so will they then automatically be processed by the normal asp
>> dll?
>> >>> > > >
>> >>> > > > Thanks.
>> >>> > > >
>> >>> > > > ==============
>> >>> > > > Joe Reazor
>> >>> > > > Gorbel Inc.
>> >>> > > > email: joereaATgorbelDOTcom
>> >>> > > >
>> >>> > > >
>> >>> > > > "Bassel Tabbara [MSFT]" <basselt@online.microsoft.com> wrote in
>> >>> message
>> >>> > > > news:k7y4FTE6CHA.2768@cpmsftngxa06...
>> >>> > > > > Hello Joe,
>> >>> > > > > By default ASP.NET is configured to intercept and to stop
>> >>> requests
>> >>> > > for
>> >>> > > > > several different
>> >>> > > > > file types that are used in ASP.NET applications. These file
>> >types
>> >>> are
>> >>> > > > ones
>> >>> > > > > that must not be retrieved by users. These file types include
>> >>> .config
>> >>> > > > files
>> >>> > > > > that store configuration information for the application and
>.cs
>> >>> files
>> >>> > > > that
>> >>> > > > > store the source code of the application. ASP.NET ensures the
>> >>> privacy
>> >>> > of
>> >>> > > > > these
>> >>> > > > > files by associating both file types with
>> >>> > > System.Web.HttpForbiddenHandler.
>> >>> > > > > System.Web.HttpForbiddenHandler returns an error to the user
>who
>> >>> > > requests
>> >>> > > > > the
>> >>> > > > > file. This method of protecting files can be used for any
file
>> >>type.
>> >>> > > This
>> >>> > > > > method is useful for protecting files that exist in the
folder
>> of
>> >>> the
>> >>> > > Web
>> >>> > > > > application and must never be retrieved by users.
>> >>> > > > >
>> >>> > > > > Microsoft Internet Information Services (IIS) 5.0 determines
>how
>> >>> > > > > to handle requests based on the script mapping for the file
>name
>> >>> > > extension
>> >>> > > > > of
>> >>> > > > > the request. These script mappings are adjusted by using
>> Internet
>> >>> > > Services
>> >>> > > > > Manager. For ASP.NET to block file types, you must first
>> >configure
>> >>> IIS
>> >>> > > 5.0
>> >>> > > > > to
>> >>> > > > > forward those requests to ASP.NET. To add additional file
>types
>> >to
>> >>> an
>> >>> > > > > ASP.NET application to protect certain
>> >>> > > > > file types, follow these steps:
>> >>> > > > >
>> >>> > > > > 1. On the taskbar click "start", point to "Settings", and
then
>> >>click
>> >>> > > > > "Control Panel".
>> >>> > > > > 2. Double-click to open the "Administrative Tools" folder and
>> >then
>> >>> > > > > double-click to run " Internet Services Manager".
>> >>> > > > > 3. Right-click the virtual server or the virtual folder that
>> >>contain
>> >>> > > your
>> >>> > > > > ASP.NET application and then click "Properties".
>> >>> > > > > 4. Select the "Home Directory" or the "Directory" tab. If an
>> >>> > application
>> >>> > > > > has not been created for the virtual folder, click "Create"
>> >>> > > > > under "Application Settings".
>> >>> > > > > 5. Under "Application Settings", click "Configuration".
>> >>> > > > > 6. To identify the location of the Aspnet_isapi.dll file that
>> >>> handles
>> >>> > > the
>> >>> > > > > ASP.NET requests, select the ".aspx application mapping" and
>> then
>> >>> > > > > click "Edit".
>> >>> > > > > 7. The "Add/Edit Application Extension Mapping" dialog box
>> >>appears.
>> >>> > > Select
>> >>> > > > > the text in the "Executable" field and then press CTRL+C to
>copy
>> >>> > > > > the text to your Clipboard.
>> >>> > > > > 8. Click "Cancel" to return to the "Application Configuration
>> >>> "dialog
>> >>> > > box.
>> >>> > > > > 9. Now, add application mappings for each extension that you
>> want
>> >>> > > ASP.NET
>> >>> > > > > to block. To do this, click "Add". Then, in the "Executable"
>> >>> > > > > field, press CTRL+V to paste the path of your
Aspnet_isapi.dll
>> >>file.
>> >>> > > > > 10. In the "Verbs" section, select the "All Verbs" option.
>> Verify
>> >>> that
>> >>> > > the
>> >>> > > > > "Script Engine" check box is selected and that the "Check If
>> File
>> >>> > > > > Exists" check box is not selected.
>> >>> > > > > 11. Click "OK".
>> >>> > > > > 12. Repeat this procedure for every file name extension that
>you
>> >>> want
>> >>> > to
>> >>> > > > > have processed by ASP.NET.
>> >>> > > > >
>> >>> > > > > Configure a File Type That You Want Blocked
>> >>> > > > > -------------------------------------------
>> >>> > > > >
>> >>> > > > > To block additional file types for an ASP.NET application,
>> follow
>> >>> > these
>> >>> > > > > steps:
>> >>> > > > >
>> >>> > > > > 1. Open the Web.config file in a text editor such as Notepad.
>> The
>> >>> > > > > Web.config file is located in the root directory of your Web
>> >>> > > > > application.
>> >>> > > > > 2. In the Web.config file add the <httpHandlers>
configuration
>> >>> element
>> >>> > > > > under the <system.web> element. Note You must not copy the
>> >>> > > > > <httpHandlers> element from the Machine.config file. The
>reason
>> >>you
>> >>> > must
>> >>> > > > > not copy the <httpHandlers> element is because the
>> <httpHandlers>
>> >>> > > > > element permits you to add additional file types without
>> >>completely
>> >>> > > > > overriding the Machine.config settings.
>> >>> > > > > 3. In the <httpHandlers> element, use <<add>> sub tags to
>> specify
>> >>> > > > > additional file types that you want blocked.
>> >>> > > > > Set the verb attribute equal to ?*?. When you do this, you
>> >specify
>> >>> > that
>> >>> > > > all
>> >>> > > > > types of HTTP requests are blocked. Define the path attribute
>> >>> > > > > as a wildcard character that matches the types of files you
>want
>> >>to
>> >>> > > block.
>> >>> > > > > For example, you may specify <?*.mdb?>. Finally, set the type
>> >>> attribut
>> >>> > e
>> >>> > > to
>> >>> > > > > <?System.Web.HttpForbiddenHandler">. The code sample that
>> follows
>> >>> > shows
>> >>> > > > how
>> >>> > > > > to configure the "httpHandlers" section in the Web.config
>file:
>> >>> > > > >
>> >>> > > > > <system.web>
>> >>> > > > > <httpHandlers>
>> >>> > > > > <add verb="*" path="*.mdb"
>> >>> > > type="System.Web.HttpForbiddenHandler"
>> >>> > > > > />
>> >>> > > > > <add verb="*" path="*.csv"
>> >>> > > type="System.Web.HttpForbiddenHandler"
>> >>> > > > > />
>> >>> > > > > <add verb="*" path="*.private"
>> >>> > > > > type="System.Web.HttpForbiddenHandler" />
>> >>> > > > > </httpHandlers>
>> >>> > > > > </system.web>
>> >>> > > > >
>> >>> > > > > 4. Save the Web.config file. The ASP.NET application
>> >automatically
>> >>> > > > restarts.
>> >>> > > > >
>> >>> > > > >
>> >>> > > > > Thanks,
>> >>> > > > > Bassel Tabbara
>> >>> > > > > Microsoft, ASP.NET
>> >>> > > > >
>> >>> > > > > This posting is provided "AS IS", with no warranties, and
>> confers
>> >>no
>> >>> > > > rights.
>> >>> > > > >
>> >>> > > > >
>> >>> > > > > --------------------
>> >>> > > > > | From: "Joe Reazor" <joenospam@belgor.com>
>> >>> > > > > | Subject: Securing Non ASP.Net Files
>> >>> > > > > | Date: Tue, 11 Mar 2003 16:35:11 -0500
>> >>> > > > > | Lines: 14
>> >>> > > > > | X-Priority: 3
>> >>> > > > > | X-MSMail-Priority: Normal
>> >>> > > > > | X-Newsreader: Microsoft Outlook Express 6.00.2800.1106
>> >>> > > > > | X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1106
>> >>> > > > > | Message-ID: <e5lHxaB6CHA.1784@TK2MSFTNGP10.phx.gbl>
>> >>> > > > > | Newsgroups:
>microsoft.public.dotnet.framework.aspnet.security
>> >>> > > > > | NNTP-Posting-Host: smtp.gorbel.com 216.42.134.6
>> >>> > > > > | Path:
cpmsftngxa06!TK2MSFTNGP08.phx.gbl!TK2MSFTNGP10.phx.gbl
>> >>> > > > > | Xref: cpmsftngxa06
>> >>> > > > microsoft.public.dotnet.framework.aspnet.security:4295
>> >>> > > > > | X-Tomcat-NG:
>microsoft.public.dotnet.framework.aspnet.security
>> >>> > > > > |
>> >>> > > > > | I am trying to use .Net, specifically the Web.Config file,
>to
>> >>> secure
>> >>> > a
>> >>> > > > > | website that contains ASP.Net pages, ASP pages, HTML pages,
>> >>> images,
>> >>> > > > PDFs,
>> >>> > > > > | etc. By default Web.Config only secures ASP.Net resources
I
>> >>> > believe.
>> >>> > > > Is
>> >>> > > > > | there a way to automatically have it secure all other
>> resources
>> >>> > > > available
>> >>> > > > > at
>> >>> > > > > | that website?
>> >>> > > > > |
>> >>> > > > > | TIA
>> >>> > > > > |
>> >>> > > > > | ==============
>> >>> > > > > | Joe Reazor
>> >>> > > > > | Gorbel Inc.
>> >>> > > > > | email: joereaATgorbelDOTcom
>> >>> > > > > |
>> >>> > > > > |
>> >>> > > > > |
>> >>> > > > >
>> >>> > > >
>> >>> > > >
>> >>> > >
>> >>> > >
>> >>> >
>> >>> >
>> >>>
>> >>>
>> >>
>> >>
>> >>
>> >
>> >
>>
>
>
>
- Next message: Javier Miranda: "Re: ASPNET Account, Impersonation, SQL Server problem"
- Previous message: Javier Miranda: "Re: Authenticating users in an n-Tier/layer architecture"
- In reply to: Jerry Weindel: "Re: Securing Non ASP.Net Files"
- Next in thread: Joe Reazor: "Re: Securing Non ASP.Net Files"
- Reply: Joe Reazor: "Re: Securing Non ASP.Net Files"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
