Re: Protect Non-ASP Files

From: Cy Huckaba (cyh@delete.t-3.com)
Date: 03/28/03


From: "Cy Huckaba" <cyh@delete.t-3.com>
Date: Fri, 28 Mar 2003 11:54:42 -0600


I found this article down the list a bit...it worked for me...

*************original post by Bassel Tabbara [MSFT] **************

By default ASP.NET is configured to intercept and to stop requests for
several different file types that are used in ASP.NET applications. These
file types are ones that must not be retrieved by users. These file types
include .config files that store configuration information for the
application and .cs files that store the source code of the application.
ASP.NET ensures the privacy of these files by associating both file types
with System.Web.HttpForbiddenHandler. System.Web.HttpForbiddenHandler
returns an error to the user who requests the file. This method of
protecting files can be used for any file type. This method is useful for
protecting files that exist in the folder of the Web application and must
never be retrieved by users.

Microsoft Internet Information Services (IIS) 5.0 determines how to handle
requests based on the script mapping for the file name extension of the
request. These script mappings are adjusted by using Internet Services
Manager. For ASP.NET to block file types, you must first configure IIS 5.0
to forward those requests to ASP.NET. To add additional file types to an
ASP.NET application to protect certain file types, follow these steps:

1. On the taskbar click "start", point to "Settings", and then click
"Control Panel".
2. Double-click to open the "Administrative Tools" folder and then
double-click to run "Internet Services Manager".
3. Right-click the virtual server or the virtual folder that contain your
ASP.NET application and then click "Properties".
4. Select the "Home Directory" or the "Directory" tab. If an application
has not been created for the virtual folder, click "Create"
   under "Application Settings".
5. Under "Application Settings", click "Configuration".
6. To identify the location of the Aspnet_isapi.dll file that handles the
ASP.NET requests, select the ".aspx application mapping" and then
click "Edit".
7. The "Add/Edit Application Extension Mapping" dialog box appears. Select
the text in the "Executable" field and then press CTRL+C to copy
the text to your Clipboard.
8. Click "Cancel" to return to the "Application Configuration" dialog box.
9. Now, add application mappings for each extension that you want ASP.NET
to block. To do this, click "Add". Then, in the "Executable"
field, press CTRL+V to paste the path of your Aspnet_isapi.dll file.
10. In the "Verbs" section, select the "All Verbs" option. Verify that the
"Script Engine" check box is selected and that the "Check If File
Exists" check box is not selected.
11. Click "OK".
12. Repeat this procedure for every file name extension that you want to
have processed by ASP.NET.

Configure a File Type That You Want Blocked
-------------------------------------------

To block additional file types for an ASP.NET application, follow these
steps:

1. Open the Web.config file in a text editor such as Notepad. The
Web.config file is located in the root directory of your Web
application.
2. In the Web.config file add the <httpHandlers> configuration element
under the <system.web> element. Note You must not copy the
<httpHandlers> element from the Machine.config file. The reason you must
not copy the <httpHandlers> element is because the <httpHandlers>
element permits you to add additional file types without completely
overriding the Machine.config settings.
3. In the <httpHandlers> element, use <add> sub tags to specify
additional file types that you want blocked.
Set the verb attribute equal to "*". When you do this, you specify that all
types of HTTP requests are blocked. Define the path attribute
as a wildcard character that matches the types of files you want to block.
For example, you may specify "*.mdb". Finally, set the type attribute to
"System.Web.HttpForbiddenHandler". The code sample that follows shows how
to configure the "httpHandlers" section in the Web.config file:

<system.web>
    <httpHandlers>
        <add verb="*" path="*.mdb" type="System.Web.HttpForbiddenHandler" />
        <add verb="*" path="*.csv" type="System.Web.HttpForbiddenHandler" />
        <add verb="*" path="*.private" type="System.Web.HttpForbiddenHandler" />
    </httpHandlers>
</system.web>

4. Save the Web.config file. The ASP.NET application automatically restarts.
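The two procedures above are really two layers: IIS only hands a request to aspnet_isapi.dll if the extension is script-mapped, and only then does the <httpHandlers> list get a say. The following is an added example, written for this page and not code from the thread or from Microsoft, that models both layers offline so you can audit which requests would actually end at System.Web.HttpForbiddenHandler. The sample Web.config and the script-map set are constructed; the third handler entry is deliberately restricted to GET and HEAD (unlike the post's sample) to show why the post insists on verb="*".

```python
import fnmatch
import xml.etree.ElementTree as ET
from dataclasses import dataclass

FORBIDDEN = "System.Web.HttpForbiddenHandler"

# Constructed sample Web.config. The first two entries copy the thread's example;
# the third is deliberately restricted to GET and HEAD to show why verb="*" matters.
SAMPLE_WEB_CONFIG = """<?xml version="1.0"?>
<configuration>
  <system.web>
    <httpHandlers>
      <add verb="*" path="*.mdb" type="System.Web.HttpForbiddenHandler" />
      <add verb="*" path="*.csv" type="System.Web.HttpForbiddenHandler" />
      <add verb="GET,HEAD" path="*.private" type="System.Web.HttpForbiddenHandler" />
    </httpHandlers>
  </system.web>
</configuration>
"""

# Constructed stand-in for the IIS script map after the twelve-step procedure above:
# the extensions IIS forwards to aspnet_isapi.dll.
SAMPLE_SCRIPT_MAP = frozenset({".aspx", ".config", ".cs", ".mdb", ".csv", ".private"})


@dataclass(frozen=True)
class HandlerEntry:
    verbs: frozenset   # lower-cased HTTP verbs, or {"*"} for all verbs
    path: str          # wildcard pattern from the path attribute
    type: str          # handler type name


def parse_http_handlers(xml_text):
    """Read the <add> entries under <system.web>/<httpHandlers>, in document order."""
    root = ET.fromstring(xml_text)
    entries = []
    for add in root.iterfind("./system.web/httpHandlers/add"):
        verbs = frozenset(v.strip().lower() for v in add.get("verb", "*").split(","))
        entries.append(HandlerEntry(verbs, add.get("path", "*"), add.get("type", "")))
    return entries


def iis_forwards_to_aspnet(path, script_map):
    """IIS 5 picks a handler by file-name extension; only script-mapped extensions reach ASP.NET."""
    name = path.rsplit("/", 1)[-1]
    if "." not in name:
        return False
    return ("." + name.rsplit(".", 1)[-1].lower()) in script_map


def aspnet_handler_for(verb, path, entries):
    """First matching <add> entry wins; matching is case-insensitive, as on Windows file systems."""
    name = path.rsplit("/", 1)[-1].lower()
    for e in entries:
        verb_ok = "*" in e.verbs or verb.lower() in e.verbs
        if verb_ok and fnmatch.fnmatchcase(name, e.path.lower()):
            return e.type
    return None


def request_outcome(verb, path, script_map, entries):
    """Classify what a request would get under the two layers together."""
    if not iis_forwards_to_aspnet(path, script_map):
        return "served-by-iis"          # static file: the httpHandlers list is never consulted
    if aspnet_handler_for(verb, path, entries) == FORBIDDEN:
        return "403-forbidden"
    return "falls-through"             # no local match: inherited Machine.config handlers decide


def audit(web_config_xml, script_map, requests):
    """Return {(verb, path): outcome} for a list of constructed requests."""
    entries = parse_http_handlers(web_config_xml)
    return {(v, p): request_outcome(v, p, script_map, entries) for v, p in requests}


if __name__ == "__main__":
    checks = [("GET", "/proceduresdev/data/Secret.MDB"),
              ("GET", "/proceduresdev/export.csv"),
              ("POST", "/proceduresdev/notes.private"),
              ("GET", "/proceduresdev/report.pdf")]
    for req, outcome in audit(SAMPLE_WEB_CONFIG, SAMPLE_SCRIPT_MAP, checks).items():
        print(req, "->", outcome)
```

The "served-by-iis" outcome is the case the first procedure exists to prevent: a Web.config entry for an extension that IIS never forwards to ASP.NET protects nothing, because the static file is served before ASP.NET sees the request. The POST to notes.private shows the other gap: a verb list narrower than "*" lets the unlisted verbs fall through to whatever the inherited Machine.config handlers do.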

Thanks,
Bassel Tabbara
Microsoft, ASP.NET

This posting is provided "AS IS", with no warranties, and confers no rights.

"Matt Rutherford" <matt.l.rutherford@census.gov> wrote in message
news:uArY15J9CHA.1980@TK2MSFTNGP12.phx.gbl...
> I am trying to restrict access to certain non-asp files, based on
> information stored in a sql server database. I have tried setting up
> roles/forms authentication to try and restrict access to these (PDF) files.
> What I am trying to do with this, is load each file the user is able to see
> into a "role". Then check to see which file link they have clicked on, then
> compare to the roles they are allowed to see, and then allow it to be viewed
> if the role exists. I'm sure there are better ways to do what I am trying
> to do (please let me know if there is!!!), but my problem with this method,
> is when the code gets to the line comparing the GetRedirectURL with the
> IsInRole directive, the GetRedirectURL points to the last shown ASPX file,
> not the PDF they clicked on... HELP??
>
> Here is my web.config entries
> <authentication mode="Forms">
>   <forms name=".PROCAUTH"
>          loginUrl="http://localhost/proceduresdev/login.aspx"
>          timeout="30">
>   </forms>
> </authentication>
>
> Here is my Application_AuthenticateRequest entries:
> ' Runs for every request that reaches ASP.NET: builds the caller's role list
> ' from the database, then refuses requests whose URL is not in that list.
> If Request.IsAuthenticated = True Then
>     Dim authName As String = User.Identity.Name
>     Dim cn As SqlConnection = New SqlConnection(ConfigurationSettings.AppSettings("cnString"))
>     Dim cm As SqlCommand = New SqlCommand("spSELAllowedProc", cn)
>     Dim dr As SqlDataReader
>     ' Start with an empty array so an empty result set still yields a valid role list,
>     ' and index from 0 so ReDim Preserve leaves no unassigned (Nothing) slots.
>     Dim arrRoles() As String = New String() {}
>     Dim i As Integer = 0
>     FormsAuthentication.Initialize()
>     cn.Open()
>     cm.CommandType = CommandType.StoredProcedure
>     cm.Parameters.Add("@prmUserName", authName)
>     dr = cm.ExecuteReader()
>     Do While dr.Read()
>         ReDim Preserve arrRoles(i)   ' upper bound i gives i + 1 elements
>         arrRoles(i) = "http://localhost/proceduresdev/" & dr("FileLocation")
>         i += 1
>     Loop
>     dr.Close()
>     cn.Close()
>     Dim objIdentity As GenericIdentity = New GenericIdentity(authName)
>     Context.User = New GenericPrincipal(objIdentity, arrRoles)
>     ' The comparison discussed above: GetRedirectUrl returns the forms-login
>     ' return URL (the page last shown), not the file the user clicked on.
>     If Not User.IsInRole(FormsAuthentication.GetRedirectUrl(User.Identity.Name, False)) Then
>         Response.Redirect("unauth.aspx")
>     End If
> End If
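Matt's check compares the role list against the forms-login return URL, which names the page the user came from rather than the PDF being fetched. The following is an added example, mine rather than Matt's code or anything from the thread, that models the same per-user allow-list in Python and keys the decision off the requested path instead, canonicalised so that letter case, backslashes and encoded dot segments cannot produce a path that differs from the stored FileLocation only in spelling. The user-to-file rows stand in for the spSELAllowedProc result set and are constructed; the /proceduresdev/ root is taken from the post.

```python
import posixpath
from urllib.parse import unquote

APP_ROOT = "/proceduresdev/"   # virtual directory from the post

# Constructed stand-in for the rows spSELAllowedProc returns: user name -> FileLocation values.
ALLOWED_ROWS = {
    "alice": ["docs/proc1.pdf", "docs/proc2.pdf"],
    "bob": ["docs/proc2.pdf"],
}


def allowed_paths_for(user):
    """Build the allow-list the way arrRoles is built above, as lower-cased app-relative paths."""
    return {posixpath.join(APP_ROOT, loc).lower() for loc in ALLOWED_ROWS.get(user, [])}


def canonical_request_path(raw_path):
    """Decode once, unify separators, collapse dot segments and lower-case before comparing.

    Comparing the raw string would let /ProceduresDev/Docs/PROC1.PDF or
    /proceduresdev/other/../docs/proc1.pdf slip past an exact-match allow-list
    even though Windows serves the same file for all of them.
    """
    decoded = unquote(raw_path).replace("\\", "/")
    return posixpath.normpath(decoded).lower()


def is_authorized(user, raw_request_path):
    """Authorise the file actually being requested, not the forms-login return URL."""
    return canonical_request_path(raw_request_path) in allowed_paths_for(user)


def check_by_return_url(user, return_url):
    """The comparison as posted: the return URL is the page that carried the link,
    so it is never one of the PDF locations and the check refuses every request."""
    return return_url.lower() in allowed_paths_for(user)


if __name__ == "__main__":
    for user, path in [("alice", "/proceduresdev/docs/proc1.pdf"),
                       ("bob", "/proceduresdev/docs/proc1.pdf"),
                       ("alice", "/proceduresdev/docs/%2e%2e/%2e%2e/secret/proc1.pdf")]:
        print(user, path, "->", is_authorized(user, path))
    print("by return URL:", check_by_return_url("alice", "/proceduresdev/default.aspx"))
```

None of this runs unless the request reaches ASP.NET at all: for .pdf files that means the extension must first be script-mapped to Aspnet_isapi.dll exactly as Bassel's twelve steps describe, otherwise IIS serves the PDF itself and Application_AuthenticateRequest never fires.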


