Re: Custom Forms role-based security and HttpModules

From: Larry Lau (larry_the_great@yahoo.com)
Date: 03/31/03 

From: larry_the_great@yahoo.com (Larry Lau)
Date: 31 Mar 2003 01:39:03 -0800

I think u can't have different security mechanism in subdirectory
other than the one u use in the root directory. global.asax is used
for the whole application domain, i.e. the directroy.

If you really need another mechanism, is it possible turn ur
subdirectory as a root directory?

say u have
default web site
|_virtual 1
   |_subdir,

then turn it to
default web site
|_virtual 1
|_virtual 2

For the http module, the following may help:
http://msdn.microsoft.com/library/en-us/dnnetsec/html/SecNetAP04.asp?frame=true

"Sangi" <sangi@msn.com> wrote in message news:<Xwrga.51905$7y3.1634770@twister1.libero.it>...
> Hi all,
> I've seen quite a few examples that handle the Application's
> AuthorizeRequest event in the global.asax file to implement a Forms
> role-based security. While this surely works fine, I can't use this
> approach, for two reasons:
> 1) I dont' want to implement this for all the site, but only for part of it,
> and use another security mechanism for the rest of the site. Let's say that
> I want to use my own custom Forms role-based security for a sub-directory,
> and the standard Windows or Forms security for the rest.
> 2) The second reason is that I'm plugging my own sub-site into another
> existent site, and I dont' have access to the site's global.asax/asax.vb
> file, so I can't handle the AuthorizeRequest there.
>
> So my question is: would it work if I handled the AuthorizeRequest from a
> custom HttpModule? Could I install it only for a folder, by registering it
> into that sub-folder's web.config, and continue to use the default security
> in the rest of the site, where my module is not registered?
>
> Also, say that the site already has a custom security implementation in its
> Global.asax file, would my module override it for the folder where it has
> been registered, or would the Global.asax implementation come last, and thus
> override what I do in my module, and for the entire site? I'm not sure how
> the ASP.NET pipeline works in detail. I've read all the articles on MSDN
> Magazine and many others, but couldn't find answers for all these questions.
> Can anyone give a hint? Thanks a lot!
> -- Sangi

Relevant Pages

  • [NT] Enceladus Server Directory Traversal Vulnerability
    ... Beyond Security would like to welcome Tiscali World Online ... * Enceladus Server Suite version 2.6.1 ... attackers to traverse up the root directory and view/download files on the ... In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages. ...
    (Securiteam)
  • Clarification on a Security Issue
    ... The first way to implement security is: ... The problem is that if I try to apply the css file ... even if I move the css file to the root directory of the web application, ...
    (microsoft.public.dotnet.framework.aspnet)
  • .SeCuRiTy. files in root directory
    ... 85 files starting with .SeCuRiTy. ... have shone up in the root directory ... of one of my AIX boxes. ...
    (comp.unix.aix)
  • Re: DNS zone for Domain on Server in another Domain.
    ... > The DC's and most workstations in DOM1 have trouble dynamically ... > their IP addresses(I suspect it is a security issue - may be due to ... > inadequate settings.) ...
    (microsoft.public.windows.server.dns)
  • RE: hoping this is easy - passwords
    ... reports being automatically created with the correct user information. ... Access have it's own security mechanism called workgroup ... With the help of mdw files, ... you may make your own security mechanism. ...
    (microsoft.public.access.forms)