Re: Forms-Based Authentication and NON ASP.NET Assets

From: Geir Aamodt
Date: Mon, 21 Feb 2005 19:08:28 +0100

Alex,

you are correct....

......5 minutes later

I found the following, see snippet below, at
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnnetsec/html/THCMGlance.asp

I have not tested it yet, but it might be possible to add a new verb like:
<add verb="*" path="*.jpeg" type="System.Web.HttpForbiddenHandler" />

As I said, not sure if this will work, might be worth a try.

If it does not work, you're still correct, Alex.

-- 
Best regards,
Geir Aamodt
geir.aamodt(AT)bekk.no
----------------Snippet start----------------
Map Protected Resources to HttpForbiddenHandler
HTTP handlers are located in Machine.config beneath the <httpHandlers> 
element. HTTP handlers are responsible for processing Web requests for 
specific file extensions. Remoting should not be enabled on front-end Web 
servers; enable Remoting only on middle-tier application servers that are 
isolated from the Internet.
The following file extensions are mapped in Machine.config to HTTP
handlers:
  * .aspx is used for ASP.NET pages.
  * .rem and .soap are used for Remoting.
  * .asmx is used for Web Services.
  * .asax, .ascx, .config, .cs, .csproj, .vb, .vbproj, .webinfo, .asp,
    .licx, .resx, and .resources are protected resources and are mapped to
    System.Web.HttpForbiddenHandler.
For .NET Framework resources, if you do not use a file extension, then map 
the extension to System.Web.HttpForbiddenHandler in Machine.config, as shown 
in the following example:
<add verb="*" path="*.vbproj" type="System.Web.HttpForbiddenHandler" />
In this case, the .vbproj file extension is mapped to 
System.Web.HttpForbiddenHandler. If a client requests a path that ends with 
.vbproj, then ASP.NET returns a message that states "This type of page is 
not served."
The following guidelines apply to handling .NET Framework file extensions:
  * Map extensions you do not use to HttpForbiddenHandler. If you do not
    serve ASP.NET pages, then map .aspx to HttpForbiddenHandler. If you do
    not use Web Services, then map .asmx to HttpForbiddenHandler.
  * Disable Remoting on Internet-facing Web servers. Map remoting
    extensions (.soap and .rem) on Internet-facing Web servers to
    HttpForbiddenHandler.
----------------Snippet end----------------
"Alex Maghen" <AlexMaghen@discussions.microsoft.com> wrote in message 
news:CEF1ED71-DA8E-4A9F-B70F-3FA4E537FBBE@microsoft.com...
> I have a feeling you're gonna say no but, is there any way, with ASP.NET
> Forms-Based Authentication, to protect access to NON ASP.NET objects? For
> example, if I have a directory that has .ASPX files AND, say, JPEG files
> (.jpg), it would appear that if the user has the URL to one of the JPEGs,
> he can still come back any time and download it without being sent to the
> Login page. I assume this is because, for a JPEG file, ASP.NET is not
> involved at all in the whole IIS loop.
>
> Right?
>
> Alex
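
Added example (not part of the original thread or of the quoted MSDN snippet): a Web.config that puts JPEG files behind Forms authentication, next to the HttpForbiddenHandler mapping suggested in the post, which would refuse the file to every caller. Assumptions: IIS has been configured to hand .jpg and .jpeg requests for this application to ASP.NET (aspnet_isapi.dll), the protected files live in a hypothetical "members" folder, and the login page is a hypothetical login.aspx.

```xml
<?xml version="1.0"?>
<!-- Added example, not from the thread. Assumes IIS maps .jpg/.jpeg to
     aspnet_isapi.dll for this application; "members" and "login.aspx"
     are hypothetical names. -->
<configuration>
  <system.web>
    <authentication mode="Forms">
      <forms loginUrl="login.aspx" />
    </authentication>
    <!-- The rest of the site stays open to anonymous users. -->
    <authorization>
      <allow users="*" />
    </authorization>
  </system.web>

  <location path="members">
    <system.web>
      <httpHandlers>
        <!-- Serve the images through ASP.NET so the authorization
             rules below are evaluated before the file is sent. -->
        <add verb="GET,HEAD" path="*.jpg" type="System.Web.StaticFileHandler" />
        <add verb="GET,HEAD" path="*.jpeg" type="System.Web.StaticFileHandler" />
        <!-- The mapping from the post would instead refuse the file to
             every caller, logged in or not:
             <add verb="*" path="*.jpeg" type="System.Web.HttpForbiddenHandler" /> -->
      </httpHandlers>
      <authorization>
        <!-- "?" means anonymous: unauthenticated requests are sent to
             the Forms login page instead of receiving the image. -->
        <deny users="?" />
      </authorization>
    </system.web>
  </location>
</configuration>
```

Without the IIS extension mapping, requests for .jpg files never reach ASP.NET and none of these settings apply.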