Re: File Types not protected by Forms Authentication

From: Brock Allen (ballen_at_NOSPAMdevelop.com)
Date: 06/17/05


Date: Fri, 17 Jun 2005 09:23:15 -0700

The reason is that IIS handles the requests for those files, not ASP.NET,
and IIS knows nothing about your intent from web.config. You'd have to route
that file extension through the aspnet_isapi.dll in IIS to have ASP.NET serve
it up.

-Brock
DevelopMentor
http://staff.develop.com/ballen

> Howdy All,
>
> We have an ASP.NET web application that uses Forms Authentication and
> has worked without problems for some time.
>
> However, we recently added a Shockwave SWF file to the mix for flash
> and interactivity.
>
> All ASPX, HTML, and other web files are protected by security. If you
> are not properly authenticated but try to access an ASPX or HTML file,
> you will be redirected to the Login page.
>
> However, if you try to access the SWF file directly, it allows you to
> view the animation without ever authenticating the user.
>
> Why is this? Are only certain file types protected for Forms
> Authentication? How can you add to that list of file types? Is it a
> MIME type or file extension we should be securing through IIS in some
> way?
>
> We even tried adding the following to the web.config file:
>
> <location path="OurAnimation.swf">
>   <system.web>
>     <authorization>
>       <deny users="?" />
>     </authorization>
>   </system.web>
> </location>
> such that it should explicitly deny all anonymous, or unauthenticated
> users. But still, this did not work, and direct access to the file is
> allowed by anyone.
>
> Can anyone shed some light on this issue?
>
> Thank you in advance for whatever help you can provide.
>
> Matthew Roberts
> SOURCECORP
> Framework Architect
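
An added example, not part of the original thread and not code from IIS or ASP.NET: a small audit that lists `<location>` deny rules in a web.config whose file extension is not routed to aspnet_isapi.dll, which is the situation the reply describes. The function names, the sample web.config and the sample script-map entries (written as `extension,executable,flags,verbs`) are constructed for illustration.

```python
import os
import xml.etree.ElementTree as ET

# Constructed sample: the poster's <location> rule plus one for an .aspx page.
WEB_CONFIG = """<configuration>
  <location path="OurAnimation.swf">
    <system.web><authorization><deny users="?" /></authorization></system.web>
  </location>
  <location path="Reports/Summary.aspx">
    <system.web><authorization><deny users="?" /></authorization></system.web>
  </location>
</configuration>"""

# Constructed sample of IIS script-map entries: "extension,executable,flags,verbs".
SCRIPT_MAPS = [
    r".aspx,C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\aspnet_isapi.dll,1,GET,HEAD,POST,DEBUG",
    r".asp,C:\WINDOWS\system32\inetsrv\asp.dll,5,GET,HEAD,POST,TRACE",
]

def aspnet_extensions(script_maps):
    """Return the lower-cased extensions that IIS hands to aspnet_isapi.dll."""
    mapped = set()
    for entry in script_maps:
        parts = entry.split(",")
        if len(parts) < 2:
            continue  # malformed entry, ignore it
        ext, exe = parts[0].strip().lower(), parts[1].strip().lower()
        if exe.replace("/", "\\").rsplit("\\", 1)[-1] == "aspnet_isapi.dll":
            mapped.add(ext)
    return mapped

def unenforced_rules(web_config_xml, script_maps):
    """List <location> paths with a deny rule that ASP.NET never gets to apply."""
    mapped = aspnet_extensions(script_maps)
    findings = []
    for loc in ET.fromstring(web_config_xml).iter("location"):
        if loc.find("system.web/authorization/deny") is None:
            continue  # no deny rule here, nothing to enforce
        path = loc.get("path", "")
        ext = os.path.splitext(path)[1].lower()
        if ext and ext not in mapped:
            findings.append(path)  # IIS serves this file itself
    return findings

if __name__ == "__main__":
    for path in unenforced_rules(WEB_CONFIG, SCRIPT_MAPS):
        print("deny rule not enforced, extension not mapped to ASP.NET:", path)
```

Directory-level `<location>` paths have no extension and are skipped; the check only covers rules that name a single file.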


