Re: File Types not protected by Forms Authentication

From: John Timney \(ASP.NET MVP\) (timneyj_at_despammed.com)
Date: 06/17/05

  • Next message: MatthewRoberts: "Re: File Types not protected by Forms Authentication" 
    Date: Fri, 17 Jun 2005 17:31:11 +0100

    The asp.net handlers only kick in for files mapped to it in IIS, so it
    suggests extensions for swf are not handled by the asp.net dll and need to
    be. Go to IIS setup and check the file types. 

    -- 
Regards
John Timney
ASP.NET MVP
Microsoft Regional Director
"MatthewRoberts" <mroberts521@gmail.com> wrote in message 
news:1119024772.520481.205080@g44g2000cwa.googlegroups.com...
> Howdy All,
>
> We have an ASP.NET web application that uses Forms Authentication and
> has worked without problems for some time.
>
> However, we recently added a Shockwave SWF file to the mix for flash
> and interactivity.
>
> All ASPX, HTML, and other web files are protected by security. If you
> are not properly authenticated but try to access an ASPX or HTML file,
> you will be redirected to the Login page.
>
> However, if you try to access the SWF file directly, it allows you to
> view the animation without ever authenticating the user.
>
> Why is this? Are only certain file types protected for Forms
> Authentication? How can you add to that list of file types? Is it a
> MIME type or file extension we should be securing through IIS in some
> way?
>
> We even tried adding the following to the web.config file:
>
>
> <location path="OurAnimation.swf">
> <system.web>
> <authorization>
> <deny users="?" />
> </authorization>
> </system.web>
> </location>
>
>
> such that it should explicitly deny all anonymous, or unauthenticated
> users. But still, this did not work, and direct access to the file is
> allowed by anyone.
>
> Can anyone shed some light on this issue?
>
> Thank you in advance for whatever help you can provide.
>
> Matthew Roberts
> SOURCECORP
> Framework Architect
>
  • Next message: MatthewRoberts: "Re: File Types not protected by Forms Authentication"

    Relevant Pages

    • RE: file restriction - Forms authentication
      ... Only those file types that are mapped in IIS to the aspnet_isapi.dll are ... options when it comes to PDF files. ... Map the PDF file type to the aspnet_isapi.dll in IIS. ... and I'm using Forms authentication method. ...
      (microsoft.public.dotnet.framework.aspnet)
    • Re: File Types not protected by Forms Authentication
      ... The reason is that IIS handles the requests for those files, not ASP.NET, ... > We have an ASP.NET web application that uses Forms Authentication and ... > All ASPX, HTML, and other web files are protected by security. ... Are only certain file types protected for Forms ...
      (microsoft.public.dotnet.framework.aspnet.security)
    • Re: HELP PLEASE The request failed with HTTP status 401: Access Denied.
      ... Web Security: Part 2: Introducing the Web Application Manager, Client ... Authentication Options, and Process Isolation ... It introduces the Web Application Manager in IIS that ... logon session, which is dangerous. ...
      (microsoft.public.dotnet.framework.aspnet.security)
    • RE: Can no longer access ActiveSync
      ... OMA and Exchange/Exchange-OMA virtual directory. ... Please verify Authentication settings by the following steps. ... Open IIS Manager ... issue may be caused by the Exchange attribute of original user account. ...
      (microsoft.public.exchange.admin)
    • Re: Basic Authentication fails with Error 401.2 where Integrated s
      ... I didn't realise the Web Sites folder in IIS manager threw up a global ... sure that Basic Authentication is allowed to function on your server. ... ACCOUNTNAME, this is the account that I am trying to grant access to: ... Account: COMPUTERNAME\ACCOUNTNAME Access type: FULL ...
      (microsoft.public.inetserver.iis.security)