Re: IIS 6 and ASP.NET security
From: Dominick Baier [DevelopMentor] (dbaier_at_pleasepleasenospamdevelop.com)
Date: 08/19/05
- Next message: Dominick Baier [DevelopMentor]: "Re: Role-based authentication and Forms and System.UnauthorizedAccessException"
- Previous message: Dominick Baier [DevelopMentor]: "Re: Problem while using cookieless session"
- In reply to: Michael Tsai: "IIS 6 and ASP.NET security"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Thu, 18 Aug 2005 23:40:29 -0700
Hello Michael,
W3svc reads the metabase on statup (or when changed) and registers all the
information with http.sys.
---------------------------------------
Dominick Baier - DevelopMentor
http://www.leastprivilege.com
> Hi,
> It said that IIS 6 use HTTP.sys as the front end for
> handling HTTP request, and pass ASP.NET requests
> to w3wp.exe. So I think this also means security
> settings in IIS (metabase) is bypassed, right?
> Apparently the answer is no, I'ved tried using IIS to set my
> ASP.NET web application's authentication method to basic
> authentication, but my web app's web config still allow
> anonymous access. When I use browser to acces my Web
> app, it asks me to input username and password. So IIS
> metabase is still used, but how? All the information I found
> with Google just show that HTTP.sys directly pass request
> to w3wp.exe, so when/where did IIS metabase be read and
> applied?
> Thanks!
>
> Michael Tsai
>
- Next message: Dominick Baier [DevelopMentor]: "Re: Role-based authentication and Forms and System.UnauthorizedAccessException"
- Previous message: Dominick Baier [DevelopMentor]: "Re: Problem while using cookieless session"
- In reply to: Michael Tsai: "IIS 6 and ASP.NET security"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
