Re: Securing static files
- From: "Jon Haakon Ariansen" <jona@xxxxxxxx>
- Date: Tue, 20 Jun 2006 15:21:04 +0200
Yes, I have done this.
"Dominick Baier [DevelopMentor]" <dbaier@xxxxxxxxxxxxxxxxxxxxxxxxxxxxx>
wrote in message news:4580be6319f85c8c86289ddfbd590@xxxxxxxxxxxxxxxxxxxxx
the first thing is to register aspnet_isapi as Wildcard mapping - after
that _all_ files are treated like asp.net content - and authentication and
authorization settings apply.
Have you done that to this point?
---------------------------------------
Dominick Baier - DevelopMentor
http://www.leastprivilege.com
Hello,
Thank you for very fast feedback.
I've read the page, but as you said - I have lot's of questions. I
almost
don't know what to ask.. :]
If I insert in Web.config:
<httpHandlers>
<add path="*.htm" verb="*"
type="System.Web.HttpForbiddenHandler" validate="True" />
</httpHandlers>
then files with extention .htm will now be shown - correct?
But if the user's credentials is verified, do I have to do something
to allow the user to open htm files?
In advance thanks!
Jon Haakon
"Dominick Baier [DevelopMentor]"
<dbaier@xxxxxxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:4580be6319f81d8c8627df21bddb8@xxxxxxxxxxxxxxxxxxxxx
if it is IIS6 - i would recommed setting up a Wildcard handler
read here first - and if you have questions feel free to post
http://www.leastprivilege.com/ProtectingNonASPNETResourcesWithASPNET2
0.aspx
---------------------------------------
Dominick Baier - DevelopMentor
http://www.leastprivilege.com
Hi,
In short my problem is securing static pages, so that unauthorized
(anonymous) people doesn't get access to these files. You'll find a
detailed description below.
I have a websolution that is made in Dotnet 2.0. The solution send
the
user
to a correct module based on the users credentials. The users
credentials
are compared with username and password in MS SQL database which
provide the
right path to where the user is going. Thus the solution uses Form
authentication to verify the user.
The desination after login is mostly static pages (htm/html) calling
Flash
modules.
One of my problems (not the biggest) is that the user keeps getting
throwed out and have to log on again - several times. We need to get
the application to be more presistant when the user has logged on.
I'm
not sure why the user have to log on all the time, but my guess is
that when the user uses the flash module, IIS is not aware that the
user is still logged on and when the user finally requests a new
page
there's been a timeout. In this case I have to find a solution to
make
the user beeing loged in. I guess I can use a cookie for this, but
then I guess the user will always come to the same module. The user
has to be presented the login page on startup each time, because the
user might try another module.
My biggest problem is after associating aspnet_isapi.dll with
htm/html
in
IIS I'm not able to view
htm/html at all. I get "Page cannot be displayed", however some
modules end
on ".asp" and these files show okey, though ASP is associated as
well
with
asp_isapi.dll.
I've tried to find a solution based on this article:
http://msdn.microsoft.com/msdnmag/issues/05/11/SecureWebApps/
but I'm not sure if it's the best for me.
Hope there is some who can help me with this.
Kind regards,
Jon Haakon
.
- Follow-Ups:
- Re: Securing static files
- From: Dominick Baier [DevelopMentor]
- Re: Securing static files
- References:
- Re: Securing static files
- From: Jon Haakon Ariansen
- Re: Securing static files
- From: Dominick Baier [DevelopMentor]
- Re: Securing static files
- Prev by Date: Re: Securing static files
- Next by Date: Re: Securing static files
- Previous by thread: Re: Securing static files
- Next by thread: Re: Securing static files
- Index(es):
Relevant Pages
|
|
