Re: Securing static files
- From: "Jon Haakon Ariansen" <jona@xxxxxxxx>
- Date: Wed, 21 Jun 2006 10:38:53 +0200
Hi Dominick Baier,
Thank you very much for your tips! I really appreciate it!
It seems like I have found a solution to my problem now.
I've added:
<httpHandlers>
<add path="*.htm" verb="*" type="System.Web.StaticFileHandler" />
<add path="*.html" verb="*" type="System.Web.StaticFileHandler" />
<add path="*.asp" verb="*" type="System.Web.StaticFileHandler" />
</httpHandlers>
to web.config and I can access the html files.
But it depends how for how long I can access them. The html files calls on
flash files which runs client-side. When the enduser is logged in,
periodially
they are kicked back to the login page.
This might perhaps be caused by Session timeout. I'm not sure. Is there a
why to make the login period more persistant? But it can't be so persistant
that
the user is automatically logged in if the user has used the program before.
The user may log in with other credentials (username/password).
Thank you so much for your help Dominick!!
Kind regards,
Jon Haakon
"Dominick Baier [DevelopMentor]" <dbaier@xxxxxxxxxxxxxxxxxxxxxxxxxxxxx>
wrote in message news:4580be6319f8ab8c862963feb4f9e@xxxxxxxxxxxxxxxxxxxxx
ok -
you can now verify, e.g. by putting a breakpoint in
Application_BeginRequest, that asp.net handles all requests now.
This means that if a user tries to access a .htm file (or whatever) - he
will be redirected to the login page and he has to authenticate first.
Is that what you want?
ps. and btw - make sure you have unchecked the "verify that file exists"
box in the wildcard mapping dialog.
---------------------------------------
Dominick Baier - DevelopMentor
http://www.leastprivilege.com
Yes, I have done this.
"Dominick Baier [DevelopMentor]"
<dbaier@xxxxxxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:4580be6319f85c8c86289ddfbd590@xxxxxxxxxxxxxxxxxxxxx
the first thing is to register aspnet_isapi as Wildcard mapping -
after that _all_ files are treated like asp.net content - and
authentication and authorization settings apply.
Have you done that to this point?
---------------------------------------
Dominick Baier - DevelopMentor
http://www.leastprivilege.com
Hello,
Thank you for very fast feedback.
I've read the page, but as you said - I have lot's of questions. I
almost
don't know what to ask.. :]
If I insert in Web.config:
<httpHandlers>
<add path="*.htm" verb="*"
type="System.Web.HttpForbiddenHandler" validate="True" />
</httpHandlers>
then files with extention .htm will now be shown - correct?
But if the user's credentials is verified, do I have to do something
to allow the user to open htm files?
In advance thanks!
Jon Haakon
"Dominick Baier [DevelopMentor]"
<dbaier@xxxxxxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:4580be6319f81d8c8627df21bddb8@xxxxxxxxxxxxxxxxxxxxx
if it is IIS6 - i would recommed setting up a Wildcard handler
read here first - and if you have questions feel free to post
http://www.leastprivilege.com/ProtectingNonASPNETResourcesWithASPNE
T2 0.aspx
---------------------------------------
Dominick Baier - DevelopMentor
http://www.leastprivilege.com
Hi,
In short my problem is securing static pages, so that unauthorized
(anonymous) people doesn't get access to these files. You'll find
a detailed description below.
I have a websolution that is made in Dotnet 2.0. The solution send
the
user
to a correct module based on the users credentials. The users
credentials
are compared with username and password in MS SQL database which
provide the
right path to where the user is going. Thus the solution uses Form
authentication to verify the user.
The desination after login is mostly static pages (htm/html)
calling
Flash
modules.
One of my problems (not the biggest) is that the user keeps
getting
throwed out and have to log on again - several times. We need to
get
the application to be more presistant when the user has logged on.
I'm
not sure why the user have to log on all the time, but my guess is
that when the user uses the flash module, IIS is not aware that
the
user is still logged on and when the user finally requests a new
page
there's been a timeout. In this case I have to find a solution to
make
the user beeing loged in. I guess I can use a cookie for this, but
then I guess the user will always come to the same module. The
user
has to be presented the login page on startup each time, because
the
user might try another module.
My biggest problem is after associating aspnet_isapi.dll with
htm/html
in
IIS I'm not able to view
htm/html at all. I get "Page cannot be displayed", however some
modules end
on ".asp" and these files show okey, though ASP is associated as
well
with
asp_isapi.dll.
I've tried to find a solution based on this article:
http://msdn.microsoft.com/msdnmag/issues/05/11/SecureWebApps/
but I'm not sure if it's the best for me.
Hope there is some who can help me with this.
Kind regards,
Jon Haakon
.
- Follow-Ups:
- Re: Securing static files
- From: Dominick Baier [DevelopMentor]
- Re: Securing static files
- References:
- Re: Securing static files
- From: Jon Haakon Ariansen
- Re: Securing static files
- From: Dominick Baier [DevelopMentor]
- Re: Securing static files
- Prev by Date: custom profile provider help
- Next by Date: Re: Securing static files
- Previous by thread: Re: Securing static files
- Next by thread: Re: Securing static files
- Index(es):
Relevant Pages
|
