Re: Securing static files
- From: "Jon Haakon Ariansen" <jona@xxxxxxxx>
- Date: Wed, 21 Jun 2006 12:40:04 +0200
Well, that was what it took to make the solution work.
I got a tips:
http://support.microsoft.com/?kbid=909641
You mentioned that I could make a breakpoint in Application_BeginRequest.
From what I have found out it is restricted access to variables here. Idon't think session variables work here. Therefore the other solution seemed
like a better solution.
Thanks for your tip!
Jon Haakon
"Dominick Baier [DevelopMentor]" <dbaier@xxxxxxxxxxxxxxxxxxxxxxxxxxxxx>
wrote in message news:4580be6319fca18c8633a5da14eb1@xxxxxxxxxxxxxxxxxxxxx
why did you have to add the handlers to web.config? should also work
without them.
It's not the session - it's the authentication timeout - you can set the
timeout in the <forms> element in web.config.
---------------------------------------
Dominick Baier - DevelopMentor
http://www.leastprivilege.com
Hi Dominick Baier,
Thank you very much for your tips! I really appreciate it!
It seems like I have found a solution to my problem now. I've added:
<httpHandlers>
<add path="*.htm" verb="*" type="System.Web.StaticFileHandler" />
<add path="*.html" verb="*" type="System.Web.StaticFileHandler" />
<add path="*.asp" verb="*" type="System.Web.StaticFileHandler" />
</httpHandlers>
to web.config and I can access the html files.
But it depends how for how long I can access them. The html files
calls on
flash files which runs client-side. When the enduser is logged in,
periodially
they are kicked back to the login page.
This might perhaps be caused by Session timeout. I'm not sure. Is
there a
why to make the login period more persistant? But it can't be so
persistant
that
the user is automatically logged in if the user has used the program
before.
The user may log in with other credentials (username/password).
Thank you so much for your help Dominick!!
Kind regards,
Jon Haakon
"Dominick Baier [DevelopMentor]"
<dbaier@xxxxxxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:4580be6319f8ab8c862963feb4f9e@xxxxxxxxxxxxxxxxxxxxx
ok -
you can now verify, e.g. by putting a breakpoint in
Application_BeginRequest, that asp.net handles all requests now.
This means that if a user tries to access a .htm file (or whatever) -
he will be redirected to the login page and he has to authenticate
first.
Is that what you want?
ps. and btw - make sure you have unchecked the "verify that file
exists" box in the wildcard mapping dialog.
---------------------------------------
Dominick Baier - DevelopMentor
http://www.leastprivilege.com
Yes, I have done this.
"Dominick Baier [DevelopMentor]"
<dbaier@xxxxxxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:4580be6319f85c8c86289ddfbd590@xxxxxxxxxxxxxxxxxxxxx
the first thing is to register aspnet_isapi as Wildcard mapping -
after that _all_ files are treated like asp.net content - and
authentication and authorization settings apply.
Have you done that to this point?
---------------------------------------
Dominick Baier - DevelopMentor
http://www.leastprivilege.com
Hello,
Thank you for very fast feedback.
I've read the page, but as you said - I have lot's of questions. I
almost
don't know what to ask.. :]
If I insert in Web.config:
<httpHandlers>
<add path="*.htm" verb="*"
type="System.Web.HttpForbiddenHandler" validate="True" />
</httpHandlers>
then files with extention .htm will now be shown - correct?
But if the user's credentials is verified, do I have to do
something to allow the user to open htm files?
In advance thanks!
Jon Haakon
"Dominick Baier [DevelopMentor]"
<dbaier@xxxxxxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:4580be6319f81d8c8627df21bddb8@xxxxxxxxxxxxxxxxxxxxx
if it is IIS6 - i would recommed setting up a Wildcard handler
read here first - and if you have questions feel free to post
http://www.leastprivilege.com/ProtectingNonASPNETResourcesWithASP
NE T2 0.aspx
---------------------------------------
Dominick Baier - DevelopMentor
http://www.leastprivilege.com
Hi,
In short my problem is securing static pages, so that
unauthorized (anonymous) people doesn't get access to these
files. You'll find a detailed description below.
I have a websolution that is made in Dotnet 2.0. The solution
send
the
user
to a correct module based on the users credentials. The users
credentials
are compared with username and password in MS SQL database which
provide the
right path to where the user is going. Thus the solution uses
Form
authentication to verify the user.
The desination after login is mostly static pages (htm/html)
calling
Flash
modules.
One of my problems (not the biggest) is that the user keeps
getting
throwed out and have to log on again - several times. We need to
get
the application to be more presistant when the user has logged
on.
I'm
not sure why the user have to log on all the time, but my guess
is
that when the user uses the flash module, IIS is not aware that
the
user is still logged on and when the user finally requests a new
page
there's been a timeout. In this case I have to find a solution
to
make
the user beeing loged in. I guess I can use a cookie for this,
but
then I guess the user will always come to the same module. The
user
has to be presented the login page on startup each time, because
the
user might try another module.
My biggest problem is after associating aspnet_isapi.dll with
htm/html
in
IIS I'm not able to view
htm/html at all. I get "Page cannot be displayed", however some
modules end
on ".asp" and these files show okey, though ASP is associated as
well
with
asp_isapi.dll.
I've tried to find a solution based on this article:
http://msdn.microsoft.com/msdnmag/issues/05/11/SecureWebApps/
but I'm not sure if it's the best for me.
Hope there is some who can help me with this.
Kind regards,
Jon Haakon
.
- Follow-Ups:
- Re: Securing static files
- From: Dominick Baier [DevelopMentor]
- Re: Securing static files
- References:
- Re: Securing static files
- From: Jon Haakon Ariansen
- Re: Securing static files
- From: Dominick Baier [DevelopMentor]
- Re: Securing static files
- Prev by Date: pdf file client side open problem
- Next by Date: Re: Securing static files
- Previous by thread: Re: Securing static files
- Next by thread: Re: Securing static files
- Index(es):
Relevant Pages
|
|
