Re: Securing a directory and its files with forms authentication
- From: Dominick Baier <dbaier@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Thu, 17 Apr 2008 05:29:10 +0000 (UTC)
Hi,
you have to map the file extensions you want to protect to the ASP.NET ISAPI DLL
Go to IIS application properties and have a look to which DLL the .aspx extension is mapped - now do the same for your docs.
-----
Dominick Baier (http://www.leastprivilege.com)
Developing More Secure Microsoft ASP.NET 2.0 Applications (http://www.microsoft.com/mspress/books/9989.asp)
I have a simple asp.net 2.0 application that includes two components:
- a file uploader
- a lister of files that have been uploaded
Files are word processing documents; they get stored to a "papers"
subdirectory of the application.
It would be good if both the file lister *and* the files in "papers"
were secured. But I sense that IIS and asp.net do not work together
to protect documents that aren't aspx files.. For example, I put an
index.html file into the papers directory, and asked IIS for that
document, and was happily sent the document. This, despite a
<location path="papers"> section in my web.config that includes <deny
users="?" />.
I know how to secure a directory with IIS. What I didn't want to do
was secure both the listing.aspx component *and* the papers
directory. I suppose another approach would be to put the lister.aspx
file into the papers directory and secure the directory with IIS and
forget the authentication in asp.net. But that seems wrong.
So, maybe someone could tell me where my thinking's gone wrong.
Thank you very much.
.
- References:
- Prev by Date: Re: GC.Collect() not cleaning memory, how to find out what references to lots of memory still exist?
- Next by Date: Authentication Not working from 1 client
- Previous by thread: Securing a directory and its files with forms authentication
- Next by thread: GC.Collect() not cleaning memory, how to find out what references to lots of memory still exist?
- Index(es):
Relevant Pages
|
