RE: Bypassing form Authentication
From: IT Community [MSFT] (yungc_at_online.microsoft.com)
Date: 08/17/03
Date: Sun, 17 Aug 2003 13:53:38 GMT
You wrote:
| I'm running a web site and implementing both folder (web.config) and class
| level authorization. A new requirement came in to allow an external web site
| to access some secure web pages directly, without going through the logon
| page.
Response:
So, these are not secure web pages after all. Many times issues or
complexities are introduced due to mixing security requirements. Putting
non-secure pages into a secure web site, or vice versa, is fundamentally
introducing inconsistency, and many times that is where issues and
complexities start. As a best practice, put secure and nonsecure resources
in separate physical directory trees and access them with different logical
paths. Configurations and NTFS permissions are not necessarily inherited
the same way. Where a page is physically placed (i.e. the file system view)
and how a page is logically accessed (the IIS or http view) are determining
factors.
You wrote:
|
| The users are valid users, and I will build the principal object anyway, but
| I need to do this before they are being re-directed to the logon page.
|
Response:
1. web.config controls only ASP.NET resources, and not others like asp,
cgi, etc. One way to do it is to make them non-ASP.NET resources and allow
anonymous access in IIS configuration, while ASP.NET will be controlled by
web.config to deny anonymous access and perform form authentication.
2. web.config inheritance is based on the logical structure, i.e. the url,
and not the physical folder structure. So putting resources in a separate
url path is another option. This is not always an option however.
You wrote:
| Would removing the folder\file reference from the web.config file help?
Response:
It depends on how the web site is structured. Again the essence is that
web.config controls only ASP.NET and only ASP.NET resources, and the
inheritance of web.config settings is based on the logical (i.e. url) and
not physical path.
Hope this helps.
Please do not send email directly to this alias. This is an online account
name for newsgroup participation only.
This posting is provided "AS IS" with no warranties, and confers no rights.
You assume all risk for your use.
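
An added illustration of option 2 in the reply above (not part of the original post, and not Microsoft's own configuration): a root web.config that requires forms authentication for the whole application and relaxes it for one URL path only. The folder name `public` and the page name `logon.aspx` are hypothetical.

```xml
<?xml version="1.0"?>
<!-- Root web.config of the ASP.NET application.
     Names used here (public, logon.aspx) are hypothetical. -->
<configuration>
  <system.web>
    <!-- Unauthenticated requests for ASP.NET resources are redirected
         to the logon page. -->
    <authentication mode="Forms">
      <forms loginUrl="logon.aspx" />
    </authentication>
    <!-- Default for every URL below this application: deny anonymous ("?"). -->
    <authorization>
      <deny users="?" />
    </authorization>
  </system.web>

  <!-- Override for one logical (URL) path. The path is relative to the URL
       of the application, not to the physical folder on disk, so a virtual
       directory mapped elsewhere on the file system still matches by URL. -->
  <location path="public">
    <system.web>
      <authorization>
        <allow users="*" />
      </authorization>
    </system.web>
  </location>

  <!-- These rules are evaluated by ASP.NET only. As the reply notes, .asp,
       CGI and other non-ASP.NET content is not covered by web.config and
       must be restricted through IIS settings and NTFS permissions. -->
</configuration>
```

Keeping the relaxed rule in a single `location` block makes the exception easy to audit: everything outside that URL path still falls under the `deny users="?"` default.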