RE: Protecting Web Files from Direct Access
From: William McIlroy (WilliamMcIlroy_at_discussions.microsoft.com)
Date: 02/20/05
- Next message: David Lindahl: "Error when on CreateSubdirectory in Web App"
- Previous message: William Stacey [MVP]: "Re: API to access loaded assembly hash"
- In reply to: William McIlroy: "Protecting Web Files from Direct Access"
- Next in thread: Dominick Baier [DevelopMentor]: "RE: Protecting Web Files from Direct Access"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Sat, 19 Feb 2005 23:33:03 -0800
Since nobody answered my query, I'll answer it myself. ASP.NET offers
built-in security of a kind. Actually, it offers several kinds, one of which
is useful for deployment on the Internet and the others less so. That
kind is attached to the moniker "Forms Authentication." When turned on,
Forms Authentication automatically redirects users who access pages on your
site to a Logon page where they enter a username and password. Code you
write determines whether the combination passes muster. If not, the page
redisplays. The user is free to try again. Otherwise the code behind
creates an authentication token, otherwise known as a "cookie" (we all know
about cookies, not the Oreo variety). Then the code behind uses information
that was passed to it to direct the browser to return to the page that the
user originally requested. Upon reaching that page the token exists and the
user is permitted to view the page. This all works super-swell as long as
every one of the pages has the filename extension ASPX. Pages that have the
filename extension HTML are not protected. I challenge anyone to find that
fact clearly expressed in the relevant KB article or in any of the many
relevant books. Right now, I'm trying to figure out how to rewrite an HTML
page so that it performs the function of the HTML whilst being an ASPX page.
It involves HTML "frames" and such things that are possibly foreign to the
ASPX way of doing things. No doubt there is an alternative, but am I
required to rewire the entire extant application simply to get security?
Yes. No. Maybe? Don't know. And so it goes...
"William McIlroy" wrote:
> I am working on a simple yet large web application that renders static HTML
> files per user request. I wrote an ASPX front end that accepts a userid and
> password combination. It acts as a gatekeeper to the application. The user
> cannot get to the index HTML document from the security check except with a
> valid username and password. However, the user can go directly to the index
> document and, hence the application, if he or she guesses its name or the
> name somehow becomes known. The browser advertises the name when
> Response.Redirect changes the web page. Is there some way to prevent users
> from navigating to pages inside the site without first having to identify
> themselves?
>
> I realize IIS offers several methods of security ranging from none, to using
> Windows authentication to Microsoft Passport. Still, it seems public access
> to application files is an all or nothing affair. I don't want even
> authenticated users to navigate directly to any of the application files.
> The ASPX code could write a cookie that every HTML file could check in a
> script. A helpful sample would be nice.
>
> Is there something I can do to the web.config file to enforce my rules?
>
> Any thoughts?
>
>
> --
> William McIlroy
>
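As an added illustration (not from the original post), the web.config below shows the configuration the reply describes, with the missing piece: Forms Authentication plus a deny-anonymous rule only guards requests that IIS hands to ASP.NET, so the *.html pages must also be routed through it. The file assumes a login page named Logon.aspx (a placeholder) and that the .html extension has been mapped to aspnet_isapi.dll in the IIS application mappings; without that IIS step the httpHandlers entry has no effect and IIS serves the HTML directly.

```xml
<?xml version="1.0"?>
<configuration>
  <system.web>
    <!-- Redirect unauthenticated requests to the login page;
         Logon.aspx is an assumed name, substitute your own. -->
    <authentication mode="Forms">
      <forms loginUrl="Logon.aspx" name=".ASPXAUTH" timeout="30" protection="All" />
    </authentication>

    <!-- "?" is the anonymous user: deny everyone who has not logged in.
         This rule is evaluated only for requests that reach ASP.NET. -->
    <authorization>
      <deny users="?" />
    </authorization>

    <!-- The gap from the thread: with only the entries above, a request for
         index.html never reaches ASP.NET, so the deny rule is never checked.
         Once IIS maps .html to aspnet_isapi.dll, this handler serves the file
         through ASP.NET's static-file handler, after authentication and
         URL authorization have run. -->
    <httpHandlers>
      <add verb="*" path="*.html" type="System.Web.StaticFileHandler" />
      <add verb="*" path="*.htm"  type="System.Web.StaticFileHandler" />
    </httpHandlers>
  </system.web>

  <!-- Make the login page itself reachable by anonymous users, so the
       redirect cannot loop. ASP.NET already exempts the loginUrl page;
       this spells the exemption out explicitly. -->
  <location path="Logon.aspx">
    <system.web>
      <authorization>
        <allow users="*" />
      </authorization>
    </system.web>
  </location>
</configuration>
```

With this in place a direct request for the index document by a user without the authentication cookie is redirected to Logon.aspx instead of being served, which is the behaviour the original question asked for.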