Professional Web Applications Themes

Forms authentication to secure various static content? - ASP.NET Security

Hi there gurus, I’d like to secure both dynamic AND STACIC content (html-files, gif’s, Office doents etc.) using forms authentication. In my ASP.net 2.0 test application forms authentication secures all content out of the box on the ASP.net Development Server. However, publishing the application to IIS only dynamic content is secured. Elsewhere I’ve read how to configure IIS to service html-files through the aspnet_isapi.dll, this extents forms authentication to secure html-files. But I need to secure gif’s, office doents etc. on IIS just as the default behavior of the ASP.net Development Server. How can this be accomplished? I’ve had no ...

  1. #1

    Default Forms authentication to secure various static content?

    Hi there gurus,

    I’d like to secure both dynamic AND STACIC content (html-files, gif’s,
    Office doents etc.) using forms authentication.

    In my ASP.net 2.0 test application forms authentication secures all content
    out of the box on the ASP.net Development Server. However, publishing the
    application to IIS only dynamic content is secured.

    Elsewhere I’ve read how to configure IIS to service html-files through the
    aspnet_isapi.dll, this extents forms authentication to secure html-files. But
    I need to secure gif’s, office doents etc. on IIS just as the default
    behavior of the ASP.net Development Server. How can this be accomplished?
    I’ve had no luck sending say .doc doents through aspnet_isapi.dll.

    In how many other significant areas are the behavior of the ASP.net
    Development Server different that the default behavior of IIS 6.0. If no one
    knows, can ASP.net Development Server then be trusted for any serious
    development?

    Can the problem be solved using ASP.net 1.1 as well?

    Best regards,

    Michael Brandt Lassen
    3F, Denmark




    --
    best regards,

    Michael Brandt Lassen, Developer & Architect
    3F, Denmark
    Michael Guest

  2. #2

    Default Re: Forms authentication to secure various static content?

    Hello Michael,

    i wrote an article about that:

    http://www.leastprivilege.com/ProtectingNonASPNETResourcesWithASPNET20.aspx
    http://www.leastprivilege.com/MoreOnProtectingStaticResourcesWithASPNET20.aspx

    ---------------------------------------
    Dominick Baier - DevelopMentor
    http://www.leastprivilege.com
     


    Dominick Guest

  3. #3

    Default Re: Forms authentication to secure various static content?

    Hi Dominic

    Thanks for your reply.

    After reading you articles and doing various experiments, I still don’t get
    it.

    I’ve tried what seems to me every possible combination of along your advice,
    configuring IIS with specific application extensions or wild card application
    maps, registering the default http handler in both machine.config and
    web.config. My results range from no effect, over 404-errors, to requests
    that never seem to return from IIS.

    I’m Sorry to bother you, but I’m afraid I need a more precise guidance on
    how exactly to enable say forms authentication of htm and gif’s, and/or the
    wild card strategy.

    You write:

    “In ASP.NET […] All unknown file extensions are now handled by a class
    called DefaultHttpHandler.”

    Is this default handler enabled by default? Or do I have to, and in which
    configuration file should I write:

    <add path="*" verb="GET,HEAD,POST" type="System.Web.DefaultHttpHandler"
    validate="True" />

    Is this configuration to be combined with a wildcard application maps in IIS
    pointing to the asp.net isapi dll?

    Thanks a bunch,

    Michael Brandt Lassen, Developer & Architect
    3F, Denmark


    "Dominick Baier [DevelopMentor]" wrote:
     
    >
    >
    >[/ref]
    Michael Guest

  4. #4

    Default Re: Forms authentication to secure various static content?

    Hi there

    I found such a cook book explanation myself in the asp.net SDK:

    http://beta.asp.net/QUICKSTART/aspnet/doc/tipstricks/default.aspx

    This together with a repair of the .NET 2.0 Framework, solved my problem.

    Best regards,

    Michael Brandt Lassen
    3F, Denmark

    Michael Guest

Similar Threads

  1. combining static & dynamic content
    By Duane McGuire in forum Coldfusion - Getting Started
    Replies: 6
    Last Post: February 22nd, 02:26 AM
  2. Replies: 2
    Last Post: July 20th, 12:26 PM
  3. Replies: 1
    Last Post: July 18th, 12:45 AM
  4. Replies: 1
    Last Post: October 20th, 06:04 PM
  5. Including Static Content
    By jordan in forum ASP
    Replies: 2
    Last Post: October 14th, 02:52 PM

Bookmarks

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •  

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139