Alex Maghen #1
Forms-Based Authentication and NON ASP.NET Assets
I have a feeling you're gonna say no but, is there any way, with ASP.NET
Forms-Based Authentication, to protect access to NON ASP.NET objects? For
example, if I have a directory that has .ASPX files AND, say, JPEG files
(.jpg), it would appear that if the user has the URL to one of the JPEGs, he
can still come back any time and download it without being sent to the Login
page. I assume this is because, for a JPEG file, ASP.NET is not involved at
all in the whole IIS loop.
Right?
Alex
-
Geir Aamodt #2
Re: Forms-Based Authentication and NON ASP.NET Assets
Alex,
you are correct....
.......5 minutes later
I found the following, see snippet below, at
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnnetsec/html/THCMGlance.asp
I have not tested it yet, but it might be possible to add a new verb like:
<add verb="*" path="*.jpeg" type="System.Web.HttpForbiddenHandler" />
As I said, not sure if this will work, might be worth a try.
If it does not work, you're still correct Alex
--
Best regards,
Geir Aamodt
geir.aamodt(AT)bekk.no
----------------Snippet start----------------
Map Protected Resources to HttpForbiddenHandler
HTTP handlers are located in Machine.config beneath the <httpHandlers>
element. HTTP handlers are responsible for processing Web requests for
specific file extensions. Remoting should not be enabled on front-end Web
servers; enable Remoting only on middle-tier application servers that are
isolated from the Internet.
The following file extensions are mapped in Machine.config to HTTP handlers:
- .aspx is used for ASP.NET pages.
- .rem and .soap are used for Remoting.
- .asmx is used for Web Services.
- .asax, .ascx, .config, .cs, .csproj, .vb, .vbproj, .webinfo, .asp, .licx,
.resx, and .resources are protected resources and are mapped to
System.Web.HttpForbiddenHandler.
For .NET Framework resources, if you do not use a file extension, then map
the extension to System.Web.HttpForbiddenHandler in Machine.config, as shown
in the following example:
<add verb="*" path="*.vbproj" type="System.Web.HttpForbiddenHandler" />
In this case, the .vbproj file extension is mapped to
System.Web.HttpForbiddenHandler. If a client requests a path that ends with
.vbproj, then ASP.NET returns a message that states "This type of page is
not served."
The following guidelines apply to handling .NET Framework file extensions:
- Map extensions you do not use to HttpForbiddenHandler. If you do not
serve ASP.NET pages, then map .aspx to HttpForbiddenHandler. If you do not
use Web Services, then map .asmx to HttpForbiddenHandler.
- Disable Remoting on Internet-facing Web servers. Map remoting
extensions (.soap and .rem) on Internet-facing Web servers to
HttpForbiddenHandler.
----------------Snippet end----------------
"Alex Maghen" <AlexMaghen@discussions.microsoft.com> wrote in message
news:CEF1ED71-DA8E-4A9F-B70F-3FA4E537FBBE@microsoft.com...
> I have a feeling you're gonna say no but, is there any way, with ASP.NET
> Forms-Based Authentication, to protect access to NON ASP.NET objects? For
> example, if I have a directory that has .ASPX files AND, say, JPEG files
> (.jpg), it would appear that if the user has the URL to one of the JPEGs,
> he
> can still come back any time and download it without being sent to the
> Login
> page. I assume this is because, for a JPEG file, ASP.NET is not involved
> at
> all in the whole IIS loop.
>
> Right?
>
> Alex
-
IPGrunt #3
Re: Forms-Based Authentication and NON ASP.NET Assets
On 20 Feb 2005, "Alex Maghen"
<AlexMaghen@discussions.microsoft.com> postulated in
news:CEF1ED71-DA8E-4A9F-B70F-3FA4E537FBBE@microsoft.com:
> I have a feeling you're gonna say no but, is there any way, with ASP.NET
> Forms-Based Authentication, to protect access to NON ASP.NET objects? For
> example, if I have a directory that has .ASPX files AND, say, JPEG files
> (.jpg), it would appear that if the user has the URL to one of the JPEGs, he
> can still come back any time and download it without being sent to the Login
> page. I assume this is because, for a JPEG file, ASP.NET is not involved at
> all in the whole IIS loop.
>
> Right?
>
> Alex
It's an interesting problem that I may have to solve myself for access
to other types of files, like PDFs, in a pay-for-access document
control system I need to design for a client.
IIS and Windows ACLs determine who gets access to a website folder.
You'd have to investigate impersonation in ASP.NET, but I can imagine a
design where the default IIS account doesn't have access to JPG files
in a certain folder, but the entity impersonated by your ASP.NET app
does.
Another approach might be through ISAPI filters, though these are
different with IIS6.0 and IIS5.1 and I'd have to solve the problem on
two different platforms.
Is this a real problem you're trying to solve, or are you just what-if-
ing.
-- ipgrunt
-
WJ #4
Re: Forms-Based Authentication and NON ASP.NET Assets
If these objects/files are sensitive, the safest way to store them is
"database" in the form of "image". I do this for documents and images. They
work OK.
John
"Alex Maghen" <AlexMaghen@discussions.microsoft.com> wrote in message
news:CEF1ED71-DA8E-4A9F-B70F-3FA4E537FBBE@microsoft.com...
> I have a feeling you're gonna say no but, is there any way, with ASP.NET
> Forms-Based Authentication, to protect access to NON ASP.NET objects? For
> example, if I have a directory that has .ASPX files AND, say, JPEG files
> (.jpg), it would appear that if the user has the URL to one of the JPEGs,
> he
> can still come back any time and download it without being sent to the
> Login
> page. I assume this is because, for a JPEG file, ASP.NET is not involved
> at
> all in the whole IIS loop.
>
> Right?
>
> Alex
-
ranganh #5
Re: Forms-Based Authentication and NON ASP.NET Assets
Hi,
You can use Forms Authentication and deny access to PDF and for that matter
any static files that are handled by IIS with a simple configuration of the
IIS Configuration Manager settings.
Please check
http://aspnet_harish.blogspot.com/2004/07/securing-pdfs-docs-in-forms.html
Thanks.
"IPGrunt" wrote:
> On 20 Feb 2005, "Alex Maghen"
> <AlexMaghen@discussions.microsoft.com> postulated in
> news:CEF1ED71-DA8E-4A9F-B70F-3FA4E537FBBE@microsoft.com:
> > I have a feeling you're gonna say no but, is there any way, with ASP.NET
> > Forms-Based Authentication, to protect access to NON ASP.NET objects? For
> > example, if I have a directory that has .ASPX files AND, say, JPEG files
> > (.jpg), it would appear that if the user has the URL to one of the JPEGs, he
> > can still come back any time and download it without being sent to the Login
> > page. I assume this is because, for a JPEG file, ASP.NET is not involved at
> > all in the whole IIS loop.
> >
> > Right?
> >
> > Alex
> It's an interesting problem that I may have to solve myself for access
> to other types of files, like PDFs, in a pay-for-access document
> control system I need to design for a client.
>
> IIS and Windows ACLs determine who gets access to a website folder.
>
> You'd have to investigate impersonation in ASP.NET, but I can imagine a
> design where the default IIS account doesn't have access to JPG files
> in a certain folder, but the entity impersonated by your ASP.NET app
> does.
>
> Another approach might be through ISAPI filters, though these are
> different with IIS6.0 and IIS5.1 and I'd have to solve the problem on
> two different platforms.
>
> Is this a real problem you're trying to solve, or are you just what-if-
> ing.
>
> -- ipgrunt
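One way to make the approach in posts #2 and #5 concrete, as an added example that is not code from this thread, from MSDN or from the linked blog: once IIS is configured to hand .jpg requests to aspnet_isapi.dll (the IIS-side mapping post #5 refers to), a small IHttpHandler can serve the files only to Forms-authenticated users, whereas mapping the extension to HttpForbiddenHandler as in post #2 blocks everyone, logged in or not. The namespace, class name and web.config entries below are assumptions.

```csharp
// Added example (not from the thread): serve .jpg files through ASP.NET so
// Forms Authentication applies to them. Assumes IIS already script-maps .jpg
// to aspnet_isapi.dll; without that mapping IIS serves the file itself and
// this handler never runs. Assumed web.config registration:
//
//   <httpHandlers>
//     <add verb="GET,HEAD" path="*.jpg"
//          type="ProtectedAssets.ProtectedImageHandler, ProtectedAssets" />
//   </httpHandlers>
//   <authorization>
//     <deny users="?" />   <!-- "?" = anonymous users -->
//   </authorization>
using System.IO;
using System.Web;

namespace ProtectedAssets
{
    public class ProtectedImageHandler : IHttpHandler
    {
        public bool IsReusable { get { return true; } }

        public void ProcessRequest(HttpContext context)
        {
            HttpResponse response = context.Response;

            // Defence in depth: UrlAuthorizationModule already enforces the
            // <authorization> element, but re-checking here means a later
            // config change cannot silently expose the images.
            if (!context.Request.IsAuthenticated)
            {
                // FormsAuthenticationModule turns a 401 into a redirect to
                // the configured login page at the end of the request.
                response.StatusCode = 401;
                return;
            }

            // The physical path ASP.NET resolved from the URL; IIS and
            // ASP.NET reject URLs that escape the application root before
            // any handler runs, so this stays under the web root.
            string physicalPath = context.Request.PhysicalPath;
            if (!File.Exists(physicalPath))
            {
                response.StatusCode = 404;
                return;
            }

            response.ContentType = "image/jpeg";
            // Private: the browser may cache, shared proxies must not, so a
            // cached copy is never handed to another client without a login.
            response.Cache.SetCacheability(HttpCacheability.Private);
            response.WriteFile(physicalPath);
        }
    }
}
```

The same handler shape works for post #4's database approach: replace File.Exists and WriteFile with a lookup that returns the image bytes for the authenticated user and writes them with Response.BinaryWrite.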