Psychotext asked:

Securing non-aspx files with forms authentication / location files.

I've recently written a little app that uses roles and forms authentication so that only users with a certain role type can get access to a specific section of the site.  The problem I have is this - There are non-aspx files in the site (asp, xls, pdf, doc files) that you can still get access to provided that you know the URL (you don't need to log in).  Is there any way around this?

I have the following addition in my web.config file:

      <location path="admin">
            <system.web>
                  <authorization>
                        <!-- Rules are checked top-down and the first match wins.
                             The implicit final rule allows everyone, so the list
                             must end with deny users="*"; otherwise any logged-in
                             user (not just Administrators) gets into /admin. -->
                        <allow roles="Administrator" />
                        <deny users="*" />
                  </authorization>
            </system.web>
      </location>

And the code I'm using to handle roles is something like this:

      Dim intUserId As Integer = -1
      Dim strUserAlias As String = txtUserAlias.Text

      If WebSecurity.IsValidUser(strUserAlias, Me.txtUserPassword.Text, intUserId) Then
            ' One role per user here, so size the array for exactly one element
            ' (Dim strRoles(1) creates two slots and leaves the second Nothing)
            Dim strRoles(0) As String
            strRoles(0) = WebSecurity.GetUserRole(strUserAlias)

            ' SetAuthCookie records only the user name. Put the role in the
            ' ticket's UserData instead, so Application_AuthenticateRequest can
            ' rebuild a role-aware principal on every later request; the
            ' GenericPrincipal assigned below lives for this request only.
            Dim ticket As New FormsAuthenticationTicket(1, strUserAlias, _
                  DateTime.Now, DateTime.Now.AddMinutes(30), False, _
                  strRoles(0), FormsAuthentication.FormsCookiePath)
            Response.Cookies.Add(New HttpCookie(FormsAuthentication.FormsCookieName, _
                  FormsAuthentication.Encrypt(ticket)))

            ' Attach the role to the principal for the remainder of this request
            ' (User.Identity at this point is still the anonymous identity)
            HttpContext.Current.User = New GenericPrincipal( _
                  New GenericIdentity(strUserAlias), strRoles)

            Dim context As System.Web.HttpContext = System.Web.HttpContext.Current
            context.Session("intUserID") = intUserId

            If strRoles(0) = "Administrator" Then
                  Response.Redirect("/admin/admin.aspx")
            End If
      Else
            'Do something else
      End If

Is what I'm trying to achieve here possible?  I'm thinking of impersonating a user with appropriate permissions on admin login, but I'm not sure if doing that forces the aspnet account to impersonate that user or if it swaps over the anonymous IIS user to the impersonated user.

There must be some way of doing this.  It seems a little half-assed as a security method as it is!

Thanks in advance.
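Added example, not part of the question above: a Global.asax code-behind that makes an <allow roles="Administrator"> rule work on requests after the login one. A GenericPrincipal assigned in the login page is discarded when that request ends, so the role has to travel in the forms ticket and be turned back into a principal every time. This assumes the login page stores the role name in the FormsAuthenticationTicket's UserData (SetAuthCookie on its own records only the user name); IssueRoleTicket and ParseRoles are assumed helper names, not anything from the thread.

```vb
' Global.asax.vb (added example). The forms ticket carries the role in its
' UserData field; this handler turns it back into a principal that
' <allow roles="..."> can evaluate on every request, not only the login one.
Imports System
Imports System.Web
Imports System.Web.Security
Imports System.Security.Principal

Public Class [Global]
    Inherits System.Web.HttpApplication

    Private Const RoleSeparator As String = "|"

    ' Called by the login page after the password check (assumed helper).
    ' Writes user name plus role(s) into an encrypted, signed ticket cookie.
    Public Shared Sub IssueRoleTicket(ByVal response As HttpResponse, _
                                      ByVal userName As String, ByVal roles() As String)
        Dim ticket As New FormsAuthenticationTicket(1, userName, _
              DateTime.Now, DateTime.Now.AddMinutes(30), False, _
              String.Join(RoleSeparator, roles), FormsAuthentication.FormsCookiePath)
        response.Cookies.Add(New HttpCookie(FormsAuthentication.FormsCookieName, _
              FormsAuthentication.Encrypt(ticket)))
    End Sub

    ' Fires after FormsAuthenticationModule has validated the cookie; by then
    ' Context.User.Identity is a FormsIdentity wrapping the decrypted ticket.
    Sub Application_AuthenticateRequest(ByVal sender As Object, ByVal e As EventArgs)
        If Context.User Is Nothing Then Return
        If Not (TypeOf Context.User.Identity Is FormsIdentity) Then Return

        Dim identity As FormsIdentity = DirectCast(Context.User.Identity, FormsIdentity)
        Dim roles() As String = ParseRoles(identity.Ticket.UserData)
        ' Replace the role-less principal with one UrlAuthorizationModule can use
        Context.User = New GenericPrincipal(identity, roles)
    End Sub

    ' Empty UserData means "no roles", never a single blank role name.
    Public Shared Function ParseRoles(ByVal userData As String) As String()
        If userData Is Nothing OrElse userData.Length = 0 Then Return New String() {}
        Return userData.Split(RoleSeparator.ToCharArray())
    End Function
End Class
```

The role is trusted because it lives inside the ticket, which forms authentication encrypts and MACs (protection="All", the default); the client cannot edit it without invalidating the cookie. Putting the role in Session instead would tie authorization to session state, which is not what UrlAuthorizationModule reads.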
AerosSaga:

Here's a premade component to do it:

http://www.iprisma.com/aspbridge/

Regards,

Aeros
Disregard previous post, sorry, wrong question.
Restrict the ASP.NET / NETWORK SERVICE account's NTFS permissions on the aforementioned documents.

http://support.microsoft.com/default.aspx?scid=kb;en-us;326214

Regards,

Aeros
The account you restrict depends on your OS: ASP.NET if you're using 2000, NETWORK SERVICE if 2003.
ASKER CERTIFIED SOLUTION
daffodils:

This solution is only available to members.
Psychotext (asker):

I was thinking about the file extension mapping... but it seems to me I'd always miss one or the other, so I need to try and get it done by default.  I'm going to do some permissions testing later, but I've got a nasty feeling that daffodils' solution is the only way. (Not that it's a bad solution, daffodils, it's just a little painful if you want to lock down every possible file type.)
Actually you are right there.. it is definitely painful!
In the forum posting, one option is given as writing a custom module.. but as I see it, even that requires adding every single file type..
It might be better to write a batch script that runs at deployment and updates the file extension mapping in IIS.. in that case, one can add the extension types in the script and not open up IIS every time you want to add a file type.
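Added example of the deployment script idea above; it is not code from the thread. It uses the IIS ADSI provider through System.DirectoryServices to append script maps that send .pdf, .doc and .xls requests to aspnet_isapi.dll, which is what makes the <location> authorization rules apply to those files. Assumptions: the site is metabase id 1 (IIS://localhost/W3SVC/1/ROOT), the mapping is applied at the site root and scoped by the web.config <location> rules, and the aspnet_isapi.dll of the runtime the tool is built against is the one IIS should use. The extension list deliberately leaves out .asp: pointing classic ASP at aspnet_isapi.dll stops asp.dll executing those pages.

```vb
' Deployment helper (added example, not from the thread). Adds IIS script
' maps so that document requests under the site go through aspnet_isapi.dll
' and therefore through ASP.NET authorization. Needs a reference to
' System.DirectoryServices.dll and local administrator rights.
' Assumption: the site is metabase id 1 (IIS://localhost/W3SVC/1/ROOT).
Imports System
Imports System.DirectoryServices
Imports System.Runtime.InteropServices

Module MapDocumentExtensions
    ' Deliberately excludes .asp: pointing classic ASP at aspnet_isapi.dll
    ' would stop asp.dll executing those pages.
    Private ReadOnly DocumentExtensions() As String = {".pdf", ".doc", ".xls"}

    Sub Main()
        ' Path of the aspnet_isapi.dll belonging to the runtime we are built on,
        ' e.g. C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\aspnet_isapi.dll
        Dim isapiPath As String = RuntimeEnvironment.GetRuntimeDirectory() & "aspnet_isapi.dll"

        Dim site As New DirectoryEntry("IIS://localhost/W3SVC/1/ROOT")
        Dim scriptMaps As PropertyValueCollection = site.Properties("ScriptMaps")

        For Each ext As String In DocumentExtensions
            If Not IsMapped(scriptMaps, ext) Then
                ' Entry format: extension,dll,flags,verbs. Flags 1 = script engine,
                ' 4 = "check that file exists", 5 = both. Only GET/HEAD make sense
                ' for documents, so POST and friends are not mapped.
                scriptMaps.Add(ext & "," & isapiPath & ",5,GET,HEAD")
                Console.WriteLine("mapped " & ext)
            End If
        Next
        site.CommitChanges()
    End Sub

    ' True if a script map for this extension already exists (case-insensitive),
    ' so running the tool twice does not duplicate entries.
    Function IsMapped(ByVal scriptMaps As PropertyValueCollection, ByVal ext As String) As Boolean
        For Each entry As Object In scriptMaps
            If entry.ToString().ToLower().StartsWith(ext.ToLower() & ",") Then Return True
        Next
        Return False
    End Function
End Module
```

Run it once per deployment and restart IIS afterwards (the thread notes below that the mapping did not take effect until IIS was restarted). Once mapped, ASP.NET serves the file itself: machine.config routes unmatched extensions for GET/HEAD to System.Web.StaticFileHandler, which only runs after UrlAuthorizationModule has approved the request, and the ASP.NET worker account (ASPNET or NETWORK SERVICE, depending on OS) must have NTFS read access to the documents.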
Oh, in reply to AerosSaga - unfortunately it looks as though it isn't actually as simple as just changing the permissions.  Without daffodils' step, the system does not actually know to use the aspnet / network account for the files.  You can do it in aspx pages with IHttpHandler / HttpContext, but in this case the system will not put these file queries through the asp.net code.
Something just doesn't seem right about this.

If I was accessing the files only through aspx pages it would be easy (give permissions to the aspnet account and have it act as intermediary for all files; no access to anonymous users unless going through .net pages).  If I wanted to stop general access I could just use integrated authentication and appropriate permissions.

But there just doesn't seem any way of tying the two in easily.  I think I might just have to force the issue and write the code to provide an in-page file explorer and allow no direct access to the files.  As for special files such as asp etc. I will just have to use the file extension solution from above.  Any other solutions appreciated!
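Added example of the intermediary approach described in the post above; this is not code from the thread. An IHttpHandler becomes the only route to the documents: the files are moved to a folder outside the web root (D:\ProtectedDocs is an assumed path) that the ASP.NET worker account can read, so no URL reaches them directly and a forgotten file type cannot leak. The handler checks the role, refuses anything that is not a bare file name inside that folder (no "..", separators or drive letters), and streams the file.

```vb
' SecureDownload.ashx (added example). The only path to the protected
' documents. Files live OUTSIDE the web root, so nothing is served by IIS
' directly; every download passes through this role check.
Imports System
Imports System.IO
Imports System.Web

Public Class SecureDownload
    Implements IHttpHandler

    ' Assumed location; must be readable by the ASP.NET worker account and
    ' must not sit under the site's root.
    Private Const DocumentRoot As String = "D:\ProtectedDocs"

    Public Sub ProcessRequest(ByVal context As HttpContext) Implements IHttpHandler.ProcessRequest
        ' 1. Authorisation: the role comes from the principal built per request.
        If Not context.User.Identity.IsAuthenticated OrElse _
           Not context.User.IsInRole("Administrator") Then
            context.Response.StatusCode = 403
            context.Response.End()
        End If

        ' 2. Resolve the requested name and make sure it cannot escape the root.
        Dim fullPath As String = ResolvePath(context.Request.QueryString("file"))
        If fullPath Is Nothing OrElse Not File.Exists(fullPath) Then
            context.Response.StatusCode = 404
            context.Response.End()
        End If

        ' 3. Stream it as an attachment with a content type keyed on extension.
        context.Response.ContentType = ContentTypeFor(Path.GetExtension(fullPath))
        context.Response.AddHeader("Content-Disposition", _
            "attachment; filename=""" & Path.GetFileName(fullPath) & """")
        context.Response.WriteFile(fullPath)
        context.Response.End()
    End Sub

    ' Returns the canonical path inside DocumentRoot, or Nothing when the name
    ' is missing, contains a path component, or canonicalises outside the root.
    Public Shared Function ResolvePath(ByVal requested As String) As String
        If requested Is Nothing OrElse requested.Length = 0 Then Return Nothing
        ' Only bare file names are accepted: no "\", "/" or drive/stream colons.
        If requested.IndexOfAny(New Char() {"\"c, "/"c, ":"c}) >= 0 Then Return Nothing
        Dim root As String = Path.GetFullPath(DocumentRoot & "\")
        Dim candidate As String = Path.GetFullPath(Path.Combine(root, requested))
        ' Belt and braces: ".." alone would canonicalise to the parent folder.
        If Not candidate.ToLower().StartsWith(root.ToLower()) Then Return Nothing
        Return candidate
    End Function

    Public Shared Function ContentTypeFor(ByVal ext As String) As String
        Select Case ext.ToLower()
            Case ".pdf" : Return "application/pdf"
            Case ".doc" : Return "application/msword"
            Case ".xls" : Return "application/vnd.ms-excel"
            Case Else : Return "application/octet-stream"
        End Select
    End Function

    Public ReadOnly Property IsReusable() As Boolean Implements IHttpHandler.IsReusable
        Get
            Return True
        End Get
    End Property
End Class
```

Save it as SecureDownload.ashx with a WebHandler directive (Language="VB" Class="SecureDownload") at the top, or register the class under <httpHandlers>, and link to it as SecureDownload.ashx?file=report.pdf. Classic .asp pages are not a fit for this route: the handler streams bytes, so an .asp file would be delivered as source text rather than executed.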
I just tried your solution daffodils, and whilst it does certainly block access to the files if you are not forms-authenticated, it also seems to block the files when you are authenticated (same error message too).  Do I need to add a handler in the code for these extensions too?
This is the error I get on any files in protected directories (Those with location elements), this happens if I am authenticated or not:

----------------------------------------------------------------------------
You are not authorized to view this page
The URL you attempted to reach has an ISAPI or CGI application installed that verifies user credentials before proceeding. This application cannot verify your credentials.

Please try the following:

    * Contact the Web site administrator if you believe you should be able to view this directory or page.
    * Click the Refresh button to try again with different credentials.

HTTP Error 401.5 - Unauthorized: Authorization failed by an ISAPI/CGI application.
Internet Information Services (IIS)
----------------------------------------------------------------------------

Files download ok when placed in non-protected directories.  For testing purposes, everyone given full permissions to protected directories.
Hmm.. I had tried this file-mapping option by adding "C:\WINNT.............\aspnet_isapi.dll"
as a .htm handler for my web server, and the authentication credentials were invoked properly.

In your case, does this error occur for all files or just for non-aspx files ??
Also.. did you restart IIS?
Stop and start IIS. In Internet Services Manager, check that you have read / execute permissions for the directory.
Ah, hadn't restarted the server (and I was only getting the error on non-aspx files).  Thanks.  Would still like any other solutions if anyone has them please.
Thanks for the help.  It's a shame that there's not a better way to do it, but that's life!