Securing non-aspx files with forms authentication / location files.

Posted on 2004-08-10
Last Modified: 2008-10-31
I've recently written a little app that uses roles and forms authentication so that only users with a certain role type can get access to a specific section of the site.  The problem I have is this - there are non-aspx files in the site (asp, xls, pdf, doc files) that you can still get access to provided that you know the URL (you don't need to log in).  Is there any way around this?

I have the following addition in my web.config file:

      <location path="admin" >
      <system.web>
            <authorization>
                  <deny users="?" />
                  <allow roles="Administrator" />
                  <!-- Rules are matched top-down, first hit wins. Without this final deny,
                       the <allow users="*" /> inherited from machine.config lets any
                       logged-in user into /admin, not just Administrators. -->
                  <deny users="*" />
            </authorization>
      </system.web>
      </location>

And the code I'm using to handle roles is something like this:

      ' Needs Imports System.Security.Principal and Imports System.Web.Security at the top of the page.
      Dim intUserId As Integer = -1
      Dim strUserAlias As String = txtUserAlias.Text

      If WebSecurity.IsValidUser(strUserAlias, Me.txtUserPassword.Text, intUserId) Then
            ' One role per user, so a one-element array. (Dim strRoles(1) declares TWO
            ' elements in VB.NET, indices 0 and 1, and leaves a Nothing entry in the role list.)
            Dim strRoles(0) As String

            FormsAuthentication.SetAuthCookie(strUserAlias, False)

            strRoles(0) = WebSecurity.GetUserRole(strUserAlias)
            'Add the roles to the User Principal.
            'Note: this only lasts for the current request. On the next request ASP.NET builds
            'a fresh principal from the forms cookie, with no roles, so the roles have to be
            'attached again there (Application_AuthenticateRequest in Global.asax) before
            '<allow roles="Administrator"> can ever match.
            HttpContext.Current.User = New GenericPrincipal(User.Identity, strRoles)

            Dim context As System.Web.HttpContext = System.Web.HttpContext.Current
            context.Session("intUserID") = intUserId

            If strRoles(0) = "Administrator" Then
                  Response.Redirect("/admin/admin.aspx")
            End If
      Else
            'Do something else
      End If

Is what I'm trying to achieve here possible?  I'm thinking of impersonating a user with appropriate permissions on admin login, but I'm not sure if doing that forces the aspnet account to impersonate that user or if it swaps over the anonymous IIS user to the impersonated user.

There must be some way of doing this.  It seems a little half assed as a security method as it is!

Thanks in advance.
Question by:Psychotext
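The reason the `<allow roles="Administrator" />` rule in the question can only work by accident is that the `GenericPrincipal` built in the login page lives for one request; every later request (including a .pdf request once that extension is handed to ASP.NET) gets a principal with no roles. The following is an added example, not code from the question or from any poster: it carries the role in the forms ticket's UserData at login and rebuilds a role-carrying principal on every request in Global.asax. Assumptions of this example: one role per user, obtained from the poster's `WebSecurity.GetUserRole` helper; roles stored "|"-separated in UserData (this example's own convention); a 30-minute ticket; and the default `protection="All"` on `<forms>`, under which `FormsAuthentication.Encrypt` both encrypts and MACs the ticket so the client cannot edit its role list.

```vbnet
Imports System
Imports System.Security.Principal
Imports System.Web
Imports System.Web.Security

' Helper shared by the login page and Global.asax (added example, not the thread's code).
Public Class RoleTicket
    Private Const Separator As String = "|"   ' assumption: role list delimiter in UserData

    ' Login page: use this instead of FormsAuthentication.SetAuthCookie, e.g.
    '   Response.Cookies.Add(RoleTicket.Issue(strUserAlias, _
    '       New String() {WebSecurity.GetUserRole(strUserAlias)}))
    Public Shared Function Issue(ByVal userAlias As String, ByVal roles() As String) As HttpCookie
        Dim ticket As New FormsAuthenticationTicket( _
            1, userAlias, DateTime.Now, DateTime.Now.AddMinutes(30), _
            False, String.Join(Separator, roles))
        ' Encrypt() applies the <forms protection="..."> setting; with the default "All"
        ' the ticket is encrypted and signed, so the role list is not client-editable.
        Return New HttpCookie(FormsAuthentication.FormsCookieName, FormsAuthentication.Encrypt(ticket))
    End Function

    Public Shared Function ParseRoles(ByVal userData As String) As String()
        If userData Is Nothing OrElse userData.Trim().Length = 0 Then
            Return New String() {}
        End If
        Return userData.Split(Separator.ToCharArray())
    End Function
End Class

' Global.asax code-behind (point the @ Application directive's Inherits at this class).
Public Class Global_asax
    Inherits HttpApplication

    ' Fires on every request ASP.NET handles: .aspx now, .pdf/.xls/.doc too once those
    ' extensions are mapped to aspnet_isapi.dll. FormsAuthenticationModule has already
    ' turned the cookie into a FormsIdentity with no roles, and UrlAuthorizationModule
    ' (which enforces <allow roles="..."> in <location>) runs after this event, so this
    ' is the place to attach the roles.
    Protected Sub Application_AuthenticateRequest(ByVal sender As Object, ByVal e As EventArgs)
        If Context.User Is Nothing OrElse Not Context.User.Identity.IsAuthenticated Then Return
        If Not TypeOf Context.User.Identity Is FormsIdentity Then Return

        Dim id As FormsIdentity = CType(Context.User.Identity, FormsIdentity)
        Context.User = New GenericPrincipal(id, RoleTicket.ParseRoles(id.Ticket.UserData))
    End Sub
End Class
```

With this in place the `HttpContext.Current.User = New GenericPrincipal(...)` line in the login page becomes unnecessary, and the `<location path="admin">` rules are evaluated against the same role-bearing principal on every request, whatever the file extension, as long as the request actually reaches ASP.NET.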
15 Comments
 
LVL 17

Expert Comment

by:AerosSaga
ID: 11767013
Here's a premade component to do it:

http://www.iprisma.com/aspbridge/

Regards,

Aeros
 
LVL 17

Expert Comment

by:AerosSaga
ID: 11767016
disregard previous post sorry wrong question
 
LVL 17

Expert Comment

by:AerosSaga
ID: 11767071
Restrict the ASP.NET / NETWORK SERVICE account's NTFS permissions on the aforementioned documents.

http://support.microsoft.com/default.aspx?scid=kb;en-us;326214

Regards,

Aeros
 
LVL 17

Expert Comment

by:AerosSaga
ID: 11767106
The account you restrict depends on your OS: ASPNET if you're using 2000, NETWORK SERVICE if 2003.
 
LVL 8

Accepted Solution

by:
daffodils earned 500 total points
ID: 11767679
One way is to have IIS map those file extensions to aspnet_isapi.dll.
Thus requests for those extensions will be handed to aspnet_wp.exe, which is protected by the ASP.NET application.
Another way is to write a custom module and register it in the web.config.

Look at this discussion:
http://www.dotnet247.com/247reference/msgs/26/131117.aspx

To get forms authentication you need the extension to at least be processed by the ASP.NET ISAPI filter. You can do this by adding the extensions you want to the filter list in IIS. You can do this at any level (the web site, an application, etc...). For example, you can:
1. Right-click on your application folder in IIS and bring up its properties.
2. Select the Directory tab.
3. Select the Configuration button.
4. Select the Mappings tab.
5. Copy the path that is configured for .aspx (should be something like:
C:\WINDOWS\Microsoft.NET\Framework\v1.0.3705\aspnet_isapi.dll)
6. Add a new entry for each extension you want to secure with the path you copied from step 5.
Those extensions will now be processed by the ASP.NET ISAPI filter and will require forms authentication.
 
LVL 2

Author Comment

by:Psychotext
ID: 11768175
I was thinking about the file extension mapping... but it seems to me I'd always miss one or the other so I need to try and get it done by default.  I'm going to do some permissions testing later, but I've got a nasty feeling that daffodils' solution is the only way. (Not that it's a bad solution daffodils, it's just a little painful if you want to lock down every possible file type.)
 
LVL 8

Expert Comment

by:daffodils
ID: 11768324
Actually you are right there... it is definitely painful!
In the forum posting, one option given is writing a custom module... but as I see it, even that requires adding every single file type.
It might be better to write a batch script that runs at deployment and updates the file extension mapping in IIS... in that case, one can add the extension types to the script and not open up IIS every time you want to add a file type.
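The manual mapping steps in the accepted solution and the deployment-script idea just above come to the same thing: adding ScriptMaps entries on the IIS metabase node for the application. The following is an added example, not code from the thread, that does it through the IIS ADSI provider from a small VB.NET console program. It assumes the default web site (metabase path `IIS://localhost/W3SVC/1/Root`), an existing `.aspx` entry to copy the aspnet_isapi.dll path and flags from (so it follows whatever Framework version is registered), this particular extension list, a reference to System.DirectoryServices, and an account allowed to write the metabase.

```vbnet
Imports System
Imports System.DirectoryServices

' Added example (not from the thread): register extra extensions with aspnet_isapi.dll
' at deployment time instead of clicking through Application Configuration.
Module AddScriptMaps
    ' Assumption: the extensions that must go through ASP.NET so forms auth applies.
    ' .asp is deliberately absent: a script map is one-per-extension, so pointing .asp at
    ' aspnet_isapi.dll would stop asp.dll from running those pages rather than protect them.
    Private ReadOnly Extensions() As String = {".pdf", ".doc", ".xls"}

    Sub Main()
        ' Assumption: default web site root. Use ".../Root/admin" to map only one folder.
        Dim root As New DirectoryEntry("IIS://localhost/W3SVC/1/Root")
        Dim maps As PropertyValueCollection = root.Properties("ScriptMaps")

        ' Snapshot the current entries as strings for lookup.
        Dim current(maps.Count - 1) As String
        Dim i As Integer
        For i = 0 To maps.Count - 1
            current(i) = CStr(maps(i))
        Next

        Dim aspxMap As String = FindMap(current, ".aspx")
        If aspxMap Is Nothing Then
            Throw New InvalidOperationException( _
                "No .aspx script map on this node; run aspnet_regiis -i first.")
        End If

        Dim ext As String
        For Each ext In Extensions
            If FindMap(current, ext) Is Nothing Then
                maps.Add(BuildMap(ext, aspxMap))
                Console.WriteLine("mapped " & ext)
            Else
                Console.WriteLine("already mapped " & ext)
            End If
        Next
        root.CommitChanges()
        ' The thread found the new mappings only took effect after IIS was restarted.
    End Sub

    ' A ScriptMaps entry looks like ".aspx,C:\...\aspnet_isapi.dll,1,GET,HEAD,POST,DEBUG".
    Public Function FindMap(ByVal maps() As String, ByVal ext As String) As String
        Dim m As String
        For Each m In maps
            If m.ToLower().StartsWith(ext.ToLower() & ",") Then Return m
        Next
        Return Nothing
    End Function

    ' Reuse the .aspx entry's dll path and flags. Only GET and HEAD are listed: the
    ' static-file handler ASP.NET falls back to for unknown extensions serves those verbs,
    ' and nothing should be POSTing to a .pdf.
    Public Function BuildMap(ByVal ext As String, ByVal aspxMap As String) As String
        Dim parts() As String = aspxMap.Split(","c)
        Return ext & "," & parts(1) & "," & parts(2) & ",GET,HEAD"
    End Function
End Module
```

Keeping the extension list in one place in the deployment step is the point, but it does not remove the "missed one" risk; it only makes the list reviewable. On IIS 6 a wildcard application map (`*`) routes every extension through aspnet_isapi.dll and closes that gap at the cost of ASP.NET serving all static content; whether that applies here depends on the server's OS, which the thread does not state.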
 
LVL 2

Author Comment

by:Psychotext
ID: 11768337
Oh, in reply to AerosSaga - unfortunately it looks as though it isn't actually as simple as just changing the permissions.  Without daffodils' step, the system does not actually know to use the aspnet / network account for the files.  You can do it in aspx pages with IHttpHandler / HttpContext but in this case the system will not put these file queries through the asp.net code.
 
LVL 2

Author Comment

by:Psychotext
ID: 11768450
Something just doesn't seem right about this.

If I was accessing the files only through aspx pages it would be easy (Give permissions to aspnet account and have it act as intermediary for all files (No access to anonymous users unless going through .net pages).  If I wanted to stop general access I could just use integrated authentication and appropriate permissions.

But there just doesn't seem any way of tying the two in easily.  I think I might just have to force the issue and write the code to provide an in-page file explorer and allow no direct access to the files.  As for special files such as asp etc I will just have to use the file extension solution from above.  Any other solutions appreciated!
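The "intermediary" approach described in the comment above sidesteps the extension-mapping problem entirely: if the documents live outside the web root, there is no URL for them at all, and the only way to fetch one is through ASP.NET code that checks the role itself. The following is an added example, not the poster's code, of such a download handler in VB.NET. Its assumptions: the store path `D:\SecureFiles\admin` (outside wwwroot, readable by the ASP.NET process account only), the `file` query-string parameter name, and registration in web.config as `<httpHandlers><add verb="GET" path="download.ashx" type="DownloadHandler" /></httpHandlers>` (qualify the type with the assembly name if it is compiled into one). `.ashx` is already mapped to aspnet_isapi.dll by aspnet_regiis, so no new script map is needed.

```vbnet
Imports System
Imports System.IO
Imports System.Web

' Added example (not the thread's code): serve files from a non-web folder only to
' Administrators, and only by bare file name, so no path can escape the store.
Public Class DownloadHandler
    Implements IHttpHandler

    Private Const StoreRoot As String = "D:\SecureFiles\admin"   ' assumption: outside wwwroot

    Public Sub ProcessRequest(ByVal context As HttpContext) Implements IHttpHandler.ProcessRequest
        ' 403 rather than 401: under forms authentication a 401 is turned into a redirect to
        ' the login page, which is wrong for a user who is logged in but lacks the role.
        If Not context.User.Identity.IsAuthenticated _
           OrElse Not context.User.IsInRole("Administrator") Then
            context.Response.StatusCode = 403
            Return
        End If

        Dim fullPath As String = ResolveWithinStore(StoreRoot, context.Request.QueryString("file"))
        If fullPath Is Nothing OrElse Not File.Exists(fullPath) Then
            context.Response.StatusCode = 404
            Return
        End If

        context.Response.ContentType = "application/octet-stream"
        context.Response.AppendHeader("Content-Disposition", _
            "attachment; filename=""" & Path.GetFileName(fullPath) & """")
        context.Response.WriteFile(fullPath)
    End Sub

    ' Maps a requested name onto the store and returns the full path, or Nothing when the
    ' request tries to leave it. Only a bare file name is accepted, so "..\web.config",
    ' "x/../../boot.ini" and "C:\x" are rejected before Path.Combine ever sees them; the
    ' prefix check afterwards is defence in depth.
    Public Shared Function ResolveWithinStore(ByVal storeRoot As String, ByVal requested As String) As String
        If requested Is Nothing OrElse requested.Trim().Length = 0 Then Return Nothing
        If requested.IndexOfAny(New Char() {"\"c, "/"c, ":"c}) >= 0 Then Return Nothing
        If requested = "." OrElse requested = ".." Then Return Nothing

        Dim rootFull As String = Path.GetFullPath(storeRoot)
        If Not rootFull.EndsWith("\") Then rootFull &= "\"
        Dim candidate As String = Path.GetFullPath(Path.Combine(rootFull, requested))
        ' Windows paths are case-insensitive, so compare lower-cased.
        If Not candidate.ToLower().StartsWith(rootFull.ToLower()) Then Return Nothing
        Return candidate
    End Function

    Public ReadOnly Property IsReusable() As Boolean Implements IHttpHandler.IsReusable
        Get
            Return True
        End Get
    End Property
End Class
```

The NTFS side of this is what AerosSaga described: grant the ASP.NET process account (ASPNET on Windows 2000, NETWORK SERVICE on 2003) read access to the store and nobody else, so the anonymous IIS user never has a path to the files. For an "in-page file explorer" the listing page would enumerate the store with `Directory.GetFiles` and emit links of the form `download.ashx?file=name`, leaving the handler as the single chokepoint.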
 
LVL 2

Author Comment

by:Psychotext
ID: 11768629
I just tried your solution daffodils, and whilst it does certainly block access to the files if you are not forms authenticated, it also seems to block the files when you are authenticated (Same error message too).  Do I need to add in a handler in the code for these extensions too?
 
LVL 2

Author Comment

by:Psychotext
ID: 11768780
This is the error I get on any files in protected directories (Those with location elements), this happens if I am authenticated or not:

----------------------------------------------------------------------------
You are not authorized to view this page
The URL you attempted to reach has an ISAPI or CGI application installed that verifies user credentials before proceeding. This application cannot verify your credentials.

Please try the following:

    * Contact the Web site administrator if you believe you should be able to view this directory or page.
    * Click the Refresh button to try again with different credentials.

HTTP Error 401.5 - Unauthorized: Authorization failed by an ISAPI/CGI application.
Internet Information Services (IIS)
----------------------------------------------------------------------------

Files download ok when placed in non-protected directories.  For testing purposes, everyone given full permissions to protected directories.
 
LVL 8

Expert Comment

by:daffodils
ID: 11768827
Hmm... I had tried this file-mapping option by adding "C:\WINNT.............\aspnet_isapi.dll"
as a .htm handler for my web server and the authentication credentials were invoked properly.

In your case, does this error occur for all files or just for non-aspx files?
 
LVL 8

Expert Comment

by:daffodils
ID: 11768874
Also.. did you restart IIS?
Stop and start IIS. In Internet Service Manager check that you have read / execute permissions for the directory.
 
LVL 2

Author Comment

by:Psychotext
ID: 11769097
Ah, hadn't restarted the server (and I was only getting the error on non-aspx files).  Thanks.  Would still like any other solutions if anyone has them please.
 
LVL 2

Author Comment

by:Psychotext
ID: 11869569
Thanks for the help.  It's a shame that there's not a better way to do it, but that's life!