Solved

Securing non-aspx files with forms authentication / location files.

Posted on 2004-08-10
815 Views
Last Modified: 2008-10-31
I've recently written a little app that uses roles and forms authentication so that only users with a certain role type can get access to a specific section of the site. The problem I have is this: there are non-aspx files in the site (asp, xls, pdf, doc files) that you can still get access to provided that you know the URL (you don't need to log in). Is there any way around this?

I have the following addition in my web.config file:

      <location path="admin" >
      <system.web>
            <authorization>
                  <deny users="?" />
                  <allow roles="Administrator" />
                  <!-- Rules are matched top-down and the inherited default (machine.config)
                       is <allow users="*" />, so without this final deny any logged-in
                       user who is NOT an Administrator still falls through and gets in. -->
                  <deny users="*" />
            </authorization>
      </system.web>
      </location>

And the code I'm using to handle roles is something like this:

      ' Needs Imports System.Web.Security and Imports System.Security.Principal
      ' at the top of the code-behind.
      Dim intUserId As Integer = -1
      Dim strUserAlias As String = txtUserAlias.Text

      If WebSecurity.IsValidUser(strUserAlias, Me.txtUserPassword.Text, intUserId) Then
            Dim strRole As String = WebSecurity.GetUserRole(strUserAlias)
            ' Was Dim strRoles(1): in VB.NET that is a TWO-element array whose second
            ' entry is Nothing, which GenericPrincipal does not like.
            Dim strRoles() As String = {strRole}

            ' Put the role in the ticket's UserData so it survives the redirect.
            ' The principal assigned further down lives for THIS request only; every
            ' later request must rebuild it in Application_AuthenticateRequest
            ' (Global.asax), otherwise <allow roles="Administrator" /> never matches.
            Dim ticket As New FormsAuthenticationTicket(1, strUserAlias, DateTime.Now, _
                  DateTime.Now.AddMinutes(30), False, strRole)
            Response.Cookies.Add(New HttpCookie(FormsAuthentication.FormsCookieName, _
                  FormsAuthentication.Encrypt(ticket)))

            ' Use the forms identity, not User.Identity, which at this point is still
            ' the anonymous identity of the unauthenticated login request.
            HttpContext.Current.User = New GenericPrincipal(New FormsIdentity(ticket), strRoles)

            HttpContext.Current.Session("intUserID") = intUserId

            If strRole = "Administrator" Then
                  Response.Redirect("/admin/admin.aspx")
            End If
      Else
            'Do something else
      End If

Is what I'm trying to achieve here possible?  I'm thinking of impersonating a user with appropriate permissions on admin login, but I'm not sure if doing that forces the aspnet account to impersonate that user or if it swaps over the anonymous IIS user to the impersonated user.

There must be some way of doing this. It seems a little half-assed as a security method as it is!

Thanks in advance.
Question by:Psychotext
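The piece the posted login code relies on but does not show: whatever principal the login page assigns to HttpContext.Current.User is gone on the next request, so role checks such as `<allow roles="Administrator" />` need the roles re-attached on every request. The handler below is an added example (not the questioner's code); it assumes the login page stored the role name(s), comma-separated, in the forms ticket's UserData (i.e. it issued a FormsAuthenticationTicket itself instead of calling SetAuthCookie), and that the site uses the default `protection="All"` so the ticket cannot be forged.

```vbnet
' Global.asax.vb (added example; not the questioner's code). Requires
' Imports System.Web.Security and Imports System.Security.Principal.
' Rebuilds the role-carrying principal from the forms ticket on every request.
Sub Application_AuthenticateRequest(ByVal sender As Object, ByVal e As EventArgs)
      Dim ctx As HttpContext = HttpContext.Current

      ' FormsAuthenticationModule has already run. If the cookie validated it left a
      ' GenericPrincipal holding a FormsIdentity and NO roles; anonymous requests
      ' (and any other identity type) are left alone.
      If ctx.User Is Nothing OrElse Not ctx.User.Identity.IsAuthenticated Then Return
      If Not TypeOf ctx.User.Identity Is FormsIdentity Then Return

      Dim formsId As FormsIdentity = DirectCast(ctx.User.Identity, FormsIdentity)

      ' Assumption: UserData holds "Administrator" or "RoleA,RoleB". An older cookie
      ' issued by SetAuthCookie has empty UserData and therefore gets no roles.
      Dim roles() As String = New String() {}
      If formsId.Ticket.UserData.Length > 0 Then
            roles = formsId.Ticket.UserData.Split(","c)
      End If

      ' The role list can be trusted only because the ticket is encrypted and signed
      ' with the machineKey (protection="All", the default). With protection="None"
      ' or "Encryption" a client could forge it, so do not weaken that setting.
      ctx.User = New GenericPrincipal(formsId, roles)
End Sub
```

With this in place, `User.IsInRole("Administrator")` works in any page or handler, and the `<location path="admin">` rules finally have something to match. Keep UserData short (the whole cookie has to fit in about 4 KB) and re-issue the ticket when a user's role changes.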
15 Comments
 
LVL 17

Expert Comment

by:AerosSaga
Here's a premade component to do it:

http://www.iprisma.com/aspbridge/

Regards,

Aeros
 
LVL 17

Expert Comment

by:AerosSaga
disregard previous post sorry wrong question
 
LVL 17

Expert Comment

by:AerosSaga
Restrict the ASP.NET / NETWORK SERVICE account's NTFS permissions on the aforementioned documents.

http://support.microsoft.com/default.aspx?scid=kb;en-us;326214

Regards,

Aeros
 
LVL 17

Expert Comment

by:AerosSaga
The account you restrict depends on your OS: ASP.NET if you're using 2000, NETWORK SERVICE if 2003.
 
LVL 8

Accepted Solution

by:
daffodils earned 500 total points
One of the ways is to have IIS map those file extensions to aspnet_isapi.dll.
Thus requests for those extensions will be handed to aspnet_wp.exe, which is protected by the ASP.NET application.
Another way is to write a custom module and register it in web.config.

Look at this discussion:
http://www.dotnet247.com/247reference/msgs/26/131117.aspx

To get forms authentication you need the extension to at least be processed by the ASP.NET ISAPI filter. You can do this by adding the extensions you want to the filter list in IIS. You can do this at any level (the web site, an application, etc.). For example, you can
1. right-click on your application folder in IIS and bring up its properties.
2. Select the Directory tab.
3. Select the Configuration button.
4. Select the Mappings tab.
5. Copy the path that is configured for .aspx (should be something like:
C:\WINDOWS\Microsoft.NET\Framework\v1.0.3705\aspnet_isapi.dll)
6. Add a new entry for each extension you want to secure with the path you copied from step 5.
Those extensions will now be processed by the ASP.NET ISAPI filter and will require forms authentication.
 
LVL 2

Author Comment

by:Psychotext
I was thinking about the file extension mapping... but it seems to me I'd always miss one or the other, so I need to try and get it done by default. I'm going to do some permissions testing later, but I've got a nasty feeling that daffodils' solution is the only way. (Not that it's a bad solution daffodils, it's just a little painful if you want to lock down every possible file type.)
 
LVL 8

Expert Comment

by:daffodils
Actually you are right there... it is definitely painful!
In the forum posting, one option is given as writing a custom module... but as I see it, even that requires adding every single file type.
It might be better to write a batch script that runs at deployment and updates the file extension mapping in IIS. In that case, one can add the extension types to the script and not open up IIS every time you want to add a file type.
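The deployment script suggested above, written out as an added example that is not part of the thread: instead of a batch file it is a small VB.NET console tool (matching the language of the posted code) that uses the IIS ADSI provider through System.DirectoryServices to do exactly what the six manual steps in the accepted answer do, i.e. read the .aspx script map and copy it onto the extensions you list. The metabase path (`IIS://localhost/W3SVC/1/Root/MyApp`), the module name and the extension list are placeholders for your own deployment; it assumes IIS 5/6 and a project reference to System.DirectoryServices.

```vbnet
' ScriptMapDeploy (added example; not daffodils' or the questioner's code).
' Copies the existing .aspx script map onto further extensions so IIS hands those
' requests to aspnet_isapi.dll and the web.config <location>/<authorization>
' rules apply to them. Requires a reference to System.DirectoryServices.
Imports System
Imports System.Collections.Specialized
Imports System.DirectoryServices

Module ScriptMapDeploy

      ' A ScriptMaps entry looks like  extension,isapi-path,flags,verbs  e.g.
      ' ".aspx,C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\aspnet_isapi.dll,1,GET,HEAD,POST,DEBUG"
      ' The dll path belongs to the installed framework, so it is read from the
      ' .aspx entry rather than hardcoded.
      Function ExtensionOf(ByVal entry As String) As String
            Return entry.Substring(0, entry.IndexOf(","c)).ToLower()
      End Function

      Sub Main(ByVal args() As String)
            ' args(0)   : metabase path of the application, e.g. IIS://localhost/W3SVC/1/Root/MyApp (placeholder)
            ' args(1..) : extensions to protect, e.g. .pdf .doc .xls
            If args.Length < 2 Then
                  Console.WriteLine("usage: ScriptMapDeploy <metabase-path> <.ext> [.ext ...]")
                  Return
            End If

            Dim app As New DirectoryEntry(args(0))
            Dim maps As PropertyValueCollection = app.Properties("ScriptMaps")

            ' Locate the .aspx mapping and keep everything after the extension.
            Dim aspxTail As String = Nothing
            Dim alreadyMapped As New StringCollection
            For Each entry As String In maps
                  alreadyMapped.Add(ExtensionOf(entry))
                  If ExtensionOf(entry) = ".aspx" Then
                        aspxTail = entry.Substring(entry.IndexOf(","c))
                  End If
            Next
            If aspxTail Is Nothing Then
                  Throw New ApplicationException(".aspx is not mapped on " & args(0) & "; is ASP.NET registered (aspnet_regiis -i)?")
            End If

            For i As Integer = 1 To args.Length - 1
                  Dim ext As String = args(i).ToLower()
                  If Not ext.StartsWith(".") Then ext = "." & ext
                  If alreadyMapped.Contains(ext) Then
                        Console.WriteLine("skip  " & ext & "  (already mapped, left untouched)")
                  Else
                        maps.Add(ext & aspxTail)
                        Console.WriteLine("add   " & ext & aspxTail)
                  End If
            Next

            app.CommitChanges()
            Console.WriteLine("Done. Run iisreset so the new mappings take effect.")
      End Sub

End Module
```

Two caveats a practitioner will want. First, this protects static documents (pdf, xls, doc) but not classic .asp pages: once .asp is routed to aspnet_isapi.dll, ASP.NET handles it, and the 1.x machine.config maps `*.asp` to HttpForbiddenHandler, so those pages stop running instead of being protected. Second, to address the "I'd always miss one" worry, IIS 5 accepts `.*` as an extension (clear "Check that file exists" for it) and IIS 6 has wildcard application maps; either sends every request through ASP.NET, whose built-in StaticFileHandler then serves the files after authorization. And, as the thread found out, none of it takes effect until IIS is restarted.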
 
LVL 2

Author Comment

by:Psychotext
Oh, in reply to AerosSaga: unfortunately it looks as though it isn't actually as simple as just changing the permissions. Without daffodils' step, the system does not actually know to use the aspnet / network account for the files. You can do it in aspx pages with IHttpHandler / HttpContext, but in this case the system will not put these file queries through the ASP.NET code.
 
LVL 2

Author Comment

by:Psychotext
Something just doesn't seem right about this.

If I was accessing the files only through aspx pages it would be easy (give permissions to the aspnet account and have it act as intermediary for all files; no access to anonymous users unless going through .NET pages). If I wanted to stop general access I could just use integrated authentication and appropriate permissions.

But there just doesn't seem any way of tying the two in easily.  I think I might just have to force the issue and write the code to provide an in-page file explorer and allow no direct access to the files.  As for special files such as asp etc I will just have to use the file extension solution from above.  Any other solutions appreciated!
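The "in-page file explorer, no direct access" idea from the comment above, and the "custom module" option from the accepted answer, in working form as an added example (not the questioner's code). The documents live in a folder outside the web root, so no URL maps onto them; the only way to them is a .ashx handler that ASP.NET always processes regardless of IIS mappings, and that handler checks the role and canonicalises the requested name before touching the disk. It assumes roles are attached to the principal on every request (e.g. in Application_AuthenticateRequest); the namespace SecureDocs, the class DocumentHandler, the folder D:\ProtectedDocs and the URL docs.ashx are placeholders.

```vbnet
' SecureDocs.DocumentHandler (added example; not the questioner's code).
' Register in web.config (inside <system.web>), assembly name is a placeholder:
'   <httpHandlers>
'     <add verb="GET" path="docs.ashx" type="SecureDocs.DocumentHandler, SecureDocs" />
'   </httpHandlers>
' Then link to /docs.ashx?file=report.pdf from the admin pages.
Imports System
Imports System.IO
Imports System.Web

Namespace SecureDocs
      Public Class DocumentHandler
            Implements IHttpHandler

            ' Outside the web root: IIS never serves from here, whatever extension is asked for.
            Private Const DocRoot As String = "D:\ProtectedDocs\"

            Public ReadOnly Property IsReusable() As Boolean Implements IHttpHandler.IsReusable
                  Get
                        Return True
                  End Get
            End Property

            Public Sub ProcessRequest(ByVal context As HttpContext) Implements IHttpHandler.ProcessRequest
                  ' Authorization happens here, in code, so it cannot be bypassed by a
                  ' file type that IIS would otherwise serve without asking ASP.NET.
                  If Not context.User.IsInRole("Administrator") Then
                        context.Response.StatusCode = 403
                        context.Response.End()
                  End If

                  Dim fullPath As String = ResolveDocument(context.Request.QueryString("file"))
                  If fullPath Is Nothing OrElse Not File.Exists(fullPath) Then
                        context.Response.StatusCode = 404
                        context.Response.End()
                  End If

                  context.Response.ContentType = ContentTypeFor(fullPath)
                  context.Response.AddHeader("Content-Disposition", _
                        "attachment; filename=""" & Path.GetFileName(fullPath) & """")
                  context.Response.WriteFile(fullPath)
            End Sub

            ' Canonicalise and insist the result still lies under DocRoot. This rejects
            ' ..\ sequences, absolute paths and drive letters smuggled into ?file=.
            Public Shared Function ResolveDocument(ByVal name As String) As String
                  If name Is Nothing OrElse name.Length = 0 Then Return Nothing
                  Dim full As String = Path.GetFullPath(Path.Combine(DocRoot, name))
                  If Not full.ToLower().StartsWith(DocRoot.ToLower()) Then Return Nothing
                  Return full
            End Function

            Public Shared Function ContentTypeFor(ByVal filePath As String) As String
                  Select Case Path.GetExtension(filePath).ToLower()
                        Case ".pdf" : Return "application/pdf"
                        Case ".doc" : Return "application/msword"
                        Case ".xls" : Return "application/vnd.ms-excel"
                        Case Else : Return "application/octet-stream"
                  End Select
            End Function
      End Class
End Namespace
```

This is where AerosSaga's NTFS point comes in: the worker process account (ASPNET on 2000/XP, NETWORK SERVICE on 2003) needs Read on D:\ProtectedDocs and nobody else does, and because the folder is not under the site nothing needs to be added to the IIS mappings for new file types. Classic .asp pages still cannot be protected this way, since they have to execute rather than be streamed.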
 
LVL 2

Author Comment

by:Psychotext
I just tried your solution daffodils, and whilst it does certainly block access to the files if you are not forms authenticated, it also seems to block the files when you are authenticated (Same error message too).  Do I need to add in a handler in the code for these extensions too?
 
LVL 2

Author Comment

by:Psychotext
This is the error I get on any files in protected directories (Those with location elements), this happens if I am authenticated or not:

----------------------------------------------------------------------------
You are not authorized to view this page
The URL you attempted to reach has an ISAPI or CGI application installed that verifies user credentials before proceeding. This application cannot verify your credentials.

Please try the following:

    * Contact the Web site administrator if you believe you should be able to view this directory or page.
    * Click the Refresh button to try again with different credentials.

HTTP Error 401.5 - Unauthorized: Authorization failed by an ISAPI/CGI application.
Internet Information Services (IIS)
----------------------------------------------------------------------------

Files download ok when placed in non-protected directories.  For testing purposes, everyone given full permissions to protected directories.
 
LVL 8

Expert Comment

by:daffodils
Hmm... I had tried this file-mapping option by adding "C:\WINNT.............\aspnet_isapi.dll" as a .htm handler for my web server, and the authentication credentials were invoked properly.

In your case, does this error occur for all files or just for non-aspx files?
 
LVL 8

Expert Comment

by:daffodils
Also.. did you restart IIS?
Stop and start IIS. In Internet Service Manager check that you have read / execute permissions for the directory.
 
LVL 2

Author Comment

by:Psychotext
Ah, hadn't restarted the server (and I was only getting the error on non-aspx files).  Thanks.  Would still like any other solutions if anyone has them please.
 
LVL 2

Author Comment

by:Psychotext
Thanks for the help.  It's a shame that there's not a better way to do it, but that's life!
