Solved

Securing non-aspx files with forms authentication in IIS 6

Posted on 2006-11-17
Last Modified: 2008-03-04
Hello,

I want to secure Perl files and I mapped the isapi.dll in the wildcard application maps. When I request the pl file it goes to the authentication page, the user is authenticated and redirected to the Perl file. But the Perl file is shown as a plain text file and the code is shown. Am I missing something? Please help.

Thanks,
0
Question by:tamilgirl77
13 Comments
 
LVL 12

Expert Comment

by:AGBrown
ID: 17972361
Do your perl files run when they are not behind authentication? You can test this by setting the following in your web.config to allow anonymous users to the perl script:

<authorization>
      <allow users="?,*"/>
</authorization>

If that doesn't work then it suggests that the perl scripts are not mapped correctly to the perl engine. Do you have an httpHandlers section in your web.config?

Andy
0
 
LVL 12

Expert Comment

by:AGBrown
ID: 17972388
I think I just understood a bit more about what you've done. When you say you mapped isapi.dll in the wildcard application maps, do you mean through IIS 6.0? If so then I would recommend adding the following to the web.config file:

<httpHandlers>
    <add path="*" verb="GET,HEAD,POST" type="System.Web.DefaultHttpHandler" validate="False" />
</httpHandlers>

That way you protect any and every request to your application by your application's authentication mechanism. However, once authenticated, the httpHandlers section defines which engine gets passed the request. ".pl" extensions will then get passed back to IIS, which will decide what to do with them. The validate="false" bit means that if the file is virtual (i.e., not a physical file on disk, a situation you might get in a blogging engine) an error will not get thrown by isapi. You might like to make it equal to True if you know that all your files exist on disk.

I _think_ this will work, though I can't test it. Let me know how you do.

Andy
0
 

Author Comment

by:tamilgirl77
ID: 17974850
AGBrown,

Thanks for your replies. I added the httpHandlers to my web.config and it gave me the following error:

Could not load type System.Web.DefaultHttpHandler from assembly System.Web.

Yes, I mapped isapi.dll in wildcard app maps through IIS 6.0. When I insert this, my Perl file is being authenticated, but after authentication, the Perl file is shown as a text file with the original code in it.

Thanks,
0
LVL 34

Expert Comment

by:Dave_Dietz
ID: 17975818
This won't work.

Since you mapped the .pl extension to the ASP.Net ISAPI the file will be passed to ASP.Net for processing.

Since the file doesn't contain any actual ASP.Net code it simply spits out the file contents as is.

In order to have any sort of authentication done on the Perl files *and* have them work as expected you will need to do it in an ISAPI filter before the request gets handed to the Perl handler.

Or, you could move to IIS 7.0 (now available in Windows Vista) where this scenario (with some small changes) would work the way you want it to.  :-)

Dave Dietz
0
 

Author Comment

by:tamilgirl77
ID: 17976183
How do I do it in an ISAPI filter in IIS 6.0?

Thanks
0
 
LVL 34

Expert Comment

by:Dave_Dietz
ID: 17976266
You would have to write your own ISAPI filter that implemented some sort of forms based authentication or use a third-party solution.

ASP.Net is not designed to be used this way and has no built-in functionality to do so.  I should have been more clear in my initial answer since I see how it could be read that you might be able to use it this way.  Sorry for that.

Dave Dietz
0
 

Author Comment

by:tamilgirl77
ID: 17976335
Thank you, I might have to look into incorporating authentication in perl page then. Problem is I am not at all familiar with perl.

Thank you,
0
 
LVL 12

Expert Comment

by:AGBrown
ID: 17976640
I think that should have worked ... it works for various things that I protect that require different filters to process them. If you do this then ASP.NET only processes the authorization part of the handler to isapi, which then passes the rest back to IIS.

Have a look at the explanation on this (http://www.leastprivilege.com/default.aspx?date=2005-10-25) url. I don't think I missed anything out. The only thing that I can think is that you might be using an earlier version than .NET 2.0. Is that the case? If so then I don't think that 1.1 or 1.0 will allow you to do this.

Andy
0
 
LVL 34

Assisted Solution

by:Dave_Dietz
Dave_Dietz earned 600 total points
ID: 17976696
Mapping content to the aspnet_isapi.dll ISAPI extension will allow the .Net framework to be used to protect *static* content.  It will not work for any type of dynamic content that is supposed to be mapped to a different handler.

ASP.Net will process the request and send the response back to the client - it doesn't process what it can and then hand it off to something else for further processing.  The only thing that would make a difference here would be an ISAPI *filter* because it works at a very different place in the request processing pipeline.

Dave Dietz
0
 

Author Comment

by:tamilgirl77
ID: 17976713
AGBrown,

Yes, you are right, I am using the 1.1 version. Maybe that's why your suggestion does not work.

So my only possible solution is to incorporate something in the perl page directly.

Thank you
0
 
LVL 12

Accepted Solution

by:AGBrown
AGBrown earned 1400 total points
ID: 17976728
Ah well, there we go. I was just installing perl to check it for you. Unfortunately .NET only has the ability to easily protect non asp.net files under .NET 2.0.

Writing a filter could be annoying, but if you understand .NET forms authentication reasonably well, and assume that all your requests are nicely cookie based, it would be possible (http://www.codeproject.com/aspnet/isapilogger.asp?msg=1745768) to write a filter that complemented your .NET forms authentication.

Would it be possible to upgrade your application to .NET 2.0? I'm willing to bet that this might be your easiest option.

Andy
0
 

Author Comment

by:tamilgirl77
ID: 17976812
That's another question I wanted to start. I have about 7 or 8 sites running on 1.1. I have lots of database and XML applications. How does upgrading to 2.0 affect my application? I don't have a testing server, so I do not know the impact it will have on my sites.

Thank you both for your timely replies,
0
 
LVL 12

Expert Comment

by:AGBrown
ID: 17976844
Dave,

Are you sure? I'm pretty convinced that .NET 2.0 lets you protect both static and dynamic content using its own authentication. This however won't help tamilgirl, as she is using 1.1.

For .NET 2.0, as I understand it:
-Wildcard assignment means that the aspnet isapi dll gets first shout at handling the request,
-the designated HttpHandler (System.Web.DefaultHttpHandler) handles the request doing the authentication,
-it then passes it back to IIS by calling HSE_REQ_EXEC_URL.
-As System.Web.DefaultHttpHandler told IIS "not mine" (assuming it passed authentication and authorisation tests) IIS continues handling and eventually chooses the appropriate script map for the extension (after any other wildcard maps have also run).

This does require that wildcard mappings be set, and that the appropriate perl extensions also be mapped in the ScriptMaps property to the perl scripting engine.

The downside? Performance; ASPNET authentication/authorisation now handles every single file. I just binned my perl installation, and I can't now go back and test it until tomorrow to check all this with perl. I did spend half an hour searching for the MSDN reference that I read which talks about this, to no avail. I found a couple of new ones though.

Andy

Refs:
http://msdn2.microsoft.com/en-gb/library/system.web.defaulthttphandler.aspx
http://blogs.msdn.com/david.wang/archive/2005/08/29/HOWTO-Protect-non-dotNET-content.aspx (search page for System.Web.DefaultHttpHandler)
http://blogs.msdn.com/david.wang/archive/2005/10/14/HOWTO_IIS_6_Request_Processing_Basics_Part_1.aspx
0
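A check for the symptom reported in this thread (the protected .pl file is authenticated but then returned as source text), as an added example that is not part of any post above. It classifies captured responses for a protected script URL and flags source disclosure; the login path `/login.aspx`, the marker patterns and the sample responses are assumptions constructed for illustration.

```python
import re

# Heuristic markers of raw Perl source (chosen for this example, not exhaustive).
PERL_SOURCE_MARKERS = [
    re.compile(r"^#!.*\bperl\b", re.M),                  # shebang line
    re.compile(r"^\s*use\s+(strict|warnings|CGI)\b", re.M),
    re.compile(r"^\s*(my|our)\s+[$@%]\w+", re.M),        # variable declarations
    re.compile(r"^\s*print\s+.*;\s*$", re.M),            # print statements
]

def classify_response(status, headers, body, login_path="/login.aspx"):
    """Classify one response to a request for a protected .pl URL.
    login_path is a hypothetical forms-authentication login page."""
    headers = {k.lower(): v for k, v in headers.items()}
    if status in (301, 302, 303, 307):
        location = headers.get("location", "").lower()
        return "redirect_to_login" if login_path.lower() in location else "redirect_other"
    if status in (401, 403):
        return "denied"
    if status != 200:
        return "other"
    hits = sum(1 for rx in PERL_SOURCE_MARKERS if rx.search(body))
    ctype = headers.get("content-type", "").split(";")[0].strip().lower()
    # Two markers, or one marker served as a non-HTML type, means the script
    # was returned as a file instead of being run by the Perl engine.
    if hits >= 2 or (hits == 1 and ctype != "text/html"):
        return "source_disclosed"
    return "executed"

def audit(anonymous, authenticated):
    """Return findings for one (anonymous, authenticated) pair of responses."""
    anon, auth = classify_response(*anonymous), classify_response(*authenticated)
    findings = []
    if anon not in ("redirect_to_login", "denied"):
        findings.append("anonymous request was not challenged: " + anon)
    if "source_disclosed" in (anon, auth):
        findings.append("Perl source returned instead of script output")
    return findings

# Constructed sample responses: (status, headers, body).
ANON = (302, {"Location": "/login.aspx?ReturnUrl=%2freport.pl"}, "")
LEAKED = (200, {"Content-Type": "text/plain"},
          '#!/usr/bin/perl\nuse strict;\nprint "Content-type: text/html\\n\\n";\n')
EXECUTED = (200, {"Content-Type": "text/html; charset=utf-8"}, "<h1>Report</h1>\n")

if __name__ == "__main__":
    print(audit(ANON, LEAKED))    # the symptom described in the thread
    print(audit(ANON, EXECUTED))  # the intended behaviour
```

Run it against responses captured once without a session cookie and once with a valid forms-authentication cookie; an empty findings list means the request was challenged and the script ran instead of being served as a file.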
