Solved

Securing non-aspx files with forms authentication in IIS 6

Posted on 2006-11-17
Last Modified: 2008-03-04
Hello,

I want to secure perl files and I mapped the isapi.dll in the wildcard application maps. When I request the pl file it goes to the authentication page, the user is authenticated and redirected to the perl file. But the perl file is shown as a plain text file and the code is shown. Am I missing something? Please help.

Thanks,
Question by:tamilgirl77
13 Comments
 
LVL 12

Expert Comment

by:AGBrown
ID: 17972361
Do your perl files run when they are not behind authentication? You can test this by setting the following in your web.config to allow anonymous users to the perl script:

<authorization>
      <allow users="?,*"/>
</authorization>

If that doesn't work then it suggests that the perl scripts are not mapped correctly to the perl engine. Do you have an httpHandlers section in your web.config?

Andy
0
 
LVL 12

Expert Comment

by:AGBrown
ID: 17972388
I think I just understood a bit more about what you've done. When you say you mapped isapi.dll in the wildcard application maps, do you mean through IIS 6.0? If so then I would recommend adding the following to the web.config file:

<httpHandlers>
    <add path="*" verb="GET,HEAD,POST" type="System.Web.DefaultHttpHandler" validate="False" />
</httpHandlers>

That way you protect any and every request to your application by your application's authentication mechanism. However, once authenticated, the httpHandlers section defines which engine gets passed the request. ".pl" extensions will then get passed back to IIS, which will decide what to do with them. The validate="false" bit means that if the file is virtual (i.e., not a physical file on disk, a situation you might get in a blogging engine) an error will not get thrown by isapi. You might like to make it equal to True if you know that all your files exist on disk.

I _think_ this will work, though I can't test it. Let me know how you do.

Andy
0
 

Author Comment

by:tamilgirl77
ID: 17974850
AGBrown,

Thanks for your replies. I added the httphandlers to my web.config and it gave me the following error:

Could not load type System.Web.DefaultHttpHandler from assembly System.Web.

Yes, I mapped isapi.dll in wildcard app maps through IIS 6.0. When I insert this, my perl file is being authenticated, but after authentication, the perl file is shown as a text file with the original code in it.

Thanks,
0
 
LVL 34

Expert Comment

by:Dave_Dietz
ID: 17975818
This won't work.

Since you mapped the .pl extension to the ASP.Net ISAPI the file will be passed to ASP.Net for processing.

Since the file doesn't contain any actual ASP.Net code it simply spits out the file contents as is.

In order to have any sort of authentication done on the Perl files *and* have them work as expected you will need to do it in an ISAPI filter before the request gets handed to the Perl handler.

Or, you could move to IIS 7.0 (now available in Windows Vista) where this scenario (with some small changes) would work the way you want it to.  :-)

Dave Dietz
0
 

Author Comment

by:tamilgirl77
ID: 17976183
How do I do it in an ISAPI filter in IIS 6.0?

Thanks
0
 
LVL 34

Expert Comment

by:Dave_Dietz
ID: 17976266
You would have to write your own ISAPI filter that implemented some sort of forms based authentication or use a third-party solution.

ASP.Net is not designed to be used this way and has no built-in functionality to do so.  I should have been more clear in my initial answer since I see how it could be read that you might be able to use it this way.  Sorry for that.

Dave Dietz
0
 

Author Comment

by:tamilgirl77
ID: 17976335
Thank you, I might have to look into incorporating authentication in perl page then. Problem is I am not at all familiar with perl.

Thank you,
0
 
LVL 12

Expert Comment

by:AGBrown
ID: 17976640
I think that should have worked ... it works for various things that I protect that require different filters to process them. If you do this then ASP.NET only processes the authorization part of the handler to isapi, which then passes the rest back to IIS.

Have a look at the explanation on this (http://www.leastprivilege.com/default.aspx?date=2005-10-25) url. I don't think I missed anything out. The only thing that I can think is that you might be using an earlier version than .NET 2.0. Is that the case? If so then I don't think that 1.1 or 1.0 will allow you to do this.

Andy
0
 
LVL 34

Assisted Solution

by:Dave_Dietz
Dave_Dietz earned 150 total points
ID: 17976696
Mapping content to the aspnet_isapi.dll ISAPI extension will allow the .Net framework to be used to protect *static* content.  It will not work for any type of dynamic content that is supposed to be mapped to a different handler.

ASP.Net will process the request and send the response back to the client - it doesn't process what it can and then hand it off to something else for further processing.  The only thing that would make a difference here would be an ISAPI *filter* because it works at a very different place in the request processing pipeline.

Dave Dietz
0
 

Author Comment

by:tamilgirl77
ID: 17976713
AGBrown,

Yes, you are right, I am using the 1.1 version. Maybe that's why your suggestion does not work.

So my only possible solution is to incorporate something in the perl page directly.

Thank you
0
 
LVL 12

Accepted Solution

by:AGBrown
AGBrown earned 350 total points
ID: 17976728
Ah well, there we go. I was just installing perl to check it for you. Unfortunately .NET only has the ability to easily protect non asp.net files under .NET 2.0.

Writing a filter could be annoying, but if you understand .NET forms authentication reasonably well, and assume that all your requests are nicely cookie based, it would be possible (http://www.codeproject.com/aspnet/isapilogger.asp?msg=1745768) to write a filter that complemented your .NET forms authentication.

Would it be possible to upgrade your application to .NET 2.0? I'm willing to bet that this might be your easiest option.

Andy
0
 

Author Comment

by:tamilgirl77
ID: 17976812
That's another question I wanted to start. I have about 7 or 8 sites running on 1.1. I have lots of database and xml applications. How does upgrading to 2.0 affect my application? I don't have a testing server, so I do not know the impact it will have on my sites.

Thank you both for your timely replies,
0
 
LVL 12

Expert Comment

by:AGBrown
ID: 17976844
Dave,

Are you sure? I'm pretty convinced that .NET 2.0 lets you protect both static and dynamic content using its own authentication. This however won't help tamilgirl, as she is using 1.1.

For .NET 2.0, as I understand it:
-Wildcard assignment means that the aspnet isapi dll gets first shout at handling the request,
-the designated HttpHandler (System.Web.DefaultHttpHandler) handles the request doing the authentication,
-it then passes it back to IIS by calling HSE_REQ_EXEC_URL.
-As System.Web.DefaultHttpHandler told IIS "not mine" (assuming it passed authentication and authorisation tests) IIS continues handling and eventually chooses the appropriate script map for the extension (after any other wildcard maps have also run).

This does require that wildcard mappings be set, and that the appropriate perl extensions also be mapped in the ScriptMaps property to the perl scripting engine.

The downside? Performance; ASPNET authentication/authorisation now handles every single file. I just binned my perl installation, and I can't now go back and test it until tomorrow to check all this with perl. I did spend half an hour searching for the MSDN reference that I read which talks about this, to no avail. I found a couple of new ones though.

Andy

Refs:
http://msdn2.microsoft.com/en-gb/library/system.web.defaulthttphandler.aspx
http://blogs.msdn.com/david.wang/archive/2005/08/29/HOWTO-Protect-non-dotNET-content.aspx (search page for System.Web.DefaultHttpHandler)
http://blogs.msdn.com/david.wang/archive/2005/10/14/HOWTO_IIS_6_Request_Processing_Basics_Part_1.aspx
0
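
An added check, not part of the original thread, for the symptom discussed above: the forms-authentication redirect works, but the .pl file then comes back as source text instead of script output. It classifies the responses to an anonymous and an authenticated request for a protected script; the login path `/login.aspx`, the marker patterns and the sample responses are constructed assumptions.

```python
import re

# Heuristic markers of raw Perl source in a response body (assumed patterns).
PERL_SOURCE_MARKERS = [
    re.compile(r"^#!.*\bperl\b", re.M),
    re.compile(r"^\s*use\s+(strict|warnings|CGI)\b", re.M),
    re.compile(r"^\s*(my|our)\s+[$@%]\w+", re.M),
    re.compile(r"^\s*sub\s+\w+\s*\{", re.M),
]
REDIRECTS = (301, 302, 303, 307)

def classify_response(status, headers, body, login_path="/login.aspx"):
    """Classify one response to a request for a protected .pl URL."""
    location = {k.lower(): v for k, v in headers.items()}.get("location", "")
    if status in REDIRECTS and login_path.lower() in location.lower():
        return "redirect-to-login"
    if status in (401, 403):
        return "denied"
    if status != 200:
        return "other"
    hits = sum(1 for rx in PERL_SOURCE_MARKERS if rx.search(body))
    # Two or more markers: the server sent the script itself, not its output.
    return "source-disclosed" if hits >= 2 else "executed"

def audit(anon_response, auth_response):
    """Return findings for the anonymous and authenticated request pair."""
    findings = []
    if classify_response(*anon_response) not in ("redirect-to-login", "denied"):
        findings.append("anonymous request was not stopped by forms authentication")
    if classify_response(*auth_response) == "source-disclosed":
        findings.append("authenticated request returned Perl source instead of output")
    return findings

# Constructed sample responses: (status, headers, body).
ANON = (302, {"Location": "/login.aspx?ReturnUrl=%2freport.pl"}, "")
AUTH_LEAK = (200, {"Content-Type": "text/plain"},
             '#!/usr/bin/perl\nuse strict;\nmy $rows = 3;\nprint "Content-type: text/html\\n\\n";\n')
AUTH_OK = (200, {"Content-Type": "text/html"}, "<html><body>3 rows</body></html>")

if __name__ == "__main__":
    print(audit(ANON, AUTH_LEAK))
    print(audit(ANON, AUTH_OK))
    print(audit(AUTH_LEAK, AUTH_LEAK))
```

The second and third cases show the two outcomes worth alerting on separately: a handler mapping that executes the script cleanly, and one where the script is served without any authentication at all.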
