Solved

Securing non-aspx files with forms authentication in IIS 6

Posted on 2006-11-17
13
559 Views
Last Modified: 2008-03-04
Hello,

 I want to secure Perl files and I mapped the isapi.dll in the wildcard application maps. When I request the pl file it goes to the authentication page, the user is authenticated and redirected to the Perl file. But the Perl file is shown as a plain text file and the code is shown. Am I missing something? Please help.

Thanks,
0
Comment
Question by:tamilgirl77
13 Comments
 
LVL 12

Expert Comment

by:AGBrown
ID: 17972361
Do your perl files run when they are not behind authentication? You can test this by setting the following in your web.config to allow anonymous users to the perl script:

<authorization>
      <allow users="?,*"/>
</authorization>

If that doesn't work then it suggests that the perl scripts are not mapped correctly to the perl engine. Do you have an httpHandlers section in your web.config?

Andy
0
 
LVL 12

Expert Comment

by:AGBrown
ID: 17972388
I think I just understood a bit more about what you've done. When you say you mapped isapi.dll in the wildcard application maps, do you mean through IIS 6.0? If so then I would recommend adding the following to the web.config file:

<httpHandlers>
    <add path="*" verb="GET,HEAD,POST" type="System.Web.DefaultHttpHandler" validate="False" />
</httpHandlers>

That way you protect any and every request to your application by your application's authentication mechanism. However, once authenticated, the httpHandlers section defines which engine gets passed the request. ".pl" extensions will then get passed back to IIS, which will decide what to do with them. The validate="false" bit means that if the file is virtual (i.e., not a physical file on disk, a situation you might get in a blogging engine) an error will not get thrown by isapi. You might like to make it equal to True if you know that all your files exist on disk.

I _think_ this will work, though I can't test it. Let me know how you do.

Andy
0
 

Author Comment

by:tamilgirl77
ID: 17974850
AGBrown,

Thanks for your replies. I added the httphandlers to my web.config and it gave me the following error:

Could not load type System.Web.DefaultHttpHandler from assembly System.Web.

Yes, I mapped isapi.dll in wildcard app maps through IIS 6.0. When I insert this, my Perl file is being authenticated, but after authentication, the Perl file is shown as a text file with the original code in it.

Thanks,
0
 
LVL 34

Expert Comment

by:Dave_Dietz
ID: 17975818
This won't work.

Since you mapped the .pl extension to the ASP.Net ISAPI the file will be passed to ASP.Net for processing.

Since the file doesn't contain any actual ASP.Net code it simply spits out the file contents as is.

In order to have any sort of authentication done on the Perl files *and* have them work as expected you will need to do it in an ISAPI filter before the request gets handed to the Perl handler.

Or, you could move to IIS 7.0 (now available in Windows Vista) where this scenario (with some small changes) would work the way you want it to.  :-)

Dave Dietz
0
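
A check for the failure described above, where a wildcard-mapped .pl request comes back as raw source instead of script output. This is an added example, not code from the thread; the marker patterns, the `/login.aspx` login path and the sample responses are constructed assumptions.

```python
import re

# Heuristic markers of unexecuted Perl source in a response body (assumed set).
PERL_MARKERS = [
    re.compile(r"^#!.*\bperl\b", re.M),                      # shebang line
    re.compile(r"^\s*use\s+(strict|warnings|CGI)\b", re.M),  # pragmas/modules
    re.compile(r"^\s*(my|our)\s+[\$@%]\w+", re.M),           # variable declarations
    re.compile(r"^\s*sub\s+\w+\s*\{", re.M),                 # subroutine definitions
    re.compile(r"print\s+\"Content-type:", re.I),            # CGI header left as text
]

def classify_response(status, headers, body, login_path="/login.aspx"):
    """Return 'redirect-to-login', 'source-disclosed', 'executed' or 'other'."""
    hdrs = {k.lower(): v for k, v in headers.items()}
    location = hdrs.get("location", "").lower()
    # Forms authentication answers an unauthenticated request with a redirect.
    if status in (301, 302) and login_path.lower() in location:
        return "redirect-to-login"
    if status != 200:
        return "other"
    # Two or more independent markers: the script was served, not run.
    hits = sum(1 for pattern in PERL_MARKERS if pattern.search(body))
    return "source-disclosed" if hits >= 2 else "executed"

# Constructed sample: what the client sees when ASP.NET returns the file as-is.
LEAKED = r'''#!/usr/bin/perl
use strict;
my $name = "world";
print "Content-type: text/html\n\n";
print "<h1>Hello $name</h1>";
'''

# Constructed sample: what the client sees when the Perl engine ran the script.
EXECUTED = "<h1>Hello world</h1>"

def run_samples():
    """Classify the three constructed responses and return the verdicts."""
    return [
        classify_response(302, {"Location": "/login.aspx?ReturnUrl=%2freport.pl"}, ""),
        classify_response(200, {"Content-Type": "text/plain"}, LEAKED),
        classify_response(200, {"Content-Type": "text/html"}, EXECUTED),
    ]

if __name__ == "__main__":
    print(run_samples())
```

Running the classifier against each script URL after any change to the application mappings catches the source-disclosure case before users see it.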
 

Author Comment

by:tamilgirl77
ID: 17976183
How do I do it in an ISAPI filter in IIS 6.0?

Thanks
0
 
LVL 34

Expert Comment

by:Dave_Dietz
ID: 17976266
You would have to write your own ISAPI filter that implemented some sort of forms based authentication or use a third-party solution.

ASP.Net is not designed to be used this way and has no built-in functionality to do so.  I should have been more clear in my initial answer since I see how it could be read that you might be able to use it this way.  Sorry for that.

Dave Dietz
0

 

Author Comment

by:tamilgirl77
ID: 17976335
Thank you, I might have to look into incorporating authentication in the Perl page then. The problem is I am not at all familiar with Perl.

Thank you,
0
 
LVL 12

Expert Comment

by:AGBrown
ID: 17976640
I think that should have worked ... it works for various things that I protect that require different filters to process them. If you do this then ASP.NET only processes the authorization part of the handler to isapi, which then passes the rest back to IIS.

Have a look at the explanation on this (http://www.leastprivilege.com/default.aspx?date=2005-10-25) url. I don't think I missed anything out. The only thing that I can think is that you might be using an earlier version than .NET 2.0. Is that the case? If so then I don't think that 1.1 or 1.0 will allow you to do this.

Andy
0
 
LVL 34

Assisted Solution

by:Dave_Dietz
Dave_Dietz earned 150 total points
ID: 17976696
Mapping content to the aspnet_isapi.dll ISAPI extension will allow the .Net framework to be used to protect *static* content.  It will not work for any type of dynamic content that is supposed to be mapped to a different handler.

ASP.Net will process the request and send the response back to the client - it doesn't process what it can and then hand it off to something else for further processing.  The only thing that would make a difference here would be an ISAPI *filter* because it works at a very different place in the request processing pipeline.

Dave Dietz
0
 

Author Comment

by:tamilgirl77
ID: 17976713
AGBrown,

 Yes, you are right, I am using version 1.1. Maybe that's why your suggestion does not work.

So my only possible solution is to incorporate something in the Perl page directly.

Thank you
0
 
LVL 12

Accepted Solution

by:
AGBrown earned 350 total points
ID: 17976728
Ah well, there we go. I was just installing perl to check it for you. Unfortunately .NET only has the ability to easily protect non asp.net files under .NET 2.0.

Writing a filter could be annoying, but if you understand .NET forms authentication reasonably well, and assume that all your requests are nicely cookie based, it would be possible (http://www.codeproject.com/aspnet/isapilogger.asp?msg=1745768) to write a filter that complemented your .NET forms authentication.

Would it be possible to upgrade your application to .NET 2.0? I'm willing to bet that this might be your easiest option.

Andy
0
 

Author Comment

by:tamilgirl77
ID: 17976812
That's another question I wanted to start. I have about 7 or 8 sites running on 1.1. I have lots of database and XML applications. How does upgrading to 2.0 affect my application? I don't have a testing server, so I do not know the impact it will have on my sites.

Thank you both for your timely replies,
0
 
LVL 12

Expert Comment

by:AGBrown
ID: 17976844
Dave,

Are you sure? I'm pretty convinced that .NET 2.0 lets you protect both static and dynamic content using its own authentication. This however won't help tamilgirl, as she is using 1.1.

For .NET 2.0, as I understand it:
-Wildcard assignment means that the aspnet isapi dll gets first shout at handling the request,
-the designated HttpHandler (System.Web.DefaultHttpHandler) handles the request doing the authentication,
-it then passes it back to IIS by calling HSE_REQ_EXEC_URL.
-As System.Web.DefaultHttpHandler told IIS "not mine" (assuming it passed authentication and authorisation tests) IIS continues handling and eventually chooses the appropriate script map for the extension (after any other wildcard maps have also run).

This does require that wildcard mappings be set, and that the appropriate perl extensions also be mapped in the ScriptMaps property to the perl scripting engine.

The downside? Performance; ASPNET authentication/authorisation now handles every single file. I just binned my perl installation, and I can't now go back and test it until tomorrow to check all this with perl. I did spend half an hour searching for the MSDN reference that I read which talks about this, to no avail. I found a couple of new ones though.

Andy

Refs:
http://msdn2.microsoft.com/en-gb/library/system.web.defaulthttphandler.aspx
http://blogs.msdn.com/david.wang/archive/2005/08/29/HOWTO-Protect-non-dotNET-content.aspx (search page for System.Web.DefaultHttpHandler)
http://blogs.msdn.com/david.wang/archive/2005/10/14/HOWTO_IIS_6_Request_Processing_Basics_Part_1.aspx
0


Question has a verified solution.
