Composite Control need write permisson

[manikal]

I've just finished building my composite control, it is image gallery
that generates thumbnails from images in specified folder and creates
new folder in which generated thumbnails been saved.

For my control to operate correct in hosting environment in IIS -
Directory Security "Integrated Windows authentication" needs to be
checked. Is that "un-common" pre-request for control of this type?
I am asking this because when I uploaded my web application with this
control on site, on page with my control I get
"System.UnauthorizedAccessException:"
ASP.NET is not authorized to access the requested resource. Consider
granting access rights to the resource to the ASP.NET request
identity. ASP.NET has a base process identity (typically {MACHINE}
\ASPNET on IIS 5 or Network Service on IIS 6) that is used if the
application is not impersonating. If the application is impersonating
via <identity impersonate="true"/>, the identity will be the anonymous
user (typically IUSR_MACHINENAME) or the authenticated request user.
Exception is raised when control need to create "thumbnails" folder.

So, I've requested my hosting provider to check "Integrated Windows
authentication" for my site, but they provided me with workaround
instructions on how can I set "modify" permissions on parent folder of
"thumbnails" folder. But that doesn't solve my issue because I can't
set permissions with my FTP client.
My question is, is there some kind of security risk for hosting
provider to grant my site "Integrated Windows authentication", if it
is, is there any way for my control to work without need of taking
care pre-requests like this one.

Thanks,
manikal

 

[Mark Fitzpatrick]

Your host is actually recommending the correct course of action in this
case. If a control needs write access, then the permissions on the directory
must be modified to enable that. Using Integrated authentication isn't going
to alter that. It will still require the correct permissions used by the
user account that ASP.net is running under, the ASPNET user account or
Network Service account (for Win 2003 boxes). Does your host provide you
with a control panel? If so, then that is probably where you need to be
altering permissions. Every host I've run into either has this done through
a control panel, or has a process in place that let's you request particular
permissions for a folder. In this case though, it sounds as if they have
provided you with a mechanism to do this. I don't know of an FTP client
that is able to alter the permissions on a Windows Server, though there may
be one somewhere. Integrated Windows Authentication may cause some
side-effects that you're not aware of. Using this method changes how the
authentication request is sent to the client browser, typically requesting
an NTLM response. Non-IE browsers don't use NTLM authentication and can only
handle basic authentication responses. The side-effect is that when
switching methods you end up with browsers that can't authenticate the
anonymous user to view the site.

 

[manikal]

Hi Mark,

I appreciate your answer.

I've contacted my host, and they don't have control panel feature
"yet", but they've set "modify" permission on whole site for ASPNET
user, and now my control is working properly. However, they've warn me
that this could be potential security risk, without any further
explanation. Now I am interested what exactly security risk?

Thanks,
Mijo