Dominick Baier
Hi,
ASP.NET handles only the requests that are mapped to aspnet_isapi, which are asmx, aspx and some more. Other extensions are handled directly by IIS without even entering your application.
Add another script mapping to IIS for .mdb pointing to exactly the same script handler as .aspx. You could also add a HttpForbiddenHandler to your web/machine.config after that.
---
Dominick Baier - DevelopMentor
http://www.leastprivilege.com
nntp://news.microsoft.com/microsoft.public.dotnet.framework.aspnet.security/<[email protected]>
Hi,
I have an ASP.NET site running on an MS Access database that is, for better
or worse, stored under the webroot.
How can I lock out the database directory to prevent anyone from downloading
it via HTTP?
I have attached my web.config file at the end of this message.
The problem is that the "database" directory is still viewable by anyone.
Not sure why. Do I have a typo?
Thanks,
David
---------------------------------------------
<configuration>
  <system.web>
    <customErrors mode="Off"/>
    <!-- Authentication form -->
    <authentication mode="Forms">
      <forms name=".ASPXAUTH" loginUrl="app-admin/Login.aspx" protection="All"
             timeout="999999" path="/app-admin/" />
    </authentication>
    <!-- Allow anon users to main site -->
    <authorization>
      <allow users="?" />
    </authorization>
  </system.web>
  <!-- Set up secure zone for app admin -->
  <location path="app-admin">
    <system.web>
      <!-- disallow anon users-->
      <authorization>
        <deny users="?" />
      </authorization>
    </system.web>
  </location>
  <!-- Set up secure zone for database -->
  <location path="database">
    <system.web>
      <!-- disallow all users-->
      <authorization>
        <deny users="*" />
      </authorization>
    </system.web>
  </location>
</configuration>
[microsoft.public.dotnet.framework.aspnet.security]
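The web.config half of the fix described in the reply, as an added example that is not part of the original posts. It assumes .mdb has already been mapped in IIS to the same script handler as .aspx, which is the precondition the reply gives.

```xml
<!-- Added example, not from the original thread.
     Assumption: IIS already maps .mdb to the same ISAPI handler as .aspx.
     Without that mapping IIS serves the file itself and this section
     is never consulted. -->
<configuration>
  <system.web>
    <httpHandlers>
      <!-- Refuse every HTTP verb for any Access database file,
           whatever directory it sits in -->
      <add verb="*" path="*.mdb" type="System.Web.HttpForbiddenHandler" />
    </httpHandlers>
  </system.web>
</configuration>
```

With the mapping in place, requests for .mdb files enter the ASP.NET pipeline, so the `<deny users="*" />` rule under `<location path="database">` is evaluated for them as well.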