File Types not protected by Forms Authentication

[MatthewRoberts]

Howdy All,

We have an ASP.NET web application that uses Forms Authentication and
has worked without problems for some time.

However, we recently added a Shockwave SWF file to the mix for flash
and interactivity.

All ASPX, HTML, and other web files are protected by security. If you
are not properly authenticated but try to access an ASPX or HTML file,
you will be redirected to the Login page.

However, if you try to access the SWF file directly, it allows you to
view the animation without ever authenticating the user.

Why is this? Are only certain file types protected for Forms
Authentication? How can you add to that list of file types? Is it a
MIME type or file extension we should be securing through IIS in some
way?

We even tried adding the following to the web.config file:


<location path="OurAnimation.swf">
<system.web>
<authorization>
<deny users="?" />
</authorization>
</system.web>
</location>


such that it should explicitly deny all anonymous, or unauthenticated
users. But still, this did not work, and direct access to the file is
allowed by anyone.

Can anyone shed some light on this issue?

Thank you in advance for whatever help you can provide.

Matthew Roberts
SOURCECORP
Framework Architect

 

[Brock Allen]

The reason is that IIS handles the requests for those files, not ASP.NET,
and IIS knows nothing about your intent from web.config. You'd have to route
that file extension through the aspnet_isapi.dll in IIS to have ASP.NET serve
it up.

 

[John Timney \(ASP.NET MVP\)]

The asp.net handlers only kick in for files mapped to it in IIS, so it
suggests extensions for swf are not handled by the asp.net dll and need to
be. Go to IIS setup and check the file types.

--
Regards

John Timney
ASP.NET MVP
Microsoft Regional Director

 

[Karl Seguin]

There's a pipeline. A request comes into IIS, IIS figures out how to handle
the request. when the page is an aspx, asmx, adx (various others) IIS
passes the request to ASP.Net. When the page is a swf, IIS simply streams
the contents back to the browser and let's it figure out what to do.

In other words, ASP.Net isn't in play when a request happens for a swf
file....so obviously forms authentication can't do anything. Two solutions
frequently recommended are to (a) make asp.net process requests for swf
files
(http://www.dotnetjunkies.com/Article/F32DFC79-3AE7-4D9D-BF1D-91B4B6D130C7.dcik)
or (b) store the .swf file out of your web path and use an aspx file to
stream it, ala showFile.aspx?fileName=someFile.swf which would take the
fileName, and stream the binary file to the user...

Karl

--
MY ASP.Net tutorials
http://www.openmymind.net/ - New and Improved (yes, the popup is
annoying)
http://www.openmymind.net/faq.aspx - unofficial newsgroup FAQ (more to
come!)

 

[MatthewRoberts]

Thank you for the quick response. Works like a charm.

Matthew