Newbie Needs Help!

Joe Rigley

Hi,

I'd appreciate some advice... I've been assigned the task of creating form
based authentication via SQL Server for a section of our corporate web site.
I know classic ASP quite well, but the ASP .NET world is very different.
And from what I've read, ASP .NET has some great functionality built into it
for form based authentication. What I'd like to know is how to make this
work.

Currently, our corporate web server is IIS 5.0 on a Win2K Pro Server in our
DMZ. (We are upgrading to IIS 6 / Win2003 Pro Server next month.) I need
to manage access to a handful of subfolders in the website. The subfolders
contain .html, .asp, and .pdf files.

Will IIS 5.0 support ASP .Net's built in methods for the integrated form
based authentication approach? (The .Net Framework, ver 1.1, is installed).
Obviously, I could go the classic ASP approach and place code in the top of
each page to do some kind of check for authentication. If the check
passes, generate the page, else redirect to the login. However, I'd prefer
to not have to modify every page.

Assuming that setup will work, how will an ASP .NET form based
authentication manage access to .pdf files and static .html files?

At this point, please don't send any code. I'd just appreciate a response
as to whether this is possible and if it is, what's the best approach to
make it happen.

Thanks kindly,
-Joe
 
MattC

AFAIK, forms based authentication is used only to control access to pages in
your ASP.NET application. It simply works by testing to see if you have a
valid ticket for the current session (usually set once login is successful);
if there isn't one then the user is redirected to a login page, usually
defined in the Web.Config file.

Access to files via a direct URL will, I think, only be controlled by the
filesystem access allowed to the directory in question, so if there are
security restrictions in place then the user might be prompted to enter
their credentials into a Windows dialog box.

Hope that helps a bit.

IIS 5 does indeed support ASP.NET 1.1 and all that goes with it.

MattC
 
Craig Deelsnyder

I'd recommend reading up on Forms Authentication; it does exactly what you
would want to do in ASP. It sets a cookie on the user's system to say
whether they are logged in or not; if not they are sent to the login
page. In addition, you may want to check out the concept 'impersonation'
if it's something that may be useful here (intranet application?).

As far as non-aspnet files, as mentioned, IIS by default will be the one
to determine permissions on the folder, files, etc. When a request comes
in for an aspx file, IIS looks up aspx in the ISAPI dll mappings in MMC,
and passes it to the aspnet ISAPI dll (which in essence passes it to the
aspnet worker process). However, if it's not a .NET-type of file such as
html, pdf, etc. IIS will do whatever is set up in the MMC for ISAPI dll
mappings. Which as we know html and pdf are just served up to the user.

You can map the aspnet ISAPI dll to these other file extensions in IIS,
and then Forms Authentication can also protect them. Note there was talk
there may be performance hits and/or maybe corruption problems by doing
this (aspnet handling non-aspnet files), though I've never actually heard
of major problems with it.
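
An added illustration of the setup discussed above, not part of any poster's reply: a minimal `web.config` that turns on Forms Authentication and denies anonymous users for one subfolder. The folder name `reports`, the login page `login.aspx` and the cookie name are assumptions made for the example.

```xml
<!-- web.config at the application root (constructed example).
     "reports", "login.aspx" and ".SITEAUTH" are placeholder names. -->
<configuration>
  <system.web>
    <!-- Issue an encrypted, validated ticket cookie after a successful login.
         requireSSL="true" keeps the ticket off plain HTTP; it needs the
         login page and the protected folder to be served over HTTPS. -->
    <authentication mode="Forms">
      <forms name=".SITEAUTH"
             loginUrl="login.aspx"
             protection="All"
             timeout="30"
             path="/"
             requireSSL="true" />
    </authentication>

    <!-- The rest of the site, including login.aspx, stays public. -->
    <authorization>
      <allow users="*" />
    </authorization>
  </system.web>

  <!-- Deny anonymous users ("?") for everything under /reports.
       These rules apply only to requests that IIS hands to ASP.NET:
       .aspx by default, and .html/.pdf only after those extensions are
       mapped to the ASP.NET ISAPI dll in IIS. Unmapped extensions are
       served by IIS without consulting this file, and classic .asp pages
       are run by the classic ASP engine, so they are not covered here. -->
  <location path="reports">
    <system.web>
      <authorization>
        <deny users="?" />
      </authorization>
    </system.web>
  </location>
</configuration>
```

After mapping the extensions, request a `.pdf` and a `.html` URL under the protected folder from a browser with no ticket cookie and confirm that both redirect to the login page rather than returning the file.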
 
Kevin Spencer

Hi Joe,

Good thinking. I think you will do well with ASP.Net. That said, however, if
you don't have any experience with ASP.Net, you should think about how long
you have to write your app. Just learning ASP.Net could take you several
months, or perhaps longer. It's huge.

If you have plenty of time, by all means, jump in! The water's great!

--
HTH,

Kevin Spencer
Microsoft MVP
.Net Developer
What You Seek Is What You Get.
 
Joe Rigley

Craig,

Thanks for the great information. You mentioned Impersonation. How would
that help me?

-Joe
 
Craig Deelsnyder

Ah, I got a little carried away, you probably won't need it for what you
described, but it is helpful to know about in case you need some forms of
resource access control:

http://msdn.microsoft.com/library/d...-us/cpguide/html/cpconaspnetimpersonation.asp

http://msdn.microsoft.com/library/default.asp?url=/library/en-us/vsent7/html/vxconImpersonation.asp

Basically it's a way to have aspnet use the credentials of the current
user, making it easier to do things such as access files, etc. Don't
think you need it, but useful to know for future reference.
 
