Resource protected by Form based authentication

Guest

I can not figure out what is the problem that I can protect ASP.NET form
resources but not some other types of files, for example, images.
All my aspx forms are located in the Demo folder and the image files are located in a
subfolder of Demo, named images. I implement role-based form authentication.
When I access any of the aspx forms, it works fine and asks me for user/password. However,
I can use the IE browser to directly access any image file in the images subfolder.

My configuration:
<authentication mode="Forms">
  <forms name="AuthCookie" loginUrl="login.aspx" path="/" protection="All"> </forms>
</authentication>
<authorization>
  <deny users="?" /> <!-- deny anonymous users -->
  <allow users="*" /> <!-- Allow all users -->
</authorization>
<location path="images">
  <system.web>
    <authorization>
      <deny users="?" />
    </authorization>
  </system.web>
</location>
 
Brock Allen

If the images are .JPG or some other file extension IIS handles directly,
then configuration in web.config won't apply, since the request never makes
it there. You can either control security on the files so that anonymous
users can't access the files but this requires IIS to do the authentication,
which from your other thread, I don't think you want. In that case you should
map the .JPG request to the aspnet_isapi.dll and let the built-in StaticFileHandler
serve up the JPGs and then the web.config settings will take effect.
 
Guest

Thanks for the comments from both of you.
Because I use Form based authentication, IIS should be set to
anonymous. Therefore, the image files are not protected from direct access
by any user. Am I right? Now the question is: if I still use form
based authentication, how can I set the security property of the images
folder (right now it is not shared by web and others)?
If I put other types of image files (my own version), does it protect them?

David
 
Guest

Could you give me a hint how to do the job "you should
map the .JPG request to the aspnet_isapi.dll and let the built in
StaticFileHandler serve up the JPGs and then the web.config settings will take effect."

Thank you
 
Brock Allen

Yeah, you need to go into IIS for your application. Right-click properties,
select the Directory Tab and hit the configuration button. On the Mappings
tab, add a new mapping. The executable is "C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\aspnet_isapi.dll"
(assuming you're on v1.1). The extension is *.JPG. This maps the request
to ASP.NET which will then honor your security settings.
 
Guest

Hi, Brock:
I have done it following your directions. At the beginning, it seemed to work but
something else is wrong. Now it doesn't work. Is there something missing in my
configuration? Do I need to add a web.config to the images directory? If so, what
should it look like?
 
Guest

Hi, Steve:
Thank you very much.
You mean that I can use Response.WriteFile instead of Response.write. Am I
right?

David
 
Brock Allen

So when you say something else is wrong, what exactly isn't working? Do
your pages still work? Do you get an error from ASP.NET?
 
Steve C. Orr [MVP, MCSD]

You can adjust the ACL of the files through IIS or through the standard
Windows security tab of Explorer.
(For WinXP you might have to turn off simple file sharing to see this tab.)
 
Guest

At the beginning, I copied the web.config in the parent directory of images.
It shows the error message about web.config of the comment line. After I
modified it, then I got another error message about the line <authentication
mode="Forms">.
But there is nothing wrong with it. I have deleted the web.config in the
images directory. It does not work anymore, i.e., I can directly access the
image file without being asked for a password. The web.config is in the parent directory
as before and protects the other files. When I configured the mappings in
IIS, I set the Verbs limit to GET, HEAD, POST, and DEBUG, or all. In either case,
the result is the same. The mappings were configured for the parent directory Demo.

David
 
Guest

Hi, Brock:
Today I tried to access image.jpg in the images directory and got the
following error message:

--------
Server Error in '/Demo' Application.
--------------------------------------------------------------------------------

Configuration Error
Description: An error occurred during the processing of a configuration file
required to service this request. Please review the specific error details
below and modify your configuration file appropriately.

Parser Error Message: It is an error to use a section registered as
allowDefinition='MachineToApplication' beyond application level. This error
can be caused by a virtual directory not being configured as an application
in IIS.

Source Error:


Line 41: -->
Line 42: <!-- ref. data access reference in SMDN April 7, 2005-->
Line 43: <authentication mode="Forms">
Line 44: <forms name="AuthCookie" loginUrl="login.aspx" path="/Demo" >
<!-- I delete timeout="30", otherwise, I can access without asking password
-->
Line 45: </forms>


Source File: c:\inetpub\wwwroot\Demo\images\web.config Line: 43
 
Brock Allen

It shows the error message about web.config of the comment line. After I
modified it, then I got another error message about the line
<authentication mode="Forms">.

<authentication> can only go in the root web.config of your application.
You can put a child web.config with an <authorization> element though. That
will protect the images directory.
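
An added example, not part of the original thread and not ASP.NET's own code: a Python check for the two points in the reply above, that a sub-directory web.config must not carry `<authentication>`, and that its `<authorization>` rules are evaluated before the parent's with the first match deciding. The sample configs are constructed and the function names are hypothetical; the result only matters for requests that actually reach ASP.NET (for images, after the extension is mapped to aspnet_isapi.dll).

```python
import xml.etree.ElementTree as ET

# Sections valid only at machine or application-root level. Only the one
# named in the thread's parser error is listed here.
APP_LEVEL_ONLY = {"authentication"}

# Constructed sample configs (assumptions, not the poster's real files).
ROOT = """<configuration><system.web>
  <authentication mode="Forms">
    <forms name="AuthCookie" loginUrl="login.aspx" path="/" protection="All" />
  </authentication>
  <authorization><deny users="?" /><allow users="*" /></authorization>
</system.web></configuration>"""

BROKEN_CHILD = """<configuration><system.web>
  <authentication mode="Forms" />
  <authorization><deny users="?" /></authorization>
</system.web></configuration>"""

FIXED_CHILD = """<configuration><system.web>
  <authorization><deny users="?" /></authorization>
</system.web></configuration>"""

OPEN_CHILD = """<configuration><system.web>
  <authorization><allow users="*" /></authorization>
</system.web></configuration>"""


def misplaced_sections(child_xml):
    """Names of app-level-only sections found in a sub-directory web.config."""
    root = ET.fromstring(child_xml)
    return sorted({el.tag for sw in root.iter("system.web")
                   for el in sw if el.tag in APP_LEVEL_ONLY})


def anonymous_denied(configs_nearest_first):
    """Walk <authorization> rules child-first; the first rule matching the
    anonymous user ("?" or "*") decides. Ignores verbs, roles, <location>."""
    for xml_text in configs_nearest_first:
        rules = ET.fromstring(xml_text).find("system.web/authorization")
        for rule in (rules if rules is not None else []):
            users = {u.strip() for u in rule.get("users", "").split(",")}
            if users & {"?", "*"}:
                return rule.tag == "deny"
    return False  # nothing matched: machine.config default allows everyone


if __name__ == "__main__":
    print(misplaced_sections(BROKEN_CHILD))       # section to move to the root
    print(anonymous_denied([FIXED_CHILD, ROOT]))  # images/ with the fixed child
```

`OPEN_CHILD` shows the failure mode to watch for in review: a child `<allow users="*" />` matches before the root's `<deny users="?" />` and reopens the folder to anonymous requests.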
 
