aspx_security thread: Forms Authentication Confusion


Message #1 by "Ed Stiles" <ed.stiles@v...> on Wed, 11 Sep 2002 17:20:29
I have configured my asp.net application to use Forms Authentication, 
which works fine except for what I am wanting it to do.

I have some Word, Excel, .htm and .pdf files in a directory that the user 
can just go right in and pull up in the browser, bypassing the security.
If the user tries to get to an .aspx file without first being 
authenticated they are directed to my login page.

My question is:
Does Forms Authentication only secure the .aspx files in the directory and 
subdirectories or ALL files in the directories?

Any input on this would be greatly appreciated.

Message #2 by "SiteManager" <SiteManager@E...> on Thu, 12 Sep 2002 08:34:46 -0500
When you say that you have other "...files in a directory that the user
can just go right in and pull up in the browser...", I'm assuming that
this is via a publicly accessible web page (not by browsing the network,
for example, with Windows Explorer).

Keep in mind that .NET security is built upon Windows security.  Take a
look at any authentication example for "web.config" and you will see
only settings relating to aspx pages.  If you want to secure non-web
files it looks like you have two options:
1) Use the standard NTFS security on the file.  This will require
additional programming and security settings to implement authentication
within web forms.
2) Wrap the protected files in another web form and use standard Forms
Authentication to limit access to that aspx.

With the correct security settings in IIS 5.0 and using .NET (also
installing the latest patches), most every file can be protected from
unauthorized access.

There are a couple of books on .NET security that have just been or will
soon be released by the publishers.  One of these may be a good
reference for you.  I can't make any recommendations since I haven't
read them myself.  Just search the usual programming book publisher web
sites.

Now if I was incorrect in my first sentence, that is, if you are
allowing folks to use their Internet Explorer to traverse your IIS
directories, I suggest you go back to the basics of web server security
and start over.

J Edward (Jerry) Banasik
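
Option 2 from the reply above, as an added example that is not code from the thread: the documents sit behind a URL that ASP.NET processes, so Forms Authentication applies to every download. It uses an `.ashx` handler in place of a web form; the class name, the `name` query parameter and the `D:\ProtectedDocs` folder outside the web root are assumptions.

```csharp
using System.IO;
using System.Web;

// Added example (hypothetical names), requested as Download.ashx?name=report.pdf
public class ProtectedDownload : IHttpHandler
{
    // Assumption: the documents were moved outside the web root,
    // so IIS cannot serve them directly by URL.
    private const string StoreRoot = @"D:\ProtectedDocs";

    public bool IsReusable { get { return true; } }

    public void ProcessRequest(HttpContext context)
    {
        // Defence in depth: web.config should already deny anonymous users.
        // Under Forms Authentication a 401 becomes a redirect to the login page.
        if (!context.Request.IsAuthenticated) { context.Response.StatusCode = 401; return; }

        string name = context.Request.QueryString["name"];
        string contentType = IsSafeName(name) ? ContentTypeFor(name) : null;
        string fullPath = contentType == null ? null : Path.Combine(StoreRoot, name);
        if (fullPath == null || !File.Exists(fullPath)) { context.Response.StatusCode = 404; return; }

        context.Response.ContentType = contentType;
        context.Response.AddHeader("Content-Disposition", "attachment; filename=\"" + name + "\"");
        context.Response.WriteFile(fullPath);
    }

    // Plain file names only: no separators, colons, quotes or control characters,
    // which rules out path traversal and response-header injection.
    private static bool IsSafeName(string name)
    {
        if (name == null || name.Length == 0 || name.Length > 100) return false;
        foreach (char c in name)
            if (!char.IsLetterOrDigit(c) && c != '.' && c != '-' && c != '_' && c != ' ') return false;
        return true;
    }

    // Allowlist of the document types named in the question; anything else is refused.
    private static string ContentTypeFor(string name)
    {
        switch (Path.GetExtension(name).ToLowerInvariant())
        {
            case ".doc": return "application/msword";
            case ".xls": return "application/vnd.ms-excel";
            case ".pdf": return "application/pdf";
            case ".htm": return "text/html";
            default: return null;
        }
    }
}
```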

