Wrox Programmer Forums
|
BOOK: ASP.NET Website Programming Problem-Design-Solution
This is the forum to discuss the Wrox book ASP.NET Website Programming: Problem - Design - Solution, Visual Basic .NET Edition by Marco Bellinaso, Kevin Hoffman; ISBN: 9780764543869
Welcome to the p2p.wrox.com Forums.

You are currently viewing the BOOK: ASP.NET Website Programming Problem-Design-Solution section of the Wrox Programmer to Programmer discussions. This is a community of software programmers and website developers including Wrox book authors and readers. New member registration was closed in 2019. New posts were shut off and the site was archived into this static format as of October 1, 2020. If you require technical support for a Wrox book please contact http://hub.wiley.com
 
Old September 12th, 2004, 08:43 AM
Registered User
 
Join Date: Sep 2004
Posts: 9
Thanks: 0
Thanked 0 Times in 0 Posts
Default

I am NOT able to rename the .doc file! I get Access to this Path Denied.

More information:

I am testing logged onto my Windows XP workstation (TITANIA) as TITANIA\Dave. TITANIA\Dave is a member of the TITANIA Administrators group, shich has full access in Windows Explorer to the physical root folder (C:\Wrox\ThePhileVB) of the site. I don't really understand why, but 'Dave' is also listed on the security list for this and all other folders, and cannot be removed because "it it inheriting"? I manually gave Dave full rights as well, but that made no difference.
I can edit the files in the folder through Windows Explorer with no problem


In IIS console, I navigate to TITANIA\Web Sites\Default Web Site\ThePhileVB, which is what I call this site. It identifies C:\Wrox\ThePhileVB as the root folder. Looking at its properties: Read, Directory Browsing, Log Visits, and Index This Resource are checked. On the security tab, I click Authentication methods, and Anonymous is unchecked, Integrated Windows authentication is checked.

The book says on page 135 that I should navigate on down to the ThePhileVB\WebModules\FileManager in IIS and set Windows authentication there. When I do that, the security settings of the FileManager folder are all the same as I just described for the ThePhileVB folder.

Since I am logged onto my machine as Dave, who is an administrator, why do I need to set up another group named ThePhile_FileManagerAdmins? Shouldn't IIS authenticate me as a member of administrators?

One more piece of information: I do NOT get prompted for a username/password as I open BrowseFiles.aspx directly from IE, or when I run the ThePhile web site from Visual Studio.

Thanks,

OBERONOP



 
Old September 12th, 2004, 09:03 PM
Friend of Wrox
 
Join Date: Jun 2003
Posts: 917
Thanks: 0
Thanked 0 Times in 0 Posts
Default

Are you getting the login dialog box on p131? It sounds to me like you aren't getting this.

If you don't log in to the File Manager with a Windows account, then you're likely running as IUSR_machinename (or possible ASPNET). You can try giving NTFS security to these accounts and see if that works.

If you get it working this way, it won't be secure, but at least it tells you that the pages are working. The problem that remains is to figure out how you can get the Windows login box - without the login box it can't know who you are.

At the bottom of p131 he mentions that you can't have 2 forms of authentication in one application, and your main web.config is set up for Forms authentication, not Windows authentication. Therefore, if you don't see the Windows login box, that means it has determined your identity using only Forms auth, and that will not equate to your Windows account (so it thinks you are IUSR_machinename).

I read the section several times, and I can't see anything he did to make the Windows login box show up.

Anyway, I don't agreee with mixing Windows authentication and Forms authentication in the same application. I strongly recommend switching all of the File Manager pages to use Forms authentication.

Eric
 
Old September 12th, 2004, 09:05 PM
Friend of Wrox
 
Join Date: Jun 2003
Posts: 917
Thanks: 0
Thanked 0 Times in 0 Posts
Default

By the way, the page number I referenced is for the C# version of the book. I'm not sure if the page number is the same for the VB.NET version.

Eric
 
Old September 12th, 2004, 09:36 PM
Registered User
 
Join Date: Sep 2004
Posts: 9
Thanks: 0
Thanked 0 Times in 0 Posts
Default

READ THIS BEFORE RESPONDING TO MY LAST POST!

OK, I solved the problem (atually 2 or 3 problems) over the weekend.

1) All I had to do to make renames etc. work was give ASPNET write permissions (which is NOT the default) to THePhileVB & its subdirectories. (Even though that is not the standard setting, I don't see anywhere that was mentioned in the book or Readme.htm!)

2) How is the book's discussion of ThePhileMaster in the FileManager chapter relevant? Since it's ASPNET's permissions that determines whether I can write to server files, how would logging into windows as ThePhileMaster on an intranet, and then using the FileManager module, have given me the right permissions? Was it intended that I make ASP.NET run under ThePhileManager? I don't understand that part of the book at all.

3) Not sure how you switch to Windows integrated security instead of Forms - when I changed web.config to "Windows" instead of "Forms", the app simply tried to find "TITANIA\Dave" in the users table - hard to put that in the users table when the Account app requires new account IDs to be valid email addresses with an @ sign in them.

3) My download problem still persisted after I had gotten file writes working. I did however discover that the correct file WAS downloading, but the dialog was confused about the file's name. The following site shows the correct syntax for setting the dialog's file name:

http://www.eggheadcafe.com/forums/fo...=12118&INTID=6


Instead of

      'Response.AddHeader("Content-Disposition", "attachment filename=" _
      ' & theFile.Name)

This syntax works and solves the problem:

      Response.AddHeader("Content-Disposition", "attachment; filename=""" _
        & theFile.Name & """")

 (maybe it's a VS2003, Framework 1.1 thing???):

Thanks for you efforts last week Eric, at least you got me headed in some more fruitful directions!

OBERONOP




 
Old September 13th, 2004, 02:15 PM
Friend of Wrox
 
Join Date: Jun 2003
Posts: 917
Thanks: 0
Thanked 0 Times in 0 Posts
Default

1) Be careful with this. You have opened it up to all users. This isn't a problem on your computer, but isn't the right way to deploy an application! The File Manager is a dangerous module - you need to make sure the security is locked down. I can't see how to make Windows security work on the File Manager when Forms auth is used at the application level. Maybe someone else can shed light on this.
2) I guess you're having trouble understanding inheritance. The basic idea is that ASP.NET provides a Page class that doesn't have any features to set the user's Principal based on his Identity, so the authors created a new class called PhilePage that decends from the ASP.NET Page class (meaning that it gets all of the functionality of that class), and they've added some new functionality to take care of site-wide needs like setting the Principal and doing some common logging functions. You should do some web searches for Identity and Principal. This is a complex area, but I can get you started. Identity is how we know who a user is. We can use WindowsIdentity, GenericIdentity, or we can design our own Identity by implementing the IIdentity interface (like we did in SiteIdentity in ThePhile). The Principal object is how we know what a user is authorized to do. We can use WindowsPrincipal, GenericPrincipal, or we can design our own Principal by implementing the IPrincipal interface (like we did in PhilePrincipal).
3) You should not switch from Forms to Windows unless all of your users will be on the same Intranet. You can't allow users outside your network to authenticate using Windows security, because they don't have a Windows account on your network. Most of us need Forms authentication so we can support users that aren't on our network.
4) This is interesting - the C# version works fine, but the VB.NET version needs the extra quotes. This must be a language issue.

New bug in File Manager:
I just found that the copy function in the File Manager isn't working in either version.

I'm not a big believer in the File Manager, as you might have seen in other messages. It's dangerous if it's not implemented right, and it's usually not needed, since we normally use FTP and "Copy Project" to deploy and manage our files on the web server.

Eric
 
Old September 13th, 2004, 02:41 PM
Registered User
 
Join Date: Sep 2004
Posts: 9
Thanks: 0
Thanked 0 Times in 0 Posts
Default

Hmmm... maybe not to many people have tried the VB version?

I see your point about the security, and I was somewhat familiar with Principal and Identity ideas from Lhotka's books.

I agree that I need to switch to Forms security - I am planning to adapt some of these ideas to implement a web site for a HS choir program where parents and students can navigate a folder structure to find various informational documents in Word or PDF format. They will get only the download link and file size information. But I want to give the directors and parent volunteers the ability to browse the folder structure and upload, move, and delete docs - for that FileManager is perfect.

I see how I can use Forms security to make the admins log in before they can get to Filemanager. But it looks to me as though I still must make IIS run in a context that has the necessary permissions to modify the folders, even though I will be keeping guests out of FileManager. Does that mean that user ASPNET on the server hosting this must have full permissions to my doc folders? Can I have a typical hosting company set this up without opening myself up to all kinds of threats? Am I safe assuming users of other hosted sites can't get to my folders? Or does a good hosting company set things up so that the "user" IIS runs under for me is different then the user it runs under for other sites?

Thanks for all your help, hope I have not overstayed my welcome on this topic ...

OBERONOP



 
Old September 14th, 2004, 05:13 PM
Friend of Wrox
 
Join Date: Jun 2003
Posts: 917
Thanks: 0
Thanked 0 Times in 0 Posts
Default

1) I want to give the directors and parent volunteers the ability to browse the folder structure and upload, move, and delete docs

This is a fine application for the File Manager. But I would consider locking it down to one folder, or a group of folders. I wouldn't want even your trusted users to have the ability to delete or edit essential files like web.config, or the files in the config subdir (where your very critical connection string is stored).

2) Does that mean that user ASPNET on the server hosting this must have full permissions to my doc folders?

yes, but as you said, you can restrict this to only the doc folders. On my site, I made a Downloads folder, and I have some subfolders under that. Those folders have full access for ASPNET.

3) Can I have a typical hosting company set this up without opening myself up to all kinds of threats? Am I safe assuming users of other hosted sites can't get to my folders?

You are pretty safe this way, but there's no such thing as being 100% safe. Users of other sites won't have a path to your site. Their virtual root is separate from yours, and there's no files in common, excpet for machine.config and the other Framework files.

But, "just in case", you should always have a good backup of your whole site, and you should backup the SQL DB at least weekly. And, save many generations of backups. You might learn of a problem that first occured a month ago, so you need to keep backs that are several months old.

Eric
 
Old September 14th, 2004, 09:35 PM
Registered User
 
Join Date: Sep 2004
Posts: 9
Thanks: 0
Thanked 0 Times in 0 Posts
Default

Very helpful! I think I'm starting to get it!

Thanks for all your help!


OBERONOP








Similar Threads
Thread Thread Starter Forum Replies Last Post
downloaded code Joseph BOOK: Beginning SQL 5 December 23rd, 2007 09:35 PM
Smaller download/single download file available jminatel BOOK: Beginning ASP.NET 2.0 BOOK VB ISBN: 978-0-7645-8850-1; C# ISBN: 978-0-470-04258-8 0 November 21st, 2005 11:10 AM
New.aspx works but login.aspx fails Validation nigelhamilton BOOK: ASP.NET Website Programming Problem-Design-Solution 8 September 13th, 2004 02:29 AM
HowTo Pass Form data from Page1.aspx to Page2.aspx dati ASP.NET 1.0 and 1.1 Basics 6 January 27th, 2004 06:57 AM





Powered by vBulletin®
Copyright ©2000 - 2020, Jelsoft Enterprises Ltd.
Copyright (c) 2020 John Wiley & Sons, Inc.