Welcome to the p2p.wrox.com Forums.
You are currently viewing the General .NET section of the Wrox Programmer to Programmer discussions. This is a community of software programmers and website developers including Wrox book authors and readers. New member registration was closed in 2019. New posts were shut off and the site was archived into this static format as of October 1, 2020. If you require technical support for a Wrox book please contact http://hub.wiley.com
May 20th, 2005, 08:57 AM
Registered User
Question about authentication
For two days I've been struggling with this, and it seems like it should be so easy!
I've got a set of subdirectories I want protected from unauthorized viewing; these are Excel and Word files. (These are on a Win2k box with NTFS, with IIS as the web server.)
I want to use .Net Forms-based authentication to check the user's credentials against a SQL server (no problem here), and allow users to get to the contents of these protected directories.
In a nutshell, I guess the question is this: how do I authenticate from this (unprotected) directory where the login.aspx file exists into these protected directories? Can this authentication be blanket, or must it be performed on a per-file basis?
May 25th, 2005, 02:04 AM
Friend of Wrox
The problem is that .NET handles security for .NET pages (aspx). When you request an .ASPX page, the request is passed off from IIS to aspnet_wp (the worker process). That process falls within the scope of the ASP.NET application and thus the web.config. Therefore the security settings you set up in the web.config apply.

However, when you access a directory listing or another file extension that is not mapped to the ASP.NET worker process, ASP.NET never sees it and thus doesn't apply any security as defined in the web.config.

A possible way around this is to build an application that provides a list of available files, and then lets you access them through an ASPX link (getfile.aspx?file=folder/filename.xls). The getfile ASPX page will simply read the file and stream out the binary data from it. This way you can get the file as a raw file, but it will be controlled by ASP.NET security.

Unfortunately, I'm not familiar with how you would get ASP.NET security to work together with IIS security such that you can achieve blanket protection over the listings and non-ASP.NET files.
- Peter
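An added worked example of the getfile page Peter describes; it is not code from the thread. It is written as an .ashx handler against .NET 2.0 APIs, and the D:\ProtectedDocs root, the user names and the access table are constructed stand-ins. The point it adds beyond the post: a file=folder/filename.xls parameter is also a path-traversal vector, so the handler canonicalises the requested name with Path.GetFullPath and refuses anything that does not land inside the document root, restricts the extensions it will serve, requires an authenticated identity, and checks a per-user access table before writing a single byte.

```csharp
// GetFile.ashx: the .ashx file starts with
//   <%@ WebHandler Language="C#" Class="GetFileHandler" %>
// followed by this class. Added example against .NET 2.0 APIs; DocumentRoot,
// the user names and the access table are constructed stand-ins.
using System;
using System.IO;
using System.Web;

public class GetFileHandler : IHttpHandler
{
    // Hypothetical document store, deliberately OUTSIDE the web root so IIS
    // can never hand these files out directly; only this handler can.
    private const string DocumentRoot = @"D:\ProtectedDocs";

    // Only these extensions are ever served, even when the path check passes.
    private static readonly string[] AllowedExtensions = { ".xls", ".doc" };

    // Stand-in for the SQL table recording which user may read which file
    // ("user|path relative to DocumentRoot"). The page that lists files must
    // consult the same table so that listing and serving agree.
    private static readonly string[] AccessTable = {
        @"alice|finance\q1.xls", @"alice|finance\q2.xls", @"bob|hr\handbook.doc" };

    public bool IsReusable { get { return true; } }

    public void ProcessRequest(HttpContext context)
    {
        HttpResponse response = context.Response;

        // 1. The forms-authentication ticket must have produced an identity.
        if (context.User == null || !context.User.Identity.IsAuthenticated)
        { response.StatusCode = 401; return; }

        // 2. Canonicalise the requested name; refuse anything that escapes
        //    DocumentRoot or carries an unexpected extension.
        string fullPath = ResolveSafePath(DocumentRoot, context.Request.QueryString["file"]);
        if (fullPath == null || !File.Exists(fullPath))
        { response.StatusCode = 404; return; }

        // 3. Authorisation is per user AND per file; being logged in is not enough.
        if (!IsAuthorised(context.User.Identity.Name, fullPath))
        { response.StatusCode = 403; return; }

        // 4. Stream the bytes. Content-Disposition makes the browser save the
        //    file rather than try to render it inline.
        response.ContentType = "application/octet-stream";
        response.AppendHeader("Content-Disposition",
            "attachment; filename=\"" + Path.GetFileName(fullPath) + "\"");
        response.WriteFile(fullPath);
    }

    // Absolute root with exactly one trailing separator, so the prefix test
    // cannot be fooled by a sibling directory such as D:\ProtectedDocs2.
    private static string NormalisedRoot(string root)
    {
        return Path.GetFullPath(root).TrimEnd(Path.DirectorySeparatorChar)
               + Path.DirectorySeparatorChar;
    }

    // Returns the absolute path for root + requested, or null when requested
    // is empty, has illegal characters, resolves outside root (".." segments or
    // a rooted path such as C:\x or \\server\share) or has a disallowed extension.
    public static string ResolveSafePath(string root, string requested)
    {
        if (string.IsNullOrEmpty(requested)) return null;
        string rootFull = NormalisedRoot(root);
        string candidate;
        try
        {
            // Path.Combine returns `requested` unchanged when it is rooted, and
            // GetFullPath collapses "..", so the prefix test covers both cases.
            candidate = Path.GetFullPath(Path.Combine(rootFull, requested));
        }
        catch (ArgumentException) { return null; }      // illegal characters
        catch (NotSupportedException) { return null; }  // forms such as "c:foo"
        catch (PathTooLongException) { return null; }

        if (!candidate.StartsWith(rootFull, StringComparison.OrdinalIgnoreCase))
            return null;
        string ext = Path.GetExtension(candidate).ToLowerInvariant();
        return Array.IndexOf(AllowedExtensions, ext) >= 0 ? candidate : null;
    }

    // Looks the (user, file) pair up by the file's path relative to DocumentRoot.
    public static bool IsAuthorised(string userName, string fullPath)
    {
        string key = userName + "|" + fullPath.Substring(NormalisedRoot(DocumentRoot).Length);
        foreach (string entry in AccessTable)
            if (string.Equals(entry, key, StringComparison.OrdinalIgnoreCase))
                return true;
        return false;
    }
}
```

With this layout a request such as getfile.ashx?file=..\web.config canonicalises to D:\web.config, fails the prefix test and gets a 404, and a rooted value such as C:\boot.ini is returned unchanged by Path.Combine and fails the same test. Because the documents sit outside the web root, the open question in the post (protecting directory listings and non-ASPX files that IIS would serve itself) does not arise for them: IIS has no URL that reaches the files, so the handler is the only path to them.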
May 26th, 2005, 12:34 PM
Authorized User
If this app is for an intranet then you might want to use impersonation. I'm not sure if you can do this, but I think you can include impersonation with your .NET Forms-based authentication.
To add impersonation to your app, just add this line to the web.config file:
<identity impersonate="true"/>
If you're just using .NET Forms-based authentication against SQL, then IIS will run your web app under the local system account ASP.NET. However, with impersonation, it forces IIS to run the web app under the person who is using the web app and not the ASP.NET account. By setting permissions on NTFS folders, only people with the correct rights will be able to access the folders, and thus the files in the folder.
I use impersonation all the time, so I know it works for an intranet app.
Well, let us know how it goes.
May 26th, 2005, 01:15 PM
Authorized User
If this is for an intranet, then authenticate against AD instead of SQL. This way you won't need to maintain a user table in SQL.
May 26th, 2005, 08:29 PM
Friend of Wrox
First, using impersonate means that he would be using both forms and NTFS authentication (with the assumption that he is authenticating against SQL Server, not AD). They would log in to the app using the form, but the impersonation wouldn't work, since there has been no domain authentication. Therefore, the server would likely try to do an NTFS authentication also, or just fail. Either would be a bad result. I have never tried the scenario, so I can't be sure what would happen.

Working off Peter's idea: if the files are stored in a directory that IIS cannot access through a URL (outside of the web path), then the only way to get to the files would be through the 'file server' ASPX page he discusses. You need to make sure that you check security when you show the list of files available AND when serving; otherwise anyone can get to it by just typing the correct URL. The question in this is where you would be storing who can access what file. You would need to manage that through a SQL table, if that's where authentication takes place.

If this is an intranet app, as others have said, authenticate against AD and make sure you use impersonation. Then you can manage the security through NTFS and AD groups.
Hal Levy
I am here to help you, not do it for you.
That is, unless you hire me. I am looking for work.
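An added web.config, not from the thread, that ties the posts together for the original question of whether forms-based protection can be blanket. It assumes the application sits at the site root with login.aspx there and that the folder to shield is /protected. Two caveats a practitioner needs are written into the comments: the location rule only covers requests ASP.NET actually receives, which on IIS 5/6 means extensions mapped to aspnet_isapi.dll (so .xls and .doc are passed straight through by IIS unless you map them or keep them outside the web root and serve them through a handler), and the impersonation line the two replies argue about behaves differently under forms and Windows authentication: with forms authentication IIS hands ASP.NET the anonymous-user token, so impersonation runs every logged-in user as the IUSR account, which is why NTFS permissions cannot tell them apart, whereas with Windows authentication against the domain (Hal's intranet suggestion) the impersonated token is the real user and NTFS ACLs plus AD groups become the authorization check.

```xml
<?xml version="1.0"?>
<!-- Added example web.config (not from the thread). Assumes the application
     lives at the site root with login.aspx there and that the folder to
     shield from anonymous users is /protected. -->
<configuration>
  <system.web>
    <!-- Variant A: forms authentication, credentials checked against SQL
         Server by login.aspx, which is the original poster's set-up. -->
    <authentication mode="Forms">
      <forms name=".DOCS" loginUrl="login.aspx" timeout="30"
             protection="All" slidingExpiration="false" />
    </authentication>

    <!-- Do NOT enable this with Variant A. Under forms authentication IIS
         passes ASP.NET the anonymous-user token, so impersonation runs every
         logged-in user as IUSR_<machine>, not as the person who logged in,
         and NTFS permissions cannot distinguish one user from another. -->
    <!-- <identity impersonate="true" /> -->

    <!-- Variant B (intranet, as Hal suggests): let IIS authenticate against
         the domain and impersonate that user, so NTFS ACLs and AD groups
         decide who may open which folder. Replace the elements above with:
           <authentication mode="Windows" />
           <identity impersonate="true" />
         and in IIS disable anonymous access and enable Integrated Windows
         authentication on the virtual directory. -->

    <!-- The root, and therefore login.aspx, stays reachable by everyone. -->
    <authorization>
      <allow users="*" />
    </authorization>
  </system.web>

  <!-- Blanket rule: anonymous ("?") users get nothing under /protected.
       ASP.NET enforces this only for requests it receives, i.e. for the
       extensions IIS maps to aspnet_isapi.dll. .xls and .doc are not mapped
       by default, so IIS serves them itself and never consults this rule.
       Either add those extension mappings (or, on IIS 6, a wildcard mapping)
       in the application's IIS configuration, or keep the documents outside
       the web root and serve them only through an ASP.NET handler. -->
  <location path="protected">
    <system.web>
      <authorization>
        <deny users="?" />
      </authorization>
    </system.web>
  </location>
</configuration>
```

The deny rule applies to the directory as a whole, so the original poster's per-file worry is answered for ASPX content: one location element covers every mapped request under /protected. The extension mapping is the piece that turns it into genuinely blanket coverage for the Office documents as well.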