Authorization Confusion

  • Jonathan Wood

    Authorization Confusion

    I have a subfolder on my Website that contains images. It also contains the
    web.config file shown below.

    When I access the site, I get the Login page as expected. But if I type in
    the URL of an image in the folder that contains images, the image is
    displayed in the browser.

    I don't understand why I am not prevented from seeing the contents of this
    folder since I have not been authenticated. Does it have something to do
    with the fact that these resources are images? How would I prevent access to
    this folder by users who are not logged in?

    Thanks.

    <?xml version="1.0" encoding="utf-8"?>
    <configuration>
      <system.web>
        <authorization>
          <allow roles="Client,Trainer,Admin" />
          <deny users="*" />
        </authorization>
      </system.web>
    </configuration>

    Jonathan

  • Juan T. Llibre

    #2
    Re: Authorization Confusion

    You need to map the image files' extensions to aspnet_isapi.dll.

    Here's a primer on what you need to do :





    Juan T. Llibre, asp.net MVP
    asp.net faq : http://asp.net.do/faq/
    asp.net forums, in Spanish : http://asp.net.do/foros/

    • Juan T. Llibre

      #3
      Re: Authorization Confusion

      I should add that you only need to do step 1:

      1. Configure IIS so that .jpg, .gif, etc. files are mapped to the ASP.NET ISAPI extension

      That will prevent the image files from being served without authorization.

      Step 2 :

      2. Configure ASP.NET so that *.xxx files are mapped to the HttpForbiddenHandler HTTP handler

      ....will prevent the files from being served, period.
      You don't want to do step 2.




      Juan T. Llibre, asp.net MVP
      asp.net faq : http://asp.net.do/faq/
      asp.net forums, in Spanish : http://asp.net.do/foros/
      Comment
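A simplified model of the behaviour discussed in the replies above, added here as an illustration and not code from any poster: only extensions mapped to aspnet_isapi.dll reach ASP.NET, so the folder's `<authorization>` rules are evaluated only for those requests. The script-map contents, the path `/images/photo.jpg`, the user names and the result strings are constructed for the example.

```python
import os
import xml.etree.ElementTree as ET

# web.config from the question (extraction spacing repaired).
WEB_CONFIG = """<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <system.web>
    <authorization>
      <allow roles="Client,Trainer,Admin" />
      <deny users="*" />
    </authorization>
  </system.web>
</configuration>"""

# Constructed script maps: extensions IIS hands to aspnet_isapi.dll.
DEFAULT_MAP = {".aspx", ".ashx", ".asmx"}      # illustrative subset
STEP1_MAP = DEFAULT_MAP | {".jpg", ".gif"}     # after step 1 from the thread


def _csv(value):
    return {v.strip() for v in value.split(",") if v.strip()}


def load_rules(config_xml):
    """Return <authorization> rules in document order as (verb, users, roles)."""
    auth = next(ET.fromstring(config_xml.encode("utf-8")).iter("authorization"))
    return [(r.tag, _csv(r.get("users", "")), _csv(r.get("roles", ""))) for r in auth]


def url_authorize(rules, user, roles):
    """First matching rule decides; user=None is an anonymous request."""
    for verb, users, rule_roles in rules:
        if ("*" in users or (user is None and "?" in users)
                or user in users or rule_roles & set(roles)):
            return verb == "allow"
    return True  # nothing matched: inherited default is <allow users="*" />


def handle_request(path, script_map, rules, user=None, roles=()):
    """Model: unmapped extensions are served by IIS without consulting web.config."""
    if os.path.splitext(path)[1].lower() not in script_map:
        return "served-by-iis"
    return "served-by-aspnet" if url_authorize(rules, user, roles) else "denied-by-aspnet"


if __name__ == "__main__":
    rules = load_rules(WEB_CONFIG)
    for smap in (DEFAULT_MAP, STEP1_MAP):
        print(handle_request("/images/photo.jpg", smap, rules),
              handle_request("/images/photo.jpg", smap, rules, "alice", ["Trainer"]))
```

With the default map the anonymous image request is served without the rules being read; once the image extensions are mapped, the same request is denied while a user in the Trainer role is still served.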

      • Jonathan Wood

        #4
        Re: Authorization Confusion

        Soooo... It defaults to making resources not specified available to anyone
        regardless of the allow/deny settings...

        I thought ASP.NET usually defaulted to being secure.

        Thanks for the info!

        Jonathan
