.NETGURU
Protecting non aspx and ascx resources
This message was discovered on ASPFriends.com 'aspngsec' list.

Wolfgang Baeck
-- Moved from [aspappsecurity] to [aspngsec] by Tim Musschoot --

-- Moved from [aspngsec] to [aspappsecurity] by Tim Musschoot --

Hi,

Where can I tell the asp worker process to watch over non-aspx and non-ascx
files? Currently, any other file with a .rpt or .sql extension can be downloaded
without authentication.

Thanks,

Wolfgang

Brian W. Spolarich

I'm confused as to where the moderator thinks this question should be
posted. Tim told me to post my version of this question to
aspappsecurity. :-)

In any case, I have the same concern, and it seems to be dependent on
the mechanism that IIS uses for passing requests to particular handlers,
which is done based on filename extension. Is there a way to tell IIS
to pass all requests to a particular handler, either for the server as a
whole or (preferably) for a particular application or virtual directory?

Regards,

-bws

Brian Espey
would it work to add an entry in the httpHandlers
section of your web.config file?

<httpHandlers>
<add verb="*" path="*.rpt"
type="System.Web.HttpForbiddenHandler"/>
<add verb="*" path="*.sql"
type="System.Web.HttpForbiddenHandler"/>
</httpHandlers>

or do you need to allow authenticated users to have
access to these files?

Brian

--- Wolfgang Baeck wrote:
[Original message clipped]


Brian W. Spolarich

I want to protect an entire virtual directory/application using
ASP.NET forms authentication.

I could just rename my .htm files to .aspx and that will invoke the
ASP.NET DLL handler, but I'm wondering if there's a more elegant way to
do this?

Brian, I don't think your solution will work because ASP.NET isn't
being called to handle the request at all, so web.config doesn't get
parsed, does it?

Thanks,

-bws

Wolfgang Baeck
I need authenticated users to have access to these.

Thanks for the idea

Wolfgang

Brian Bilbro (VIP)
To get the forms authentication you need the extension to at least be
processed by the ASP.NET ISAPI Filter. You can do this by adding the
extensions you want to the filter list in IIS. You can do this at any level
(the web site, an application, etc.). For example, you can

1. right-click on your application folder in IIS and bring up its
properties.
2. Select the directory tab
3. Select the configuration button
4. Select the mappings tab
5. Copy the path that is configured for .aspx (should be something like:
C:\WINDOWS\Microsoft.NET\Framework\v1.0.3705\aspnet_isapi.dll)
6. Add a new entry for each extension you want to secure with the path you
copied from step 5.

Those extensions will now be processed by the ASP.NET ISAPI filter and will
require forms authentication (if you have it configured in ASP.NET).

HTHs
Brian

----- Original Message -----
From: "Wolfgang Baeck"
Sent: Monday, July 15, 2002 9:39 AM

> -- Moved from [aspappsecurity] to [aspngsec] by Tim Musschoot --
[Original message clipped]

Daniel Kent

[Original message clipped]

You would still need to map the file type to ASP.NET in IIS.

If you just want to prevent these files being downloaded, the best thing to
do would be to store them in a folder that is not accessible to the
anonymous web request user (IUSR_[servername])

Wolfgang Baeck
Brian,

Therein lies the problem. I need the stuff protected but processed by the
default processor which for .rpt files is the Crystal reports crweb.dll.

Note that I want to use the old crystal reports webpage server for licensing
reasons.

Any other ideas rather than putting an IIS authentication (basic or so) on
it?

Wolfgang

Remas Wojciechowski
Wolfgang,

I'll repeat my suggestion:
how about you store the rpt files in a folder that is not mapped to the
webserver. The only file visible to the server would be, e.g., stream.aspx
(protected by an authentication mechanism). That file would--nomen
omen--stream the RPTs to the user.

Remas
http://www.aspalliance.com/remas

----- Original Message -----
From: "Wolfgang Baeck"
To: "aspngsec"
Sent: Wednesday, July 17, 2002 11:28 PM
Subject: [aspngsec] Re: Protecting non aspx and ascx resources

[Original message clipped]
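Remas's suggestion of a single authenticated page in front of files kept outside the web root, written out as an added C# example that is not code from this thread, from Crystal Reports or from Microsoft: an IHttpHandler (assumed name ReportStreamHandler, served as an .ashx so it is already mapped to aspnet_isapi.dll) that streams a report only when the request is authenticated and only after reducing the requested name to an allow-listed bare file name, so a caller cannot reach anything outside the assumed C:\SecureReports folder.

```csharp
using System;
using System.IO;
using System.Web;

namespace HopeAndHome.Admin   // namespace from the thread; the handler itself is hypothetical
{
    // Register in web.config, e.g. <add verb="GET" path="stream.ashx" type="HopeAndHome.Admin.ReportStreamHandler, YourAssembly"/>
    // (YourAssembly is a placeholder). Because the request reaches ASP.NET, the forms-authentication settings apply to it.
    public class ReportStreamHandler : IHttpHandler
    {
        // Assumed folder outside the IIS home directory, so IIS itself never serves these files.
        private const string ReportFolder = @"C:\SecureReports";

        public bool IsReusable { get { return true; } }

        public void ProcessRequest(HttpContext context)
        {
            // Forms authentication has already populated context.User; refuse anyone else.
            if (context.User == null || !context.User.Identity.IsAuthenticated)
            {
                context.Response.StatusCode = 401;
                return;
            }

            string safeName = SafeReportFileName(context.Request.QueryString["name"]);
            if (safeName == null)
            {
                context.Response.StatusCode = 400;
                return;
            }

            string fullPath = Path.Combine(ReportFolder, safeName);
            if (!File.Exists(fullPath))
            {
                context.Response.StatusCode = 404;
                return;
            }

            context.Response.ContentType = "application/octet-stream";
            context.Response.AppendHeader("Content-Disposition",
                "attachment; filename=\"" + safeName + "\"");
            context.Response.WriteFile(fullPath);
        }

        // Reduce the client-supplied value to a bare file name with an allow-listed extension,
        // so "..\web.config", an absolute path or "sub/x.rpt" can never escape ReportFolder.
        public static string SafeReportFileName(string name)
        {
            if (name == null || name.Length == 0) return null;
            string bare = Path.GetFileName(name);
            if (bare != name) return null;                   // contained a directory or volume separator
            string ext = Path.GetExtension(bare).ToLower();
            if (ext != ".rpt" && ext != ".sql") return null; // the two extensions asked about in the thread
            return bare;
        }
    }
}
```

A request such as stream.ashx?name=placement.rpt from an authenticated session is served from C:\SecureReports; the same request without a forms-authentication ticket gets a 401, which the forms module turns into the login redirect.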

Wolfgang Baeck
Remas,

Sorry, I never connected this to my original question since I'm still unable
to use the cr in dot net because of a logon problem. This problem is shared
by some other folks here and I haven't seen a solution yet. I don't have the
problem with my existing reports and old way of doing it with the cr webpage
server (CR 7.0).

If I were able to successfully log on to the db with the cr dot net version
(I posted this some time ago), then I would just have to figure out how to
stream that to the browser or to create a pdf file from it.

In my opinion, the old cr web page server dll and the pdf solution are
superior to the new server side control because of the fact that printing
and exporting can be done from the client side, aside from the fact that the
licensing issue with the new CR Webserver is prohibitive for individuals
like me.

So, any help on logging on? Here is the code:

-----------------------------------------------------------------------
using System;
using System.Collections;
using System.ComponentModel;
using System.Data;
using System.Drawing;
using System.Web;
using System.Web.SessionState;
using System.Web.UI;
using System.Web.UI.WebControls;
using System.Web.UI.HtmlControls;
using CrystalDecisions.Shared;
using CrystalDecisions.CrystalReports.Engine;

namespace HopeAndHome.Admin
{
    public class PlacementHistory : System.Web.UI.Page
    {
        protected CrystalDecisions.Web.CrystalReportViewer CrystalReportViewer1;
        // CR variables
        HopeAndHome.Admin.Reports.PlacementHistory crReportDocument;
        Database crDatabase;
        Tables crTables;
        TableLogOnInfo crTableLogOnInfo;
        ConnectionInfo crConnectionInfo;

        private void Page_Load(object sender, System.EventArgs e)
        {
            //Create an instance of the strongly-typed report object
            crReportDocument = new HopeAndHome.Admin.Reports.PlacementHistory();

            //Create a new instance of the connectioninfo object and
            //set its properties

            crConnectionInfo = new ConnectionInfo();
            crConnectionInfo.ServerName = "metaphor-lt1";
            crConnectionInfo.DatabaseName = "HopeAndHome";
            crConnectionInfo.UserID = "userid";
            crConnectionInfo.Password = "password";

            //Get the tables collection from the report object
            // Note, I have no collection of tables in the report object, therefore
            // this could be the culprit, but it doesn't work with reports on tables either
            crDatabase = crReportDocument.Database;
            crTables = crDatabase.Tables;

            //Apply the logon information to each table in the collection
            // there seems to be no foreach ...Engine.StoredProcedure ???
            foreach (CrystalDecisions.CrystalReports.Engine.Table crTable in crTables)
            {
                crTableLogOnInfo = crTable.LogOnInfo;
                crTableLogOnInfo.ConnectionInfo = crConnectionInfo;
                crTable.ApplyLogOnInfo(crTableLogOnInfo);
            }
            //Once the connection to the database has been established for
            //each table in the report, the report object can be bound to the viewer
            //using the reportsource property of the viewer to display the report.
            CrystalReportViewer1.ReportSource = crReportDocument;
        }

        #region Web Form Designer generated code
        override protected void OnInit(EventArgs e)
        {
            //
            // CODEGEN: This call is required by the ASP.NET Web Form Designer.
            //
            InitializeComponent();
            base.OnInit(e);
        }

        /// <summary>
        /// Required method for Designer support - do not modify
        /// the contents of this method with the code editor.
        /// </summary>
        private void InitializeComponent()
        {
            this.Load += new System.EventHandler(this.Page_Load);

        }
        #endregion
    }
}

Brian W. Spolarich

As far as I can tell this is essentially a limitation of the handler
invocation mechanism that IIS offers, or at least the implementation
that is currently provided by ASP.NET.

That is to say that the ASP.NET framework is not even invoked until
the request matches an application invocation directive on the server,
and those are mapped based on filename extension. To see this, run the
IIS MMC snap-in, right-click on your Default Web Server, and select
Properties. Click on Home Directory, then Configuration... and you'll
see what I'm talking about.

So while you can configure your ASP.NET application via a web.config
directive to limit access to a certain directory, the aspnet_isapi.dll
isn't invoked until you hit a script mapping, based on filename
extension. Now I did some testing and this does work: if you add
C:\WINNT\Microsoft.NET\Framework\v1.0.3705\aspnet_isapi.dll as a handler
for .htm files for either your whole web server or a particular virtual
directory/application, the web.config authentication handler is invoked
as you would expect.

Now I've briefly looked through the IIS 5.0 Resource Guide (comes w/
the Win2K Server Resource Kit) and it looks like you can also implement
custom processing functionality via an ISAPI filter, and thus it could
be possible to invoke the ASP.NET framework based on other conditions
(such as directory mapping). I would expect that if this functionality
were to be offered it would be in a future release of ASP.NET, or
perhaps as part of a new major release of IIS (Windows .NET Server
perhaps?). I haven't followed these product cycles closely enough to
know how this will all fit together.

I did try loading the
C:\WINNT\Microsoft.NET\Framework\v1.0.3705\aspnet_isapi.dll and
C:\WINNT\Microsoft.NET\Framework\v1.0.3705\aspnet_filter.dll files as
ISAPI Filters on my server, hoping this would somehow magically work.
The filter one loads properly after IIS restarts, but doesn't seem to
have any effect (i.e. my web.config file doesn't appear to be parsed
before my .htm file is sent back, so the auth handler never gets
invoked).

-bws

 Copyright © ExamGuru, Inc. 2001-2006