Authentication of requests to *.htm resources via FormsAuthentication

Hi,

I need to cover by custom authentication algorithm both ASP.NET and other
resources within the site.
FormsAuthentication covers only resources being handled by ASP.NET. Other
generic resources can be retrieved without being logged on.

I'm trying to configure the site to handle all resources via ASP.NET. Is it
possible?

My results are:

a. Things are working OK under .NET 2.0 Development Server (started from
   Visual Studio 2005).
b. Under local WinXP IIS, non-ASP.NET resources (like *.htm, *.html) are
   not being authenticated.
   Solved by adding ".*" extension mapping to ASP.NET.
c. Under WinSrv 2003 SP1 / IIS6 there are the following problems:
   1. .* is not recognized as a valid extension.
   2. After mapping .htm to ASP.NET, .htm pages are not served anymore.
      a. Browser shows a completely blank page.
      b. HTTP Watch tracks the ERROR_HTTP_INVALID_SERVER_RESPONSE error code;
         the response stream is empty.
      c. IIS log on the server gives error code 200, i.e. OK.

Any ideas to configure this correctly under WinSrv 2003?

Or probably there is some other better way to implement custom authentication
instead of FormsAuthentication?

Best regards,

Sergey.
Jul 18 '06 #1
Why not just rename the .htm files as .aspx files?
Jul 18 '06 #2
Yes,

this will work for *.htm files - though we have plenty of them in legacy
site. And proper configuration of the site will make much less headache.

But what about *.doc and *.xls files? The question is about any resource
within protected folders in general.
Jul 18 '06 #3
The standard way to do this is to map the extensions you want served by
ASP.NET to ASP.NET in the script mappings in IIS (or just use a wildcard
map). Then, in your web.config file, you map the static file extensions to
the StaticFileHandler in the httpHandlers config section.

There are some drawbacks to doing this, but it will work for the most part.

IIS 7 makes this super easy.

Joe K.

--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
Jul 18 '06 #4
Thanks Joe,

adding following to web.config really helps.

<system.web>
  <httpHandlers>
    <add path="*.htm" verb="GET,HEAD"
         type="System.Web.StaticFileHandler" validate="True" />
  </httpHandlers>
</system.web>

Can you provide more details about drawbacks? Do not want to have some
surprises on production site.

Thanks,
Sergey.
PS: MS is very short in his docs as usual.

Frequently Asked Questions
http://msdn.microsoft.com/asp.net/su...q/default.aspx

Configuring ASP.NET 2.0
I used the ASP.NET configuration system to restrict access to my ASP.NET
application, but anonymous users can still view some of my files. Why is
that?

The features of the ASP.NET configuration system only apply to ASP.NET
resources. For example, Forms Authentication only restricts access to
ASP.NET files, not to static files or ASP (classic) files unless those
resources are mapped to ASP.NET file name extensions. Use the configuration
features of IIS to configure non-ASP.NET resources.

How do we use configuration features of IIS for this purpose? No details.
Jul 18 '06 #5
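Added example, not part of any post in this thread: a web.config that extends the handler mapping above to the *.doc and *.xls files asked about earlier and pairs it with the Forms Authentication and authorization settings that deny anonymous users. The folder name Protected, the login page Login.aspx and the cookie name are assumptions, and it presumes .htm, .html, .doc and .xls are mapped to the ASP.NET 2.0 aspnet_isapi.dll in the IIS 6 script mappings.

```xml
<?xml version="1.0"?>
<configuration>
  <system.web>

    <!-- Forms Authentication for the whole application.
         Login.aspx and the cookie name are assumed names. -->
    <authentication mode="Forms">
      <forms name=".SITEAUTH"
             loginUrl="~/Login.aspx"
             protection="All"
             timeout="30" />
    </authentication>

    <!-- Once IIS hands these extensions to ASP.NET, something has to
         serve them. StaticFileHandler returns the file from disk, but
         only after the authentication and authorization modules have
         run for the request. -->
    <httpHandlers>
      <add path="*.htm"  verb="GET,HEAD"
           type="System.Web.StaticFileHandler" validate="true" />
      <add path="*.html" verb="GET,HEAD"
           type="System.Web.StaticFileHandler" validate="true" />
      <add path="*.doc"  verb="GET,HEAD"
           type="System.Web.StaticFileHandler" validate="true" />
      <add path="*.xls"  verb="GET,HEAD"
           type="System.Web.StaticFileHandler" validate="true" />
    </httpHandlers>

  </system.web>

  <!-- Authorization is what actually blocks anonymous users ("?").
       Without a deny rule the files are routed through ASP.NET but
       still served to everyone. "Protected" is an assumed folder. -->
  <location path="Protected">
    <system.web>
      <authorization>
        <deny users="?" />
      </authorization>
    </system.web>
  </location>
</configuration>
```

With this in place, an anonymous GET for a file under Protected should come back as a redirect to Login.aspx rather than the file body. Any extension that is not mapped to ASP.NET in IIS is still served directly by IIS and bypasses these rules, so repeat that check for every file type stored in the folder.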
Hi,

on IIS 6 just add a wildcard mapping for ASP.NET - that's on the same dialog
where you add individual mappings -

add an entry that points to the 2.0 aspnet_isapi.dll - also uncheck "verify
that file exists"

afterwards you should remove the individual mappings, you also don't need
any handler mapped to .htm in web.config then.
this makes ASP.NET handle all requests in a very efficient fashion.

I don't see any drawback here.

dominick

Jul 18 '06 #6
The drawbacks that I'm aware of are that it is much slower to route things
through ASP.NET that IIS could have handled directly. If performance is an
issue, you might want to test in this scenario and make sure you are still
meeting your stated perf goals.

As I recall, there is another functional drawback, but I can't actually
remember what it is. :) I don't think it is a major issue though. I'm
basically agreed with Dominick on this one.

Joe K.

--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
Jul 18 '06 #7
the perf drawback is in 1.1 and IIS5

In 2.0 they use a new feature that bounces back requests in HandlerExecute
to IIS6 to serve them

Pre and Post Events still run - which is kinda close to what's happening in
IIS 7.

dominick

Jul 18 '06 #8
Cool, good to know.

Joe K.

--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
Jul 18 '06 #9
