Using forms authentication, but you can get at a file if you know the name of it.

I have a website where there is a login screen on it. All works fine. As
part of the website I have links to some pdfs, htmls, jpgs, and assorted
other stuff. I have found if you know the name of the file (or login, and
copy the link) you can get at the file without logging in.

I verified this by pulling up one of my pdfs, copying the url, closing down
all of IE and then starting IE and putting in the url.

Lo and behold - the file is there.

Is there any way to stop this behavior? What I really want is a way to limit
the people who get to my web site by using a userid/password stored in a
database and then and only then can they get at my documents. Currently we
use NT security with one userid/password which isn't a good solution. We
have people coming and going quickly so we need a better way to do this. And
putting the users in NT just seems a pain.

Thanks for your help.

J.
Apr 30 '07 #1
Have you annotated your classes and/or methods with attributes that issue
security challenges, ensuring that users are logged in, and members of the
correct role before accessing the class/method? Something like (from msdn):

[PrincipalPermissionAttribute(SecurityAction.Demand, Name="Bob", Role="Supervisor")]

or (from one of our applications, slightly altered to protect the innocent):

[PrincipalPermissionAttribute(SecurityAction.Demand, Authenticated=True, Role="Supervisor")]

Or you can do the same thing programmatically using things like IsInRole().
You catch any security exceptions that get thrown as a result of these in a
convenient place, like Global.asax

HTH
Peter

Apr 30 '07 #2
Mufasa,
Since pdfs and other files do not pass through the ASP.NET processing
pipeline forms authentication will not protect these types of files.
However, there are several ways to prevent IIS from serving up files to
unauthenticated users. One way is to use the HttpForbiddenHandler. See the
following link:

http://www.leastprivilege.com/Protec...hASPNET20.aspx
--
Page Brooks
www.explosivedog.com
Apr 30 '07 #3
Mufasa,
Also, in ASP.NET 2.0, you have the option of adding the following to your
httpHandlers:

<add path="*" verb="GET,HEAD,POST" type="System.Web.DefaultHttpHandler" validate="true" />

This will cause ASP.NET to process all unknown extensions through the
Authenticate and AuthorizeRequest events in the execution pipeline.
Again, I will refer you to the same URL which has more information on this:

http://www.leastprivilege.com/Protec...hASPNET20.aspx

--
Page Brooks
www.explosivedog.com
Apr 30 '07 #4
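A complete web.config that puts replies #3 and #4 together, written here as an added example; it is not code from this thread or from the linked leastprivilege.com article. The folder name "private" and the page name Login.aspx are assumptions. The points it demonstrates: forms authentication only establishes who the user is; the <authorization> rule is what actually refuses anonymous requests; and that rule only runs for requests ASP.NET sees, so the wildcard httpHandlers entry is what brings .pdf, .jpg and .html files under it. A folder whose files the application reads itself but must never serve gets HttpForbiddenHandler instead, which returns 403 to everyone, logged in or not.

```xml
<?xml version="1.0"?>
<!-- Added example for an ASP.NET 2.0 site on IIS 6; not from the thread.
     "Login.aspx" and the "private" folder are assumed names. -->
<configuration>
  <system.web>
    <authentication mode="Forms">
      <!-- The login page checks the userid/password against your own database
           and then issues the ticket. protection="All" encrypts and signs the
           cookie; requireSSL="true" assumes the site is served over HTTPS,
           otherwise the browser never sends the cookie back. -->
      <forms loginUrl="Login.aspx" protection="All" timeout="30" requireSSL="true" />
    </authentication>

    <authorization>
      <!-- "?" means the anonymous user. Without this line forms auth alone
           refuses nobody; it only identifies users who happen to be logged in. -->
      <deny users="?" />
    </authorization>

    <httpHandlers>
      <!-- Route every extension ASP.NET does not already own through the managed
           pipeline so the authorization rule above runs for .pdf, .jpg and .html.
           DefaultHttpHandler then hands the request back to IIS to serve the file. -->
      <add path="*" verb="GET,HEAD,POST" type="System.Web.DefaultHttpHandler" validate="true" />
    </httpHandlers>
  </system.web>

  <!-- Make the exemption for the login page explicit, so an anonymous user can
       reach the form that logs them in. -->
  <location path="Login.aspx">
    <system.web>
      <authorization>
        <allow users="*" />
      </authorization>
    </system.web>
  </location>

  <!-- Reply #3's alternative for files no browser should ever fetch directly
       (templates, data the application opens with Server.MapPath, and so on):
       HttpForbiddenHandler answers 403 to every request regardless of login. -->
  <location path="private">
    <system.web>
      <httpHandlers>
        <add path="*" verb="*" type="System.Web.HttpForbiddenHandler" />
      </httpHandlers>
    </system.web>
  </location>
</configuration>
```

On IIS 6 this file is still not enough on its own: the ASP.NET ISAPI extension only receives requests for extensions mapped to aspnet_isapi.dll, so a wildcard application mapping must be added for the site in IIS Manager, or the configuration above is never consulted for a .pdf and IIS serves it as before. On IIS 7 and later in integrated mode every request already passes through the managed pipeline, the DefaultHttpHandler line is unnecessary, and the authorization rule applies as written. To check the fix, repeat the test from the original post: request a document URL from a browser with no cookie and expect a redirect to Login.aspx rather than the file; then confirm the document folder is not also reachable through another site, virtual directory or share that bypasses this web.config.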
Thanks everybody. I got it to work.

J.

May 1 '07 #5
