File Types not protected by Forms Authentication

Howdy All,

We have an ASP.NET web application that uses Forms Authentication and
has worked without problems for some time.

However, we recently added a Shockwave SWF file to the mix for flash
and interactivity.

All ASPX, HTML, and other web files are protected by security. If you
are not properly authenticated but try to access an ASPX or HTML file,
you will be redirected to the Login page.

However, if you try to access the SWF file directly, it allows you to
view the animation without ever authenticating the user.

Why is this? Are only certain file types protected for Forms
Authentication? How can you add to that list of file types? Is it a
MIME type or file extension we should be securing through IIS in some
way?

We even tried adding the following to the web.config file:

<location path="OurAnimation.swf">
  <system.web>
    <authorization>
      <deny users="?" />
    </authorization>
  </system.web>
</location>

such that it should explicitly deny all anonymous, or unauthenticated
users. But still, this did not work, and direct access to the file is
allowed by anyone.

Can anyone shed some light on this issue?

Thank you in advance for whatever help you can provide.

Matthew Roberts
SOURCECORP
Framework Architect

Nov 19 '05 #1
The reason is that IIS handles the requests for those files, not ASP.NET,
and IIS knows nothing about your intent from web.config. You'd have to route
that file extension through the aspnet_isapi.dll in IIS to have ASP.NET serve
it up.

-Brock
DevelopMentor
http://staff.develop.com/ballen
Nov 19 '05 #2
The asp.net handlers only kick in for files mapped to it in IIS, so it
suggests extensions for swf are not handled by the asp.net dll and need to
be. Go to IIS setup and check the file types.

--
Regards

John Timney
ASP.NET MVP
Microsoft Regional Director

Nov 19 '05 #3
There's a pipeline. A request comes into IIS, and IIS figures out how to
handle the request. When the page is an aspx, asmx, adx (various others) IIS
passes the request to ASP.Net. When the page is a swf, IIS simply streams
the contents back to the browser and lets it figure out what to do.

In other words, ASP.Net isn't in play when a request happens for a swf
file... so obviously forms authentication can't do anything. Two solutions
frequently recommended are to (a) make asp.net process requests for swf
files
(http://www.dotnetjunkies.com/Article...4B6D130C7.dcik)
or (b) store the .swf file out of your web path and use an aspx file to
stream it, ala showFile.aspx?fileName=someFile.swf which would take the
fileName, and stream the binary file to the user...

Karl

--
MY ASP.Net tutorials
http://www.openmymind.net/ - New and Improved (yes, the popup is
annoying)
http://www.openmymind.net/faq.aspx - unofficial newsgroup FAQ (more to
come!)
Nov 19 '05 #4
Thank you for the quick response. Works like a charm.

Matthew

Nov 19 '05 #5
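
Option (b) from reply #4, as an added example that is not part of the original thread: a generic handler (showFile.ashx, used here in place of the showFile.aspx the reply names) that streams a SWF stored outside the web root only to authenticated users and rejects any fileName that is not a bare .swf name. The class name ShowFile and the directory D:\ProtectedMedia are assumptions for illustration.

```csharp
<%@ WebHandler Language="C#" Class="ShowFile" %>
// Added example, not code from the thread. ShowFile and MediaRoot are assumed names.
using System;
using System.IO;
using System.Web;

public class ShowFile : IHttpHandler
{
    // Assumed location outside the web root, so IIS never serves it directly.
    private const string MediaRoot = @"D:\ProtectedMedia";

    public bool IsReusable { get { return true; } }

    public void ProcessRequest(HttpContext context)
    {
        // .ashx is mapped to ASP.NET, so Forms Authentication has already run.
        // A 401 here is turned into a redirect to the login page.
        if (!context.Request.IsAuthenticated)
        {
            context.Response.StatusCode = 401;
            return;
        }

        string name = context.Request.QueryString["fileName"];

        // Accept a bare file name only: no separators, drive letters or
        // other characters that are invalid in a file name, and .swf only.
        if (string.IsNullOrEmpty(name) ||
            name.IndexOfAny(Path.GetInvalidFileNameChars()) >= 0 ||
            !name.EndsWith(".swf", StringComparison.OrdinalIgnoreCase))
        {
            context.Response.StatusCode = 400;
            return;
        }

        // Resolve the path and confirm it is still inside MediaRoot.
        string root = Path.GetFullPath(MediaRoot) + Path.DirectorySeparatorChar;
        string full = Path.GetFullPath(Path.Combine(root, name));
        if (!full.StartsWith(root, StringComparison.OrdinalIgnoreCase) || !File.Exists(full))
        {
            context.Response.StatusCode = 404;
            return;
        }

        context.Response.ContentType = "application/x-shockwave-flash";
        context.Response.Cache.SetCacheability(HttpCacheability.Private);
        context.Response.TransmitFile(full);
    }
}
```

The fileName check matters because a handler that passes the query string straight to the file system would let a caller read files outside the media directory.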