a urlauthorization question

Hi All,

I created a personal website by using the VB template in VS 2005, then I
changed the web.config like this:

<location path="Images">
  <system.web>
    <authorization>
      <allow roles="Administrators"/>
      <deny users="*"/>
    </authorization>
  </system.web>
</location>

After saving web.config, I open the URL:
http://localhost/personalwebsite/images/imgfile.jpg

I can see the picture. Is there any other thing that I need to do?

Thanks

--
Pony Tsui
Apr 3 '06 #1
Yes, make sure that jpg is mapped to aspnet dll in IIS.
Apr 3 '06 #2
Hi Shimon,

I don't know how to map the aspnet dll in IIS, can you help me?

--
Pony Tsui
"Shimon Sim" wrote:
Yes, make sure that jpg is mapped to aspnet dll in IIS.
Apr 3 '06 #3
Hi Pony,

Yes, as Shimon has mentioned, if you want the image files to also
use the ASP.NET URL authorization protection, you need to configure
IIS to forward requests (for those image files) to ASP.NET's extension
DLL (aspnet_isapi.dll).

Basically, in IIS, most requests for static files, such as txt, css, gif,
jpg, js... will be processed directly by IIS instead of the ASP.NET runtime
engine. That's why you find that the protection rules (URL authorization)
you set in web.config don't take effect for image files. To configure
this, you can use the IIS manager (inetmgr.exe) and locate your
application's virtual directory. In the property dialog, choose the "Virtual
Directory" tab and click the "Configuration" button on the sheet; you'll
find all the extension mappings for that virtual directory (generally
they're inherited from the parent virtual directory or IIS site). You can add a
new mapping for the file extension which you want ASP.NET to
process. Here is a web article which mentions this setting:

#Protecting Files with ASP.NET
http://aspnet.4guysfromrolla.com/articles/020404-1.aspx

#Setting Application Mappings in IIS 6.0 (IIS 6.0)
http://www.microsoft.com/technet/pro.../Library/IIS/4c840252-fab7-427e-a197-7facb6649106.mspx

BTW, basically it will have better performance if we let IIS directly
process those static files, so you need to think over whether you do
need to let ASP.NET take ownership of processing those requests.

Hope this helps.

Regards,

Steven Cheng
Microsoft Online Community Support
==================================================

When responding to posts, please "Reply to Group" via your newsreader so
that others may learn and benefit from your issue.

==================================================
This posting is provided "AS IS" with no warranties, and confers no rights.

Get Secure! www.microsoft.com/security
(This posting is provided "AS IS", with no warranties, and confers no
rights.)

Apr 3 '06 #4
Thanks Steven,
Actually I want to protect our documents by using URL authorization. As you
say, it will reduce IIS performance. Any suggestions? Or just change the
authorization mode to Windows?

--
Pony Tsui
Apr 3 '06 #5
Thanks for your response Pony,

If you do need to redirect those static files' requests from IIS to the ASP.NET
runtime, I'm afraid there isn't any good means to optimize the performance,
since the overhead is not avoidable.

I'm not very sure of your detailed scenario for those static files or documents
that need protection. However, IMO, if you have some documents that need
protected access, I think you can consider putting them into a database and
using an HttpHandler to dynamically stream them out to the client side; thus we
can provide role-based (or other security) protection on that
HttpHandler. Also, for other normal static documents or files, just still
put them in the IIS virtual directory and let IIS process them.

Regards,

Steven Cheng
Apr 4 '06 #6
Hi Steven,

This may be a stupid scenario; I don't know if it's possible or not.

If I create a website, set the authentication mode to Forms, and put the protected
documents or files in a directory that anonymous users cannot access, when
the client logs in successfully from a login form, the client will be an anonymous
user, but I can check this user's roles. If the roles can access the protected
documents or files, can I impersonate the client user as a Windows user that
can access the protected documents or files?

Regards

Pony
Apr 5 '06 #7
Thanks for your followup Pony,

If you're using forms authentication, that means you will configure IIS to
allow anonymous access, then the login Windows account (from IIS) will be
the IIS anonymous account. After that, if you want to programmatically
impersonate so that ASP.NET executes under a certain Windows user account,
you need to provide a clear text username/password (do you think it possible
in your scenario?). I still recommend you consider putting your protected
documents in a certain protected place like a physical dir (which cannot
be accessed by internet users directly) or in a database, then let your
application programmatically retrieve them based on the application
roles (associated with the client user, authenticated by
forms authentication).

If you have any other ideas or questions, please feel free to post here.

Regards,

Steven Cheng
Apr 5 '06 #8
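
The approach recommended in replies #6 and #8 (keep the protected documents in a folder that is not reachable through IIS and stream them from an HttpHandler that checks the forms-authenticated user's role), shown here as an added C# example that is not code from the thread. The handler class name, the `ProtectedDocsPath` appSetting and the `name` query parameter are assumptions.

```csharp
// ProtectedFile.ashx (added example): the file's first line must be the directive
//   <%@ WebHandler Language="C#" Class="ProtectedFileHandler" %>
// .ashx is already mapped to ASP.NET in IIS, so no extra extension mapping is needed.
using System;
using System.Configuration;
using System.IO;
using System.Web;
using System.Web.Security;

public class ProtectedFileHandler : IHttpHandler // hypothetical class name
{
    public bool IsReusable { get { return true; } }

    public void ProcessRequest(HttpContext context)
    {
        // Forms authentication has already set context.User for this request.
        if (!context.User.Identity.IsAuthenticated)
        {
            FormsAuthentication.RedirectToLoginPage();
            return;
        }
        if (!context.User.IsInRole("Administrators")) // role from the thread's web.config
        {
            context.Response.StatusCode = 403;
            return;
        }
        // Assumed appSetting: a folder outside every IIS virtual directory.
        string root = Path.GetFullPath(ConfigurationManager.AppSettings["ProtectedDocsPath"]);
        string name = context.Request.QueryString["name"]; // assumed parameter

        // Accept a bare file name only: no separators, drive letters, quotes or control chars.
        if (string.IsNullOrEmpty(name) || name.IndexOfAny(Path.GetInvalidFileNameChars()) >= 0)
        {
            context.Response.StatusCode = 400;
            return;
        }
        string full = Path.GetFullPath(Path.Combine(root, name));
        string prefix = root.TrimEnd('\\') + "\\";
        if (!full.StartsWith(prefix, StringComparison.OrdinalIgnoreCase) || !File.Exists(full))
        {
            context.Response.StatusCode = 404;
            return;
        }
        // Keep shared caches from storing protected content.
        context.Response.Cache.SetCacheability(HttpCacheability.Private);
        context.Response.ContentType = "application/octet-stream";
        context.Response.AddHeader("Content-Disposition", "attachment; filename=\"" + name + "\"");
        context.Response.TransmitFile(full);
    }
}
```

Because the documents never sit under the virtual directory, a direct URL to them cannot bypass the role check the way the static .jpg request in the first post did.
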
Hi Steven,

I think I need to study HttpHandlers. Is there any "How To" or "Step by
Step" document about HttpHandlers?

Thanks

--
Pony Tsui

Apr 6 '06 #9
Thanks for your response Pony,

I think you can have a look at the ASP.NET server HTTP pipeline and the
request/response processing model first. Also, being familiar with
IIS's application extension mapping and how the request gets processed and
forwarded in IIS will also be very helpful. You can find much of this info on the
MSDN or TechNet websites.

In addition, here are some good web articles you can have a look at:

#Securely Implement Request Processing, Filtering, and Content Redirection
with HTTP Pipelines in ASP.NET
http://msdn.microsoft.com/msdnmag/is...HTTPPipelines/

#INFO: ASP.NET HTTP Modules and HTTP Handlers Overview
http://support.microsoft.com/default...b;en-us;307985

#Extending ASP.NET with HttpHandlers and HttpModules
http://www.devx.com/dotnet/Article/6962/0/page/3

#How ASP.NET Web Pages are Processed on the Web Server
http://aspnet.4guysfromrolla.com/articles/011404-1.aspx

Hope this also helps.

Regards,

Steven Cheng
Apr 7 '06 #10
