473,327 Members | 1,919 Online
Bytes | Software Development & Data Engineering Community
Post Job

Home Posts Topics Members FAQ

Join Bytes to post your question to a community of 473,327 software developers and data experts.

HttpHandler not overriding security

I have an HttpHandler installed on a server in the GAC that I want to grant
public access to across all sites on the server. The problem I have is that
some sites use forms authentication. For these sites I need to override the
security of the public URLs using the GLOBAL web.config file.

When I try to grant anonymous access to a site that uses forms
authentication using the local web.config file it works fine. Example:
<location path="showASPXVersion.ashx">
<system.web>
<authorization>
<allow users="?" />
</authorization>
</system.web>

But since this is a hosted environment I don't have access to the web.config
on each and every app. What I tried to do is add this to the GLOBAL
web.config:
<location path="showASPXVersion.ashx" allowOverride="false">
<system.web>
<authorization>
<allow users="?" />
</authorization>
</system.web>
</location>

While this does not throw an error, it also does not work. Is there a way
to force this page to always be allowed via anonymous access while still
allowing the various applications to use their authentication mechanism of
choice?

More info:
- showASPXVersion.ashx is registered in the GLOBAL web.config and functions
properly for all sites that are configured w/o forms authentication
- the compiled binary for showASPXVersion exists in the GAC

Thanks!

Dec 30 '06 #1
4 2128
Hi Kevin,

Welcome to MSDN Managed Newsgroup!

Based on my understanding, the issue is that you're not able to override a
child web site's web.config settings in machine-wide web.config using
<locationelement. It's actually not related to http handler, since
following simple test can reproduce the issue you described:

1) Add following xml snippet in machine-wide web.config:

<location path="Anonymous.aspx" allowOverride="false">
<system.web>
<authorization>
<allow users="?" />
</authorization>
</system.web>
</location>

2) In a web site that is using Forms authentication and denies anonymous
user:

<authentication mode="Forms" >
<forms loginUrl="Logon.aspx" name=".ASPXFORMSAUTH">
</forms>
</authentication>
<authorization>
<deny users="?" />
</authorization>

3) Create a web page "Anonymous.aspx" in the web site and visit it in web
browser, it still redirects to the Logon.aspx.

4) This issue also doesn't only exist in Forms authentication mode, if
you're using Windows authentication mode, I believe the user account is
automatically used; if you print Request.IsAuthenticated in Anonymous.aspx,
you will find it's True.

5) If we put the <locationxml snipeet in step 1) to the web site's
web.config, you find it's working correctly.
Therefore the issue seems that <locationelement setting in machine-wide
web.config doesn't overrides the web.config in individual web site.

Currently I'm consulting this question in our internal discussion list with
product team, I'll let you know the result as soon as possible. Thank you
for your patience and understanding.

By the way, I saw that you've posted some posts and somehow they're not
captured in our internal tool system, therefore they're not replied by MSFT
employees. This might be your email alias is not activated or recogonized
at that time. We're sorry for the inconvenience caused. Anyway, since your
account is setup correctly now, would you please post those questions again
so that our tool can recogonize correctly? Thanks.

Sincerely,
Walter Wang (wa****@online.microsoft.com, remove 'online.')
Microsoft Online Community Support

==================================================
Get notification to my posts through email? Please refer to
http://msdn.microsoft.com/subscripti...ult.aspx#notif
ications. If you are using Outlook Express, please make sure you clear the
check box "Tools/Options/Read: Get 300 headers at a time" to see your reply
promptly.

Note: The MSDN Managed Newsgroup support offering is for non-urgent issues
where an initial response from the community or a Microsoft Support
Engineer within 1 business day is acceptable. Please note that each follow
up response may take approximately 2 business days as the support
professional working with you may need further investigation to reach the
most efficient resolution. The offering is not appropriate for situations
that require urgent, real-time or phone-based interactions or complex
project analysis and dump analysis issues. Issues of this nature are best
handled working with a dedicated Microsoft Support Engineer by contacting
Microsoft Customer Support Services (CSS) at
http://msdn.microsoft.com/subscripti...t/default.aspx.
==================================================

This posting is provided "AS IS" with no warranties, and confers no rights.

Jan 2 '07 #2
Hi Kevin,

Sorry for deplayed reply. I was discussing this question with product team.

The behavior you're seeing is expected due to current design of ASP.NET.
We're sorry for the inconvenience. If you think this is important for your
project, please feel free to submit your feedback at
http://connect.microsoft.com/Main/co...ContentID=2220 so
that product team will know how common is this request and will consider to
improve it in future version.

For now, I'm sorry I didn't find any workaround to let you override each
web site's security settings in global web.config.

Regards,
Walter Wang (wa****@online.microsoft.com, remove 'online.')
Microsoft Online Community Support

==================================================
When responding to posts, please "Reply to Group" via your newsreader so
that others may learn and benefit from your issue.
==================================================

This posting is provided "AS IS" with no warranties, and confers no rights.

Jan 5 '07 #3
Hi Kevin,

Since I haven't seen your reply to my message, I'm wondering if you have
seen them or not. Would you please reply here to let me know the status?
Also, please feel free to let me know if there's anything else I can help.

Regards,
Walter Wang (wa****@online.microsoft.com, remove 'online.')
Microsoft Online Community Support

==================================================
When responding to posts, please "Reply to Group" via your newsreader so
that others may learn and benefit from your issue.
==================================================

This posting is provided "AS IS" with no warranties, and confers no rights.

Jan 9 '07 #4
Kevin,

Thanks for the follow-up. Yes I've reported this to product team and
they're aware of such requirement now.

Have a nice day!

Regards,
Walter Wang (wa****@online.microsoft.com, remove 'online.')
Microsoft Online Community Support

==================================================
When responding to posts, please "Reply to Group" via your newsreader so
that others may learn and benefit from your issue.
==================================================

This posting is provided "AS IS" with no warranties, and confers no rights.

Jan 11 '07 #5

This thread has been closed and replies have been disabled. Please start a new discussion.

Similar topics

2
by: Hanse Davion | last post by:
Can anyone provide some insight on what this problem could be? I have searched the web, read forums, and all the installation documentation for the dotnetnuke feeware portal from asp.net. I am...
5
by: Earl Teigrob | last post by:
My company sells software and wants to provide downloadable product. Some of these downloads will be full CD's of over 550M I had everything working fine using Response.filewrite() but when we...
9
by: Jared Tullis | last post by:
We have an .NET 1.1 application running on 4 2K3 load balanced servers (using WLBS). IIS has the .NET aspnet_isapi.dll mapped as a wildcard application map. The web.config points *.html to a...
7
by: Adam | last post by:
Im trying to add an httphandler for all *.sgf file extensions. I have developed the handler, 1. installed it into the gac 2. added it to the machine.config: <httpHandlers> <add verb="*"...
8
by: bryan | last post by:
I've got a custom HttpHandler to process all requests for a given extension. It gets invoked OK, but if I try to do a Server.Transfer I get an HttpException. A Response.Redirect works, but I really...
3
by: Liming | last post by:
Hi, I have a HttpHandler (Thumbnail.axd) that output Thumbnail images). The problem is that all the output images being gerneated in the browser all takes the same name "Thumbnail.axd.gif" ...
3
by: Michael Schwarz | last post by:
Hi, I have a own HttpHandler running and configured like this in my web.config: <add verb="*" path="subfolder/*.ashx" type="Class,Assembly"/> Now, when turning cookieless Sessions on my...
3
by: Jeeran | last post by:
I need to perform url rewriting to convert this (for example): /blogs/feeds/popular/posts/ to this: /blogs/feeds.aspx?type=popular&type2=posts What I did was the following: 1. Created an...
2
by: Roshawn | last post by:
Hi, I've been fighting tooth and nail trying to handle clunky viewstate data. I happened to find some code that moves this data to the bottom of the page (to enhance spidering, of course). ...
0
by: ryjfgjl | last post by:
ExcelToDatabase: batch import excel into database automatically...
0
isladogs
by: isladogs | last post by:
The next Access Europe meeting will be on Wednesday 6 Mar 2024 starting at 18:00 UK time (6PM UTC) and finishing at about 19:15 (7.15PM). In this month's session, we are pleased to welcome back...
0
by: Vimpel783 | last post by:
Hello! Guys, I found this code on the Internet, but I need to modify it a little. It works well, the problem is this: Data is sent from only one cell, in this case B5, but it is necessary that data...
0
by: jfyes | last post by:
As a hardware engineer, after seeing that CEIWEI recently released a new tool for Modbus RTU Over TCP/UDP filtering and monitoring, I actively went to its official website to take a look. It turned...
1
by: PapaRatzi | last post by:
Hello, I am teaching myself MS Access forms design and Visual Basic. I've created a table to capture a list of Top 30 singles and forms to capture new entries. The final step is a form (unbound)...
1
by: CloudSolutions | last post by:
Introduction: For many beginners and individual users, requiring a credit card and email registration may pose a barrier when starting to use cloud servers. However, some cloud server providers now...
1
by: Defcon1945 | last post by:
I'm trying to learn Python using Pycharm but import shutil doesn't work
0
by: af34tf | last post by:
Hi Guys, I have a domain whose name is BytesLimited.com, and I want to sell it. Does anyone know about platforms that allow me to list my domain in auction for free. Thank you
0
by: Faith0G | last post by:
I am starting a new it consulting business and it's been a while since I setup a new website. Is wordpress still the best web based software for hosting a 5 page website? The webpages will be...

By using Bytes.com and it's services, you agree to our Privacy Policy and Terms of Use.

To disable or enable advertisements and analytics tracking please visit the manage ads & tracking page.