
Authorization Confusion

I have a subfolder on my Website that contains images. It also contains the
web.config file shown below.

When I access the site, I get the Login page as expected. But if I type in
the URL of an image in the folder that contains images, the image is
displayed in the browser.

I don't understand why I am not prevented from seeing the contents of this
folder since I have not been authenticated. Does it have something to do
with the fact that these resources are images? How would I prevent access to
this folder by users who are not logged in?

Thanks.

<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <system.web>
    <authorization>
      <allow roles="Client,Trainer,Admin" />
      <deny users="*" />
    </authorization>
  </system.web>
</configuration>

Jonathan

Jun 2 '08 #1
You need to map the image files' extensions to aspnet_isapi.dll.

Here's a primer on what you need to do :
http://aspnet.4guysfromrolla.com/articles/020404-1.aspx


Juan T. Llibre, asp.net MVP
asp.net faq : http://asp.net.do/faq/
foros de asp.net, en español : http://asp.net.do/foros/
Jun 2 '08 #2
I should add that you only need to do step 1:

1. Configure IIS so that .jpg, .gif, etc. files are mapped to the ASP.NET ISAPI extension

That will prevent the image files from being served without authorization.

Step 2 :

2. Configure ASP.NET so that *.xxx files are mapped to the HttpForbiddenHandler HTTP handler

...will prevent the files from being served, period.
You don't want to do step 2.

Jun 2 '08 #3
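
A small model of the dispatch rule Juan describes, added here as an illustration and not code from the thread: on IIS 6 a request only reaches ASP.NET, and therefore UrlAuthorizationModule and the folder's web.config, when the file's extension is mapped to aspnet_isapi.dll; everything else is served by IIS's static file handler. The extension map and the role list are constructed for the example; real servers are configured in IIS Manager.

```python
import posixpath

# Extensions IIS 6 hands to aspnet_isapi.dll out of the box (constructed subset).
DEFAULT_ASPNET_MAP = {".aspx", ".ashx", ".asmx", ".axd", ".config", ".cs"}

# The folder rule from the thread's web.config: three roles allowed, everyone
# else denied. An anonymous user has no roles, so the <deny users="*"> applies.
ALLOWED_ROLES = {"Client", "Trainer", "Admin"}


def handled_by_aspnet(path, aspnet_map):
    """True if IIS would route this request into the ASP.NET pipeline."""
    ext = posixpath.splitext(path)[1].lower()
    return ext in aspnet_map


def serve(path, user_roles, aspnet_map):
    """HTTP status a request for a file in the protected folder would get.

    200: file served; 302: Forms authentication redirects to the login page
    after UrlAuthorizationModule denies the request.
    """
    if not handled_by_aspnet(path, aspnet_map):
        # Static file handler: web.config is never consulted, so the
        # image is served to anyone. This is the behaviour Jonathan saw.
        return 200
    if ALLOWED_ROLES & set(user_roles):
        return 200
    return 302


def unprotected_extensions(folder_extensions, aspnet_map):
    """Audit helper: file types in a protected folder that still bypass <authorization>."""
    return sorted(e for e in folder_extensions if e not in aspnet_map)


if __name__ == "__main__":
    # Step 1 from the thread: map the image extensions to aspnet_isapi.dll.
    fixed_map = DEFAULT_ASPNET_MAP | {".jpg", ".gif", ".png"}
    print("before:", serve("/images/logo.jpg", [], DEFAULT_ASPNET_MAP))  # 200
    print("after: ", serve("/images/logo.jpg", [], fixed_map))           # 302
    print("still exposed:", unprotected_extensions({".jpg", ".pdf"}, fixed_map))
```

The audit helper is the check to run after the IIS change: any extension it still lists (a .pdf in the same folder, say) is served without authorization exactly as the images were.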
Soooo... It defaults to making resources not specified available to anyone
regardless of the allow/deny settings...

I thought ASP.NET usually defaulted to being secure.

Thanks for the info!

Jonathan

Jun 2 '08 #4
