Hi.
I'm restricting access to my webpage with forms authentication, but I have some .htm files that I want to restrict as well (by default, ASP.NET does not restrict this, so anyone with access to the URL could open them).
I've run across a number of solutions on the web, none however seem to work for me. It's possible I'm just missing something stupid and obvious. (I hope that's it.)
First, this page advised me to add a setting to IIS to make aspnet_asapi.dll handle the .htm files. However, the result was less that satisfactory. In Firefox (2.0.0.x) the page would simply be blank, and IE (6&7) would give the "Internet Explorer cannot display the webpage" message.
Then this page and this page suggested adding httpHandler entries into my web.config file.
These settings did nothing to filter these files.
Then, with ever increasing desperation I tried them both at the same time, and again I got the blank Firefox and the taunting IE message.
Can anyone help me figure out what I'm missing here?
10  1676 
Are these pages to be protected by the same login credentials as the aspnet pages?
Because you could restrict access to the directories they're in with the http security.
(challenge authentication)
Or convert them over to full-fledged aspx pages. Really you should have been able to just drop the html source code into the aspx page.
Are these pages to be protected by the same login credentials as the aspnet pages?
Because you could restrict access to the directories they're in with the http security.
(challenge authentication)
Or convert them over to full-fledged aspx pages. Really you should have been able to just drop the html source code into the aspx page.
I'm handling the specifics of which files go to which users... All I need is a simple redirect to the login page if they aren't authenticated.
The idea is that these are generated reports, and people get access to their own reports. Users access the reports page, the page queries the database, scoops up all the files in the folders specified by the database, and displays them in a datagrid with hyperlinks.
The benefits to this are that:
1) existing reports work (to preserve report histories without modifying those files by hand)
2) the existing reporting process is automated and can generate and upload a new report to the ftp site. This setup preserves this functionality so it doesn't need to be modified.
I've already got a good bit of other site content restricted by various roles granted by the forms authentication, the last bit to restrict is this non-ASP.NET content...
hmmm. well have you tried making a "serve-up" aspx page?
Like all those hyperlinks goto:
"myserveup.aspx?filename=report456.html"
And then your serveup.aspx page goes and grabs that file and returns the content.
Then you can just make sure they're authenticated for that aspx page.
I use this method in my own company. The actual location where the data files are is not available through the website, only through the serveup page can they be accessed.
hmmm. well have you tried making a "serve-up" aspx page?
Like all those hyperlinks goto:
"myserveup.aspx?filename=report456.html"
And then your serveup.aspx page goes and grabs that file and returns the content.
Then you can just make sure they're authenticated for that aspx page.
I use this method in my own company. The actual location where the data files are is not available through the website, only through the serveup page can they be accessed.
Hmmm, that's an intriguing idea. I'm not readily able to imagine some of the specifics (I'm a desktop programmer by trade that got somewhat pressed into this web development project just recently. I'll admit to being a bit out of my native element)... A couple of questions come to mind:
Would I need to strip out any of the html from the files, or would the ASPX page simply not care about duplicate <HEAD> tags, <BODY> tags, etc?
How can I set the folder to be inaccessible to the outside? Move it to be within the app_data folder? Could I still set that folder to be an FTP site to receive the auto-generated reports?
The aspx page...wouldn't really be an aspx page.
Inside it would do all the validating of "should this user be able to access this file?"
Then if yes it'd be something like: -
Response.Clear();//wipe out anything that would be sent to client
-
/*
-
* Some code to send the file, I think it's like Response.TransmitFile(filename)
-
*/
-
Response.End();
-
If it was no, display some sort of "not allowed" message
The aspx page...wouldn't really be an aspx page.
Inside it would do all the validating of "should this user be able to access this file?"
Then if yes it'd be something like:
-
Response.Clear();//wipe out anything that would be sent to client
-
/*
-
* Some code to send the file, I think it's like Response.TransmitFile(filename)
-
*/
-
Response.End();
-
If it was no, display some sort of "not allowed" message
This sounds like a good solution, however I would still like a way to deny access to anyone who might be able to guess the URL of the source HTML files... Maybe I could store the files within app_data?
Don't expose there location to the web.
Like for instance in my setup, the iis website is located at:
c:\inetpub\wwwroot\
And the datafiles are in say:
c:\data\
The code behind can access that directory, but the website does not have access to it.
Hi,
U can restrict by setting the web.config.
<location path="admin.html">
<system.web>
<customErrors mode="Off"/>
<compilation debug="true"/>
<authentication mode="Forms">
<forms name="frmLogin"
loginUrl="login.aspx">
</forms>
</authentication>
<authorization>
<deny users ="?" />
</authorization>
</system.web>
</location>
try this one
Oooo, good call on that one. I think you can take wildcards in the path= attribute too?
Yes, using location for the files is the cleanest way to do that.
What you could also do is deny acces to unauthenticated users and grant acces to the specific role where your html files are. In you web.config: - <authentication mode="Forms">
-
<forms loginUrl="/yoursite/default.aspx" name="name" timeout="20" protection="All" path="/">
-
</forms>
-
</authentication>
-
<authorization>
-
<deny users="?"/>
-
</authorization>
-
<location path="the folder where your html files are">
-
<system.web>
-
<authorization>
-
<allow roles="Roles that can access the path"/>
-
</authorization>
-
</system.web>
-
</location>
Sign in to post your reply or Sign up for a free account.
Similar topics
by: Xenophobe |
last post by:
I have a popup window (required by the client) containing a form and would
like to prevent users from accessing it directly. They are instead required
to access the page via a hyperlink on another...
|
by: Jeremy Langworthy |
last post by:
Hi
I have two "totals" inputs whose values are dynamically calculated.
For obvious reasons I don't want users to be able to edit the
information in these. However, I do want this total passed to...
|
by: Dennis C. Drumm |
last post by:
Is there a way with C# to allow one class access to a method or field of
another class, without making that method or field visible to all other
classes, as would be the case when making the method...
|
by: Barguast |
last post by:
Is there any way to restrict the area in a control that can be painted? For
example, if I wanted to enforce a three-pixel wide border around my control,
how would I go about it?
Thanks
|
by: volume |
last post by:
Restricting a windows textbox (edit item) to digits only.
Is there a windows option, using .NET C#, to only allow a user to enter
digits ONLY? If so, what is the flag or setting? If no, what is...
|
by: CLEAR-RCIC |
last post by:
Hi. I'm using web controls in my web application. Using IIS, I am trying to
restrict an IP address from viewing one of my contols. When I restrict the
IP Address using the Directory Security tab...
|
by: Piper707 |
last post by:
Hi,
I'd like to know if there are any more ways of restricting an XML
document to having only non-empty tags (containing Strings).
I can think of 2 ways:
1)
<xs:simpleType name="tagName">
|
by: Brett Romero |
last post by:
I have a CustomDataGrid that inherits DataGrid. I use the filter below
via a context menu, which works fine.
( ( DataTable ) this.DataSource ).DefaultView.RowFilter =
filterexpress;
The...
|
by: Patient Guy |
last post by:
The code below shows the familiar way of restricting a function to be a
method of a constructed object:
function aConstructor(arg)
{
if (typeof(arg) == "undefined")
return (null);...
|
by: =?Utf-8?B?R3JlZw==?= |
last post by:
I'm from an Access background and I'm working with VB.Net.
In MS Access I can restrict data-entry into my fields on a form using the
Format property. Is there an equivilant in VB.Net. I want to...
|
by: Charles Arthur |
last post by:
How do i turn on java script on a villaon, callus and itel keypad mobile phone
|
by: ryjfgjl |
last post by:
In our work, we often receive Excel tables with data in the same format. If we want to analyze these data, it can be difficult to analyze them because the data is spread across multiple Excel files...
|
by: BarryA |
last post by:
What are the essential steps and strategies outlined in the Data Structures and Algorithms (DSA) roadmap for aspiring data scientists? How can individuals effectively utilize this roadmap to progress...
|
by: nemocccc |
last post by:
hello, everyone, I want to develop a software for my android phone for daily needs, any suggestions?
|
by: Sonnysonu |
last post by:
This is the data of csv file
1 2 3
1 2 3
1 2 3
1 2 3
2 3
2 3
3
the lengths should be different i have to store the data by column-wise with in the specific length.
suppose the i have to...
|
by: Hystou |
last post by:
There are some requirements for setting up RAID:
1. The motherboard and BIOS support RAID configuration.
2. The motherboard has 2 or more available SATA protocol SSD/HDD slots (including MSATA, M.2...
|
by: jinu1996 |
last post by:
In today's digital age, having a compelling online presence is paramount for businesses aiming to thrive in a competitive landscape. At the heart of this digital strategy lies an intricately woven...
|
by: Hystou |
last post by:
Overview:
Windows 11 and 10 have less user interface control over operating system update behaviour than previous versions of Windows. In Windows 11 and 10, there is no way to turn off the Windows...
|
by: tracyyun |
last post by:
Dear forum friends,
With the development of smart home technology, a variety of wireless communication protocols have appeared on the market, such as Zigbee, Z-Wave, Wi-Fi, Bluetooth, etc. Each...
| |
