IIS 6 ignores Web.config authorization settings

Context:

  • IIS 6 on Windows 2003 Server
  • ASP.NET 3.5 sp1
  • C# web application launched from a virtual directory

There are a few files that I would like not to serve. For example, there is a hibernate.cfg.xml in the root directory that should not be accessible. There are also log files in the log directory. On a local development server (Visual Studio 2008), the NHibernate config file can be protected in several ways via the Web.config:

<location path="hibernate.cfg.xml">
    <system.web>
      <authorization>
        <deny users="?"/>
        <deny users="*"/>
      </authorization>
    </system.web>
</location>

OR

<httpHandlers>
...
    <add path="*.cfg.xml" verb="*" type="System.Web.HttpForbiddenHandler" />
</httpHandlers>

Logs in a different directory can be protected through a different Web.config file:

<?xml version="1.0"?>
<configuration>
  <system.web>
    <authorization>
      <deny users="*"/>
    </authorization>
  </system.web>
</configuration>

None of these work when the application is compiled using aspnet_compiler.exe and deployed to an IIS 6 server. There are no errors in the logs. Files are readable for everyone. The application is compiled and installed using MSBuild as follows:

<AspNetCompiler Force="true" Debug="true" PhysicalPath="$(DeploymentTempPath)\$(DeploymentAppName)" TargetPath="$(DeploymentPath)\$(DeploymentAppName)" VirtualPath="/$(DeploymentAppName)" />

How do I force IIS 6 to respect the authorization rules in Web.config?

Note: let's assume that I cannot move these files outside the deployment directory.

+2

5 answers


It looks like IIS is not redirecting the request for .xml or .txt files to ASP.NET, so it has no way to enforce its authorization controls.

To get around this, I had to do the following (from this forum post):

  • In the IIS console, open the properties for my application's virtual directory.
  • Virtual Directory > Configuration
  • Add a new handler for the ".xml" extension using the ASP.NET filter (c:\windows\microsoft.net\framework\v2.0.50727\aspnet_isapi.dll in my case)
  • All verbs. Uncheck "Script engine" and "Check if file exists".

Is there a way to do this internally in Web.config?

+6

Try the following:

<location path="hibernate.cfg.xml">
    <system.web>
      <authorization>
        <deny users="?"/>
        <deny users="*"/>
      </authorization>
    </system.web>
</location>

+3


Static files such as .jpg, .xml and .pdf are handled by default by the kernel driver http.sys. If you haven't tied these extensions to ASP.NET, they will never end up in the ASP.NET pipeline, and thus never reach the ASP.NET authorization mechanism.

+2


To force static files like .xml to be processed by .NET on .NET 2.0 / 3.5 / 4.0 and IIS6, follow these steps:

1) Add entries for .xml (or the other file type) to IIS as described above (IIS6 website properties, Home Directory, Configuration).

2) In web.config, add a location for the restricted directory or file:

<location path="directory_or_file_name">
    <system.web>
      <authorization>
        <deny users="?"/>
      </authorization>
    </system.web>
</location>

3) Add the following to the httpHandlers section:

<add path="*.xml" verb="*" type="System.Web.StaticFileHandler" validate="true" />

This will force .NET to serve the XML files specified in the <location> tag only to authenticated users.

+1
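An added example, not code from the question or any of the answers above: it scripts the IIS 6 script-map step from the first answer (so it does not have to be clicked through in the console) and then probes the deployed file anonymously to confirm it is no longer served. The metabase path, the probe URL and the "ext,isapi-path,flags[,verbs]" ScriptMaps entry format are assumptions; the aspnet_isapi.dll path is the one quoted in the first answer.

```powershell
# Added example, not from the question or any of the answers above.
# Assumptions (adjust for your server): the metabase path of the application's
# virtual directory, the aspnet_isapi.dll path quoted in the first answer, and
# that IIS 6 ScriptMaps entries use the form "ext,isapi-path,flags[,verb,...]"
# with flag 1 = "Script engine" and flag 4 = "Check that file exists".
param(
    [string]$MetabasePath = "IIS://localhost/W3SVC/1/ROOT/MyApp",  # placeholder site id / vdir
    [string]$AspNetIsapi  = "c:\windows\microsoft.net\framework\v2.0.50727\aspnet_isapi.dll",
    [string[]]$Extensions = @(".xml", ".txt"),
    [string]$ProbeUrl     = "http://localhost/MyApp/hibernate.cfg.xml"  # placeholder
)

$vdir = [ADSI]$MetabasePath
# ScriptMaps is multi-valued; wrap in @() so a single entry is still an array.
$maps = @($vdir.Properties["ScriptMaps"].Value)

foreach ($ext in $Extensions) {
    $existing = $maps | Where-Object { $_.ToLower().StartsWith("$ext,") }
    if ($existing) {
        Write-Host "Leaving existing mapping alone: $existing"
        continue
    }
    # flags 0 = neither "Script engine" nor "Check that file exists"; no verb list = all verbs.
    $maps += "$ext,$AspNetIsapi,0"
    Write-Host "Mapping $ext to aspnet_isapi.dll"
}

$vdir.Put("ScriptMaps", [string[]]$maps)
$vdir.SetInfo()

# Verify after the change: an anonymous GET for the protected file should now be
# refused by ASP.NET's UrlAuthorizationModule (401/403, or a login redirect), not 200.
function Get-AnonymousStatus([string]$Url) {
    $request = [System.Net.HttpWebRequest]::Create($Url)
    $request.Credentials = $null   # make sure no Windows credentials are sent
    try {
        $response = $request.GetResponse()
        $code = [int]$response.StatusCode
        $response.Close()
    } catch [System.Net.WebException] {
        if ($_.Exception.Response -eq $null) { throw }
        $code = [int]$_.Exception.Response.StatusCode
    }
    return $code
}

$status = Get-AnonymousStatus $ProbeUrl
if ($status -eq 200) { Write-Warning "$ProbeUrl is still served to anonymous users (HTTP 200)" }
else { Write-Host "$ProbeUrl returned HTTP $status" }
```

Run it on the IIS 6 host as an administrator after deploying; the Web.config deny rules from the answers above only take effect once the extension is mapped, which is what the final probe checks.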


URL Authorization: The URLAuthorizationModule class is responsible for URL authorization on Windows 2003. This mechanism uses the URL namespace to store user and access role information. URL authorization is available for use at any time. You save the authorization information in a special XML file in the directory. The file contains tags to allow or deny access to the directory for specific users or groups. Unless otherwise specified, the tags also apply to subdirectories.

You need to do the following:

<deny users="?"/>
<deny users="*"/>

The wildcard entry "?" means that no one else will be able to access this directory.

0
