My thoughts regarding ASP.NET, C#, programming practices, and more...
Thursday, January 27, 2005
Securing .html pages using ASP.NET 2.0 on IIS 6.0
Problem
I was trying to secure non-ASP.NET 2.0 files (i.e. .html, .pdf) in an application running on IIS 6.0, Windows 2003 server using the .NET Framework 2.0. What has worked in the past, using .NET Framework 1.1 on IIS 6.0, is the following:

1. Open IIS.
2. Right click website, choose Properties.
3. Click "Home Directory" tab.
4. Click "Configuration" button. This opens "Application Configuration" window.
5. Click on any entry that uses the .NET Framework ISAPI filter.
6. Copy the "Executable" path (i.e. C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\aspnet_isapi.dll).
7. Click "Cancel".
8. Click "Add" to add a new Application Extension.
9. Paste the path into the "Executable" text box.
10. Type in ".html" into the "Extension" textbox.
11. Click "OK" until you are out of the properties window.

Now ".html" extensions should be handled by the ASP.NET worker process, so if authentication is turned on, .html files will be protected from anonymous users.

Taking the same steps on the same Windows 2003 server for .NET Framework 2.0, I ran into problems. I browse to a ".html" page and I am required to log in, but after I am authenticated, I get a generic "The page cannot be displayed" error. At the bottom of the page was the text "Cannot find server or DNS Error Internet Explorer". All of the .aspx pages I went to work just as they should. I have double checked the path. I have tried other file extensions such as ".pdf" with the same results as the ".html". The Execution path I am using is "C:\WINDOWS\Microsoft.NET\Framework\v2.0.40607\aspnet_isapi.dll". I have also tried using impersonation using the machine.config.

Solution
I decided to try displaying the contents of an .html file on a .aspx page as a work-around. Using a StreamReader to get the contents of the .html file, I could display the contents on the .aspx page with a Literal control. Works great, but seemed like such a hack. That is when a friend recommended creating a custom HttpHandler. Seemed like a possible solution.
I opened the machine.config located in the "C:\WINDOWS\Microsoft.NET\Framework\v2.0.40607\CONFIG\" directory. In the .NET Framework 1.1 machine.config file, there is a list of HttpHandlers specified in the <httpHandlers> section. However, the 2.0 file's <httpHandlers> tag was empty. That got me thinking. What if the reason the 2.0 ASP.NET Worker Process doesn't know how to display .html files is that there is no default HttpHandler specified for it? I decided to add the <httpHandlers> tag to handle .html pages to the web.config for this app instead of the machine.config. This would allow more flexibility for future apps hosted on this server. Here is the code I added to the web.config:

    <httpHandlers>
        <add type="System.Web.StaticFileHandler" path="*.html" verb="*" />
    </httpHandlers>

Saved the web.config, surfed to the .html page, logged into the site, and...BINGO! The .html page is displayed as it should be.
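The handler entry only protects anything once the application itself denies anonymous users. A fuller web.config for this setup, as an added example that is not the post's own file; Forms authentication, the Login.aspx page name and the second entry for .pdf are assumptions:

```xml
<?xml version="1.0"?>
<!-- Added example, not the post's own file. Assumptions: Forms authentication,
     a login page named Login.aspx, and a second handler entry for .pdf. -->
<configuration>
  <system.web>
    <!-- Assumption: Forms authentication; the post does not say which mode was used. -->
    <authentication mode="Forms">
      <forms loginUrl="Login.aspx" />
    </authentication>

    <!-- Deny anonymous users ("?"). Without this rule, requests routed through
         ASP.NET are still served to everyone. -->
    <authorization>
      <deny users="?" />
    </authorization>

    <!-- Serve the static file once the request has passed authorization.
         Each extension listed here must also be mapped to aspnet_isapi.dll
         in IIS; otherwise IIS serves the file itself and these rules never run. -->
    <httpHandlers>
      <add verb="*" path="*.html" type="System.Web.StaticFileHandler" />
      <add verb="*" path="*.pdf" type="System.Web.StaticFileHandler" />
    </httpHandlers>
  </system.web>
</configuration>
```

To check the result, request a protected .html or .pdf URL from a browser session that has not logged in and confirm it redirects to the login page instead of returning the file.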
Comments:
Content copyright ©2003-2006 Tod Birdsall
What is the difference between using System.Web.StaticFileHandler for the type and System.Web.HttpForbiddenHandler? I have the latter typed in the web config for my HTTPHandler. I guess I could try but just thought I would ask you. email: ajgould at iastate dot edu
The System.Web.HttpForbiddenHandler tells the ASP.NET runtime to throw a System.Web.HttpException indicating that the URL they are trying to get to is forbidden. Similar to the following:
Exception Information: Path '/web.config' is forbidden. That is why you will see this handler attached to the '.config' and '.cs' file extensions.