How do you restrict access to directory below parent dir with anon access?

shahed <shahedshir***@yahoo.com> wrote:

Hi,

This seems like an easy question. Has me stumped!!

If I have a web site and I would like to allow anon access, how can I restrict it so that the client can't access a directory below the parent directly, but has to go to the root index.htm say and then can navigate to wherever from any links? Is this possible?

I have a further question, but this one is the starter.

Thanks so much

Eric wrote (in reply to shahed):

Hi,

Simply speaking, no, this is not possible. When your browser makes a request, the server doesn't know if the request was made from a "typed url", an "html anchor tag" or whatever. Now, you can achieve this behavior by implementing some server side processing through any kind of server extension (like ASP, ASP.NET, ISAPI filters/extensions and others). One commonly used way to do this is through the "referer" http header, but keep in mind that this is *extremely easy* to bypass and should not be considered a secure method to protect a server resource. Another approach would be to implement some ASP/ASP.NET and use the session state to control it. If you are still considering going for the referer solution check out David's blog entry http://blogs.msdn.com/david.wang/archive/2005/07/11/Deny_direct_access_to_resources_using_Referer_based_authentication.aspx or google for "ISAPI referer filter".

Cheers,
Eric.

David Wang [Msft] wrote (in reply to shahed):

Can you please describe the end-goal that you are trying to achieve.

There is no valid authentication protocol which predicates access to one URL based on visiting another URL. By its very nature, such a protocol is easy to forge. You need to decide if it works for you.

http://blogs.msdn.com/david.wang/archive/2005/07/11/Deny_direct_access_to_resources_using_Referer_based_authentication.aspx

--
//David
IIS
http://blogs.msdn.com/David.Wang
This posting is provided "AS IS" with no warranties, and confers no rights.
//

shahed wrote on 3 Aug 2006 05:53:00 -0700 (in reply to David):

Dear David,

Thanks for your reply. My real problem is that I have an asp.net program and I want the signed in user to be able to link to my purely html site, using response.redirect I guess.

I don't want the general public to have access to the html site but I want access to the html site via my link in the asp.net app only. But it seems like I can't stop people from accessing the html site and allow access via my asp.net app. Any help is greatly appreciated. I've tried using virtual directories to no help.

Thanks

Dan wrote (in reply to shahed):

Convert the HTML site to ASP.Net (rename all the files to .aspx and set up a redirection in IIS for all .htm pages to the .aspx ones), and have each one check for a session variable set in the parent application (I'm still an ASP programmer, not ASP.Net, so I don't know if it handles #include, but you should be able to create a single file with the checking code in it and include it at the top of all the pages) - if the variable is not there redirect to the parent application, if it is allow the page to be displayed.

Dan

Eric wrote (in reply to shahed):

Hi Shahed,

I'm not sure if I got the exact picture of your problem. Correct me if I'm wrong:

1- You have a set of static HTML pages (let's name it R1) hosted on an IIS server.
2- You have another set of ASP.NET pages (from now on R2) hosted on an IIS server, either the same or another one managed by you.
3- Access to resources R1 should be allowed only if the visitor first has accessed a resource from R2.
4- Any type of direct access (typing the url in the browser, bookmarking it, etc.) to resources in R1 should be denied (status 403 Forbidden?).

Also from what you described the "authentication" algorithm may be described as:

1- The client accesses a resource R2 which creates/receives a token T1 that should be present in further requests for resource R1.
2- Upon access, resource R1 will validate the token T1. If it's ok access is granted, otherwise denied.
3- The token T1 should expire after a certain condition (number of accesses, time elapsed, end of session).

The main problems here are:

1- The restricted resources R1 are static and therefore cannot verify anything by themselves. We need to delegate this to someone else.
2- The process used to create/store token T1 cannot be easily forged, predicted or spoofed by unauthorized clients.

Fortunately IIS can be "extended" to perform this task. Since you already have some code in the .NET framework I'll suggest a solution in this scope:

To store the authentication token T you can use a non persistent cookie or a custom HTTP header. The cookie is preferable as it will go away as soon as the browser window closes. To avoid forgery the token MUST be dynamically generated (ie a HASH of something + timestamp, a GUID). You can use the ASP.net cookie session as suggested by Daniel.

The application holding R1 must manage tokens. The list of valid tokens could be kept in memory or on disk (a database, a text file). I'll suggest a text file to begin since it's easy to be "debugged" by you (it only requires Notepad :))

The server hosting R1 must manage the expiration of valid tokens. If you use session cookies, this will be handled by ASP.Net.

The server hosting the restricted resources R2 needs to be extended to validate token T1. You can write a custom HTTPHandler, associate it to some unused extension (ie .abc, .shd) and set it to NOT check if the file exists. The handler will receive the request, validate the token T and if it's ok, it will return a file with the same name requested in the URL but replacing the fake extension (.shd) with the real one (.html).

This is a guideline for a generic and reusable solution. Some details will come up as you implement it, and will probably be better answered in newsgroups related to .net programming. Also look into google and MSDN for hints on "HttpHandler" or "IHttpHandler". A search on the IIS request pipeline comes in handy to help you understand how IIS handles requests and where/how you can extend it.

Cheers,
Eric.
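The handler Eric outlines (and the per-page session check Dan describes) written out as an added example; this is not code from the thread or from IIS/ASP.NET documentation. It assumes the handler is mapped to the unused .shd extension with the "verify that file exists" check off, that the real .html files sit under ~/App_Data/html/ (a folder ASP.NET never serves directly), and that the parent application stores a random value under the session key HtmlSiteToken when the user signs in; the key name, folder and extension are assumptions.

```csharp
// Added example (not from the thread): an ASP.NET IHttpHandler in the shape Eric describes.
// Assumed setup: mapped to *.shd with the file-exists check off; the real pages live under
// ~/App_Data/html/ (never served directly); the parent app stores a random value in
// Session["HtmlSiteToken"] (e.g. Guid.NewGuid().ToString()) when the user signs in.
using System;
using System.IO;
using System.Web;
using System.Web.SessionState;

public class ProtectedHtmlHandler : IHttpHandler, IRequiresSessionState
{
    public const string SessionTokenKey = "HtmlSiteToken";   // assumed key name
    const string FakeExtension = ".shd";
    const string RealExtension = ".html";

    public bool IsReusable { get { return true; } }

    public void ProcessRequest(HttpContext context)
    {
        // 1. Someone who typed or bookmarked the URL has a session without the token:
        //    deny with 403 as asked in the thread. Expiry rides on the ASP.NET session.
        string token = context.Session[SessionTokenKey] as string;
        if (string.IsNullOrEmpty(token)) { context.Response.StatusCode = 403; return; }

        // 2. This handler only answers plain *.shd requests.
        string requested = context.Request.AppRelativeCurrentExecutionFilePath; // e.g. "~/pages/intro.shd"
        if (!requested.EndsWith(FakeExtension, StringComparison.OrdinalIgnoreCase))
        { context.Response.StatusCode = 404; return; }

        // 3. Swap the fake extension for the real one and resolve the file under the
        //    protected folder; refuse anything that lands outside it or does not exist.
        string relative = requested.TrimStart('~', '/');
        relative = relative.Substring(0, relative.Length - FakeExtension.Length) + RealExtension;
        string root = Path.GetFullPath(context.Server.MapPath("~/App_Data/html/"));
        root = root.TrimEnd(Path.DirectorySeparatorChar) + Path.DirectorySeparatorChar;
        string physical = Path.GetFullPath(Path.Combine(root, relative.Replace('/', Path.DirectorySeparatorChar)));
        if (!physical.StartsWith(root, StringComparison.OrdinalIgnoreCase) || !File.Exists(physical))
        { context.Response.StatusCode = 404; return; }

        // 4. Stream the real file; the browser never learns the .html path.
        context.Response.ContentType = "text/html";
        context.Response.TransmitFile(physical);
    }
}
```

The ASP.NET application and this handler must run in the same IIS application so they share the session, and the .html files must not sit anywhere IIS serves statically, or the .shd indirection protects nothing.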