aspnet_isapi.dll security: limit access to all but 1 file

Scanner2001 (Jeff) wrote:

I am trying to limit access to folders in the web per user. I have tried two different approaches, neither of which I can get to work correctly. I have a Windows 2003 R2 server, ASP.NET 2.0, FrontPage extensions installed. My setup looks like this:

/webvirtualdirectory/users/tom/..
/webvirtualdirectory/users/bob/..

etc., where the webvirtualdirectory is an application.

I am using forms authentication, using SQL 2005. I want tom to be able to access files such as html, pdf, jpg, etc. that he dynamically creates or uploads to his folder, but not be able to access anything in bob's folder, including html files. Likewise for bob. The users are created dynamically, so I do not know who they are ahead of time, nor could I manage them individually.

Attempt 1:
I have tried adding an additional application extension mapping in the web site configuration, mapping .pdf to aspnet_isapi.dll (.NET 2.0). Then in the user's folder (i.e. users/bob), a web.config is dynamically created when the user is created that gives the user rights to everything in that folder. This does not work; no pdfs (or other files such as html) are served by the server. I receive a

- Error Code 64: Host not available
- Background: The connection to the Web server was lost.

Attempt 2:
I have tried the web configuration tool, supplied with Visual Studio, to limit access to the folder for the user, such as bob. This appears to have no impact on limiting access to files that are not mapped to the aspnet_isapi.dll. So basically no security on files or folders.

Now I also have some static content at the root level that I do want to allow anonymous access to, such as 1 pdf file and 1 html file. I believe the site-wide security is set properly for the remainder of the pages, because if I try to go to an aspx page that is not explicitly allowed in the web.config, the anonymous user is automatically redirected to a login page, and the page is not shown.

Not sure what I am missing here; any help is greatly appreciated, or if you think I should post to a different group.

Thanks,
Jeff

David Wang wrote:

What you want to do is technically impossible given your requirements.

What is not clear is an understanding of how the IIS 6.0 and ASP.NET 2.0 request pipelines intermingle, so you will want to read and understand the following blog entries. I still have an unwritten blog entry to explain what is actually failing with your Attempt #1.

http://blogs.msdn.com/david.wang/archive/2005/10/14/HOWTO_IIS_6_Request_Processing_Basics_Part_1.aspx
http://blogs.msdn.com/david.wang/archive/2005/10/15/Why-Wildcard-application-mapping-can-disable-Default-Document-resolution.aspx
http://blogs.msdn.com/david.wang/archive/2005/10/16/Why-Wildcard-application-mapping-is-not-catching-404s.aspx
http://blogs.msdn.com/david.wang/archive/2005/06/29/IIS_User_Identity_to_Run_Code_Part_2.aspx
http://blogs.msdn.com/david.wang/archive/2006/04/28/HOWTO-Run-Console-Applications-from-IIS6-on-Windows-Server-2003-Part-2.aspx

The closest hack to get what you want is to configure aspnet_isapi.dll as a Wildcard application mapping.

The underlying issue is this: your custom authentication/authorization protocol only applies wherever aspnet_isapi.dll applies, and aspnet_isapi.dll only applies at the IIS level, not the File/Directory level. Thus, you must make sure that all resource access goes through IIS (and aspnet_isapi.dll) and not through NTFS File/Directory or anything else on IIS.

The insecurity of the custom AuthN/AuthZ protocol is permanent because its trusted computing base (TCB) is the process identity, which is shared between tom and bob. Thus, if tom has access to that process identity (such as by calling RevertToSelf()), he can bypass your AuthN/AuthZ protocol to access bob's resources. And this bypass is by design, since the TCB is supposed to be able to access both tom's and bob's resources; it is the additional AuthN/AuthZ protocol on top of the TCB that determines whether tom can actually read bob's resources.

The only way to have truly secured resources on a shared, multi-user system is to have real user logins (i.e. real Windows users) for each user. Because then your resources are locked to your own NT user token and not a shared user token (TCB), so there is no way to bypass the security protocol.

//David
http://w3-4u.blogspot.com
http://blogs.msdn.com/David.Wang
//

Scanner2001 wrote:
> I am trying to limit access to folders in the web per user.

Scanner2001 (Jeff) wrote:

Alright, I understand what you are saying, for the most part (I may have to re-read all of it again). What is confusing to me is the Microsoft help documentation comes right out and says that I can limit access to a folder by user, using forms authentication. They even give an example of how to do it. Which is what I thought I did in example 2 below. I just re-read that and I can post it as well.

I am having a hard time believing that I am the only one out in the world that has read this and has tried it.

Thanks for the input.

Jeff

"David Wang" <w3.4***@gmail.com> wrote in message news:1163288209.819284.189190@h48g2000cwc.googlegroups.com...
> What you want to do is technically impossible given your requirements.

David Wang wrote:

Go ahead and post a link to that documentation.

The correctness of the statement depends on the scope. On an absolute scale, the statement cannot be true. With proper restrictions, one can give the impression of such behavior. You just need to understand that on an absolute scale, no system can give secured access to files/folders without system user principals. Not Linux/Apache/PHP, not Windows/IIS/ASP.NET. The exact same TCB logic applies.

//David
http://w3-4u.blogspot.com
http://blogs.msdn.com/David.Wang
//

Scanner2001 wrote:
> Alright, I understand what you are saying, for the most part (I may have to
> re-read all of it again).
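The "closest hack" David describes, written out as an added example of a root web.config for /webvirtualdirectory (this is not a file from the thread, and the public file names, the login page name and the user names are assumptions). It only has an effect once aspnet_isapi.dll is configured in IIS Manager as a Wildcard application mapping (with "Verify that file exists" unchecked), so that requests for .pdf, .html and .jpg enter the ASP.NET pipeline where the forms authentication and URL authorization modules run before any handler serves the file:

```xml
<?xml version="1.0"?>
<!-- Added example, not the poster's configuration. Assumes a wildcard
     application mapping to aspnet_isapi.dll at the IIS level; without it,
     IIS serves static files itself and nothing below is consulted for them. -->
<configuration>
  <system.web>
    <!-- Forms authentication backed by the SQL 2005 membership store.
         loginUrl is an assumed page name. -->
    <authentication mode="Forms">
      <forms loginUrl="Login.aspx" />
    </authentication>
    <!-- Site-wide default: anonymous ("?") is denied, so unauthenticated
         requests are redirected to the login page. -->
    <authorization>
      <deny users="?" />
    </authorization>
  </system.web>

  <!-- The two root-level static files that must stay public.
       File names are placeholders; rules in a <location> are evaluated
       before the site-wide rules above. -->
  <location path="public.pdf">
    <system.web>
      <authorization>
        <allow users="*" />
      </authorization>
    </system.web>
  </location>
  <location path="public.html">
    <system.web>
      <authorization>
        <allow users="*" />
      </authorization>
    </system.web>
  </location>

  <!-- Per-user folders: the user name must match the forms-authentication
       identity (Context.User.Identity.Name). Writing the same
       <system.web><authorization> element into users/bob/web.config, as the
       original post does, is equivalent to this <location> block. -->
  <location path="users/bob">
    <system.web>
      <authorization>
        <allow users="bob" />
        <deny users="*" />
      </authorization>
    </system.web>
  </location>
  <location path="users/tom">
    <system.web>
      <authorization>
        <allow users="tom" />
        <deny users="*" />
      </authorization>
    </system.web>
  </location>
</configuration>
```

What this does and does not give you follows directly from David's point: the allow/deny rules are enforced by ASP.NET for requests that reach it, so a forms-authenticated "tom" requesting /users/bob/report.pdf gets a redirect or 401 instead of the file. The NTFS permissions are unchanged, though; the worker process identity still has read access to both folders, so any code that runs as that process identity (uploaded scripts, for instance) is outside what this configuration can control. Verifying the mapping is in place is as simple as requesting a .pdf under users/ anonymously and confirming it redirects to the login page rather than downloading.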