Access to external javascript file denied

I have a page in an ASP.NET web application that includes an external javascript file using a fairly basic script tag:

<script src="DispatchRuleControl.js" type="text/javascript"></script>

When running the application on the ASP.NET internal webserver everything works fine. When I try to host it on IIS7 however I get a syntax error in that *.js file and, upon closer inspection (using firebug) it appears that under IIS 7 what is returned is not the contents of the DispatchRuleControl.js file at all but instead the fully rendered Login page for the ASP.NET web application...

So essentially it seems that access to that file is being denied by IIS 7... this causes ASP.NET to redirect to the login page and return this instead of the *.js file, which in turn causes the syntax error (the login page is not a valid javascript file)... but the root cause is that IIS is blocking access to this file for some reason.

I can confirm this by entering the URL of the javascript file in the address bar for firefox/ie directly... I get sent straight to the following URL:

http://localhost:8000/Login.aspx?ReturnUrl=%2fCMS%2fAdmin%2fDispatchRuleControl.js

Which is, of course, the login page for the site. After logging in, the login page then redirects to the ReturnUrl (seen in the Query string above) and that in turn goes straight back to the login page... it's impossible to get the contents of this js file served up by IIS 7 - it's blocking access to it outright.

Any idea why this might be or how I can debug further?

Thanks in advance.

Jimmy

"NZ Jimmy" <NZJi***@discussions.microsoft.com> wrote in message news:3F2B02CB-FCEF-43F0-B243-9A503A30E84F@microsoft.com...
> I have a page in an ASP.NET web application that includes an external
> javascript file using a fairly basic script tag:
>
> <script src="DispatchRuleControl.js" type="text/javascript"></script>
>
> When running the application on the ASP.NET internal webserver everything
> works fine. When I try to host it on IIS7 however I get a syntax error in
> that *.js file and, upon closer inspection (using firebug) it appears that
> under IIS 7 what is returned is not the contents of the
> DispatchRuleControl.js file at all but instead the fully rendered Login
> page for the ASP.NET web application...
>
> So essentially it seems that access to that file is being denied by IIS
> 7... this causes ASP.NET to redirect to the login page and return this
> instead of the *.js file, which in turn causes the syntax error (the login
> page is not a valid javascript file)... but the root cause is that IIS is
> blocking access to this file for some reason.
>
> I can confirm this by entering the URL of the javascript file in the
> address bar for firefox/ie directly... I get sent straight to the
> following URL:
>
> http://localhost:8000/Login.aspx?ReturnUrl=%2fCMS%2fAdmin%2fDispatchRuleControl.js
>
> Which is, of course, the login page for the site. After logging in, the
> login page then redirects to the ReturnUrl (seen in the Query string
> above) and that in turn goes straight back to the login page... it's
> impossible to get the contents of this js file served up by IIS 7 - it's
> blocking access to it outright.
>
> Any idea why this might be or how I can debug further?
>
> Thanks in advance.
>
> Jimmy

Have you checked that IIS7 has permission to read the .js file? Have you also checked that the MIME settings allow .js files to be served?

--
Dan

Yeah, I've got another file in another directory that I can load fine:

http://localhost:8000/Components/WarehouseSelectorControl.js

Punching in the above URL shows the contents of the WarehouseSelectorControl.js script file as expected. However when I try to navigate to the following:

http://localhost:8000/CMS/Admin/DispatchRuleControl.js

I'm getting redirected to the login dialog.

The file permissions on the DispatchRuleControl.js file are identical to the file permissions on DispatchRuleControl.aspx (sitting in the same directory) and the aspx content is getting delivered to the browser just fine (via ASP.NET of course).

I'm wondering whether this is an ASP.NET security issue rather than an IIS security issue, but it seems strange that ASP.NET serves the javascript file up fine on the Visual Studio development webserver in this case... which is the reason I suspected IIS first and foremost.

Jimmy

"Dan" wrote:
> Have you checked that IIS7 has permission to read the .js file? Have you
> also checked that the MIME settings allow .js files to be served?
>
> --
> Dan

OK so this is getting bizarre. In the directory where the offending *.js file is located, I have an ASP.NET web.config file that contains the following:

<authorization>
  <allow roles="Administrator" />
  <deny users="*" />
</authorization>

If I replace that <deny users="*" /> with a <deny users="?" /> then I can get at the javascript file just fine. HOWEVER that also means that logged in non administrative users can then access all of the files in this directory (definitely not what I want).

If I leave <deny users="*" /> then when I'm logged in as an administrator I can get at any *.aspx and *.ascx files in that directory, but not any *.js files ???

This seems pretty messed up.

Jimmy

"NZ Jimmy" <NZJi***@discussions.microsoft.com> wrote in message news:C729236E-66C0-4139-9B0C-D7FD877E430B@microsoft.com...
> OK so this is getting bizarre. In the directory where the offending *.js
> file is located, I have an ASP.NET web.config file that contains the
> following:
>
> <authorization>
>   <allow roles="Administrator" />
>   <deny users="*" />
> </authorization>
>
> If I replace that <deny users="*" /> with a <deny users="?" /> then I can
> get at the javascript file just fine. HOWEVER that also means that logged
> in non administrative users can then access all of the files in this
> directory (definitely not what I want).
>
> If I leave <deny users="*" /> then when I'm logged in as an administrator
> I can get at any *.aspx and *.ascx files in that directory, but not any
> *.js files ???
>
> This seems pretty messed up.
>
> Jimmy

I haven't played with ASP.NET yet, but doesn't it only process .aspx, .ascx, and other pre-configured file extensions only? If so, then that means IIS is handling permissions for the .js file, so it will need different permissions than the ASP.NET files - the ASP.NET files will be handled by the user permission that ASP.NET is configured with, the other files will be using the IUSR_ account permissions, or those of the authenticated user in the case of integrated auth.

It's certainly possible that you just need to adjust the permissions for the .js files for the IIS user account.

--
Dan

"Dan" wrote:
> I haven't played with ASP.NET yet, but doesn't it only process .aspx,
> .ascx, and other pre-configured file extensions only? If so, then that
> means IIS is handling permissions for the .js file, so it will need
> different permissions than the ASP.NET files - the ASP.NET files will be
> handled by the user permission that ASP.NET is configured with, the other
> files will be using the IUSR_ account permissions, or those of the
> authenticated user in the case of integrated auth.

In theory I'd agree with you... if that's the case though, why does changing the authorization block in the ASP.NET web.config file alter whether or not I can access this file? That said, why is it only when hosting the application under IIS7 that I run into this problem? It simply doesn't seem logical.

I can work around this problem by adding the following in the web.config file that resides in the Admin folder:

<system.web>
  <authorization>
    <allow roles="Administrator" />
    <deny users="*" />
  </authorization>
</system.web>
<location path="DispatchRuleControl.js">
  <system.web>
    <authorization>
      <allow users="?"/>
    </authorization>
  </system.web>
</location>

Essentially I'm adding an explicit exception to allowing all logged in users to access the DispatchRuleControl.js file... since I AM logged in to ASP.NET as an administrator, this seems a little peculiar and it's a pain to have to explicitly override the permissions for every *.js file that is in a secure folder in the web application.

There must be some way to tell IIS to use ASP.NET authentication for js files... I've done this for asp files on sites where we had a mix of classic ASP pages and ASP.NET pages:

http://weblogs.asp.net/scottgu/archive/2007/03/04/tip-trick-integrating-asp-net-security-with-classic-asp-and-non-asp-net-urls.aspx

Attempting the same trick for js files doesn't seem to work though.

Jimmy

About the .js not being served by IIS, I found this:

http://techvins.wordpress.com/2010/06/07/solutions-to-problems-setting-up-virtual-directory-in-iis-7-2/

Adding the handler for .js did solve the problem. Hope it helps others with the same problem.
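
The three authorization rule sets posted in this thread, run through a small model of ASP.NET URL authorization to show which kinds of principal each one admits (an added example, not code from any poster or from ASP.NET itself). It assumes the documented evaluation order: rules from the most specific scope first, first match wins, with the machine-level allow-all as the last rule. The principals and their names are constructed.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Principal:
    name: Optional[str]              # None models an anonymous request
    roles: frozenset = frozenset()

@dataclass(frozen=True)
class Rule:
    action: str                      # "allow" or "deny"
    users: tuple = ()
    roles: tuple = ()

    def matches(self, p: Principal) -> bool:
        for u in self.users:
            if u == "*" or (u == "?" and p.name is None):
                return True
            if p.name is not None and u.lower() == p.name.lower():
                return True
        return any(r in p.roles for r in self.roles)

# Machine-level default that applies after all site rules.
MACHINE_DEFAULT = [Rule("allow", users=("*",))]

def is_allowed(p, *levels):
    """levels: rule lists ordered from most specific (<location>) to parent."""
    for rules in (*levels, MACHINE_DEFAULT):
        for rule in rules:
            if rule.matches(p):      # first match wins
                return rule.action == "allow"
    return False

# Rule sets as posted in the thread.
ADMIN_ONLY = [Rule("allow", roles=("Administrator",)), Rule("deny", users=("*",))]
DENY_ANON = [Rule("allow", roles=("Administrator",)), Rule("deny", users=("?",))]
JS_LOCATION = [Rule("allow", users=("?",))]  # <location path="DispatchRuleControl.js">

# Constructed principals (hypothetical names).
PRINCIPALS = {
    "anonymous": Principal(None),
    "admin": Principal("alice", frozenset({"Administrator"})),
    "member": Principal("bob"),      # authenticated, no roles
}

def access_matrix():
    configs = {"deny *": (ADMIN_ONLY,), "deny ?": (DENY_ANON,),
               "location + deny *": (JS_LOCATION, ADMIN_ONLY)}
    return {c: {n: is_allowed(p, *lv) for n, p in PRINCIPALS.items()}
            for c, lv in configs.items()}

if __name__ == "__main__":
    for config, row in access_matrix().items():
        print(f"{config:18} {row}")
```

In this model the `<location>` exception admits anonymous requests to the script file, while an authenticated principal without the Administrator role is still denied by the parent rules.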