Re: ASP.Net Web.config security question



AFAIK this is expected as HTML files are not handled by ASP.NET. A possible
solution could be to rename those files...

Patrice

--

"ASP.Net programmer" <me@xxxxxxxx> wrote in message
news:42948f5c$0$143$e4fe514c@xxxxxxxxxxxxxxxxx
> For some *very* annoying reason the security settings only work when
> an aspx page is requested. The security settings are completely ignored
> when an HTML file is requested. Even when I applied the security settings
> specifically to the html file!
>
> "ASP.Net programmer" <me@xxxxxxxx> wrote in news:42944b94$0$153$e4fe514c@xxxxxxxxxxxxxx:
>
> > I have a weird problem securing my ASP.Net application. I know it's
> > probably my fault, but I just don't get it to work.
> >
> > - Anonymous access is disabled on the IIS Server.
> > - Integrated Windows security is enabled on the IIS Server.
> >
> > Web.config (excerpt, slightly edited):
> > <?xml version="1.0" encoding="utf-8" ?>
> > <configuration>
> >
> >   <location path="admin">
> >     <system.web>
> >       <authorization>
> >         <allow users="Domain\admin_account"/>
> >         <deny users="*" />
> >       </authorization>
> >     </system.web>
> >   </location>
> >
> >   <system.web>
> >     <authentication mode="Windows" />
> >     <authorization>
> >       <allow roles="Domain\Domain Users" />
> >       <deny users="*" />
> >     </authorization>
> >   </system.web>
> > </configuration>
> >
> > The problem is: I (as a normal user) can access the normal pages as
> > expected, but also the admin directory.
> >
> > I enabled trace and the only status-code for a request is 200. I know
> > there also should be a 400 (or 401) for the authentication, but it just
> > isn't there.
> > The LOGON_USER property of the trace shows my account.
> >
> > My question is: what did I forget?
>
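
Added example, not part of the original thread and not ASP.NET's own code: a small Python model of how the quoted Web.config is evaluated, showing why an `.aspx` request under `admin` is denied for a normal user while an `.html` request in the same directory never reaches the authorization rules. The extension set, the user names other than `Domain\admin_account`, and the file names are assumptions made for illustration.

```python
import posixpath
import xml.etree.ElementTree as ET

# Constructed sample mirroring the Web.config excerpt quoted in the post.
WEB_CONFIG = r"""<configuration>
  <location path="admin"><system.web><authorization>
    <allow users="Domain\admin_account"/>
    <deny users="*"/>
  </authorization></system.web></location>
  <system.web><authorization>
    <allow roles="Domain\Domain Users"/>
    <deny users="*"/>
  </authorization></system.web>
</configuration>"""

# Assumption: the only extensions IIS hands to ASP.NET on this server.
ASPNET_EXTENSIONS = {".aspx", ".asmx", ".ashx", ".axd"}

def _split(value):
    return {v.strip().lower() for v in (value or "").split(",") if v.strip()}

def _rules(node):
    auth = node.find("system.web/authorization")
    if auth is None:
        return []
    return [(r.tag, _split(r.get("users")), _split(r.get("roles"))) for r in auth]

def decide(config_xml, url_path, user, roles=()):
    """Return 'allow', 'deny' or 'not-evaluated' for one request."""
    if posixpath.splitext(url_path)[1].lower() not in ASPNET_EXTENSIONS:
        return "not-evaluated"  # IIS serves the file itself; no rule is checked
    root = ET.fromstring(config_xml)
    path = url_path.strip("/").lower()
    matching = []
    for loc in root.findall("location"):
        prefix = loc.get("path", "").strip("/").lower()
        if path == prefix or path.startswith(prefix + "/"):
            matching.append((len(prefix), _rules(loc)))
    matching.sort(key=lambda m: m[0], reverse=True)  # most specific location first
    rules = [rule for _, group in matching for rule in group]
    rules += _rules(root)                      # then the application-wide rules
    rules.append(("allow", {"*"}, set()))      # framework default: allow everyone
    roles = {r.lower() for r in roles}
    for action, users, rule_roles in rules:
        if "*" in users or user.lower() in users or roles & rule_roles:
            return action                      # first matching rule wins
```

A result of `not-evaluated` means the file is protected only by whatever IIS and NTFS permissions apply to it, which is the behaviour described in the reply above.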

