Re: IIS 6 security - anyone can explain this for me ?


Juan, thank you very much for the information.
I've read them quickly and I'm still confused,
maybe I did not describe my question clearly.

In Fritz's "Essential ASP.NET with Examples",
section 3.1.5, he said:

"IIS is always listening for requests and dispatching
them to the ASP.NET worker process if they are
ASP.NET requests. This is important to realize because
the configuration settings in the IIS metabase are applied
*before* the request to the ASP.NET worker process
is dispatched.
....
For example, if you specify in the IIS metabase that users
must be authenticated using Windows authentication, but
in your ASP.NET application web.config file
you have granted anonymous access, users will always be
required to authenticate before they can access pages.."

I experimented with it on both IIS 5 and IIS 6, and I get the same
result as Fritz said. But why? All the documents say that in
IIS 6, HTTP.sys is only a "gate" to pass requests to w3wp.exe,
so in the above example, when and who checked the IIS
metabase for the authentication? Is it WAS or aspnet_isapi.dll
in w3wp process? This is what I really want to know.

Hope I made my question clear (English is not my mother tongue).

Michael

"Juan T. Llibre" <nomailreplies@xxxxxxxxxxx> wrote in message
news:OczamNGpFHA.2916@xxxxxxxxxxxxxxxxxxxxxxx
> I should have added these 2 links. They have additional info.
>
> "HTTP Protocol Stack (IIS 6.0)" :
> http://www.microsoft.com/technet/prodtechnol/WindowsServer2003/Library/IIS/cbac25c6-6db4-4048-a8a8-6372cda661b4.mspx
>
> "Http.sys.doc" (Changes to HTTP API in Windows Server 2003 SP1) :
> http://download.microsoft.com/download/b/5/9/b59f845a-9fe5-4be6-b578-18ca88e60566/HTTP.SYS.doc
>
>
>
>
> Juan T. Llibre
> ASP.NET MVP
> http://asp.net.do/foros/
> ASP.NET forums in Spanish
> Come, and let's talk about ASP.NET...
> ======================
>
> "Juan T. Llibre" <nomailreplies@xxxxxxxxxxx> wrote in message
> news:ehaEjIGpFHA.2156@xxxxxxxxxxxxxxxxxxxxxxx
>> Michael, what do you find odd in that ?
>>
>> http.sys does *not* load any application code,
>> it only parses and routes requests.
>>
>> Please review these documents :
>>
>> "Security Enhancements in Internet Information Services 6.0" :
>> http://download.microsoft.com/download/a/4/c/a4c57604-f17c-4214-9d64-53084036922e/IISEnhance.doc
>>
>> "Technical Overview of Internet Information Services (IIS) 6.0" :
>> http://download.microsoft.com/download/8/a/7/8a700c68-d1af-4c8d-b11e-5f974636a7dc/IISOverview.doc
>>
>> They will be of use in understanding how http.sys works within IIS.
>>
>>
>>
>> Juan T. Llibre
>> ASP.NET MVP
>> http://asp.net.do/foros/
>> ASP.NET forums in Spanish
>> Come, and let's talk about ASP.NET...
>> ======================
>>
>> "Michael Tsai" <huanlin.tsai@xxxxxxxxx> wrote in message
>> news:%23Q6Je1FpFHA.2720@xxxxxxxxxxxxxxxxxxxxxxx
>>> Hi,
>>> It said that IIS 6 uses HTTP.sys as the front end for
>>> handling HTTP requests, and passes ASP.NET requests
>>> to w3wp.exe, but after some simple experiments,
>>> I found the security settings (e.g. Authentication method)
>>> in the IIS metabase are still applied before the HTTP request
>>> reaches my ASP.NET application.
>>>
>>> Can anyone explain this for me, or point to an
>>> article that explains: when a user requests an ASP.NET
>>> page, what happens between HTTP.sys and the IIS metabase?
>>>
>>> Michael
>>>
>>>
>>
>>
>
>
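
The ordering described in the quoted book passage, as an added example that is not part of the original post or the book: a small Python model in which the IIS metabase authentication setting is checked first and the web.config authorization rules are evaluated only for requests that get past it. It models the order only, not which IIS component performs the first check; the function names and the sample web.config are constructed for illustration, and the flag values are those of the metabase AuthFlags property.

```python
import xml.etree.ElementTree as ET

# IIS metabase AuthFlags bits (AuthAnonymous, AuthBasic, AuthNTLM).
AUTH_ANONYMOUS, AUTH_BASIC, AUTH_NTLM = 0x1, 0x2, 0x4

# Constructed web.config: the application grants anonymous ("?") access.
WEB_CONFIG = """<configuration><system.web>
  <authorization>
    <allow users="?" />
  </authorization>
</system.web></configuration>"""

def parse_rules(web_config_xml):
    """Return [(action, [users])] in document order from <authorization>."""
    root = ET.fromstring(web_config_xml)
    section = root.find("system.web/authorization")
    rules = []
    for el in (section if section is not None else []):
        if el.tag in ("allow", "deny") and el.get("users"):
            rules.append((el.tag, [u.strip() for u in el.get("users").split(",")]))
    return rules

def url_authorization(rules, user):
    """ASP.NET URL authorization: first matching rule wins; user=None is anonymous."""
    for action, users in rules:
        for u in users:
            if u == "*" or (u == "?" and user is None) or (user and u.lower() == user.lower()):
                return action == "allow"
    return True  # machine-level default is <allow users="*"/>

def handle_request(auth_flags, web_config_xml, user=None):
    """Model of the order in the quote: IIS settings first, then ASP.NET.
    Returns (status, stage_that_decided)."""
    # Stage 1: IIS. With the anonymous bit cleared, a request without
    # credentials is challenged and never reaches the application.
    if user is None and not auth_flags & AUTH_ANONYMOUS:
        return 401, "IIS"
    # Stage 2: ASP.NET evaluates web.config against the identity IIS passed on.
    if url_authorization(parse_rules(web_config_xml), user):
        return 200, "ASP.NET"
    return 401, "ASP.NET"
```

With only the NTLM bit set, an anonymous request is rejected at the IIS stage even though web.config allows "?", which is the behaviour observed in the experiment above.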

