Re: how does the app_data folder work


Hi, Andy.

re:
!> so surely there must be some magic going on behind the scenes somewhere?

Not quite "magic" but, yes, any data files you put
in the App_Data folder will be protected by default.

No external http requests for any file there will be honored.

What I tried to say was that the mechanism has nothing
to do with "reserved names", as you suggested it might.

There *is*, however, an internal check for the source of the request.
If the request for a file in App_Data is external to the server, the file won't get served.

re:
!> inside each folder I place a file with an unknown extension
!> not mentioned in the global web.config - say foo.bar

If you want *.bar files protected, you'd have to add :

<add path="*.bar" verb="*" type="System.Web.HttpForbiddenHandler" validate="True" />





Juan T. Llibre, asp.net MVP
asp.net faq : http://asp.net.do/faq/
foros de asp.net, en español : http://asp.net.do/foros/
======================================
"Andy Fish" <ajfish@xxxxxxxxxxxxxxxx> wrote in message news:e3jcp$F9HHA.5980@xxxxxxxxxxxxxxxxxxxxxxx
Thanks for the reply, but I still don't really get it

let's say I create a new web site (just using explorer and IIS admin - not visual web developer) with one folder
called foo and one called app_data

inside each folder I place a file with an unknown extension not mentioned in the global web.config - say foo.bar

I can access http://localhost/mysite/foo/foo.bar but not http://localhost/mysite/app_data/foo.bar even though the file
permissions are the same

so surely there must be some magic going on behind the scenes somewhere?

Andy

"Juan T. Llibre" <nomailreplies@xxxxxxxxxxx> wrote in message news:%23hlFuX88HHA.464@xxxxxxxxxxxxxxxxxxxxxxx
re:
!> is app_data a reserved name for IIS and ASP.Net

No, it's not.

The files which are not served are set in the master web.config file, in the
<httpHandlers> section, managed by System.Web.HttpForbiddenHandler.

That master web.config file is located at :
drive:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\CONFIG\web.config

Examples :

<add path="*.mdb" verb="*" type="System.Web.HttpForbiddenHandler" validate="True" />
<add path="*.ldb" verb="*" type="System.Web.HttpForbiddenHandler" validate="True" />
<add path="*.mdf" verb="*" type="System.Web.HttpForbiddenHandler" validate="True" />
<add path="*.ldf" verb="*" type="System.Web.HttpForbiddenHandler" validate="True" />

You can add any other file extensions you don't want
ASP.NET to serve directly by following that format.

re:
!> is there some jiggery pokery going on behind the scenes with file permissions or virtual roots?

There's also some jiggery pokery going on behind the scenes with file permissions or virtual roots.

If you create a Web site in Visual Web Developer (whether the standalone or the VS IDE),
VWD creates a folder named App_Data below the current root folder.

The folder is designed to be a store for application data of any type.

The App_Data folder is also used by ASP.NET to store databases that the system maintains,
such as the database for membership and roles.

When VWD creates the App_Data folder, it grants Read and Write permissions
for the folder to the ASPNET or NETWORK SERVICE user account.

So, if a request is made from an external browser for a forbidden file,
the account requesting it won't be the ASPNET or NETWORK SERVICE accounts,
which are the only ones which are allowed access to those files.

There's no "unexplained magic" involved.
It's all pretty much straightforward.




Juan T. Llibre, asp.net MVP
asp.net faq : http://asp.net.do/faq/
foros de asp.net, en español : http://asp.net.do/foros/
======================================
"Andy Fish" <ajfish@xxxxxxxxxxxxxxxx> wrote in message news:uKpdqy78HHA.980@xxxxxxxxxxxxxxxxxxxxxxx
Hi,

From what I can gather, under Asp.Net 2.0, it is safe to put data and config files underneath the app_data in the
web root and they will not be served directly to the browser from a URL.

Can anyone explain just how this feature works? Is app_data a reserved name for IIS and ASP.Net, or is there some
jiggery pokery going on behind the scenes with file permissions or virtual roots?

It's not that I don't trust Microsoft; it's just that .... well.... I guess I don't trust Microsoft - especially
where bits of unexplained magic are concerned :-)

TIA

Andy
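
Added example, not part of the original thread: a Python check that reads a site's web.config, collects the path patterns mapped to System.Web.HttpForbiddenHandler in the `<add>` format quoted above, and lists which files outside App_Data have no such mapping. The config text, the file list and the function names are constructed for illustration; App_Data is treated as protected by default, as stated in the thread.

```python
import fnmatch
import xml.etree.ElementTree as ET

FORBIDDEN = "System.Web.HttpForbiddenHandler"

# Constructed site-level web.config using the <add> format quoted in the thread.
SAMPLE_CONFIG = """<configuration>
  <system.web>
    <httpHandlers>
      <add path="*.mdb" verb="*" type="System.Web.HttpForbiddenHandler" validate="True" />
      <add path="*.bar" verb="*" type="System.Web.HttpForbiddenHandler" validate="True" />
    </httpHandlers>
  </system.web>
</configuration>"""

# Constructed list of files under the site root (relative paths).
SAMPLE_FILES = [
    "foo/foo.bar",
    "foo/orders.mdb",
    "foo/settings.dat",
    "App_Data/foo.bar",
    "default.aspx",
]

def forbidden_patterns(config_xml):
    """Return the path patterns that the config maps to HttpForbiddenHandler."""
    root = ET.fromstring(config_xml)
    patterns = []
    for add in root.findall("./system.web/httpHandlers/add"):
        # The type attribute may be assembly-qualified; keep only the class name.
        handler_type = add.get("type", "").split(",")[0].strip()
        if handler_type == FORBIDDEN and add.get("path"):
            patterns.append(add.get("path").lower())
    return patterns

def classify(files, patterns):
    """Bucket files: under App_Data, matched by a forbidden mapping, or neither."""
    result = {"app_data": [], "forbidden": [], "unmapped": []}
    for rel in files:
        parts = rel.replace("\\", "/").lower().split("/")
        if "app_data" in parts[:-1]:
            result["app_data"].append(rel)
        elif any(fnmatch.fnmatchcase(parts[-1], p) for p in patterns):
            result["forbidden"].append(rel)
        else:
            result["unmapped"].append(rel)  # no forbidden mapping: review these
    return result

if __name__ == "__main__":
    for bucket, names in classify(SAMPLE_FILES, forbidden_patterns(SAMPLE_CONFIG)).items():
        print(bucket, names)
```
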







