Re: file security with anonymous log in
- From: "David Wang [Msft]" <someone@xxxxxxxxxxxxxxxxxxxx>
- Date: Wed, 20 Apr 2005 23:59:21 -0700
Let me make sure I understand your setup.
1. You only have anonymous access enabled.
2. On each web page, it checks to see if the authorization token is present; if not, it redirects to the login page; if it exists, it continues on.
3. Your login page talks to SQL to do username/password check; if successful, set the authorization token (and possibly redirect to original web page of #2); if fail, show error (and possibly redirect to login page).
If correct, then your problem is that your code that executes Excel Pivot
Tables does NOT verify the authorization token prior to execution. If it
did, then the random anonymous user wouldn't be able to get it to do
anything before authenticating.
I'm guessing your problem is that .xls is directly accessible via URL (you
scriptmapped it to Excel [another bad thing to do on the server, just so
that you know -- it can hang IIS] ), and your web pages make direct URL
links to it to generate the content, hence the .xls file is directly
accessible to anonymous user (because of #1 above) yet it cannot perform #2
above.
Basically, your problem is that you are writing your own custom
authentication/authorization scheme, and you haven't written all of the
necessary software. In particular, you haven't written the many-to-one user
token mapper which runs on every single request. That particular piece of
code requires an ISAPI Filter written in C -- people have written and sell
such software on IIS5.
A possible alternative could be to use ASP.Net's forms authentication and
extensible membership/roles system. It makes all this stuff a piece of cake
because it is basically a fully written and customizable
authentication/authorization scheme provided by Microsoft for free with
ASP.Net. It would work even better if run on IIS6 as it can be extended to
capture all request types, not just ASP.Net specific.
--
//David
IIS
http://blogs.msdn.com/David.Wang
This posting is provided "AS IS" with no warranties, and confers no rights.
//
"Fred" <Fred@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:F745E291-64C4-4B82-B205-D333E2C961DC@xxxxxxxxxxxxxxxx
I have a MS IIS 5 web site running on Win2K server that uses MS SQL 2000
based table to authenticate log in, then passes authorization token for each
page to check and accept or redirect. The NT user is the anonymous
IUSER_computername. Problem is, I want to execute excel pivot tables as menu
items on the site, therefore IUSER must have rights to the executable (xls)
files. If the path to the xls file is known, IUSER can execute via the URL,
bypassing the authentication process. Is there a way to log in to a common
NT user as part of the web security check, and remove IUSER's access to
executables?
--
Fred
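For reference, the ASP.Net forms authentication setup David points to looks roughly like the web.config below. This is an added illustration, not part of either posting; the login page name, cookie name and timeout are assumed values, and the .xls path is only an example of a file that must not be reachable before login.

```xml
<?xml version="1.0"?>
<configuration>
  <system.web>
    <!-- Forms authentication: unauthenticated requests are redirected to
         the login page, which does the SQL username/password check and
         calls FormsAuthentication.RedirectFromLoginPage on success.
         Cookie name and timeout are assumed values. -->
    <authentication mode="Forms">
      <forms loginUrl="login.aspx" name=".AUTHTOKEN"
             protection="All" timeout="30" />
    </authentication>

    <!-- Deny anonymous ("?") users for every request the pipeline sees.
         This is the many-to-one check applied on every request, rather
         than a check each individual page has to remember to perform. -->
    <authorization>
      <deny users="?" />
    </authorization>
  </system.web>

  <!-- The login page itself must stay reachable by anonymous users,
       otherwise nobody can ever authenticate. -->
  <location path="login.aspx">
    <system.web>
      <authorization>
        <allow users="*" />
      </authorization>
    </system.web>
  </location>
</configuration>
```

On IIS5 this only protects extensions mapped to aspnet_isapi.dll, so a direct URL to the .xls still bypasses it; on IIS6 a wildcard application map to aspnet_isapi.dll (assumed to be configured in IIS Manager) routes every request type through this authorization check, which is the "capture all request types" point in the reply above.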