I need to restrict access to static HTML files in several ASP.NET applications. As those applications implement their own authentication mechanisms, it looks like I just need to get those files to go through the ASP.NET request processing pipeline instead of the "standard" IIS static content handling. Some of the applications are relatively modern ASP.NET MVC applications and use the integrated pipeline on IIS 7.5, and it looks like it is not a big deal to do what I need for them. But others are legacy ASP.NET web sites working in the classic pipeline mode (IIS 7.5), and at the moment it is not possible to move them to the integrated pipeline for certain reasons.
UPD: The issue is that the applications contain some static files (help pages) and an unauthorized user can see them if they type the direct URL. And my task is to make the application show the login page in such a case.
Adding a handler into Web.config:
<add name="StaticHTMLHandler" path="*.htm*" verb="*" modules="IsapiModule" scriptProcessor="C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_isapi.dll" resourceType="Unspecified" preCondition="classicMode,runtimeVersionv4.0,bitness32" />
caused me just to get this exception:
[HttpException (0x80004005): Failed to Execute URL]
   System.Web.Hosting.ISAPIWorkerRequestInProcForIIS6.BeginExecuteUrl(String url, String method, String childHeaders, Boolean sendHeaders, Boolean addUserIndo, IntPtr token, String name, String authType, Byte entity, AsyncCallback cb, Object state) +4136452
   System.Web.HttpResponse.BeginExecuteUrlForEntireResponse(String pathOverride, NameValueCollection requestHeaders, AsyncCallback cb, Object state) +653
   System.Web.DefaultHttpHandler.BeginProcessRequest(HttpContext context, AsyncCallback callback, Object state) +279
   System.Web.CallHandlerExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute() +12551795
   System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously) +288
So what am I doing wrong? Can anybody point me to the right way?
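The stack trace above ends in System.Web.DefaultHttpHandler, which in classic mode hands the request back to IIS through ExecuteUrl. The following Web.config fragment is an added example, not part of the original question or answer: it keeps the question's ISAPI mapping and also maps the same pattern to System.Web.StaticFileHandler, so ASP.NET serves the file itself after its own pipeline events have run. The `help` folder name and the URL-authorization rule are assumptions, and the rule only behaves as intended if the application's own authentication sets the request's user.

```xml
<configuration>
  <system.web>
    <!-- Classic mode: ASP.NET chooses the managed handler from this section.
         With no explicit entry, *.htm* falls through to DefaultHttpHandler,
         the frame that raises "Failed to Execute URL" in the trace. -->
    <httpHandlers>
      <add path="*.htm*" verb="GET,HEAD"
           type="System.Web.StaticFileHandler" validate="true" />
    </httpHandlers>
  </system.web>

  <system.webServer>
    <handlers>
      <!-- Mapping from the question, unchanged: sends *.htm* to aspnet_isapi.dll -->
      <add name="StaticHTMLHandler" path="*.htm*" verb="*"
           modules="IsapiModule"
           scriptProcessor="C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_isapi.dll"
           resourceType="Unspecified"
           preCondition="classicMode,runtimeVersionv4.0,bitness32" />
    </handlers>
  </system.webServer>

  <!-- Assumption: the help pages live under a folder named "help".
       Anonymous requests are denied here; authenticated users pass. -->
  <location path="help">
    <system.web>
      <authorization>
        <deny users="?" />
      </authorization>
    </system.web>
  </location>
</configuration>
```

To check the result, request one of the help pages directly in a browser session with no login and confirm the file content is not returned.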
I've never tried your methods, but I also have some FW 1.1, classic ASP, and modern web apps mixed on my web servers. What I do is create a separate app pool per framework. I run 1.1 on a 1.1 classic mode app pool that I create, and run modern apps on another app pool: integrated FW 4.0. The classic ASP stuff is out of scope for this question. Each app pool is its own process, so there's no real downside to using more app pools; 1 app pool per application is a perfectly acceptable security policy, for example.