Securing XML documents on a ASP.net site....

[Johan Pingree]

HOW in the world is this accomplished! I have an internet site I am
prototyping and I need to be able to prevent "casual" browsing of XML
documents. Using the web.config forms based authentication does nothing to
prevent XML documents from being browsed. We obviously are not interested in
turning on digest or basic authentication for this project. Every attempt to
use ACL's has resulted in aspx pages having issues in reading and writing to
the XML files. I have read NUMEROUS documents and publications over the
weekend and have yet to find anyone that addresses this issue specifically!!
Are we the only ones attempting to do this? Can anyone point me to a
document the spells this out for this lame-brain programmer!

We are on WinXP Pro as the developement plaform running Framework 1.1 and VS
2003.

Thanks,
Johan.

 

[Chris Botha]

We obviously are not interested in turning on digest or basic
authentication for this project.

Every attempt to use ACL's has resulted in aspx pages having issues in reading and writing to
the XML files.

The above takes you half way, if you then use impersonation, the issues with
reading and writing will be solved.
There is also integrated windows authentication, which may be better than
basic authentication, as with basic the password is sent in clear text. For
impersonation to work, switch off anonymous access to the virtual directory
and see the following for the impersonate syntax entry in the web.config
file
http://msdn.microsoft.com/library/d...-us/cpguide/html/cpconaspnetimpersonation.asp

 

[Hugo Wetterberg]

You could use a http-handler for xml-files that either redirects the
user to the page that is supposed to be generated from the data that
the user tries browse, or presents the user with an access denied
screen.

Then you can make the reaction conditional. Show xml source if
debugging or local host or specific IP, and so on.

Hugo

 

[Rick Spiewak]

See:
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnnetsec/html/THCMCh19.asp

 

[Patrice]

You could also store these docs outside your web site so that the user can
only browse them through an apsx page that streams them to the navigator...

Patrice

 

[Johan Pingree]

Thanks all for the quick responses and directions.
IMHO:
I now truly understand why many developers complain about the security
features in dot net. I have seen spaghetti code, however, this is my first
experience with spaghetti security. I personally think that MS made things
much more difficult than was necessary. Such a simple task of not allowing
browsers to have access to the XML files took me the several hours of
research and testing to find a decent solution.
It looks like I will need to write an IHttpHandler class (which I admit I
will most likely take advantage of for other purposes) in order to
accomplish my requirement. I personally believe that this kind of security
should not need the type of "surgery" that I will be implementing!

I wish I had time to put together a little article on this experience.

BTW, for a really good article and sample code see:

http://msdn.microsoft.com/asp.net/u...l=/library/en-us/dnaspp/html/URLRewriting.asp


Regards,
Johan.

 

[Johan Pingree]

Please explain "outside your web site"....
Thank you.

 

[Patrice]

I meant not below your web site root ie. those documents are not accessible
using a URL. As they can't be accessed directly, there is an APSX page whose
goal is to read these documents to stream them to the navigaotr.

Of course, it depends upon your exact requirements (from yourr first post,
it looks like you just want to prevent direct browsing and are not
interested directly in authenticating/authorizing users bu t just as a
possible mean to prevent this ?)

Patrice

 

[Johan Pingree]

Your on the right track. I need my aspx pages to work with these XML
documents (read & write). There will be some information in these XML
documents that I do not want someone to be able to "glean" by browsing. So,
I need to prevent direct access via a browser to the XML documents. I do
plan on using forms authentication, however in my testing this does not
prevent someone from directly accessing the XML files (to bad, as I think it
should!). So, I next tried authorization settings with a web.config file in
the folder with the XML docuemtns. This however lead to other problems such
as corruption of the XML files when attempting to write to them.
Impersonation did nothing to solve my problem and besides impersonation has
scalablility issues when dealing with database access (which we will have).
I need this to be simple and most of all easy to manage. I need to deploy
this web application to remote servers. I do not want to have to jump
outside of the development enviroment to manage special permission issues or
incure other IT management costs, if at all possible.

All-in-all this has been a very fustrating experience.

Something so simple turing out to be so riddled with complexity. What a
shame!

 

[Guest]

Have you protected the XML documents by adding them to the ISAPI filter

In your Web site, chose PROPERTIES|DIRECTORY|CONFIGURATION.... This should give you the IASPI Filters screen. Chose ADD, use the C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\aspnet_isapi.dll as the executable and XML as the extension. Note: v1.1.4322 is my framework version, yours may be different if you are using the 1.0 .NET Framework. More explanation is provided by MSDN: http://msdn.microsoft.com/library/d...dEditApplicationExtensionMappingDialogBox.asp

I think that this must be done BEFORE the ASP.NET framework will handle the requests based on security. You can read more about this also in "IIS 6.0 Administrator Guide" under the Configuring Applications|Setting Application Mappings. By default, XML is not a type of file handled by the ASP.NET framework

Respectfully

Andrew Corley, MCSD, MCDB

----- Johan Pingree wrote: ----

HOW in the world is this accomplished! I have an internet site I a
prototyping and I need to be able to prevent "casual" browsing of XM
documents. Using the web.config forms based authentication does nothing t
prevent XML documents from being browsed. We obviously are not interested i
turning on digest or basic authentication for this project. Every attempt t
use ACL's has resulted in aspx pages having issues in reading and writing t
the XML files. I have read NUMEROUS documents and publications over th
weekend and have yet to find anyone that addresses this issue specifically!
Are we the only ones attempting to do this? Can anyone point me to
document the spells this out for this lame-brain programmer

We are on WinXP Pro as the developement plaform running Framework 1.1 and V
2003

Thanks
Johan

 

[ericmalcore]

HOW in the world is this accomplished! I have an internet site I am
prototyping and I need to be able to prevent "casual" browsing of XML
documents. Using the web.config forms based authentication does nothing to
prevent XML documents from being browsed. We obviously are not interested in
turning on digest or basic authentication for this project. Every attempt to
use ACL's has resulted in aspx pages having issues in reading and writing to
the XML files. I have read NUMEROUS documents and publications over the
weekend and have yet to find anyone that addresses this issue specifically!!
Are we the only ones attempting to do this? Can anyone point me to a
document the spells this out for this lame-brain programmer!

We are on WinXP Pro as the developement plaform running Framework 1.1 and VS
2003.

Thanks,
Johan.

Are you trying to change your nationality ? do you need work papers ? do you want travel ? do you need papers you cant have ?if yes , then you are in the right place at the right time

We are an independent group of specialized IT professionals and data base technicians who are specialized in the production of quality documents such as passports,drivers license,id cards,stamps,visas,diplomas of very high quality and other products
for all countries: USA, Australia,UK, Belgium, Brazil, Canada, Italian, Finland, France, Germany, Israel, Mexico, Netherlands, South Africa, Spain, Switzerland, . This list is not full.contact General support: ( (e-mail address removed) )
To get the additional information and place the order just call or contact us via email mobile.

SKYPE US ................. fandena.fandena (Bureau Fandena)

Contact; (e-mail address removed)

Key words
----------------
Canada
Cards
United States Cards
Student Cards
International Cards
Private Cards
Adoption Certificates
Baptism Certificates
Birth Certificates
Death Certificates
Divorce Certificates
Marriage Certificates
Custom Certificates
High School Diplomas
G.E.D. Diplomas
Home School Diplomas
College Degrees
University Degrees
Trade Skill Certificates
Social Security
Validate SSN Number
Driver License Search
Spy Products
Voice Changers
Listening Devices
Invisible Ink
DMV Record Inquiry
Background Check
Investigate Anyone

Contact; (e-mail address removed)