Authorization for Static Files in ASP.NET MVC w/ Owin - asp.net

I have the need to secure an entire folder of static HTML files. The intention is that a user cannot access these files unless they are authenticated and have the necessary role.
We've got cookie-based authentication set up using OWIN, but no matter what I try I can't seem to figure out the correct combination of changes to make to require authentication on the folder.
The first problem is that IIS is skipping ASP.NET completely and just serving the files. I think there's probably a way around that by setting runAllManagedModulesForAllRequests to true. But where do I go from there?
I've tried stuffing elements in the Web.config to require the proper roles, but it just results in EVERY request getting denied (presumably because it's not inspecting the proper cookie or something).
I've spent my entire day on this and I'm about to lose my mind.
Has anyone solved this problem?

IIS is serving the static files; if you want to stop this, you can remove the default static file handler, and then every request is served by MVC/OWIN.
Then do the static file handling and authorization in your controller: listen on/map a route where the static files are located.
To remove the default static file handler, add this to the web.config file:
<configuration>
<system.webServer>
<handlers>
<remove name="StaticFile" />
</handlers>
</system.webServer>
</configuration>
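As an added example of the "handle and authorize the files in your controller" approach (this is not code from the original answer), assuming the route secure/{*path}, a role named "Members", and the protected HTML living under ~/App_Data/SecureHtml; it also guards against the path escaping the folder, which a hand-rolled file action needs once the static file handler no longer does it:

```csharp
using System;
using System.IO;
using System.Web;
using System.Web.Mvc;
using System.Web.Routing;

// Only authenticated users in the "Members" role (role name assumed) reach the action;
// the OWIN cookie middleware populates HttpContext.User, which AuthorizeAttribute checks.
[Authorize(Roles = "Members")]
public class SecureFilesController : Controller
{
    // GET /secure/{*path}   e.g. /secure/docs/index.html
    public ActionResult Get(string path)
    {
        if (string.IsNullOrEmpty(path))
            return HttpNotFound();

        // Physical folder holding the protected HTML (location assumed).
        string root = Path.GetFullPath(Server.MapPath("~/App_Data/SecureHtml"));

        // Canonicalise the requested file and make sure it is still inside root,
        // so ".." segments or a rooted path cannot reach files outside the folder.
        string full;
        try
        {
            full = Path.GetFullPath(
                Path.Combine(root, path.Replace('/', Path.DirectorySeparatorChar)));
        }
        catch (Exception) { return HttpNotFound(); }  // invalid characters or drive-qualified path

        if (!full.StartsWith(root + Path.DirectorySeparatorChar, StringComparison.OrdinalIgnoreCase)
            || !System.IO.File.Exists(full))
            return HttpNotFound();

        // Content-Type from the extension, as the static file handler would have set it.
        return File(full, MimeMapping.GetMimeMapping(full));
    }
}

public static class SecureFilesRoutes
{
    // Call from RouteConfig.RegisterRoutes before the default "{controller}/{action}/{id}" route.
    public static void Register(RouteCollection routes)
    {
        routes.MapRoute(
            name: "SecureFiles",
            url: "secure/{*path}",
            defaults: new { controller = "SecureFiles", action = "Get" });
    }
}
```

Requests for /secure/... still have to reach ASP.NET routing at all, i.e. the StaticFile handler is removed as shown above or a managed handler is mapped for that path; otherwise IIS answers them before this controller ever runs.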

Related

Can WebAPI serve static image files for only certain routes?

I have an ASP.Net MVC 4.5 WebAPI controller (IIS8) that can serve static image files from a repository. The URLs I want to use are like:
http://example.com/blob/image/123412341324.jpg
The trouble is '.jpg' here appears to be going through the static file handler, which for the most part is what I want to keep. I don't want all static files to go through ASP.Net just the ones on this URL path.
Is there any way I can configure ASP.Net to serve up these files without runAllManagedModulesForAllRequests and without modifying the URL, such as removing the file extension? Ideally, an IIS routing mechanism that looks at the folder path /blob/image/:
http://example.com/blob/image/123412341324.jpg -- route through ASP.Net WebAPI
http://example.com/staticimages/123412341324.jpg -- do not route through ASP.Net
http://example.com/anywherelese/123412341324.jpg -- do not route through ASP.Net
I know I could write a separate 'IHttpHandler' but I'd like to route it through the MVC WebAPI controller if possible.
So it turns out this is quite easy to do with handler mappings. I tried a few wildcards but although *.jpeg works blob/image/*.jpeg does not. Eventually, with a little help from this post I came up with the following entry in my app's web.config which does what I need and routes all requests for this controller;
<system.webServer>
<handlers>
...
<add name="my-blob-jpeg-ExtensionlessUrlHandler-Integrated-4.0" path="blob/image" verb="GET,HEAD,POST,DEBUG,DELETE,PUT,PATCH" type="System.Web.Handlers.TransferRequestHandler" preCondition="integratedMode,runtimeVersionv4.0" />
...
</handlers>
</system.webServer>
It's not specific to image files but I don't plan on putting any other static content along that path so I'm good.

Fire events for requests to static content without setting runAllManagedModulesForAllRequests to true

I'm looking for a more precise solution to handle requests for static contents by the ASP.NET lifecycle without setting runAllManagedModulesForAllRequests to true.
As far as I know, the effect of runAllManagedModulesForAllRequests = "true" is that the precondition attribute of each module is set to "".
The problem:
I have to protect static content in a subfolder of a web application against unauthorized access.
To include requests to those static contents in the ASP.NET lifecycle and therefore having some events fired, I set runAllManagedModulesForAllRequests to true in web.config.
Because this solution turns the big wheel and all managed modules are affected for the whole application, I'm looking for a more adapted solution restricted to the subfolder where this behavior is required.
I need a solution for IIS6 and IIS7.
Question 1:
The precondition of which modules has to be reset (precondition = "") to fire global.asax.cs events (e.g. Application_BeginRequest) for requests for static content?
Question 2:
Is it possible to limit this request handling to requests to a single subfolder (e.g. perhaps by placing an adapted web.config in this subfolder, tweaking the main web.config, ...)?
Any suggestions would be appreciated. Thanks.
Have you thought in the direction of registering a custom HttpModule for the right event of global.asax, and then enabling the HttpModule only for the sub directory using the location attribute in the main web.config itself? It is just a thought of a possible solution - I haven't thought it through..
<location path="subDirectoryPath">
<system.web>
<!-- section name is case-sensitive: httpModules, not httpmodules -->
<httpModules>
<add type="MyCustomModule.Name" name="MyCustomModule" />
</httpModules>
</system.web>
</location>
EDIT:
You may have to override your web.config, bring in the whole httpModules section, and then insert the custom module at the right place, with the right precondition.
This is to avoid setting runAllManagedModulesForAllRequests to true.
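As an added example of the custom HttpModule sketched in the answer above (not the answer's own code), assuming the subfolder ~/subDirectoryPath/ and a role named "Members"; the module does its own path check, so it does not depend on a location-scoped registration:

```csharp
using System;
using System.Web;

// Denies requests for anything under one subfolder unless the user is
// authenticated and holds the required role. Folder and role names are assumptions.
public class SubfolderAuthorizationModule : IHttpModule
{
    private const string ProtectedPrefix = "~/subDirectoryPath/";
    private const string RequiredRole = "Members";

    public void Init(HttpApplication app)
    {
        // AuthorizeRequest fires after the authentication modules have set context.User.
        app.AuthorizeRequest += OnAuthorizeRequest;
    }

    private static void OnAuthorizeRequest(object sender, EventArgs e)
    {
        var app = (HttpApplication)sender;
        HttpContext ctx = app.Context;

        // Already canonicalised by ASP.NET, e.g. "~/subDirectoryPath/page.html".
        string path = ctx.Request.AppRelativeCurrentExecutionFilePath;
        if (!path.StartsWith(ProtectedPrefix, StringComparison.OrdinalIgnoreCase))
            return;  // not in the protected folder: let the request continue untouched

        var user = ctx.User;
        if (user == null || !user.Identity.IsAuthenticated)
        {
            // Forms/cookie authentication turns a 401 at EndRequest into a login redirect.
            ctx.Response.StatusCode = 401;
        }
        else if (!user.IsInRole(RequiredRole))
        {
            ctx.Response.StatusCode = 403;
        }
        else
        {
            return;  // authorized: fall through to the static file handler
        }
        app.CompleteRequest();  // skip the handler, go straight to EndRequest
    }

    public void Dispose() { }
}
```

For the module to see static requests at all on IIS 7 integrated mode, register it under <system.webServer><modules> without the managedHandler precondition (or with preCondition=""), which is the per-module version of what runAllManagedModulesForAllRequests does globally.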

IIS and Static content?

According to Ultra-Fast ASP.NET: Chapter 3 - Caching:
Files that the browser retrieves from the server should be stored in the browser's cache as long as possible to help minimize server round-trips.
But how does IIS know what static content actually is and is not?
Is it just images, CSS, JS and not ASPX, ashx...?
Where can I see in IIS what is already considered to be static and what is not?
What about the scenario where a page has been declared with an <%@ OutputCache header (without location)? Are the images, CSS and JS source files inside of it also being output cached with the same properties?
As a best practice, I should set one year into the future as the maximum expiration time. I should use that as the default for all static content on the site.
So I did this:
But later, after pressing OK, I can't find any summary menu that shows me to whom I already applied a response header (in this case: the css folder).
Currently, in order to see that the css folder has been applied with response headers, I have to go to the css folder again --> HTTP Response Headers --> Set Common Headers --> and then I see it. It isn't written in the web.config.
But if I do it for a file (Login.aspx for example): I do see it in web.config:
<configuration>
<location path="Login.aspx">
<system.webServer>
<staticContent>
<clientCache cacheControlMode="UseExpires" cacheControlMaxAge="1.00:00:00" httpExpires="Fri, 15 Feb 2013 00:00:00 GMT" />
</staticContent>
</system.webServer>
</location>
</configuration>
I understand your situation. Sometimes it's confusing how IIS handles a file. It's also different for IIS 6 vs IIS 7 and different for Classic app pools and Integrated mode app pools. My experience is mostly with Integrated app pools on IIS 7.5, so that's the environment I can comment on most accurately.
First Question
But how does IIS know what is actually static content and what is not?
Is it just images, CSS, JS and not ASPX, ashx...?
Where can I see in IIS what is already considered to be static and what is not?
You can inspect the list of file handlers in IIS by navigating to your website and then click 'Handler Mappings'. By default these are inherited from the .Net base web.config which is in a different location depending on your .Net framework version.
C:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\web.config
C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\web.config
If a file being requested isn't already explicitly mapped to another handler, it falls to a catch-all handler (*) as the last option (System.Web.DefaultHttpHandler), which determines if it is a static file or a directory browsing request. So static files are simply files not bound to another handler already. For example, you'll see that *.aspx is already mapped to System.Web.UI.PageHandlerFactory prior to this default handler, so it's going to be processed by that handler and not be considered a static file. If you removed that mapping you could technically serve *.aspx as a static file if you really wanted to (just as proof of how it works).
But you can also explicitly list a file type as a static file by adding an entry in your web.config's handlers section mapping the file extension to System.Web.StaticFileHandler in IIS. For example:
<configuration>
<system.webServer>
<handlers>
<add name="StaticHandler" verb="*" path="*.zip" type="System.Web.StaticFileHandler" preCondition="integratedMode" />
</handlers>
</system.webServer>
</configuration>
This example is using the <system.webServer> config section, so it's for an app pool running in Integrated Mode.
Second Question
What about the scenario where a page has been declared with an <%@ OutputCache header (without location)? Are the images, CSS and JS source files inside of it also being output cached with the same properties?
No. Because the page is being served as a separate request (maybe even by a separate handler) it can have totally different cache headers/hints. The host page and the resources it may use are not related from a caching perspective.
In fact you may even want to have a shorter cache period for *.html and a longer cache period for *.jpg or *.png? Something to consider.
Third Question
As a best practice, I should set one year into the future as the maximum expiration time. I should use that as the default for all static content on the site.
Hmm... I might not go as far as one year. How about one month? I would set a global policy like this:
<configuration>
<system.webServer>
<staticContent>
<!-- Set expire headers to 30 days for static content-->
<clientCache cacheControlMode="UseMaxAge" cacheControlMaxAge="30.00:00:00" />
</staticContent>
</system.webServer>
</configuration>
This is the same as the sample you showed above, but it is not inside a <location> element; instead it is right in the root <configuration> element, so it is the default policy. Again, this is for an app pool running in Integrated Mode. Sometimes you also need to turn on:
<configuration>
<system.webServer>
<modules runAllManagedModulesForAllRequests="true">
<!-- stuff -->
</modules>
</system.webServer>
</configuration>
This just makes sure that static files are processed through the managed static file handler, which respects the above configuration elements.
Edit to Address Comments
The documentation for the configuration dialog you posted above is located here: Configure the HTTP Expires Response Header (IIS 7)
Apparently these settings are saved in C:\Windows\System32\inetsrv\config\applicationHost.config
I do not have IIS7 and personally develop on IIS 7.5 now. So please post a comment if you can verify this location is accurate!
Static content is content that IIS reads and sends to the browser without any processing. There you can set up IIS to include a Cache-Control header to cache it on the clients' browser computers.
You can do that either by direct setup in IIS, or by commands in web.config as you say. The commands that you add in web.config and that concern IIS have nothing to do with ASP.NET itself, but with IIS, and IIS saves its configuration in a different file, so when you change the cache control headers directly in IIS you do not see them in web.config.
Now for static content like images, CSS, JavaScript, and other similar files, they say that you can follow the "never expire" policy by adding a 10-year expiry.
The issue here is that you cannot change the content of the static file: if, for example, you cache a JavaScript file for 10 years and you make a small change to it, then you need either to change the file name or to add some parameter at the end of it.
Now the <%@ OutputCache on a control refers to the server cache and not to the client, and what it actually does is cache the rendering of the control on the server, so the next time you ask for it, it does not lose time rendering it again but reads it from cache; it is still sent to the browser.
And you can also read this answer for some more: What are difference between IIS (Dynamic and Static) cache, OutPutCache and browser cache

Static files causing new sessions to be created

Why does a request for a .gif image cause the session_start event to fire in my asp.net application?
In my local IIS I tried setting up a module mapping for *.gif pointing to StaticFileModule thinking that would prevent IIS from routing the request through asp.net, but for some reason my session start event is still firing when just requesting this single image.
Can anyone advise what needs to be set in IIS to prevent this from happening?
Thanks
I think you may also have to disable Session State for those folders:
https://serverfault.com/questions/77852/is-it-possible-to-set-a-folder-as-cookieless-in-iis7
Do you have a modules section within your web.config which has runAllManagedModulesForAllRequests set to true? This causes all requests (including .gif, .jpg, etc) to go through asp.net, not just managed ones.
Anything like this:
<modules runAllManagedModulesForAllRequests="true">
...
</modules>
Or alternatively, have you defined any custom <httpHandlers> within your web.config?
It sounds like your CRM might be causing the asp.net runtime to handle the request (is it a separate .NET app? and if so, what about its web.config?)

Neither HttpHandler nor HttpApplication is getting called for /

I have an IHttpHandler registered like this:
<httpHandlers>
<add verb="*" path="*" type="MindTouch.Dream.Http.HttpHandler, mindtouch.core"/>
</httpHandlers>
Which catches /foo, /foo/bar, etc. just fine, but on / the Visual Studio built-in server does not hit either the HttpApplication or my handler.
That's the way to do it. Your web server/site will have a setting which specifies the default document to serve for a directory. If not present or not set, the web server will attempt to serve either the directory listing which should be turned off for security, a security error if the listing is not available, or nothing.
So in your case prior to the default document existing, "/" was not actually making an application request.
I fixed it and I think I recall this being an ancient ASP.NET issue:
I created a file called Default.htm, which ASP.NET will try to resolve the / path to and since there is now a real path to resolve to, the HttpApplication gets called, incidentally with a path of /default.htm.
Is there a less hacky solution to this? Gladly would accept a different answer than my own :)
