ASP.NET ascx.cs via GET - asp.net

Say I have this url:
http://site.example/dir/
In this folder I have these files: test.ascx.cs and test.ascx
Just to be clear, I am not a .NET developer.
From a security point of view - why can't I access http://site.example/dir/test.ascx.cs and how secure is it to keep those files there?
I assume IIS filters out request that query these kind of files, but can someone explain me this?
Thank you.

You just explained it yourself. IIS won't serve those files.

When you register ASP.NET with IIS (aspnet_regiis.exe) it will add common extensions and associate them with the ASP.NET handler. As far as the .cs extension is concerned it is filtered and not served by IIS. It is absolutely safe to have these files there, but I would recommend you to use an ASP.NET application project (in contrast to ASP.NET website) which is precompiled and you don't need to deploy source code files on your server.
(source: wewill.cn)

Related

publish asp.net webapplication in single files

I have an ASP.NET WebApplication (not Website) that was written with C#.
I want to publish and deploy this application for more than 50 sites in my server.
I would prefer to make some dlls and put them in GAC of my server so all sites will use dlls from GAC and then I can update all my sites just with replacing some dlls in GAC.
When I publish my application I get a single dll for all .cs files but all .aspx files remain.
I want to merge .aspx files to single assembly too.
Is there any way?or any other idea for my case?
in your web project properties:
package/publish web
check - precompile this application before publishing
advanced - merge all output to a single assembly
When you go to the publish settings there is an option to 'make site updatable', if you untick that all the cs code will be merged into the app_web.dll.
You will still have all the seperate aspx pages, since those define the entry point into the code. To my knowledge the only way to merge those would be to copy/paste all the seperate aspx pages into the default.aspx, and wrap them in <asp:Panel ID="HomePage" Runat="Server" Visible="False"> and then set the right panel visible in the Page_Load depending on the QueryString. You can use URL rewriting to still get nice URLs.
Depending on how many pages you have, and how big they are in code, I would probably not do this myself. But if you find the result of having 1 page outweighs the rest, it is technically possible.
Download IIS Module: http://www.iis.net/downloads/microsoft/url-rewrite
Making rules: http://www.iis.net/learn/extensions/url-rewrite-module/creating-rewrite-rules-for-the-url-rewrite-module
Another option, maybe, is to just host the application on a subdomain and iframe it where it is needed. This might not be possible due to cross-origin problems, depending on your setup, but it would be a 'cleaner' way to work.
Hope this helped.

WebService on IIS with IIS-Manager

I just created a simple test WebService with Asp.net called
MyWebService.asmx
I can't access it from exteriour, cause Visual Studio don't allow this..
So I wanted to make a own IIS Webserver to host my Webservice, but
how do I add my "MyWebService.asmx" to the IIS with the IIS-Manager?
Hope someone can help me.. Google didnt help me a lot
You have to publish this WebService (right click on the project -> Publish) and host it using IIS like a regular Web Application.
Just create a new application, as you would do if you create a "real" ASP application
put, for completeness and to be sure the app is running a default.aspx into the root dir, which says something like "app is running!"
put the ASMX file into the directory (i think it will be place in the APP_CODE directory, but i'm not sure 100%)
config your webservice in the global.asax, without it nothing will happen (hint: also configure the help page for webservices, otherwise users accessing it will get the interface description in the browser)
A longer description of that can be found here: http://msdn.microsoft.com/en-us/library/8wbhsy70%28v=vs.80%29.aspx

ASP.NET - IIS Custom Mapping Extensions - How?

I am wondering how one goes about creating/rerouting my custom developed .ASPX pages on IIS 6.0 pages to something totally custom w/o the .aspx extension, say, .vato? For example, instead of my page saying: Default.aspx?ID=123, I would like users to see: Default.vato?ID=123.
What concept is? Is this doable? Where can I research more on this topic?
Yeah, read this:
http://www.microsoft.com/technet/prodtechnol/WindowsServer2003/Library/IIS/4c840252-fab7-427e-a197-7facb6649106.mspx?mfr=true
Create a new entry for your new extension and map it to the same executable as the .aspx handler.
The common one is to add a wildcard. This allows you to have URLs without extensions at all. IMO, that's much preferred because extensions make little sense on the internet.
It's not so much a .net question as it is an IIS question.
Basically, IIS looks at what extension is being requested and responds accordingly.
There is a list of all file extensions and what actions should be taken when these are requested. In terms of .net, these are .aspx, .ascx, asmx, etc. These are basically ISAPI filters.
Depending on your version of IIS. If you open IIS Manager, choose the website in question, go to Properties, then Home Directory, then Configuration, under Mappings you will see all file extensions and the application that will be called to action this request.
Therefore, if you add an entry for .vato, and point it to your version of .net, such as C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_isapi.dll then the .vato file will then be treated the same as a .aspx files.
In IIS (6.0) click on "Configuration" on your Web Site page and you can add mappings there. It must reference the same ASP.NET ISAPI DLL as for example the ASPX pages.
You can also add * and have all requests route to a HTTP module but that's a little more advanced and useful for the likes of REST.

using system.web.authorization settings in web.config to protect classic asp files?

I've got a virtual directory with a vast subfolder hierarchy and thousands of classic ASP files, all of which have varying permissions set at the NT folder level (don't ask.. shakes head).
Is there any way to setup all these virtual directories with their own web.config so i can control access via configuring system.web.authorization parameters therein and doing away with folder level permissions?
I've tried and so far have only been able to have this work on asp.net files, not classic ASP.
If it isn't possible, can someone offer some alternatives?
Because clasic ASP has no idea about the ASP.NET runtime due to the fact that it is a) classic and 2) isn't .NET, you can't use the .NET configuration to manage the permissions.
Your options though would be:
Upgrade to IIS7
Rename all you asp pages to aspx
Change your asp handler to aspnet_isapi.dll (which is the .net handler)
While 2 and 3 may work you will need to completly test these pages to make sure that they still work as intended.
I would say the best bet would be to just use the file system ACLs to control who can access the folders. Just because you don't understand them doesn't mean that they don't have their place.
You can use wildcard mapping so that all file types will be handled by the ASP.NET runtime in IIS6; however, even with this turned on permissions are not handled through the web.config. Windows authentication in both classic and .NET uses the file permissions to determine access.

ASP file being caught by .NET isapi

I need to serve up a few .asp pages from within my ASP.NET site.
This ASP.NET site has a handler that allows us to serve up pages out of the database instead of finding them on disk (where the .asp files are located).
The problem appears to be that the .NET isapi (C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\aspnet_isapi.dll) is catching my request... at that point, it is going to the database and not finding the file.
My question: why is ASP.NET catching my request? I would think it should come in and use the proper extension mapping for .asp (C:\WINDOWS\system32\inetsrv\asp.dll).
Is there a way to tell ASP.NET to leave the .asp files alone?
one alternative is to set up a virtual directory which only can execute .asp and without asp.net support.
It sounds like you have a wild card script mapping in your application configuration forwarding all requests into the aspnet_isapi.dll. Is the a .asp mapping to asp.dll?

Resources