Where does Railo store files created by when using the file attribute?
I.e.
<cflog file="mylogfile" text="SOME ALERT HERE">
The 'Tag Reference' in the Web Administrator does not give an indication, and neither does http://wiki.getrailo.org/wiki/3-1-Tags:CFLog
I tracked it down with a find command:
/opt/railo/webapps/ROOT/WEB-INF/railo/logs/
The /opt/railo/ part will vary depending on where railo was installed.
Railo stores log files in the Web-Inf directory for each web context if multiple contexts are allowed in your settings (Tomcat for example). Otherwise, they are stored in the main installation.
Related
I've had a very frustrating experience on putting an MVC 5 app on Azure. I have been reading the following page: http://www.asp.net/identity/overview/features-api/best-practices-for-deploying-passwords-and-other-sensitive-data-to-aspnet-and-azure
But what I haven't managed to put in my head is the following:
Security Warning: Do not add your secrets .config file to your project or check it into source control. By default, Visual Studio sets the Build Action to Content, which means the file is deployed. For more information see Why don't all of the files in my project folder get deployed? Although you can use any extension for the secrets .config file, it's best to keep it .config, as config files are not served by IIS. Notice also that the AppSettingsSecrets.config file is two directory levels up from the web.config file, so it's completely out of the solution directory. By moving the file out of the solution directory, "git add *" won't add it to your repository.
And:
Security Warning: Unlike the AppSettingsSecrets.config file, the external connection strings file must be in the same directory as the root web.config file, so you'll have to take precautions to ensure you don't check it into your source repository.
The problem is the following: When I upload the Web.config file with the external files without being included I get hit by "The System cannot find the file specified", so for it to go away I must include the .config files defeating the purpose of Microsoft's post.
I really really really do not understand. I have added the connectionStrings and appSetting's keys in Azure's portal. What is the correct and secured way of putting my passwords and secrets online? What am I missing? Is it because I'm running in Debug mode?
According to this:
How can I secure passwords stored inside web.config?
There is nothing to worry about accessing the Web.config file...
But that just defies Microsoft's post.
Thanks.
I find the following technique to be the easiest way to do this.
Instead of putting the deployment values of these settings into the web.config, I keep the test values in there instead. I then put the deployment values into the Application Settings section of the Azure Website via the Azure Portal:
When the website runs, these settings will take precedence over what is in the web.config. This helps me avoid externalized files, allows me to keep sane development configuration that the team can share, and makes deployment very easy.
The best way is to set your secrets in the Connection Strings section of the portal. Any values set there will override values you specify in your web.config file.
This way they are only exposed to people who have admin access over the site itself. Having full access to the source won't even be enough to get the secret values.
More details here
I've written an ASP.net web application. In the interest of following the advice in "The Pragmatic Programmer" to put application logic in configuration, I wrote a large XML file that describes various business rules.
When I test the application on my local development workstation, I copy the file to c:\xxxxx\myfile.xml and then write the code to read the file from this location.
What is the correct way to deploy this xml file as part of my web application so that it gets read from the directory in which the web application is deployed?
Update: The XML file in question is for server-side configuration and should never be available for download to the end-user.
If you're not embedding this as a resource, you should:
Create a directory under which this file will reside.
Create the file and set its Build Action to Content.
Create a web.config file in that directory which forbids access to the directory so you don't expose your business rules to the Internet.
Add a setting in your application's main web.config that gives the path to this file relative to the root of the application, i.e. "~/MySecureFolder/MyBusinessRules.Xml".
Have some code that calls HttpServerUtility.MapPath Method to convert the value from the setting in web.config to a virtual path.
I don't know if this is what you want - Click on the XML file, then open the Property Window and find the "Build Action" property. Set the value to "Embedded Resources"
I think what you need to do is:
Add the XML file to your web application project in Visual Studio
Right click on the file and select 'Properties...'
Set the Build Action to 'Content' and Copy to Output Directory to 'Do not copy'
this will ensure that your XML file is deployed along with the rest of your web app.
If you want to make available your XML file from http requests to your server, you should
place it in your web publication folder.
This ASP instruction should help you to find your publication path:
Request.ServerVariables("APPL_PHYSICAL_PATH")
how can we find the path of browser default downloads folder in c# / asp.net?
For example I can get the path of user desktop like :
Environment.GetFolderPath(Environment.SpecialFolder.Desktop)
Thanks..
You can't find that out in a web application. It's up to the user to decide which browser to use and how to configure it and where to save downloaded files by default and you have absolutely no way of interfering or even knowing his choices from a web application.
First of all looking at MSDN on Environment.SpecialFolder there is no download folder, and the reason is that this is different for every browser.
http://msdn.microsoft.com/en-us/library/system.environment.specialfolder.aspx
And there have nothing to do with asp.net, if you look it from the server side you just get a directory on nowhere, meaning that this have nothing to do with the web application that run under the pool.
What you can do
You can use the HttpRuntime.AppDomainAppPath and use it to know where your site lives, and there place a "download" directory and use this full path:
HttpRuntime.AppDomainAppPath + "download/"
for download/upload files.
The server is IIS7.
Is there a way to disable web.config files in subfolders?
I am asking because, I have a folder on the web server that is for uploads. When someone uploads files, a new folder is created for the user's session and the files they upload go in the folder.
So the path to uploads would be like this:
~/uploads/3F2504E0-4F89-11D3-9A0C-0305E82C3301/somefile.txt
In the ~/uploads/ directory there is a web.config file that removes all http handlers except the static file handler and adds a wildcard mime type. So every file that a user uploads will only ever be served statically.
If a user uploads a web.config file, I want to disallow any of the settings in that file from being applied.
How can I do this?
EDIT
Could I just make the upload folder an application that is a member of an application pool configured to run in Classic mode instead of Integrated Pipeline mode? That way it wouldn't even care about a web.config file.
EDIT 2
Is there another type of webserver I could install for serving all files statically? I could just access the files through a different port. Is there some software that I can be sure wont run any scripts and is safe.
I simply wouldn't allow them to upload a file with that name. In fact, I normally wouldn't trust any filename that the user gave me... makes a great candidate for an injection-style attack.
Ok I have a different angle on this...
What if your uploads folder was not part of the website and instead part of the file system? This way ASP.NET is not processing requests to the folder and thus web.config wouldn't be loaded by the ASP.NET runtime.
You'd have to give your app pool's account read/write access to the file system where these files are stored, but I think it better fits what you're trying to accomplish.
Obviously it could be done in code.
If the folders always exist, you could pre-populate with a web.config with no (significant) content and an ACL to ensure it cannot be overwritten, but looking at the path it I suspect you create the upload folders dynamically which means this would not work.
I don't believe there is a way to tell IIS not to use a web.config (but I could be wrong). Personally, I would add a check to my save code and rename the file.
Why not just check the filename first to prevent the user from uploading a file named web.config? You're probably going to want to check for other things too before allowing the upload - files that are too big, etc.
I have an application with 2 directories (books and export).
If we create a book or a page of a book in the application a directory is added with the id of the page (this is for uploading resources).
If we delete a page, the page (and it's directory) is removed from the database and the filesystem.
However this resulted in a session loss (even an application restart). I've looked up some thing on google and found the following link.
It seems to be a problem in ASP.NET 2.0 (and 3.5).
We are now thinking about writing a service that will clean up the directories at night.
But there has got to be another solution for this no?
Oh and putting the directory outside the virtual directory is not an option.
Try disabling the monitoring of File System. This will prevent your session alive.
This article may be usefull for you.
Oh and putting the directory outside
the virtual directory is not an
option.
Putting the directory outside the virtual directory is the only solution I found (so far). What you can do, is to create a link (junction) in the file system so that the directory appears to be inside the virtual directory, e.g:
Our web site (virtual directory) is located at C:\projectX\website
the data directory (where we create/delete files and folders) is located at C:\projectX\data
then we create a link which makes the data folder available as C:\projectX\website\data
The link is created using the program Linkd.exe (available in the windows resource kit), with the following command:
linkd c:\projectX\website\data c:\projectX\data
Now c:\projectX\website\data is a link/junction which points to the real data directory. You can work with the link as if it were a physical directory.
E.g. in your web site you can access it using this code:
Server.MapPath("~/data")
And you can also used the windows file explorer and browse to C:\projectX\website\data. It appears just like a real directory.
There seems to be a supported hotfix which achieves the same as the article Sachin mentioned (turn off the file change notifications in a web site).
Check this article in the microsoft KB for more information.
But since you mentioned in a comment, that you do not have access to the server, I guess this will also not help in your case.
For storing data files that are frequently updated, created and deleted you need to use App_Data folder in the root of the web site. MSDN for App_Data folder states:
Contains application data files
including MDF files, XML files, as
well as other data store files. The
App_Data folder is used by ASP.NET 2.0
to store an application's local
database, which can be used for
maintaining membership and role
information.
Also check Q&A section for App_Data folder usage: App_Data folder question
I had the same problem. The solution is to externalize the session handling by using the ASP.Net State service. The only draw back is that every object you place in the session needs to be serializable, as it is transferred to the state service and back.
I currently do not have the possibility to provide further links, but google will help you, now that you know what to search for.