Different security behavior embedded server vs. IIS

This is the place to report bugs and get support. When posting in this forum, please always provide as much detail as possible.

Please do not report problems with a custom build or custom code in this forum. If you are producing your own build from the source code and have problems or questions, ask in the developer forum, do not report it as a bug.

This is the place to report bugs and get support

When posting in this forum, please try to provide as many relevant details as possible. Particularly the following:

  • What operating system were you running when the bug appeared?
  • What database platform is your site using?
  • What version of mojoPortal are you running?
  • What version of .NET do you use?
  • What steps are necessary to reproduce the issue? Compare expected results vs actual results.
Please do not report problems with a custom build or custom code in this forum. If you are producing your own build from the source code and have problems or questions, ask in the developer forum.
This thread is closed to new posts. You must sign in to post in the forums.
12/2/2008 12:05:09 AM
gardea
Gravatar
Total Posts 1
View Posts

Different security behavior embedded server vs. IIS

I am trying to securely publish some htmls (autogenerated) along with regular mojoPortal content. So I’ve created a folder structure under root (like secure/fiscal08) and copied the entire html under secure/fiscal08. In this folder I also put a web.config with only location/authorization/etc. to restrict access (authenticated users only).
When using the embedded server everything works as expected: when trying to access a page under secure/fiscal08, the user is redirected to the login page, and then, after login, to the page initially requested.
However, after deploying same thing to IIS, all the content is wide open. Any idea why is there a different behavior? Thank you.
 

12/2/2008 4:48:18 AM
Joe Audette
Gravatar
Total Posts 18439
View Posts

Re: Different security behavior embedded server vs. IIS

Its because using the VS web server, .NET handles requests for all files including .html .css etc, but in IIS this is not the case, so those kind of files can't be secured by .NET on IIS without special configuration of IIS, because by default IIS handles those requests directly and .NET is not involved. In IIS 6 you would need a special isapi handler, in IIS 7 it may be easier with some of the new modules they have.

Hope it helps,

Joe

You must sign in to post in the forums. This thread is closed to new posts.