Thread: [RESOLVED] ASP.NET application local directory security question.

  1. #1

    Thread Starter
    Frenzied Member
    Join Date
    Feb 2008
    Location
    Texas
    Posts
    1,288

    [RESOLVED] ASP.NET application local directory security question.

    So I have an internet application that multiple users can access (anonymous).
    I also have an intranet application that only certain domain groups/users have access to.

    I'm using the membership class for user authentication/authorization for the internet site.
    When a certain user is given access to a certain folder, a database record is written (for the page display)
    and then I'm also writing a <location> tag to the public site's web.config to only allow that user and also any others that have db records having access.

    So if John, Joe and Paul all have access to Directory1/* then:

    <location path="Directory1">
      <system.web>
        <authorization>
          <allow users="John,Joe,Paul" />
          <deny users="*" />
        </authorization>
      </system.web>
    </location>

    The only problem is, if multiple admins are planning to use this page, concurrency will be an issue. Is there a way to authenticate on the directory level through some sort of httpmodule or something that is secure and has the same effect?

    I want to lock them down not only on the application level, but also the folder (NTFS?) level.

    Thanks,

    Justin
    You down with OOP? Yeah you know me!
    MCAD and MCMICKEYMOUSE (vb.net)

    ----

    If it even kinda helps... rate it : )

    Edit a Multi-page .tif file and save.

  2. #2

    Thread Starter
    Frenzied Member
    Join Date
    Feb 2008
    Location
    Texas
    Posts
    1,288

    Re: ASP.NET application local directory security question.

    I'm already logging file access in an httpmodule on the AuthenticateRequest event, I believe. I'm storing the directory that the user has access to (hashed casenumber). I guess I could just get the parent directory of the file and see if the current httpapp.user actually has access to that folder name in the db. Is there any type of attack that can circumvent this approach?

    Justin
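
The directory-level check described in the two posts above, as an added example that is not part of the original thread: an `IHttpModule` that authorizes each request against per-folder grants, denying unless the authenticated user is listed. `FolderAccessModule`, `Grants` and `TopFolder` are hypothetical names, the in-memory dictionary is a constructed stand-in for the database table, and the check is hooked on `AuthorizeRequest` rather than `AuthenticateRequest` as an assumption of this example.

```csharp
using System;
using System.Collections.Generic;
using System.Web;

// Hypothetical module: access is looked up per request, not written to web.config.
public class FolderAccessModule : IHttpModule
{
    // Constructed stand-in for the database grants (folder -> users).
    // A folder listed here with an empty set is still protected (deny all).
    private static readonly Dictionary<string, HashSet<string>> Grants =
        new Dictionary<string, HashSet<string>>(StringComparer.OrdinalIgnoreCase)
        {
            { "Directory1", new HashSet<string>(
                new[] { "John", "Joe", "Paul" }, StringComparer.OrdinalIgnoreCase) }
        };

    public void Init(HttpApplication app)
    {
        // AuthorizeRequest runs after authentication, so Context.User is set.
        app.AuthorizeRequest += OnAuthorizeRequest;
    }

    private static void OnAuthorizeRequest(object sender, EventArgs e)
    {
        var app = (HttpApplication)sender;
        // Path as ASP.NET resolved it ("~/Directory1/sub/file.tif"), no query string.
        string folder = TopFolder(app.Request.AppRelativeCurrentExecutionFilePath);
        HashSet<string> users;
        if (folder == null || !Grants.TryGetValue(folder, out users))
            return; // not under a protected folder
        var user = app.Context.User;
        bool allowed = user != null && user.Identity.IsAuthenticated
                       && users.Contains(user.Identity.Name);
        if (!allowed)
        {
            app.Response.StatusCode = 403; // refuse; do not serve the file
            app.CompleteRequest();
        }
    }

    // First path segment below the application root, or null at the root.
    internal static string TopFolder(string appRelativePath)
    {
        string[] parts = appRelativePath.TrimStart('~')
            .Split(new[] { '/' }, StringSplitOptions.RemoveEmptyEntries);
        return parts.Length == 0 ? null : parts[0];
    }
    public void Dispose() { }
}
```

A managed module only sees static files (such as .tif or .pdf) when IIS runs it for all requests in the integrated pipeline; otherwise only ASP.NET-handled extensions pass through this check, and NTFS permissions remain the separate second layer the first post asks about.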
