I Have a application in my IIS but its paths, files are open to anyone that request them. I used url rules to block the access, but my application don't have access too when i do this. How I do to block access for external clients but not to my application? (My application access yours files like a client too Ex: The url to my application is www.example.com/app, but if the user type www.example.com/app/users.xml is possible access it. When I block, its not possible access xml file, but the application don't have access too, but i don't want this).
Please help me!
Put sensitive files in App_Data subfolder, all files in that folder will not be published on web server.
Related
I have a bunch of 3D models on my web app and they are accessible to public to see but I don't want anyone to download them. I use Amazon S3. Is there any way to achieve this?
In the default web app - as already commented - if the client can "see" the resource, it is already on the client's side.
There are two aspects of the question. You want to prevent accessing the models from the public (unauthenticated) client or even the authenticated.
To prevent unauthorised access to S3 resources used for web apps, the common option is using the pre-signed S3 url. The application generates temporary resource link only for authorized users.
If you want to prevent access to resources even authorized users, to you can render the view on the server side e.g. see AWS AppStream
I'm working on a web portal where a user is authenticated by LDAP through a perl CGI form. The authentication process uses the Net::LDAPS module. When logged in, the system keeps the user's authenticated status and creates a CGI cookie and the user can perform various actions through the portal, mostly interactions with a database, until the user logs out.
On the same server there's a directory with some files. I want a user to be able to log in to the web portal and then browse the file directory and be able to download those files.
The simplest way I can think of is placing an htaccess file with "Options +Indexes" and ldap authentication into the directory, but that would require another login that's not linked with the web portal.
Is there a way to link the web portal cgi-based ldap authentication to htaccess file?
You mention that the user can log out and then no longer use the portal. But there is no portable way for logging out a user with basic authentication. They will be able to continue browsing the directories.
Instead of your CGI script that authenticates the user, you can simply configure LDAP authentication for both the data directories and the portal. Ugly, but it would work.
The better and cleaner option for you will be to provide access to the data directories not directly but through the portal only. If you use Apache's path info feature (https://httpd.apache.org/docs/2.4/de/mod/core.html#acceptpathinfo) you don't even have to bother about checking the path for malicious "../../.." constructs and the URIs will look very natural to your users.
In IIS 7, how do you configure folder access for basic authentication against domain?
I've done the following:
Enabled Authentication - Basic Mode.
This seems to work for regular folders, but once I convert the folder to an Application in IIS, users get rejected unless I add them specifically to the Security item in Windows. Do I need to do this for every single user?
What if I need all members of domain to access a given url?
I want to create a web page, that will serve to authenticate users based on credentials I give them (user1, pswd1 etc).
Only after a user authenticated, he should have access to a few other web sites,
on different folders of the web server, but which have no server side code(otherwise it would be simple.)
The user should be allowed access to the other sites, e.g. based on his IP,
for 24 hours or another period, or while he has the authentication site open on his browser.
The purpose if that the user will not have to enter credentials on each site,
and will enter his credentials only once, or once a day.
Restrictions:
I don't want to modify the target web site javascript code at all, e.g. to query a web service.
The user should be granted access using any browser,
so I assume I cannot use cookies.
If I would develop such a mechanism on Apache,I could, for example, have the authentication site PHP code add a line "Allow from ip" to the htaccess file of each target web folder, whenever a user authenticated successfully.
The issue is that I don't want to develop it as I am sure a solution already exists, and also I need a similar mechanism for both Apache and node.js (although i can live with two different solutions)
What information does the user have to identify themselves? How do you guarantee the user is who they say they are?
The whole point of authentication is to establish the user is who they say they are and that may create a session so that users need not reauthenticate.
If you want the user to authenticate in a single location and then reuse that "session" or set of credentials elsewhere, what you are looking for is single-sign-on / identity federation.
For instance, take airbnb.com. I do not need to authenticate there. All I have to do is authenticate with a third-party e.g. Google or Facebook. As a matter of fact, SO works in the same way.
One of the standards behind this technique is called Open ID Connect. Look into that. If you are willing to dish out money, you can look into commercial solutions e.g. Ping Identity. There is an open source implementation provided by Mitre / the MIT. It's available here.
In fact it occurs to me I can use simple routing.
In the top level folder have php code that does the authentication.
If the user is authenticated, route/redirect to the requested target site,
based on the requested url.
The url should be for example http://mysite/site1, where the authentication code is in the folder mysite, and site1 is not directly accessible.
Perhaps I can use something like php-express to reuse the same php code on node.js.
A developer posts their code from a staging site (which requires authentication) to the live public site (which should not) and suddenly the live site is requiring authentication (which is not good).
They don't have permissions to change any settings on the server(s) and there is no call from the code on the live site to anything on the staging site, that I can locate. (No forgotten calls to an image on the staging site or anything)
Can the group think of some file that might have been removed/changed that could cause this to happen? I checked this question as well - [HTTP Authentication in ASP Classic via IIS] - but none of those methods are being used.
App is Classic ASP, IIS6.0 server.
Security Settings - Anonymous Access permitted on the live site. Account for anonymous internet users allowed read access to the directory where the site is located - user is unable to change directory or site permissions on the server.
Thanks!
Did the files retain their security permissions from the folder they were copied from? Reset the permissions on the files.
Are you using a four-part URL to get to the site (http://www.somesite.com/)? That will default to the Internet zone and not intranet, prompting for authentication.
User will get challenged when Anonymous Access is turned off in IIS. What are the security settings? Without that information, we will not be able to help much.