Block Direct Access To .aspx Pages Using IIS7's URLRewrite Module?
Mar 30, 2011
I am using IIS7's URLRewrite feature to hide the .aspx extension in my ASP.NET WebForms application's URLs.
I'm using the following configuration:
[code]....
I can now browse to:
[URL]
and this is rewritten to:
[URL]
This preserves the "pretty" url in the browser address bar. I have also updated all my links on the site to use the extensionless URLs.
The problem is that the underlying .aspx pages can still be accessed directly and I'd like to prevent this.
If a user browses to [URL] I'd like it to either redirect/rewrite to [URL], or at the very least just return a "Page not found".
Update:
I managed to get this working by redirecting all .aspx pages to the home directory. This isn't ideal as I'd prefer to send them to the non-.aspx version, but it will do for now.
In one of my website I need to prevent direct access to non .aspx pages in a protected folder. Authentication works fine if I am going to [URL] but in one case my users are uploading html pages in that folder and if somebody cut and paste [URL]the page can be seen without the authentication process to be activated.
I have a ASP.NET page called admin.aspx that needs to be protected from direct access.
I want it to be accessed only when the user enter his name & password in another page called login.aspx I'm working in ASP.NET with Visual Basic .NET 2008,how to do it.
I have certain pages in my application that are designed to be accessed only by redirect from other pages, and not directly(i.e they must get a query string from other page, otherwise there is an exception).
So I want to prevent users from accessing them by typing the URL, but I want them to be available by redirect.
I have a security issue in my web application where user can enter malicious data/can change the page path directory. To avoid these i want to restrict the user by accessing/typing in the URL.
There is a strange behaviour with my web app which resides on the deployment server. This problem does not appears on the production enviroment (using the VS build-in development web server)
I am using URLRewriter and forms authentication on my web app. URL rewriting is performed by an http module on AuthorizeRequest. Also, runAllManagedModulesForAllRequests is enabled.
When I am trying to access some specific pages (NOT ALL OF THEM) with a rewriten url, IIS 7 returns me an 404 error.
Here are some of the rewriting rules:
Can be accessed BOTH rewritten and original url: <rewrite url="^/home.aspx" to="/ASPX_FILES/home.aspx" processing="stop" /> <rewrite url="^/product/(.*).aspx" to="/ASPX_FILES/item_details.aspx?id=$1" processing="stop" />
I am working on the migration of the server. Our new server is Windows server 2008 with IIS7.0 I have a great difficulty in browsing the pages hosted in virtual directories. I have followed the proper steps of creating a virtual directories and converting them into applications. But when i try to browsing the pages of the virtual directory, i get the 404 error. Note: The .Net Framework 4.0 is installed on the server and the web applications which i am trying to configure in the virtual directories are developed in Visual Studio 3.0. Even the http://localhost also don't work.
in every page would be painful. I am thinking if there is anyway we can set this in IIS7 (add this header to aspx pages, but not images/css/js). Is it possible ?
Here are the structure of my web site:Login.aspx in the root pathUserInfor.aspx and 1.txt in the sub-directory folder named 'Restricted' Authenticate this website with form authentication configured in IIS, and does not allow anonymous to get into the Restricted folder with the web.config file.I think it should work this way, if I manually access the 1.txt in the browser, I should be able to view the content, and if I go to the modules configuration for this applicaiton in IIS7, find the 'UrlAuthorization' module, and cancle the listbox for 'invoke for requests to asp.net ...', I should be directed to the loginurl setting in the root web.config file when I access the 1.txt file without logging, however, I still can see the content of 1.txt.
I have web services built with ASP.NET and ASP.NET clients consuming them. When consuming the webservices, how would I to force the clients to use https?
I don't want to force the whole site to use https by turning on require SSL in IIS.
Can I use the IIS7 URL rewrite module to re-route http requests to https?
I've used the UrlRewriting.Net module for a couple years now without any problems in Windows XP and Windows 2003. I just recently upgraded my home PC to Windows 7 and started developing a new website.The plan was to use .html extensions and rewrite them to their .aspx counterparts using the UrlRewriting.Net module. Everything works flawlessly in VWD 2008, but when I try running it through IIS7 it is a different story.
When I try to access a page via the .html rewrite I can no longer access Page.User; it keeps returning null. If I hit the page using it's .aspx extension, Page.User is correctly populated. I should also mention that I have a LoginView controller in my Master Page and it suffers from the same symptoms: When accessing via .html extension it shows the AnonyousTemplate; When using .aspx extension it properly shows the LoggedInTemplate. I'm guessing the two are related.
[Note: I've also tried extensionless URLs and they exhibit the same problem]
The only way I've gotten it to work is to switch the application pool to Classic, which then requires me to add an ASP.Net ddl handler for the .html extension [otherwise it is handled by the StaticFileHandler and comes up as a 404 error]. However, I'd like my web app to run properly for people without having to fiddle around with IIS.So I am left with several questions:Does anyone have ideas as to why Page.User always equals null for .html => .aspx rewritten pages?
Why does it work in VWD 2008, but not IIS7?
What changed from IIS6 => IIS7 that could have caused this?
[Note: I just tried a .aspx => .aspx rewrite and it did not exhibit the problem. Not really what I want, but thought I should mention it.]
For example when a user enters www.homeforhire.com they should be redirected to default.aspx (for operational reasons the user is then redirected to www.homeforhire.com/home.aspx).
Instead an error is caught in the Rewrite module (which should not be activated). I am using an http module to perform URL rewriting.
It appears as if the default document setup is not working correctly, and the requested page ~/ is being sent to the Rewrite module, causing an error (which is then caught by my error handler and the user is redirected to the home page).
Entering www.homeforhire.com/default.aspx works correctly.
Can anyone tell me why the default document settings in the web.config do not appear to be working?
http://mysite.com -> https://www.mysite.com OK http://www.mysite.com -> https://www.mysite.com NOT WORKING
I guess the condition is not being satisfied when I enter www.mysite.com in the browser, so there's no redirect and the page serves as HTTP instead of HTTPS.
I think I just need to modify the condition pattern, but I have almost nothing regex knowledge and I need this asap.
Using VS 2010 RC, VB, and Forms authentication to allow access to the site, depending on the login rights of a user, I want to turn on and off access to certain pages. I can turn on and off buttons to access the pages, but a user can type the page into the url, and it will still go to them.
[FYI - Posted the same thing over at StackOverflow]I've used the UrlRewriting.Net module for a couple years now without any problems in Windows XP and Windows 2003. I just recently upgraded my home PC to Windows 7 and started developing a new website.The plan was to use .html extensions and rewrite them to their .aspx counterparts using the UrlRewriting.Net module. Everythingworks flawlessly in VWD 2008, but when I try running it through IIS7 it is a different story.
When I try to access a page via the .html rewrite I can no longer access Page.User; it keeps returning null. If I hit the page using it's .aspx extension, Page.User is correctly populated. I should also mention that I have a LoginView controller in my Master Page and it suffers from the same symptoms: When accessing via .html extension it shows the AnonyousTemplate; When using .aspx extension it properly shows the LoggedInTemplate. I'm guessing the two are related.[Note: I've also tried extensionless URLs and they exhibit the same problem]The only way I've gotten it to work is to switch the application pool to Classic, which then requires me to add an ASP.Net ddl handler for the .html extension [otherwise it is handled by the StaticFileHandler and comes up as a 404 error]. However, I'd like my web app to run properly for people without having to fiddle around with IIS.
So I am left with several questions:Does anyone have ideas as to why Page.User always equals null for .html => .aspx rewritten pages?Why does it work in VWD 2008, but not IIS7? What changed from IIS6 => IIS7 that could have caused this? Any other thoughts on workarounds?[Note: I just tried a .aspx => .aspx rewrite and it did not exhibit the problem. Not really what I want, but thought I should mention it.]
I need to restrict access to pages based on permission given to roles based user .Roles created dynamically so that i can't restrict thru the WEB config file .i am using the custom sitemap so menu is showns correctly based on roles , but if we enter direct url in address bar we can access that page although its not permitted for the user .is there any other way to redirect to common access restrict page .
Here is my dilema, on my site i have a WordPress Audio player (http://wpaudioplayer.com/standalone) that plays my mp3's.
It loads the Mp3's in by javascript...example below:
AudioPlayer.embed("audioplayer_7", { soundFile: "/Files/Music/[name of file].mp3" });
This file name is clearly visible in the browser source. Not a problem, however this means that any user can legitimately browse to the file directly and download it.
Now i still need the mp3 player (which is flash) to have access to the file but if a user was to try accessing the file directly, they would not be allowed access to it.
I am not sure how to go about this, i am circling the idea of a httphandler but not sure if this is sufficiant to stop the direct access to the file.
My ASP.NET application logs transactions (both inside AND outside of databases), and therefore needs read/write access to text files within various directories within the root of the website - in ADDITION to the normal database access.
In this scenario, how can I safely allow my ASP.NET application to write data to the web folders? I have a thread-safe DLL that performs the actual work, so I don't believe I need to worry about multiple sessions writing to the log files at the exact same time - assuming my DLL will only be running in a single instance/process that will be shared between numerous ASP.NET instances/processes/threads.
But I'm more concerned about file access permissions. I've heard that ASP.NET applications generally aren't allowed access to the webserver's local file system, and that this may even restrict my DLL from getting the correct file access. Can I grant my application file-access to the web-driectories?
Id like for people only to access the content via default.aspx and not the dynamically generated content generateimage.aspx. Any attempt to browse here directly should be redirected to an error page
So i would like that the page "pag1.aspx" is reached bypassing the "main.aspx" so If I try to digit directly on the server http://localhost/forms/pag1.aspx?C=159 ......correctly appears the login page....and the URL became..
http://localhost/Forms/LogIn.aspx?ReturnUrl=%2fForms%2fpag1.aspx%3fC%3d151&C=159 and after login I can see correctly the page1.aspx . when I try to reach the page from my browser..I digit
http://myserver/forms/pag1.aspx?C=159 .... the login page appears...but the url became..
http://myserver/Forms/main.aspx
and after login I cannot see the page1.aspx....but main.aspx
I am an experienced developer but I am new to web application development. Now I am in charge of developing a new web application and I could really use some input from experienced web developers out there.
I'd like to understand exactly what experienced web developers do in the code-behind pages. At first I thought it was best to have a rule that all the database access and business logic should be performed in classes external to the code-behind pages. My thought was that only logic necessary for the web form would be performed in the code-behind. I still think that all the business logic should be performed in other classes but I'm beginning to think it would be alright if the code-behind had access to the database to query it directly rather than having to call other classes to receive a dataset or collection back.
