
HTML content authorization inside asp.net web application

I have a colleague that made a web site in plain html with a little bit of css and javascript. I have a special task to prevent this page with a simple login form. My colleague will continuously work on his html, but he is not allowed to write any asp.net or to publish content on remote servers.

I am an asp.net developer and my first idea was to include all his content inside the web application project's folder named 'Content'. Then I've made a simple login form (login.aspx), and inside web.config I've put authentication (with login.aspx as loginUrl) and authorization tags. After that I've published the whole project to the remote server and I am going to share the 'Content' folder with this user. He'll have access to all html pages and will be able to continuously work on it just by copying his updated or newly created html files to that folder.

The whole thing about authorization and authentication works just fine when I run it locally on the Visual Studio web development server. When I am trying to access some html content stored in the 'Content' folder, I am getting redirected to login.aspx and everything works as expected.

I have a problem when I publish this complete asp.net web application to remote server. When I try to access same html content I am not getting redirected to login.aspx and I can access all html pages inside 'Content' without authentication needed.

This is authentication and authorization part of my web.config:

<authentication mode="Forms">
  <forms loginUrl="login.aspx"/>
</authentication>

<authorization>
  <deny users="?"/>
</authorization>

And this is content of my login.aspx.cs:

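// USER WEB SERVICE CHECK: placeholder from the original post. Set this from
// the result of the user web service call.
bool userIsValid = false;

if (userIsValid)
{
    if (Request.QueryString["ReturnUrl"] == null)
    {
        // No return URL: issue the persistent auth cookie and go to the start page.
        FormsAuthentication.SetAuthCookie(UserName.Text, true);
        Response.Redirect("~/Content/index.html");
    }
    else
    {
        // Issue the auth cookie and return to the page that was originally requested.
        FormsAuthentication.RedirectFromLoginPage(UserName.Text, true);
    }
}
else
{
    FailureText.Text = "Wrong username or password...";
}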

Do you have any better idea how to do it with asp.net? Why is this forms authentication not working when I publish it? Is it possible to prevent access to plain html content, as part of a web application, when the whole thing is published?

I am constantly using the same principle in my asp.net projects and it works just fine on same remote server. I even tried to put this on another server, but I've got the same effect.

The structure of my web app project is following:

ApplicationFolder
 |
 - login.aspx
 |
 - web.config
 |
 - CONTENT
      |
      - index.html
      - ...

Additionally I've tried to put some aspx content in the CONTENT folder, and authentication redirection works just fine. Is it even possible to use forms authentication to secure html content inside a web application?

Remote server uses IIS 6 and ASP.NET runtime does not process html files, and because of that forms authentication does not work. I've renamed html file extension to aspx and everything works fine. I am satisfied with this solution for now, but if someone has better solution please write it here...

I've read that there is a workaround with web site configuration on IIS 6 (http://forums.asp.net/t/1184547.aspx), but I am not allowed to do this on my server.

I think you had better check the IIS settings of that application on the server; they are probably different from the local ones, and you need to change them.

Open IIS, click on the project in question in the site treeview. Select the "Authentication" menu and check whether Forms authentication is enabled or disabled. If this does not work, try to disable the Windows authentication.

I've finally solved this problem, in case someone has the same issue as me...

I've anyway changed the IIS 6 settings as described in http://forums.asp.net/t/1184547.aspx, and have written a custom request handler with the following code:

using System;
using System.Collections.Generic;
using System.IO;
using System.Web;

// Registered in web.config as PartnerPortal.DocHandler. Because the request now
// runs through ASP.NET, the <authorization> rules apply before this handler runs.
public class DocHandler : IHttpHandler
{
    // Extensions this handler serves, mapped to the Content-Type sent for each.
    private static readonly Dictionary<string, string> ContentTypes =
        new Dictionary<string, string>(StringComparer.OrdinalIgnoreCase)
        {
            { ".pdf",  "application/pdf" },
            { ".doc",  "application/msword" },
            { ".xls",  "application/vnd.ms-excel" },
            { ".ppt",  "application/vnd.ms-powerpoint" },
            { ".html", "text/html" }
        };

    public DocHandler() { }

    public void ProcessRequest(HttpContext context)
    {
        string path = context.Request.PhysicalPath;
        string contentType;

        // Check the path before using it; any extension not in the table is rejected.
        if (string.IsNullOrEmpty(path) ||
            !ContentTypes.TryGetValue(Path.GetExtension(path), out contentType))
        {
            throw new FileNotFoundException("The page requested is invalid", path);
        }

        // File name only, without the directory part of the physical path.
        string name = Path.GetFileName(path);

        context.Response.ClearHeaders();
        context.Response.ClearContent();
        context.Response.Clear();
        context.Response.Charset = null;
        context.Response.ContentType = contentType;
        // Quote the file name so that names containing spaces stay intact.
        context.Response.AppendHeader("Content-Disposition", string.Format("inline;filename=\"{0}\"", name));
        context.Response.WriteFile(path);
    }

    public bool IsReusable { get { return false; } }
}

and finally added following section to web.config

<!-- These entries go inside <system.web> -->
<httpHandlers>
  <add verb="GET" path="*.pdf" type="PartnerPortal.DocHandler" validate="false" />
  <add verb="GET" path="*.doc" type="PartnerPortal.DocHandler" validate="false" />
  <add verb="GET" path="*.xls" type="PartnerPortal.DocHandler" validate="false" />
  <add verb="GET" path="*.ppt" type="PartnerPortal.DocHandler" validate="false" />
  <add verb="*" path="*.html" type="PartnerPortal.DocHandler" validate="false" />
</httpHandlers>
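A post-deployment check for the failure described in this thread (protected on the Visual Studio development server, silently unprotected on IIS 6), as an added example that is not part of the original posts: it requests protected paths anonymously and reports any that come back 200 instead of a redirect to login.aspx. The function names and the sample path /Content/page.aspx are assumptions; login.aspx and /Content/index.html come from the question.

```python
import http.client
from urllib.parse import urlsplit

LOGIN_PAGE = "login.aspx"  # loginUrl from the web.config in the question


def classify(status, location):
    """Classify the response to an anonymous request for protected content."""
    if status in (301, 302, 303, 307) and LOGIN_PAGE in (location or "").lower():
        return "protected"     # ASP.NET saw the request and redirected to the login page
    if status in (401, 403):
        return "protected"     # access denied outright
    if status == 200:
        return "exposed"       # served with no authentication: the IIS 6 static-file case
    return "inconclusive"      # 404, 500, redirect elsewhere: check by hand


def check_anonymous_access(base_url, paths, timeout=10):
    """GET each absolute path with no cookies and without following redirects."""
    parts = urlsplit(base_url)
    https = parts.scheme == "https"
    connect = http.client.HTTPSConnection if https else http.client.HTTPConnection
    results = {}
    for path in paths:
        conn = connect(parts.hostname, parts.port, timeout=timeout)
        try:
            conn.request("GET", path)
            resp = conn.getresponse()
            resp.read()
            results[path] = classify(resp.status, resp.getheader("Location"))
        finally:
            conn.close()
    return results


def exposed_paths(results):
    """Paths an anonymous visitor can read; an empty list means the check passed."""
    return sorted(p for p, verdict in results.items() if verdict == "exposed")


if __name__ == "__main__":
    # Constructed sample responses (status, Location header), not captured traffic.
    samples = {
        "/Content/index.html": (200, None),
        "/Content/page.aspx": (302, "/login.aspx?ReturnUrl=%2fContent%2fpage.aspx"),
    }
    verdicts = {p: classify(s, loc) for p, (s, loc) in samples.items()}
    print(verdicts, "exposed:", exposed_paths(verdicts))
```

Run `check_anonymous_access` against the published site after every change to the IIS mappings or handler entries, with one path per protected extension.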
