How to protect files in asp.net

Source: Internet
Author: User
Introduction

When we build an ASP.NET website that uses an Access database as its data source, the security of the Access database file is our main concern. If an .mdb file holding important information such as passwords, payment information and personal data sits in a directory that is reachable through the Web server, it is dangerous: anyone who guesses the database file name can download it with a browser or another download tool.

There are many ways to protect .mdb database files, or any other file you want to protect. The most direct and effective method is to place the .mdb file in a directory on the Web server that is not Web-accessible. Many Web servers provide a special database directory that can be read and written but cannot be accessed as a Web page.

Understanding how IIS and ASP.NET work

When a request arrives at an IIS server, IIS checks the extension of the requested file and determines whether that file type is handled by IIS itself or by an ISAPI (Internet Server Application Programming Interface) extension.

By default, IIS simply returns the contents of the file for simple requests. This covers the static files it recognizes, such as images, HTML pages, CSS files and external JavaScript files; for example, when an HTML file is requested, IIS returns the content of that file.

For files whose content is generated dynamically, an ISAPI extension generates the content for the requested file. For example, on a Web site written in ASP, .asp files are mapped to the asp.dll ISAPI extension, which parses the ASP page requested from the Web server and returns the generated HTML. If your site is written in ASP.NET, IIS maps .aspx files to the aspnet_isapi.dll ISAPI extension; when aspnet_isapi.dll receives a request for an .aspx file, the request is processed and HTML content is generated.

The aspnet_isapi.dll ISAPI extension is unmanaged code; it cannot run in the .NET Framework. When IIS sends a request to it, aspnet_isapi.dll forwards the request to the ASP.NET engine, where it is handled by .NET Framework managed code.

The ASP.NET engine works much like IIS: just as IIS keeps a table that maps file types to ISAPI extensions, the ASP.NET engine maps file types to HTTP handlers. An HTTP handler is managed code that generates the content for a particular file type. For example, ASP.NET pages are generated by PageHandlerFactory, and the SOAP response of a Web service is generated by WebServiceHandlerFactory. PageHandlerFactory knows how to parse an ASP.NET Web page into HTML; WebServiceHandlerFactory knows how to call the correct Web service method for the received SOAP request and return the SOAP response in the correct format.

Testing HttpForbiddenHandler

ASP.NET Web applications are configured through an XML file, Web.config. This file mainly contains:

  • Database connection strings
  • Authentication information, which can include user names and passwords
  • Other configuration such as caching and encoding

Take a moment to request the Web.config file of an ASP.NET Web application. What is the result? Clearly it would be very dangerous to let every visitor see the contents of an application's Web.config file, so ASP.NET applications are configured so that aspnet_isapi.dll filters out such requests.

How is a request for Web.config blocked? In IIS, the .config file type is mapped to the ASP.NET ISAPI extension, and the ASP.NET engine in turn maps requests for .config files to the HttpForbiddenHandler HTTP handler. HttpForbiddenHandler then returns its response to the user's Web browser in HTML format.

That is how HttpForbiddenHandler is used in ASP.NET to protect .config files, and the same technique can be applied to other file types such as .cs, .vb, .webinfo, .vbproj, .csproj and .resx. We can likewise use it to protect an Access database file (.mdb) or any other file type. The following section walks through the steps needed to protect a given file type.

Protecting .mdb files

To protect the .mdb database file type in the same way as the .config file type, two steps are required:

1. Configure IIS to map the .mdb file type to the ASP.NET ISAPI extension.
2. Configure ASP.NET to map the .mdb file type to the HttpForbiddenHandler HTTP handler.

First, in IIS on the Web server, the .mdb file type must be mapped to the aspnet_isapi.dll ISAPI extension. Log on to the Web server and open [Start] -> [Administrative Tools] -> [Internet Services Manager]. Right-click a Web site and choose [Properties] from the pop-up menu to open the site's Properties dialog box. Click the [Home Directory] tab, then click the [Configure] button. The application configuration dialog appears, as shown below.
[Screenshots: the application configuration dialog on Windows NT/2000/XP and on Windows 2003]
Click [Add] to add a mapping. A dialog box asks for the ISAPI executable, which can be an .exe or .dll file and which handles requests for the specified file type (you can map all HTTP requests for that file type, such as GET and POST, or only a specific HTTP verb). Enter *.mdb and press Enter, then select aspnet_isapi.dll as the ISAPI executable (this file can be found under $WINDOWS_DIR$\Microsoft.Net\Framework\$VERSION$). With the .mdb mapping in place, one last step remains: map the .mdb file type in the Web application to the HttpForbiddenHandler HTTP handler. To do this, add the following configuration to the Web.config file:
<add verb="*" path="*.mdb" type="System.Web.HttpForbiddenHandler" />
This line must be placed in the <system.web> section; requests for the .mdb files used by the current Web application will then be blocked.

If you want *.mdb files to be inaccessible in every Web application, add <add verb="*" path="*.mdb" type="System.Web.HttpForbiddenHandler" /> to the Machine.config file.
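
The following Python check is an added example, not part of the original article: it reads a Web.config and reports, for each sensitive file name, whether the <httpHandlers> element inside <system.web> maps it to HttpForbiddenHandler for the required verbs (step 2 above). The sample configuration, the audit_handlers function and its status names are constructed for illustration, and glob-style path matching is an assumption; the IIS mapping from step 1 still has to be verified on the server itself.

```python
import fnmatch
import xml.etree.ElementTree as ET

FORBIDDEN = "System.Web.HttpForbiddenHandler"

# Constructed sample Web.config (not from the page): .mdb is blocked for all
# verbs, .ldb only for POST, and nothing is configured for .bak.
SAMPLE_WEB_CONFIG = """<configuration>
  <system.web>
    <httpHandlers>
      <add verb="*" path="*.mdb" type="System.Web.HttpForbiddenHandler"/>
      <add verb="POST" path="*.ldb" type="System.Web.HttpForbiddenHandler, System.Web"/>
      <add verb="*" path="*.aspx" type="System.Web.UI.PageHandlerFactory"/>
    </httpHandlers>
  </system.web>
</configuration>"""


def audit_handlers(config_xml, filenames, verbs=("GET", "POST")):
    """Classify each file name against the <add> entries of one Web.config.

    'forbidden'     every required verb maps to HttpForbiddenHandler
    'partial'       only some of the required verbs do
    'conflict'      a forbidden mapping and another handler both match
    'other-handler' only a different handler matches
    'unmapped'      no <add> entry matches the file name
    """
    required = {v.upper() for v in verbs}
    adds = ET.fromstring(config_xml).findall("./system.web/httpHandlers/add")
    report = {}
    for name in filenames:
        blocked, other = set(), False
        for entry in adds:
            # Assumption: path patterns act as case-insensitive globs.
            pattern = entry.get("path", "").lower()
            if not fnmatch.fnmatchcase(name.lower(), pattern):
                continue
            # Drop any ", Assembly" suffix from the type attribute.
            if entry.get("type", "").split(",")[0].strip() != FORBIDDEN:
                other = True
                continue
            listed = {v.strip().upper() for v in entry.get("verb", "").split(",")}
            blocked |= required if "*" in listed else listed & required
        if blocked and other:
            report[name] = "conflict"
        elif blocked:
            report[name] = "forbidden" if blocked == required else "partial"
        else:
            report[name] = "other-handler" if other else "unmapped"
    return report
```

The check covers only the entries of a single file; mappings inherited from Machine.config are not read, and a 'conflict' result needs a manual look at which entry takes effect.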


