Protecting Files with ASP.NETBy Scott Mitchell
When creating a data-driven Web site using Microsoft Access, it is important to take good care of the Access database file (the
.mdbfile). If you place the
.mdbfile in a Web accessible directory on the Web server, anyone who knows (or can guess) the name of the Access database file can download the file via their Web browser. This can be an especially perilous situation if the Access database file contains sensitive information, such as passwords, payment information, or other personal, private data.
There are a couple of ways to protect an Access database file (or any arbitrary file). The
most straightforward way is to place it in a non-Web accessible directory. Many Web hosts,
for example, have a special
database folder that provides the necessary
read/write access requires for an Access database, but is not Web accessible.
(When using Access, you will get an "Operation must use an updateable query" error unless the
file exists in a directory with read/write permissions for the account accessing the
file. For a more thorough discussion on this be sure to read the FAQ Why
am I getting 'Operation must use an Updateable Query' error?)
In this article we will examine how to use ASP.NET to protect Access database files, or files with an arbitrary extension.
Understanding How IIS and ASP.NET Work
When a request comes into Microsoft's IIS Web server its extension is examined and, based on this extension, the request is either handled directly by IIS or routed to an ISAPI extension. An ISAPI extension is a compiled class that is installed on the Web server and whose responsibility it is to return the markup for the requested file type.
By default, IIS handles the request, and simply returns the contents of the file requested.
files, and so on. For example, when a request is made for a
.html file, IIS
simply returns the contents of the requested HTML file.
For files whose content is dynamically generated, the ISAPI extension configured for the file
extension is responsible for generating the content for the requested file. For example,
a Web site that serves up classic ASP pages has the
.asp extension mapped to
asp.dll ISAPI extension. The
asp.dll ISAPI extension executes
the requested ASP page and returns its generated HTML markup. If your Web site serves up
ASP.NET Web pages, IIS has mapped the
an ISAPI extension that starts off the process of generating the rendered HTML for the
requested ASP.NET Web page.
aspnet_isapi.dll ISAPI extension is a piece of unmanaged code. That is,
it is not code that runs in the .NET Framework. When IIS routes the request to the
aspnet_isapi.dll ISAPI extension, the ISAPI extension routes the request onto
the ASP.NET engine, which is written in managed code - managed code is code that runs in
the .NET Framework.
The ASP.NET engine is strikingly similar to IIS in many ways. Just like IIS has a directory mapping file
extensions to ISAPI extensions, the ASP.NET engine maps file extensions to HTTP handlers. An
HTTP handler is a piece of managed code that is responsible for generating the markup for a particular file
type. For example, ASP.NET Web pages are rendered by the
the SOAP responses of Web services are generated by the
PageHandlerFactory knows how to render the HTML markup of an ASP.NET Web page; the
WebServiceFactoryHandler knows how to accept incoming SOAP requests, invoke the proper
Web service method, and return the response in a properly formatted SOAP response.
|For More Information on IIS and ASP.NET...|
|For more a good overview on how ASP.NET and IIS work in serving ASP.NET Web pages be sure to read How ASP.NET Web Pages are Processed on the Server, an earlier article of mine. Michele Leroux Bustamante provides a much more in-depth examination of ASP.NET and IIS in her article, Inside IIS & ASP.NET.|
ASP.NET Web applications have their configuration information specified via an XML-formatted file,
Web.configcan contain information like:
- Database connection strings,
- Information on how users are authenticated, which might include user and password information,
- Information on authorization, and
- Other potentially sensitive information.
Clearly, allowing any Web visitor to view the contents of an ASP.NET Web application's
file could be disastrous. Take a moment, though, to try to access the contents of an ASP.NET application's
Web.config file. Here, you can try to access the
Web.config file here on 4Guys -
When you try to view the file you get back a page that says: This type of page not served.
How did a request to
Web.config return a specialized page rather than the contents of the
Web.config file? Well, in IIS files with the
.config extension are mapped to the
ASP.NET ISAPI extension. The ASP.NET engine, then, maps requests to
.config files to
HttpForbiddenHandler HTTP handler. The
HttpForbiddenHandler HTTP handler
returns the HTML you see when visiting the
Web.config file through your browser.
We've just seen how ASP.NET uses the
HttpForbiddenHandler HTTP handler to protect
files - it also uses this approach to protect
.resx, and others. Similarly, we can use this
technique to protect Access database files (
.mdb files), or any arbitrary file extension. In
the next section we'll look at the steps necessary to protect a given file extension.
Let's look at how to protect Access database files using the same techniques ASP.NET uses to protect
.configfiles. To accomplish this we must perform the following two steps:
- Configure IIS so that
.mdbfiles are mapped to the ASP.NET ISAPI extension
- Configure ASP.NET so that
.mdbfiles are mapped to the
To configure IIS to map
.mdb files to the
aspnet_isapi.dll ISAPI you will need
access to Web server. Log on to the Web server and open the IIS Administration dialog, which is available
through the Administrative Tools section. Next, right-click on the Web site you want to configure and
choose Properties. This will display the Web Site Properties dialog box. Navigate to the Home Directory
tab and click the Configuration button. This will display the Application Configuration dialog box, which
is shown below.
|Windows NT/2000/XP||Windows 2003|
To add a mapping, click the Add button. This will display a new dialog box that allows you to enter the ISAPI extension that should execute when a request comes in for a specific file extension. (You can also specify if this mapping should apply to all incoming HTTP requests (GET and POST), or to a specific HTTP verb.)
So, to add a mapping for
.mdb files, enter
.mdb as the extension and choose the
aspnet_isapi.dll ISAPI extension. (This should be in the directory
Now that we have configured IIS to map
.mdb files to the ASP.NET ISAPI extension, we're ready to
tackle our final step: specifying that our Web application should map
.mdb files to the
HttpForbiddenHandler HTTP handler. To accomplish this, simply add the following lines to the
This needs to be placed inside the
<system.web> element. With this addition, when
.mdb files are requested from the specific Web application, a This type of page is not
served error message will be returned.
Adding the above
<httpHandlers> section to a
Web.config file configures
.mdb files are mapped to the
HttpForbiddenHandler HTTP handler just for
that Web application. If you want to apply this mapping to all ASP.NET Web applications on the
Web server, simply add
<add verb="*" path="*.mdb" type="System.Web.HttpForbiddenHandler" />
<httpHandlers> section. (The
machine.config file is located in the
In this article we saw how to use ASP.NET HTTP handlers to protect files with a certain extension. Accomplishing this involves two steps: first, the file extension in IIS needs to be mapped to the ASP.NET ISAPI extension; next, the ASP.NET engine needs to be configured to map the same extension to the
HttpForbiddenHandlerHTTP handler. Realize that both of these two steps are vital - if you forget to map the extension in IIS to the ASP.NET ISAPI extension, then the ASP.NET engine will not be invoked when a file with the forbidden extension is accessed. If you map the file extension correctly through IIS, but forget to perform the mapping in the appropriate ASP.NET configuration file, the ASP.NET engine will simply return the contents of the file.