
how does the app_data folder work

Andy Fish - 10 Sep 2007 16:08 GMT
Hi,

From what I can gather, under Asp.Net 2.0, it is safe to put data and config
files underneath the app_data in the web root and they will not be served
directly to the browser from a URL.

Can anyone explain just how this feature works? Is app_data a reserved name
for IIS and ASP.Net, or is there some jiggery pokery going on behind the
scenes with file permissions or virtual roots?

It's not that I don't trust Microsoft; it's just that .... well.... I guess
I don't trust Microsoft - especially where bits of unexplained magic are
concerned :-)

TIA

Andy
Juan T. Llibre - 10 Sep 2007 17:16 GMT
re:
!> is app_data a reserved name for IIS and ASP.Net

No, it's not.

The files which are not served are set in the master web.config file, in the
<httpHandlers> section, managed by System.Web.HttpForbiddenHandler.

That master web.config file is located at:
drive:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\CONFIG\web.config

Examples :

<add path="*.mdb" verb="*" type="System.Web.HttpForbiddenHandler" validate="True" />
<add path="*.ldb" verb="*" type="System.Web.HttpForbiddenHandler" validate="True" />
<add path="*.mdf" verb="*" type="System.Web.HttpForbiddenHandler" validate="True" />
<add path="*.ldf" verb="*" type="System.Web.HttpForbiddenHandler" validate="True" />

You can add any other file extensions you don't want
ASP.NET to serve directly by following that format.

re:
!> is there some jiggery pokery going on behind the scenes with file permissions or virtual roots?

There's also some jiggery pokery going on behind the scenes with file permissions or virtual roots.

If you create a Web site in Visual Web Developer (whether the standalone or the VS IDE),
VWD creates a folder named App_Data below the current root folder.

The folder is designed to be a store for application data of any type.

The App_Data folder is also used by ASP.NET to store databases that the system maintains,
such as the database for membership and roles.

When VWD creates the App_Data folder, it grants Read and Write permissions
for the folder to the ASPNET or NETWORK SERVICE user account.

So, if a request is made from an external browser for a forbidden file,
the account requesting it won't be the ASPNET or NETWORK SERVICE accounts,
which are the only ones which are allowed access to those files.

There's no "unexplained magic" involved.
It's all pretty much straightforward.

Juan T. Llibre, asp.net MVP
asp.net faq : http://asp.net.do/faq/
foros de asp.net, en español : http://asp.net.do/foros/
Andy Fish - 11 Sep 2007 11:36 GMT
Thanks for the reply, but I still don't really get it

let's say I create a new web site (just using explorer and IIS admin - not
visual web developer) with one folder called foo and one called app_data

inside each folder I place a file with an unknown extension not mentioned in
the global web.config - say foo.bar

I can access http://localhost/mysite/foo/foo.bar but not
http://localhost/mysite/app_data/foo.bar even though the file permissions
are the same

so surely there must be some magic going on behind the scenes somewhere?

Andy

Juan T. Llibre - 11 Sep 2007 14:19 GMT
Hi, Andy.

re:
!> so surely there must be some magic going on behind the scenes somewhere?

Not quite "magic" but, yes, any data files you put
in the App_Data folder will be protected by default.

No external http requests for any file there will be honored.

What I tried to say was that the mechanism has nothing
to do with "reserved names", as you suggested it might.

There *is*, however, an internal check for the source of the request.
If the request for a file in App_Data is external to the server, the file won't get served.

re:
!> inside each folder I place a file with an unknown extension
!> not mentioned in the global web.config - say foo.bar

If you want *.bar files protected, you'd have to add :

<add path="*.bar" verb="*" type="System.Web.HttpForbiddenHandler" validate="True" />

Juan T. Llibre, asp.net MVP
asp.net faq : http://asp.net.do/faq/
foros de asp.net, en español : http://asp.net.do/foros/
Andy Fish - 11 Sep 2007 15:25 GMT
> There *is*, however an internal check for the source of the request.
> If the request for a file in App_Data is external to the server, the file
> won't get served.

So just to confirm, the special processing of the app_data folder is a rule
hard-coded into IIS - correct ?
Juan T. Llibre - 11 Sep 2007 16:31 GMT
re:
!> So just to confirm, the special processing of
!> the app_data folder is a rule hard-coded into IIS - correct ?

Hard-coded into ASP.NET, more precisely.
It's an ASP.NET check which prevents the files from getting served by IIS.

IIS never even knows the file was requested.
ASP.NET checks...and doesn't send IIS the request.

ASP.NET is an ISAPI filter which sits between the client and IIS,
passing data requests to IIS, after processing them with its rules.

Juan T. Llibre, asp.net MVP
asp.net faq : http://asp.net.do/faq/
foros de asp.net, en español : http://asp.net.do/foros/
Andy Fish - 12 Sep 2007 18:21 GMT
thanks for the info - I get it now :-)
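
An added example, not part of the thread and not ASP.NET's own code: a Python audit that reads an application's web.config, collects the path patterns mapped to System.Web.HttpForbiddenHandler, and reports which data files in a site are covered by App_Data or by a handler rule, as the replies above describe. The sample web.config, the file list, the DATA_EXTENSIONS set and the function names are constructed for illustration; it assumes one wildcard per path attribute and does not model handler ordering or inherited configuration.

```python
import fnmatch
import xml.etree.ElementTree as ET
from pathlib import PureWindowsPath

FORBIDDEN = "System.Web.HttpForbiddenHandler"

# Constructed sample: app-level web.config carrying the *.bar rule from the thread.
SAMPLE_WEB_CONFIG = """<configuration>
  <system.web>
    <httpHandlers>
      <add path="*.mdb" verb="*" type="System.Web.HttpForbiddenHandler" validate="True" />
      <add path="*.bar" verb="*" type="System.Web.HttpForbiddenHandler" validate="True" />
    </httpHandlers>
  </system.web>
</configuration>"""

# Constructed sample: site-relative paths of files found under the web root.
SAMPLE_FILES = [r"App_Data\users.mdf", r"App_Data\foo.bar", r"foo\foo.bar",
                r"foo\export.csv", r"backup\site.MDB", "Default.aspx"]

# Assumption: the extensions this site treats as data that must never be served.
DATA_EXTENSIONS = {".mdb", ".ldb", ".mdf", ".ldf", ".bar", ".csv"}


def forbidden_patterns(web_config_xml):
    """Return the path patterns mapped to HttpForbiddenHandler, lower-cased."""
    root = ET.fromstring(web_config_xml)
    patterns = []
    for add in root.findall("./system.web/httpHandlers/add"):
        # The type may be assembly-qualified; keep only the class name.
        handler_type = add.get("type", "").split(",")[0].strip()
        if handler_type == FORBIDDEN and add.get("path"):
            patterns.append(add.get("path").lower())
    return patterns


def audit(files, patterns):
    """Classify each data file by the protection the thread describes."""
    report = {}
    for rel in files:
        p = PureWindowsPath(rel)
        if p.suffix.lower() not in DATA_EXTENSIONS:
            continue  # not a data file, nothing to check
        if p.parts[0].lower() == "app_data":
            report[rel] = "protected: App_Data"
        elif any(fnmatch.fnmatch(p.name.lower(), pat) for pat in patterns):
            report[rel] = "protected: forbidden handler"
        else:
            report[rel] = "EXPOSED: no rule covers it"
    return report
```

Calling `audit(SAMPLE_FILES, forbidden_patterns(SAMPLE_WEB_CONFIG))` flags `foo\export.csv`; dropping the `*.bar` entry also flags `foo\foo.bar`, which matches the behaviour reported in the thread.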
