 |
 | Home | Contact Us | FAQ | Search & Site Map | Link to Us |
 | Sign In | Join | Other 45 Sites in Network |
.NET Forum / ASP.NET / General / March 2008A few file upload questions
asp.net 2.0 When I first set up the app I'm working on, it was not in teh inetpub folder. Instead, VWD put it in the VS folder in My Documents. I was brand new to all this when I started working on this project. At the time, I created a page that allowed for uploading images. It's simple enough and was working fine. Later on after some more reading, I discovered that I should have my project in the inetpub folder to see it in IIS. So I did that and most everything is fine. But now my file upload doesn't work. This is all on my development machine so far (win2k pro sp4 so it's IIS 5). I checked the permissions through IIS of the folder that I'm trying to upload to. It was set as read only so I changed it so that the "write" box is now checked as well. That didn't help. I still get a folder access denied error duiring the upload attempt. What should I do to handle this? Everything I find online deals with people who say "... it was working fine on my development machine but when I put it up on a server for the web it stopped working..." That's not my situation right now (although in a couple of weeks it might be mine as well). Second question is that it seems like it would be unsafe to open up a folder to write access without soem other precautions. The folder is goign to store images of people. I'm thiking that the safest thing to do would be to have a temp folder that has write access so that the pictures can be uploaded there and then I'd have to do something else programatically to move them to the live read only for viewing pictures folder. I guess I'm looking for some advice here on what's the most practical and safest way to handle this sort of thing. Thanks, Keith OK. As far as the first question goes (I still would like help on the 2nd one) - I changed the permissions on the folder security in Windows (not IIS) to all "Everyone" write access and now it works. I even changed the permission on the same folder in IIS back to where Write is unchecked. The upload still works. So I guess I'm not clear on what the "write" checkbox in IIS is doing. I'm also not sure WHO actually needs permission on that folder from within Windows. Obviously setting it to "everyone" is overkill but that was the easiest way for me to test it. How do I set it so that the user that's logged into the web app can do an upload? Do I need to set up a user in Windows that synchs up with whoever is logged into my asp.net app? I'm using Forms authentication, not Windows (in the asp.net app). One thing I don't understand is tha I'm the administrator on this development machine. In Windows, I have full access to the folder in question. So how does that line up with what's going on in IIS? I'm not really sure if I'm even asking the right quesitons here so please be kind. Thanks, Keith I'm also new at asp.net, but I've been working on similar issues. Unless your website is impersonating the browsing user, the user who does the writing and therefore needs permissions on the folder where you're putting the files is the user account that's running your website. The account depends on which version of IIS you're running, and for some IIS versions it also depends on the IIS process isolation level you set for the website. On older IIS versions, for example, it used to be IUSR_MachineName or IWAM_MachineName. It's sometimes identified as the Anonymous user. You can perhaps find it by checking the documentation in your version of IIS Manager, or searching on google. I saw a suggested location for file uploads as a folder under the App_Data built-in folder. Two main reasons: A) ASP.Net will not let a browser access files under App_Data- it's a protected folder. So the only way anyone gets to those files is if you either move the files to an accessible folder or write a bit of code to stream the file to the user's browser. It leaves you in good control of the files. B) If you deploy your site pre-compiled, uploading a file to any folder NOT under App_Data will cause the site to recompile. ASP.Net is watching the file system for any site changes, and it doesn't know that your uploaded files don't count. But it doesn't watch anything under App_data. Paul Shapiro > OK. As far as the first question goes (I still would like help on the 2nd > one) - I changed the permissions on the folder security in Windows (not [quoted text clipped - 20 lines] > Thanks, > Keith I found an "ASP.net machine account" in my Windows security (I'm guessing that IIS added that when I installed IIS either that or one of the .net frameworks did it - I'm far from a security expert so I really dont' know). I added that to the permissions for the 2 folders in question and gave them write permission inWindows. That did the trick so far. So it sounds like I should move my 3 image upload folders under the App_Data folder. I do recall seeing something about not recompiling if things are under that folder but that was a while ago before I got into this side of things. I'm unclear about this line from what you wrote below: "Unless your website is impersonating the browsing user, the user who does the writing and therefore needs permissions on the folder where you're putting the files is the user account that's running your website." I don't know what you mean by a website impersonating the browser user. Are you talking about this: http://msdn2.microsoft.com/en-us/library/aa292118(VS.71).aspx? I need to find a good place to get a clear general understanding of asp.net security. I know how to set up users/roles/rules, etc but beyond that I'm very much a novice. Any suggestions on where to get a good basic overview (not looking for a 1000 page book!!!) would be great. Thanks, Keith > I'm also new at asp.net, but I've been working on similar issues. Unless > your website is impersonating the browsing user, the user who does the [quoted text clipped - 43 lines] > > Thanks, > > Keith For an Intranet site, you can set the application to impersonate the browsing user's account. This is not the usual way of running, and wouldn't work for an Internet site. Since you added the machine account to the folder permissions and it's working now, your site must be running under the machine account. So you're all set. Someone with more experience will hopefully suggest security learning resources. I have a (large) book recommended by others titled "ASP.Net 3.5 Unleashed" which I've found helpful in general, not specifically for security. >I found an "ASP.net machine account" in my Windows security (I'm guessing > that IIS added that when I installed IIS either that or one of the .net [quoted text clipped - 94 lines] >> > Thanks, >> > Keith Thanks Paul. I appreciate your help. Keith
Free MagazinesGet these publications absolutely FREE for up to 12 months. There are no hidden fees and no obligation. Simply choose a title, complete the application form and submit it. Read more ...
|
Reply to this Message
|
 Sign In
 Join
 My Latest Posts My Monitored Threads My Blog My Photo Gallery My Profile My Homepage Start New Thread Enable EMail Alerts Rate this Thread
|
©2008 Advenet LLC Privacy Policy - Terms of Use
This website includes both content owned or controlled by Advenet as well as content owned or controlled by third parties.