control, which was prohibitive in an Internet environment. It also allows, with the extensibility of the
pipeline components, developers to create their own authentication schemes and easily apply them to
any file or folder on the server.
Using ASP.NET Forms authentication for content other than ASP.NET is covered in Chapter 14,
“Authentication and Authorization.”
Request Filtering
IIS 7.0 includes request filtering as a standard function. While some of this ability was included in the
unsupported URLScan tool released for IIS 5.0, request filtering takes this concept even further with hidden
namespaces, where a particular section of a URL can be hidden and not served. Making the transition
from using URLScan to request filtering is easy.
For example, in URLScan you could control serving specific file extensions using the AllowExtension
or DenyExtension configurations. Request filtering uses the same allow or deny concept. For example,
to allow all files to be served except for Microsoft Word files with a .DOC extension, you could use
<configuration>
  <system.webServer>
    <security>
      <requestFiltering>
        <fileExtensions allowUnlisted="true">
          <add fileExtension=".doc" allowed="false" />
        </fileExtensions>
      </requestFiltering>
    </security>
  </system.webServer>
</configuration>
To allow only .ASPX files in a request, you could use
<configuration>
  <system.webServer>
    <security>
      <requestFiltering>
        <fileExtensions allowUnlisted="false">
          <add fileExtension=".aspx" allowed="true" />
        </fileExtensions>
      </requestFiltering>
    </security>
  </system.webServer>
</configuration>
Denying access to a folder such as the BIN folder so that your DLLs could not be directly requested is
handled by a new option called hiddenNamespaces. In URLScan, you could deny a URL sequence, so
“BIN” could not appear in a URL, but that would affect requests for both www.domain1.com/bin and
www.domain1.com/binder/legalfiles. With request filtering, you can hide the BIN folder by using
<configuration>
<system.webServer>
<security>
Part 1: Introduction and Deployment
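The two behaviors described in this section, the fileExtensions allow/deny decision and the difference between denying the URL sequence "BIN" and hiding the BIN folder, can be checked with a small model. This is an added example, not code from the book or from IIS. The function names, the case-insensitive comparison, and the treatment of extensionless paths as unlisted are assumptions of this sketch.

```python
import posixpath
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# The two fileExtensions rules from the text (straight quotes so the XML parses).
DENY_DOC = ('<requestFiltering><fileExtensions allowUnlisted="true">'
            '<add fileExtension=".doc" allowed="false" />'
            '</fileExtensions></requestFiltering>')
ONLY_ASPX = ('<requestFiltering><fileExtensions allowUnlisted="false">'
             '<add fileExtension=".aspx" allowed="true" />'
             '</fileExtensions></requestFiltering>')


def _path(url):
    """Return the lower-cased path of a URL given with or without a scheme."""
    return urlsplit(url if "//" in url else "//" + url).path.lower()


def extension_allowed(config_xml, url):
    """Apply a fileExtensions rule set: a listed extension uses its own
    allowed flag, anything else falls back to allowUnlisted.
    Assumption: a path with no extension counts as unlisted."""
    rules = ET.fromstring(config_xml).find("fileExtensions")
    listed = {a.get("fileExtension").lower(): a.get("allowed") == "true"
              for a in rules.findall("add")}
    ext = posixpath.splitext(_path(url))[1]
    return listed.get(ext, rules.get("allowUnlisted") == "true")


def blocked_by_sequence(url, sequence="bin"):
    """URLScan-style deny: block if the sequence appears anywhere in the path."""
    return sequence.lower() in _path(url)


def blocked_by_hidden_folder(url, folder="bin"):
    """Folder-style hide: block only if a whole path segment equals the folder."""
    return folder.lower() in _path(url).split("/")


if __name__ == "__main__":
    # Constructed sample requests, using the host name from the text.
    for u in ("www.domain1.com/report.DOC", "www.domain1.com/default.aspx",
              "www.domain1.com/bin/app.dll", "www.domain1.com/binder/legalfiles"):
        print(u, extension_allowed(DENY_DOC, u), extension_allowed(ONLY_ASPX, u),
              blocked_by_sequence(u), blocked_by_hidden_folder(u))
```

The last two columns of the output show the over-blocking the text describes: the sequence match rejects /binder/legalfiles along with /bin, while the segment match rejects only /bin.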