using system.web.authorization settings in web.config to protect classic asp files?

Question

I've got a virtual directory with a vast subfolder hierarchy and thousands of classic ASP files, all of which have varying permissions set at the NT folder level (don't ask.. shakes head).

Is there any way to setup all these virtual directories with their own web.config so i can control access via configuring system.web.authorization parameters therein and doing away with folder level permissions?

I've tried and so far have only been able to have this work on asp.net files, not classic ASP.

If it isn't possible, can someone offer some alternatives?

Answer 1

Because clasic ASP has no idea about the ASP.NET runtime due to the fact that it is a) classic and 2) isn't .NET, you can't use the .NET configuration to manage the permissions.

Your options though would be:

1. Upgrade to IIS7
2. Rename all you asp pages to aspx
3. Change your asp handler to aspnet_isapi.dll (which is the .net handler)

While 2 and 3 may work you will need to completly test these pages to make sure that they still work as intended.

I would say the best bet would be to just use the file system ACLs to control who can access the folders. Just because you don't understand them doesn't mean that they don't have their place.

Answer 2

You can use wildcard mapping so that all file types will be handled by the ASP.NET runtime in IIS6; however, even with this turned on permissions are not handled through the web.config. Windows authentication in both classic and .NET uses the file permissions to determine access.