Access to external javascript file denied

Discussion:

(too old to reply)

NZ Jimmy

2010-06-22 22:49:13 UTC

I have a page in an ASP.NET web application that includes an external
javascript file using a fairly basic script tag:

<script src="DispatchRuleControl.js" type="text/javascript"></script>

When running the application on the ASP.NET internal webserver everything
works fine. When I try to host it on IIS7 however I get a syntax error in
that *.js file and, upon closer inspection (using firebug) it appears that
under IIS 7 what is returned is not the contents of the
DispatchRuleControl.js file at all but instead the fully rendered Login page
for the ASP.NET web appliction...

So essentially it seems that access to that file is being denied by IIS 7...
this causes ASP.NET to redirect to the login page and return this instead of
the *.js file, which in turn causes the syntax error (the login page is not a
valid javascript file)... but the root cause is that IIS is blocking access
to this file for some reason.

I can confirm this by entering the URL of the javascript file in the address
bar for firefox/ie directly... I get sent straight to the following URL:

http://localhost:8000/Login.aspx?ReturnUrl=%2fCMS%2fAdmin%2fDispatchRuleControl.js

Which is, of course, the login page for the site. After logging in, the
login page then redirects to the ReturnUrl (seen in the Query string above)
and that in turn goes straight back to the login page... it's impossible to
get the contents of this js file served up by IIS 7 - it's blocking access to
it outright.

Any idea why this might be or how I can debug further?

Thanks in advance.

Jimmy

Dan

2010-06-23 13:37:55 UTC

Permalink

Post by NZ Jimmy
I have a page in an ASP.NET web application that includes an external
<script src="DispatchRuleControl.js" type="text/javascript"></script>
When running the application on the ASP.NET internal webserver everything
works fine. When I try to host it on IIS7 however I get a syntax error in
that *.js file and, upon closer inspection (using firebug) it appears that
under IIS 7 what is returned is not the contents of the
DispatchRuleControl.js file at all but instead the fully rendered Login page
for the ASP.NET web appliction...
So essentially it seems that access to that file is being denied by IIS 7...
this causes ASP.NET to redirect to the login page and return this instead of
the *.js file, which in turn causes the syntax error (the login page is not a
valid javascript file)... but the root cause is that IIS is blocking access
to this file for some reason.
I can confirm this by entering the URL of the javascript file in the address
http://localhost:8000/Login.aspx?ReturnUrl=%2fCMS%2fAdmin%2fDispatchRuleControl.js
Which is, of course, the login page for the site. After logging in, the
login page then redirects to the ReturnUrl (seen in the Query string above)
and that in turn goes straight back to the login page... it's impossible to
get the contents of this js file served up by IIS 7 - it's blocking access to
it outright.
Any idea why this might be or how I can debug further?
Thanks in advance.
Jimmy

Have you checked that IIS7 has permission to read the .js file? Have you
also checked that the MIME settings allow .js files to be served?

--
Dan

NZ Jimmy

2010-06-23 20:42:13 UTC

Permalink

Yeah, I've got another file in another directory that I can load fine:
http://localhost:8000/Components/WarehouseSelectorControl.js

Punching in the above URL shows the contents of the
WarehouseSelectorControl.js script file as expected.

However when I try to navigate to the following:
http://localhost:8000/CMS/Admin/DispatchRuleControl.js

I'm getting redirected to the login dialog.

The file permissions on the DispatchRuleControl.js file are identical to the
file permisions on DispatchRuleControl.aspx (sitting in the same directory)
and the aspx content is getting delivered to the browser just fine (via
ASP.NET of course).

I'm wondering whether this is an ASP.NET security issue rather than an IIS
security issue, but it seems strange that ASP.NET serves the javascript file
up fine on the Visual Studio development webserver in this case... which is
the reason I suspected IIS first and foremost.

Jimmy

Post by Dan
Have you checked that IIS7 has permission to read the .js file? Have you
also checked that the MIME settings allow .js files to be served?
--
Dan
.

NZ Jimmy

2010-06-24 00:50:17 UTC

Permalink

OK so this is getting bizarre. In the directory where the offending *.js file
is located, I have an ASP.NET web.config file that contains the following:

<authorization>
<allow roles="Administrator" />
<deny users="*" />
</authorization>

If I replace that <deny users="*" /> with a <deny users="?" /> then I can
get at the javascript file just fine. HOWEVER that also means that logged in
non administrative users can then access all of the files in this directory
(definitely not what I want).

If I leave <deny users="*" /> then when I'm logged in as an administrator I
can get at any *.aspx and *.ascx files in that directory, but not any *.js
files ???

This seems pretty messed up.

Jimmy

Dan

2010-06-24 08:23:12 UTC

Permalink

Post by NZ Jimmy
OK so this is getting bizarre. In the directory where the offending *.js file
<authorization>
<allow roles="Administrator" />
<deny users="*" />
</authorization>
If I replace that <deny users="*" /> with a <deny users="?" /> then I can
get at the javascript file just fine. HOWEVER that also means that logged in
non administrative users can then access all of the files in this directory
(definitely not what I want).
If I leave <deny users="*" /> then when I'm logged in as an administrator I
can get at any *.aspx and *.ascx files in that directory, but not any *.js
files ???
This seems pretty messed up.
Jimmy

I haven't played with ASP.NET yet, but doesn't it only process .aspx, .ascx,
and other pre-configured file extensions only? If so, then that means IIS is
handling permissions for the .js file, so it will need different permissions
than the ASP.NET files - the ASP.NET files will be handled by the user
permission that ASP.NET is configured with, the other files will be using
the IUSR_ account permissions, or those of the authenticated user in the
case of integrated auth.

It's certainly possible that you just need to adjust the permissions for the
.js files for the IIS user account.

--
Dan

NZ Jimmy

2010-06-24 11:31:41 UTC

Permalink

Post by Dan
I haven't played with ASP.NET yet, but doesn't it only process .aspx, .ascx,
and other pre-configured file extensions only? If so, then that means IIS is
handling permissions for the .js file, so it will need different permissions
than the ASP.NET files - the ASP.NET files will be handled by the user
permission that ASP.NET is configured with, the other files will be using
the IUSR_ account permissions, or those of the authenticated user in the
case of integrated auth.

In theory I'd agree with you... if that's the case though, why does changing
the authorization block in the ASP.NET web.config file alter whether or not I
can access this file? That said, why is it only when hosting the application
under IIS7 that I run into this problem? It simply doesn't seem logical.

I can work around this problem by adding the following in the web.config
file that resides in the Admin folder:

<system.web>
<authorization>
<allow roles="Administrator" />
<deny users="*" />
</authorization>
</system.web>
<location path="DispatchRuleControl.js">
<system.web>
<authorization>
<allow users="?"/>
</authorization>
</system.web>
</location>

Essentially I'm adding an explicit exception to allowing all logged in users
to access the DispatchRuleControl.js file... since I AM logged in to ASP.NET
as an administrator, this seems a little peculiar and it's a pain to have to
explicitly override the permissions for every *.js file that is in a secure
folder in the web application. There must be some way to tell IIS to use
ASP.NET authentication for js files... I've done this for asp files on sites
where we had a mix of classic ASP pages and ASP.NET pages:

http://weblogs.asp.net/scottgu/archive/2007/03/04/tip-trick-integrating-asp-net-security-with-classic-asp-and-non-asp-net-urls.aspx

Attempting the same trick for js files doesn't seem to work though.

Jimmy

oruben

2010-08-10 21:00:03 UTC

Permalink

About the .js not been served by IIS, I found this:

http://techvins.wordpress.com/2010/06/07/solutions-to-problems-setting-up-virtual-directory-in-iis-7-2/

Adding the handler for .js did solve the problem. Hope it helps other with
the same problem.