how to create IIsWebDirectory without mapping them to physical dir

on 06.09.2007 19:40:02 by Kshitiz

This is with reference to previous question - "Client Certificate Auth only
for certain urls handled by ISAPI filter"

The question was:
I have written an ISAPI filter. It handles all the request URLs and generates
output. None of the URLs are mapped to the file system.

Now I want anonymous access to most of the urls served by this ISAPI filter.

However for certain urls, I want to enable client certificate based
authentication.

I got this response from David:
Configure IIS to enable SSL and require Client Certificates for those
URLs. If they don't exist as vdirs or physical directories in IIS,
then create IIsWebDirectory and IIsWebFile nodes as appropriate
placeholders for them in the Virtual namespace. Of course, none of
them need to map to the file system

Then, use GetServerVariable() with the various documented server
variable names to read the relevant Client Certificate data and do
your custom authentication/authorization.


//David

Now my question is:
I do not know how to define those URLs. Please provide more input on
that. If you can point to some document, that would be great. Please provide
input on how to create IIsWebDirectory and IIsWebFile without mapping them
to a physical directory.

Also I do not want to hard-code client certificate verification in my code.
I want it to be outside, which can be modified easily as per client
certificate.

Thanks,
Kshitiz

Re: how to create IIsWebDirectory without mapping them to physical dir

on 07.09.2007 10:40:04 by David Wang

On Sep 6, 10:40 am, Kshitiz wrote:
> This is with reference to previous question - "Client Certificate Auth only
> for certain urls handled by ISAPI filter"
>
> Ques was :
> I have written a ISAPI filter. It handles all the request urls and generate
> output. None of the urls are mapped to file system.
>
> Now I want anonymous access to most of the urls served by this ISAPI filter.
>
> However for certain urls, I want to enable client certificate based
> authentication.
>
> I got response from David :
> Configure IIS to enable SSL and require Client Certificates for those
> URLs. If they don't exist as vdirs or physical directories in IIS,
> then create IIsWebDirectory and IIsWebFile nodes as appropriate
> placeholders for them in the Virtual namespace. Of course, none of
> them need to map to the file system
>
> Then, use GetServerVariable() with the various documented server
> variable names to read the relevant Client Certificate data and do
> your custom authentication/authorization.
>
> //David
>
> Now my ques is :
> I do not know how to define those URLs. Please provide more input on
> that. If you can point to some document that will be great. Please provide
> inputs on how to create IIsWebDirectory and IIsWebFile without mapping them
> to physical directory.
>
> Also I do not want to hard-code client certificate verification in my code.
> I want it to be outside, which can be modified easily as per client
> certificate.
>
> Thanks,
> Kshitiz


CSCRIPT %SYSTEMDRIVE%\Inetpub\AdminScripts\ADSUTIL.VBS CREATE W3SVC/1/ROOT/MyUrl IIsWebDirectory
CSCRIPT %SYSTEMDRIVE%\Inetpub\AdminScripts\ADSUTIL.VBS CREATE W3SVC/1/ROOT/MyUrl/MyFilename.extension IIsWebFile
CSCRIPT %SYSTEMDRIVE%\Inetpub\AdminScripts\ADSUTIL.VBS SET W3SVC/1/ROOT/MyUrl/MyFilename.extension/AccessSSLFlags 320

You will notice that request to:
http://localhost/MyUrl/MyFilename.extension

will now require SSL and Client Certificate

/MyUrl and /MyFilename.extension do not need to exist at all.


//David
http://w3-4u.blogspot.com
http://blogs.msdn.com/David.Wang
//
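
An added example (not code from this thread) of the second half of the advice quoted in this reply: the filter reads the client-certificate server variables and decides per URL, with the list of protected URLs kept outside the code. `get_var_fn`, `cert_gate`, `under_prefix`, `check_sample` and the `fake_*` sample are hypothetical names; in a real filter the adapter would wrap `GetServerVariable()`. It assumes the URL is already canonicalized and that IIS has negotiated the client certificate on the connection.

```c
#include <ctype.h>
#include <stdlib.h>
#include <string.h>
/* Hypothetical adapter: in a filter, wrap pfc->GetServerVariable(). 1 = ok. */
typedef int (*get_var_fn)(void *ctx, const char *name, char *buf, unsigned long len);
enum gate { GATE_ANONYMOUS, GATE_CERT_OK, GATE_DENY };
/* 1 if url equals prefix or lies below it on a segment boundary (no case). */
static int under_prefix(const char *url, const char *prefix)
{
    size_t n = strlen(prefix), i;
    if (n && prefix[n - 1] == '/') n--;          /* "/MyUrl/" == "/MyUrl" */
    for (i = 0; i < n; i++)
        if (tolower((unsigned char)url[i]) != tolower((unsigned char)prefix[i]))
            return 0;
    return url[n] == '\0' || url[n] == '/' || url[n] == '?';
}

/* protected_urls: NULL-terminated list loaded from configuration outside the
   filter code. Any failed lookup denies the request (fail closed). */
enum gate cert_gate(get_var_fn get, void *ctx, const char *url,
                    const char *const *protected_urls)
{
    char buf[16];
    int need = 0;
    for (; *protected_urls; protected_urls++)
        need |= under_prefix(url, *protected_urls);
    if (!need) return GATE_ANONYMOUS;
    if (!get(ctx, "HTTPS", buf, sizeof buf) || strcmp(buf, "on")) return GATE_DENY;
    if (!get(ctx, "CERT_FLAGS", buf, sizeof buf)) return GATE_DENY;
    /* CERT_FLAGS bit 0: certificate present; bit 1: issuing CA not recognized */
    unsigned long flags = strtoul(buf, NULL, 10);
    return ((flags & 1) && !(flags & 2)) ? GATE_CERT_OK : GATE_DENY;
}

/* Constructed sample request state standing in for IIS in this example. */
struct fake_req { const char *https, *cert_flags; };
static int fake_get(void *ctx, const char *name, char *buf, unsigned long len)
{
    const struct fake_req *r = ctx;
    const char *v = !strcmp(name, "HTTPS") ? r->https : r->cert_flags;
    if (!v || strlen(v) >= len) return 0;
    strcpy(buf, v);
    return 1;
}
enum gate check_sample(const char *url, const char *https, const char *flags)
{
    static const char *const policy[] = { "/MyUrl", NULL };  /* constructed */
    struct fake_req r = { https, flags };
    return cert_gate(fake_get, &r, url, policy);
}
```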

Re: how to create IIsWebDirectory without mapping them to physical

on 07.09.2007 12:14:03 by Kshitiz

Thanks David for your inputs. However it is not a solution to my problem.

Running your command made changes in metabase.xml.

An ISAPIFilter is already applied even before it reaches the level of
IISWebFile. So if my filter is able to provide output to the request,
whatever I configure at IISWebFile/IISWebDirectory level does not matter. No
SSL/client-cert is required in any case, ISAPIFilter provided output without
even looking at the client cert requirement.

Thanks,
Kshitiz

"David Wang" wrote:

> On Sep 6, 10:40 am, Kshitiz wrote:
> > This is with reference to previous question - "Client Certificate Auth only
> > for certain urls handled by ISAPI filter"
> >
> > Ques was :
> > I have written a ISAPI filter. It handles all the request urls and generate
> > output. None of the urls are mapped to file system.
> >
> > Now I want anonymous access to most of the urls served by this ISAPI filter.
> >
> > However for certain urls, I want to enable client certificate based
> > authentication.
> >
> > I got response from David :
> > Configure IIS to enable SSL and require Client Certificates for those
> > URLs. If they don't exist as vdirs or physical directories in IIS,
> > then create IIsWebDirectory and IIsWebFile nodes as appropriate
> > placeholders for them in the Virtual namespace. Of course, none of
> > them need to map to the file system
> >
> > Then, use GetServerVariable() with the various documented server
> > variable names to read the relevant Client Certificate data and do
> > your custom authentication/authorization.
> >
> > //David
> >
> > Now my ques is :
> > I do not know how to define those URLs. Please provide more input on
> > that. If you can point to some document that will be great. Please provide
> > inputs on how to create IIsWebDirectory and IIsWebFile without mapping them
> > to physical directory.
> >
> > Also I do not want to hard-code client certificate verification in my code.
> > I want it to be outside, which can be modified easily as per client
> > certificate.
> >
> > Thanks,
> > Kshitiz
>
>
> CSCRIPT %SYSTEMDRIVE%\Inetpub\AdminScripts\ADSUTIL.VBS CREATE W3SVC/1/ROOT/MyUrl IIsWebDirectory
> CSCRIPT %SYSTEMDRIVE%\Inetpub\AdminScripts\ADSUTIL.VBS CREATE W3SVC/1/ROOT/MyUrl/MyFilename.extension IIsWebFile
> CSCRIPT %SYSTEMDRIVE%\Inetpub\AdminScripts\ADSUTIL.VBS SET W3SVC/1/ROOT/MyUrl/MyFilename.extension/AccessSSLFlags 320
>
> You will notice that request to:
> http://localhost/MyUrl/MyFilename.extension
>
> will now require SSL and Client Certificate
>
> /MyUrl and /MyFilename.extension do not need to exist at all.
>
>
> //David
> http://w3-4u.blogspot.com
> http://blogs.msdn.com/David.Wang
> //
>
>

Re: how to create IIsWebDirectory without mapping them to physical

on 08.09.2007 09:10:49 by David Wang

It all depends on when in the request pipeline your ISAPI Filter acts.

If it acts in SF_NOTIFY_PREPROC_HEADER, then it controls which URL and
hence which metadata, including the IIsWebFile settings, is loaded by
IIS. If it acts afterwards, then the IIsWebFile settings will take
effect.

It is always tricky when you want to modify web server behavior like
this, because timing matters.

You haven't given sufficient information about how your filter works,
so I cannot give any better advice.


//David
http://w3-4u.blogspot.com
http://blogs.msdn.com/David.Wang
//



On Sep 7, 3:14 am, Kshitiz wrote:
> Thanks David for your inputs. However it is not a solution to my problem.
>
> Running your command made changes in metabase.xml.
>
> A ISAPIFilter is already applied even before it reaches the level of
> IISWebFile. So if my filter is able to provide output to the request,
> whatever I configure at IISWebFile/IISWebDirectory level does not matter. No
> SSL/client-cert is required in any case, ISAPIFilter provided output without
> even looking at the client cert requirement.
>
> Thanks,
> Kshitiz
>
>
>
> "David Wang" wrote:
> > On Sep 6, 10:40 am, Kshitiz wrote:
> > > This is with reference to previous question - "Client Certificate Auth only
> > > for certain urls handled by ISAPI filter"
>
> > > Ques was :
> > > I have written a ISAPI filter. It handles all the request urls and generate
> > > output. None of the urls are mapped to file system.
>
> > > Now I want anonymous access to most of the urls served by this ISAPI filter.
>
> > > However for certain urls, I want to enable client certificate based
> > > authentication.
>
> > > I got response from David :
> > > Configure IIS to enable SSL and require Client Certificates for those
> > > URLs. If they don't exist as vdirs or physical directories in IIS,
> > > then create IIsWebDirectory and IIsWebFile nodes as appropriate
> > > placeholders for them in the Virtual namespace. Of course, none of
> > > them need to map to the file system
>
> > > Then, use GetServerVariable() with the various documented server
> > > variable names to read the relevant Client Certificate data and do
> > > your custom authentication/authorization.
>
> > > //David
>
> > > Now my ques is :
> > > I do not know how to define those URLs. Please provide more input on
> > > that. If you can point to some document that will be great. Please provide
> > > inputs on how to create IIsWebDirectory and IIsWebFile without mapping them
> > > to physical directory.
>
> > > Also I do not want to hard-code client certificate verification in my code.
> > > I want it to be outside, which can be modified easily as per client
> > > certificate.
>
> > > Thanks,
> > > Kshitiz
>
> > CSCRIPT %SYSTEMDRIVE%\Inetpub\AdminScripts\ADSUTIL.VBS CREATE W3SVC/1/ROOT/MyUrl IIsWebDirectory
> > CSCRIPT %SYSTEMDRIVE%\Inetpub\AdminScripts\ADSUTIL.VBS CREATE W3SVC/1/ROOT/MyUrl/MyFilename.extension IIsWebFile
> > CSCRIPT %SYSTEMDRIVE%\Inetpub\AdminScripts\ADSUTIL.VBS SET W3SVC/1/ROOT/MyUrl/MyFilename.extension/AccessSSLFlags 320
>
> > You will notice that request to:
> > http://localhost/MyUrl/MyFilename.extension
>
> > will now require SSL and Client Certificate
>
> > /MyUrl and /MyFilename.extension do not need to exist at all.
>
> > //David
> > http://w3-4u.blogspot.com
> > http://blogs.msdn.com/David.Wang
> > //

Re: how to create IIsWebDirectory without mapping them to physical

on 10.09.2007 13:28:00 by Kshitiz

Hi David,

Yes, my filter acts in SF_NOTIFY_PREPROC_HEADER. So I have implementations
for the following methods:
- static DWORD filterPreprocHeaders(PHTTP_FILTER_CONTEXT pfc,
  PHTTP_FILTER_PREPROC_HEADERS notification)
- static DWORD filterPluginPreprocHeaders(PHTTP_FILTER_CONTEXT pfc,
  PHTTP_FILTER_PREPROC_HEADERS notification)

Now it is defined to act on all URLs matching "/", thus it will act on all
the requests made to IIS. Now please let me know which metadata this will
relate to. And is there any way to specify a specific URL in that metadata for
which I can do client certificate based authentication, and for others allow
anonymous access?

Thanks,
Kshitiz

"David Wang" wrote:

> It all depends on when in the request pipeline your ISAPI Filter acts.
>
> If it acts in SF_NOTIFY_PREPROC_HEADER, then it controls which URL and
> hence which metadata, including the IIsWebFile settings, is loaded by
> IIS. If it acts afterwards, then the IIsWebFile settings will take
> effect.
>
> It is always tricky when you want to modify web server behavior like
> this, because timing matters.
>
> You haven't given sufficient information about how your filter works,
> so I cannot give any better advice.
>
>
> //David
> http://w3-4u.blogspot.com
> http://blogs.msdn.com/David.Wang
> //

Re: how to create IIsWebDirectory without mapping them to physical

on 14.09.2007 05:00:23 by David Wang

Please clarify what your filter does in SF_NOTIFY_PREPROC_HEADERS.

By definition, SF_NOTIFY_PREPROC_HEADERS event happens before
authentication and authorization. At this point, it sounds like you
expect the filter's behavior to depend on authentication/
authorization, which means that your current filter design is
incompatible with what you want to do.

Thus, I want you to describe what exactly your filter does and what
information it needs, to determine if it needs to be in
SF_NOTIFY_PREPROC_HEADERS at all. Based on what your filter does, I
can recommend a different event, if possible.


//David
http://w3-4u.blogspot.com
http://blogs.msdn.com/David.Wang
//




On Sep 10, 4:28 am, Kshitiz wrote:
> Hi David,
>
> Yes my filter acts in SF_NOTIFY_PREPROC_HEADER. So I have implementation
> for following methods :
> - static DWORD filterPreprocHeaders(PHTTP_FILTER_CONTEXT pfc,
> PHTTP_FILTER_PREPROC_HEADERS notification)
> - static DWORD filterPluginPreprocHeaders(PHTTP_FILTER_CONTEXT pfc,
> PHTTP_FILTER_PREPROC_HEADERS notification)
>
> Now it is defined to act on all url matching "/", thus it will act on all
> the requests made to IIS. Now please let me know, this will relate to which
> metadata. And is there any way to specify a specific url in that metadata for
> which I can do client certificate based authentication, and for other allow
> anonymous access.
>
> Thanks,
> Kshitiz
>
>
>
> "David Wang" wrote:
> > It all depends on when in the request pipeline your ISAPI Filter acts.
>
> > If it acts in SF_NOTIFY_PREPROC_HEADER, then it controls which URL and
> > hence which metadata, including the IIsWebFile settings, is loaded by
> > IIS. If it acts afterwards, then the IIsWebFile settings will take
> > effect.
>
> > It is always tricky when you want to modify web server behavior like
> > this, because timing matters.
>
> > You haven't given sufficient information about how your filter works,
> > so I cannot give any better advice.
>
> > //David
> > http://w3-4u.blogspot.com
> > http://blogs.msdn.com/David.Wang
> > //