Apr 22, 2011, 12:02 PM
[CLOSED] bypassing authentication for EXTJS EXTNET resources
hi,
i saw in MVC example method of bypassing authentication for EXTJS EXTNET resources:
please advice,
thanks,
i saw in MVC example method of bypassing authentication for EXTJS EXTNET resources:
protected void Application_AuthenticateRequest(object sender, System.EventArgs e)
{
string url = HttpContext.Current.Request.RawUrl.ToLower();
if(url.Contains("ext.axd"))
{
HttpContext.Current.SkipAuthorization = true;
}
...more unrelated code..
}
but i'm not using MVC and i did the following in web.config for all the folders generated by ext.net on runtime:<location path="extjs">
<system.web>
<authorization>
<allow users="*" />
</authorization>
</system.web>
</location>
<location path="extnet">
<system.web>
<authorization>
<allow users="*" />
</authorization>
</system.web>
</location>
<location path="icons">
<system.web>
<authorization>
<allow users="*" />
</authorization>
</system.web>
</location>
<location path="ux">
<system.web>
<authorization>
<allow users="*" />
</authorization>
</system.web>
</location>
it work fine, but i want to know if this good solution or its hack! because extnet have already 2 configs! what is the use of these 2 configs:<section name="extnet" type="Ext.Net.GlobalConfig" requirePermission="false"/>
<httpHandlers>
<add path="*/ext.axd" verb="*" type="Ext.Net.ResourceHandler" validate="false"/> <!--does validate=false suppose to bypass auth?!-->
</httpHandlers>
i'm afraid that allowing full access to all ext resources is bad in which hacker might invoke DirectRequest without authentication! or that's not true! also is global.asax is better than doing it in web.config!!please advice,
thanks,
Last edited by Daniil; May 02, 2011 at 10:28 AM.
Reason: [CLOSED]