Does ASP Classic has its own security framework or does it use that of IIS?

1
votes

I'm supporting a site that still uses mixed ASP.NET and ASP Classic. The user receives a 'You are not authorized' error page while accessing certain ASP Classic page. I've checked her active directory account and she could access other pages in the said site. Can it be attributed to classic ASP or to IIS?

3
securityasp-classic
You'd need to provide more detail for any chance of a sensible answer - AnthonyWJones
A user or all users? What actually happens? Did they used to be able to access? What's changed? - AnthonyWJones

3 Answers

2
votes

ASP is entirely dependent on the underlying IIS and the OS for security. It has none of its own. In ASP you access Request.ServerVariables("AUTH_USER"), etc. when the connection is authenticated, but this is done by IIS.

2
votes

ASP Classic is a very simple framework. I cannot imagine it has its own security framework (I assume that means user authentication, etc.) unless it was programmed into the application itself.

1
votes

You can force ASP to use the ASP.NET authentication by making a few changes in IIS so ASP files are using the aspnet_isapi.dll just like the asp.net pages.

Scott Guthrie published an article about this Tip/Trick: Integrating ASP.NET Security with Classic ASP and Non-ASP.NET URLs

Once you make this change classic asp pages can be protected just as asp.net pages using the standard asp.net security features.