Security trimming against asp.net web.config

  • Question

  • Hi,

    Maybe it is a silly question, but does FAST search support security trimming against the settings in an ASP.NET web.config authorization tag?

    For example, I have an asp.net site in my IIS. Any user belonging to domain\managers can access this website, but everyone else can NOT.

    I am using windows authentication in this ASP.NET site, and below is the web.config file:

    <?xml version="1.0" encoding="UTF-8"?>
    <configuration>
        <system.webServer>
            <security>
                <authorization>
                    <remove users="*" roles="" verbs="" />
                    <add accessType="Allow" users="" roles="domain\managers" />
                    <add accessType="Allow" users="crawler" />
                </authorization>
            </security>
        </system.webServer>
    </configuration>

    Now I set up a web crawler in the FAST search content SSA to crawl it. The crawler works fine and indexed all pages. But regardless of who queries the index (belonging to domain\managers or not), the search engine just returns all pages. The security trimming is NOT working.

    I googled a lot, including reading http://social.technet.microsoft.com/Forums/zh/fastsharepoint/thread/2534d505-770a-4ab2-a8fe-9579ac7419f4 and http://msdn.microsoft.com/en-us/magazine/ff796226.aspx, but did not find a solution yet.

    I understand these are OOTB security trimmings in FAST/SharePoint search, but do they work with the web.config setting? Or do I have to implement a custom security trimming?

    BTW I tested with SharePoint search, but got the same problem.

    Thanks!

    -Feng 

    Friday, December 28, 2012 8:44 AM

Answers

  • Hi,

    Web crawls are indexed with public credentials, and you will have to create your own crawler implementing custom security to get it filtered.

    When you are specifying who can access a web page, that is authorization checking by IIS. There is no way for any crawler to pick up who has access and who has not like you would when checking properties on a file.

    If your web pages are static there is a workaround. Set correct security on the files in the file system. Then set up a crawl of a file share with those files. In addition, set up a server name mapping on the SSA which points from file://server/share to http://server.

    This way the files will get security trimmed, and IIS will do the same checking when a user clicks it.

    Thanks,
    Mikael Svenson


    Search Enthusiast - SharePoint MVP/MCT/MCPD - If you find an answer useful, please up-vote it.
    http://techmikael.blogspot.com/
    Author of Working with FAST Search Server 2010 for SharePoint

    • Marked as answer by Feng_Lu Friday, January 4, 2013 5:00 AM
    Sunday, December 30, 2012 8:49 PM

All replies

  • Hi Mikael,

    Thanks, the OOTB security trimming for file share crawling works. Then I have to set up identical permission settings in web.config and in the folder permissions.

    E.g. in web.config we disallow the user group domain\employee from accessing this web site, as well as setting domain\employee to denied permission in the folder sharing.

    Thanks,

    Feng

    Friday, January 4, 2013 5:06 AM
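Since the workaround only stays secure while the web.config authorization rules and the NTFS permissions on the crawled share say the same thing, a drift check is useful. The script below is an added example, not code from the thread or from FAST/SharePoint: it parses the IIS <authorization> rules out of a web.config (constructed from the one in the question plus the Deny rule for domain\employee from the follow-up) and compares them with a hypothetical, hand-built summary of the share's ACL.

```python
import xml.etree.ElementTree as ET

# Constructed web.config, based on the one in the question plus a Deny rule
# for domain\employee as described in the follow-up reply.
WEB_CONFIG = """<?xml version="1.0" encoding="UTF-8"?>
<configuration>
  <system.webServer>
    <security>
      <authorization>
        <remove users="*" roles="" verbs="" />
        <add accessType="Allow" users="" roles="domain\\managers" />
        <add accessType="Allow" users="crawler" />
        <add accessType="Deny" users="" roles="domain\\employee" />
      </authorization>
    </security>
  </system.webServer>
</configuration>
"""

# Constructed ACL summary for the file share (hypothetical; in practice you
# would build this set from the NTFS ACL of the share, e.g. an icacls listing).
SHARE_ACL = {
    ("domain\\managers", "Allow"),
    ("crawler", "Allow"),
    ("domain\\contractors", "Allow"),  # drift: never granted in web.config
}


def parse_authorization_rules(web_config_xml):
    """Return {(principal, accessType)} from the IIS <authorization> <add> rules."""
    root = ET.fromstring(web_config_xml)
    rules = set()
    for auth in root.iter("authorization"):
        for rule in auth:
            if rule.tag != "add":
                continue
            access = rule.get("accessType", "Allow")
            principals = rule.get("users", "").split(",") + rule.get("roles", "").split(",")
            for principal in principals:
                principal = principal.strip()
                if principal:
                    rules.add((principal, access))
    return rules


def find_drift(web_rules, acl_entries):
    """Rules present in one place but not the other; empty lists mean no drift."""
    return {
        "only_in_web_config": sorted(web_rules - acl_entries),
        "only_in_share_acl": sorted(acl_entries - web_rules),
    }


if __name__ == "__main__":
    drift = find_drift(parse_authorization_rules(WEB_CONFIG), SHARE_ACL)
    for key, entries in drift.items():
        print(key, entries or "none")
```

Any entry reported under either key is a case where a user would be trimmed differently by search than by IIS, which is exactly the mismatch the workaround depends on avoiding.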