I've a site hosted on IIS7. The site uses Flask with wfastcgi in case that's relevant. It's not publicly facing so I'm trying to just use Windows Authorization to block user groups that I don't want to be able to access it, so I have my web.config set like this:

<?xml version="1.0" encoding="UTF-8"?>
<configuration>
    <system.webServer>
        <handlers>
            <add name="FlaskHandler" path="*" verb="*" modules="FastCgiModule" scriptProcessor="C:\Python34\python.exe|C:\inetpub\wwwroot\mysite\wfastcgi.py" resourceType="Unspecified" />
        </handlers>
        <security>
            <authorization>
                <add accessType="Deny" users="?" />
                <add accessType="Deny" users="GroupName" />
                <add accessType="Allow" users="*" />
            </authorization>
        </security>
    </system.webServer>
</configuration>

This doesn't seem to have any effect; users in the AD Group "GroupName" can still load the site as normal. I've tried it with and without the following <add accessType="Allow" users="*" /> line.

What am I doing wrong here?

Dan Scally
  • That's desired. IIS authorization was designed for scenarios like Windows authentication, but your Python apps do not use that at all. You should also read why today you should not use wfastcgi or Windows to host Python apps, https://stackoverflow.com/tags/wfastcgi/info – Lex Li Dec 11 '18 at 14:09
  • @LexLi thanks. I'd love to use Linux, but alas the situation prevents it I think. I didn't realise wfastcgi was deprecated, that's annoying. I'll have to have a think about what to do then. – Dan Scally Dec 11 '18 at 14:58
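
Added example, not part of the original post or comments: a simplified Python model of how IIS URL Authorization evaluates the rules in the question (Deny rules first, then Allow, no match means deny), comparing the posted `users="GroupName"` rule with the same rule written using the `roles` attribute, which is the attribute IIS matches against group membership. It assumes Windows authentication is enabled so that requests carry a user identity; the account names `alice` and `bob` and the group `Staff` are constructed sample values.

```python
import xml.etree.ElementTree as ET

# Authorization section as posted in the question (handlers omitted).
AS_POSTED = """<configuration><system.webServer><security><authorization>
  <add accessType="Deny" users="?" />
  <add accessType="Deny" users="GroupName" />
  <add accessType="Allow" users="*" />
</authorization></security></system.webServer></configuration>"""

# Same rules, with the group named in roles= instead of users=.
WITH_ROLES = AS_POSTED.replace('users="GroupName"', 'roles="GroupName"')


def _names(value):
    """Split a comma-separated users/roles attribute into lower-cased names."""
    return {n.strip().lower() for n in (value or "").split(",") if n.strip()}


def rule_matches(rule, user, groups):
    """user is None for an anonymous request; groups holds the user's group names."""
    users = _names(rule.get("users"))
    roles = _names(rule.get("roles"))
    if "*" in users:            # "*" matches every request
        return True
    if user is None:            # "?" matches only anonymous requests
        return "?" in users
    # users= is compared with the account name, roles= with group membership.
    return user.lower() in users or bool(roles & {g.lower() for g in groups})


def is_allowed(config_xml, user, groups=()):
    """Simplified model (assumption): Deny rules first, then Allow, else deny."""
    root = ET.fromstring(config_xml)
    rules = [r for a in root.iter("authorization") for r in a.findall("add")]
    for access in ("Deny", "Allow"):
        for rule in rules:
            if rule.get("accessType") == access and rule_matches(rule, user, groups):
                return access == "Allow"
    return False


if __name__ == "__main__":
    for label, cfg in (("as posted", AS_POSTED), ("with roles=", WITH_ROLES)):
        print(label, "-> member of GroupName allowed:",
              is_allowed(cfg, "alice", {"GroupName"}))
```

With the posted rules the group member falls through both Deny rules and is admitted by the final Allow rule; with `roles="GroupName"` the Deny rule matches.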

0 Answers