If you've worked with ASP.NET forms authentication security, you know that by default it only protects ASP.NET resources, like *.aspx pages. So what about those PDFs, and *.html pages? What about WebPublisher?
That's right. You may have stopped anonymous users from getting to the search page, but they could still query your databases by constructing a URL which accessed WebPublisher directly. This means that canned queries are open doors also!
Fortunately you can protect non ASP.NET resources with ASP.NET security. Scott Guthrie describes how to use wildcard mappings in IIS 6.0 and better to route any URL through forms authentication, and apparently it's not a significant performance drag (unlike mapping an extension directly to ASP.NET).
I've tested this with my installation of DB/Text WebPublisher Pro 10. I had to reduce the dbtw-wpd virtual directory from virtual application to mere virtual folder so as to easily make it part of my existing ASP.NET applications, but that didn't affect the operation of WebPublisher in any way. So, success!
We Andornauts spend more time than is probably healthy obsessing about the security of WebPublisher, and have already developed comprehensive solutions for locking down web access to WebPublisher textbases. The above technique just puts another arrow in the quiver.
If you're concerned about security, and would like to consult with us on how to control web access to your textbases, contact us at firstname.lastname@example.org.