Question
Wednesday, September 3, 2014 6:24 AM
I have a website which includes some data that must not be directly accessible by the client. I have that inside the folder as
```
root
|- Confidential
|   |- Test.txt
|   |- web.config
|   |- _PageStart.cshtml
|- web.config
```
What I want to do is deny the user access to the Confidential folder as a whole, so that any of its content, if accessed directly, is redirected somewhere to show a simple 404.
I have even tried using the web.config file, as there was a solution on Stack Overflow to create a new web.config file and then write this to it.
```xml
<?xml version="1.0"?>
<configuration>
  <system.web>
    <authorization>
      <allow users="admin" />
      <deny users="*" />
    </authorization>
  </system.web>
</configuration>
```
But it doesn't work for me. Then I tried using another method by replacing the name of the file, and writing it as _Test.txt. But I guess, ASP.NET only controls the .cshtml files and other ASP.NET files to be hidden this way.
Another method applied was setting the error code to 404 by creating a new page called **_PageStart.cshtml** and then writing this code
```cshtml
@{
    Response.StatusCode = 404;
}
```
..but again! The page was directly accessible. After all these methods, I came here to find a solution to this problem. How can I deny access to all of the files, or to the folder as a whole, in ASP.NET?
All replies (5)
Wednesday, September 3, 2014 8:10 AM ✅Answered
Solution, add
```xml
<security>
  <requestFiltering>
    <hiddenSegments>
      <add segment="folderName"/>
    </hiddenSegments>
  </requestFiltering>
</security>
```
..to the system.webServer section and it will result in a 404.
Wednesday, September 3, 2014 12:17 PM ✅Answered
App_Data is protected by ASP.NET Request Filtering. You will have to create a handler of some kind to access the content of App_Data or any folder that you protect using Request filtering. Then you perform authentication in the handler.
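The handler approach described in this answer, as an added example that is not code from the thread: an `IHttpHandler` that authenticates the caller and then serves a file out of App_Data. The class name, the `name` query parameter, the `confidential.axd` path and the `admin` role are assumptions made for illustration.

```csharp
using System;
using System.IO;
using System.Web;

// Added example. ConfidentialFileHandler, the "name" query parameter and the
// "admin" role are hypothetical. Assumed registration in <system.webServer><handlers>:
//   <add name="ConfidentialFile" path="confidential.axd" verb="GET"
//        type="ConfidentialFileHandler" />
public class ConfidentialFileHandler : IHttpHandler
{
    public bool IsReusable { get { return true; } }

    public void ProcessRequest(HttpContext context)
    {
        var user = context.User;
        bool allowed = user != null && user.Identity.IsAuthenticated
                       && user.IsInRole("admin");
        // Resolve the file only for an authorized caller.
        string full = allowed ? Resolve(context) : null;
        if (full == null)
        {
            // Same answer as request filtering gives for the folder itself.
            context.Response.StatusCode = 404;
            return;
        }
        context.Response.ContentType = "application/octet-stream";
        context.Response.AddHeader("Content-Disposition",
            "attachment; filename=\"" + Path.GetFileName(full) + "\"");
        context.Response.AddHeader("X-Content-Type-Options", "nosniff");
        context.Response.TransmitFile(full);
    }

    // Returns the full path of an existing file directly inside App_Data, or null.
    private static string Resolve(HttpContext context)
    {
        // Accept a bare file name only. Path separators and ':' are invalid
        // file-name characters on Windows, so "..\web.config" is rejected here.
        string name = context.Request.QueryString["name"] ?? string.Empty;
        if (name.Length == 0 || name.IndexOfAny(Path.GetInvalidFileNameChars()) >= 0)
            return null;

        // Confirm the resolved path is still inside App_Data (catches "..").
        string root = Path.GetFullPath(context.Server.MapPath("~/App_Data"));
        string full = Path.GetFullPath(Path.Combine(root, name));
        bool inside = full.StartsWith(root + Path.DirectorySeparatorChar,
                                      StringComparison.OrdinalIgnoreCase);
        return inside && File.Exists(full) ? full : null;
    }
}
```

Unauthorized callers and bad file names get the same 404, so the response does not reveal which files exist in the folder.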
Wednesday, September 3, 2014 8:28 AM
By default, static content is not protected by forms authentication within an ASP.NET application. If your site is running in integrated mode on IIS 7 or above, you can make a change to the web.config file to change this. Add the following to your web.config file:
```xml
<system.webServer>
  <modules>
    <remove name="FormsAuthenticationModule" />
    <add name="FormsAuthenticationModule" type="System.Web.Security.FormsAuthenticationModule" />
    <remove name="UrlAuthorization" />
    <add name="UrlAuthorization" type="System.Web.Security.UrlAuthorizationModule" />
    <remove name="DefaultAuthentication" />
    <add name="DefaultAuthentication" type="System.Web.Security.DefaultAuthenticationModule" />
  </modules>
</system.webServer>
```
You also need to add the following to protect the Confidential folder:
```xml
<location path="Confidential">
  <system.web>
    <authorization>
      <deny users="?" />
    </authorization>
  </system.web>
</location>
```
You should add that to the <configuration> section. Then you just need to ensure your app is set up to use Forms authentication:
```xml
<system.web>
  <authentication mode="Forms" />
</system.web>
```
See this for more information on Integrated Pipeline: http://www.iis.net/learn/application-frameworks/building-and-running-aspnet-applications/how-to-take-advantage-of-the-iis-integrated-pipeline
Wednesday, September 3, 2014 8:33 AM
Solution, add
```xml
<security>
  <requestFiltering>
    <hiddenSegments>
      <add segment="folderName"/>
    </hiddenSegments>
  </requestFiltering>
</security>
```
..to the system.webServer section and it will result in a 404.
That will work if you don't want anyone to be able to access the static content of the folder. And I mean anyone. Your OP suggests that you might want an authorised person to be able to access the content in which case my reply might help.
Wednesday, September 3, 2014 10:39 AM
Afzaal.Ahmad.Zeeshan
Solution, add
```xml
<security>
  <requestFiltering>
    <hiddenSegments>
      <add segment="folderName"/>
    </hiddenSegments>
  </requestFiltering>
</security>
```
..to the system.webServer section and it will result in a 404.
That will work if you don't want anyone to be able to access the static content of the folder. And I mean anyone. Your OP suggests that you might want an authorised person to be able to access the content in which case my reply might help.
Yes, I did check that thing out and it was *anyone*.
But I found that the App_Data folder is a better way of doing this. Each and every piece of content present inside the folder, if directly accessed, gets a 404 error. That folder has the same thing? Deny All users thing or a separate control by ASP.NET? So, I changed the idea of doing this thing by pasting the stuff inside the App_Data folder and letting ASP.NET handle it.
And yes, I want to ignore all of the users from accessing the data in that folder. I will create a UI for the admins (or as a whole the team of mine) to work with the files in that folder because server has the access to the file and contents.