Deny access to a directory with web.config

Matt · Apr 26, 2005

Hello,
I'm working on a portal based on IBuySpy, where the main page is
desktopdefault.aspx and all content is stored in
www.domain.com/content/html/nnn
or
www.domain.com/content/images/nnn
and injected in the desktopdefault.aspx page.

How can I prevent users doing www.domain.com/content/images/test.jpg
and getting the image (or the html file, or whatever inside the
content directory?)
It doesn't matter if the user is authenticated or not, I just want
obly the webapplication to be able to load and display the files
inside the /content directory.

Can I do this just manipulating the web.config, without changing
directory permissions on the webserver?

Thanks!

Brock Allen · Apr 26, 2005

You can move the directory outside of the web application's directory.

-Brock
DevelopMentor
http://staff.develop.com/ballen

Matt · Apr 27, 2005

Good suggestion, but is there a way to control access to that
directory with the web.config?

Thanks.

Juan T. Llibre · Apr 27, 2005

web.config :

<?xml version="1.0" encoding="utf-8" ?>
<configuration>

<system.web>
<authorization>
<allow users="ASPNET's account name"/>
<deny users="*"/>
</authorization>

</system.web>
</configuration>

Juan T. Llibre
ASP.NET MVP
http://asp.net.do/foros/
Foros de ASP.NET en Español
Ven, y hablemos de ASP.NET...
======================

Juan T. Llibre · Apr 27, 2005

There's a step-by-step tutorial at :

http://www.dotnetcoders.com/web/Articles/ShowArticle.aspx?article=186

Juan T. Llibre
ASP.NET MVP
http://asp.net.do/foros/
Foros de ASP.NET en Español
Ven, y hablemos de ASP.NET...
======================

Matt · Apr 27, 2005

I tried, but nothing changes, the user can still do something like
www.domain.com/content/html/test.htm
and see the content.

Matt · Apr 27, 2005

Thanks I'll read it

Brock Allen · Apr 27, 2005

Good suggestion, but is there a way to control access to that

directory with the web.config?

Not if IIS is serving up the files, as the request never makes it to ASP.NET.

-Brock
DevelopMentor
http://staff.develop.com/ballen

Juan T. Llibre · Apr 27, 2005

I think that adding the specific file types to the files managed
by ASP.NET will turn the trick if you implement forms-based
authentication to the directory.

Juan T. Llibre
ASP.NET MVP
http://asp.net.do/foros/
Foros de ASP.NET en Español
Ven, y hablemos de ASP.NET...
======================

Brock Allen · Apr 27, 2005

I think that adding the specific file types to the files managed by

ASP.NET will turn the trick if you implement forms-based
authentication to the directory.

Yep, that will work.

-Brock
DevelopMentor
http://staff.develop.com/ballen

More: Deny direct access to jpg, swf... files, without authentication	1	Apr 28, 2005
Protecting my CSS using a location tag in web.config	4	Aug 18, 2006
Deny Access to MP3 folder	2	Oct 31, 2007
Refering to a master page from a directory	4	Jul 4, 2006
how to access site content after authentication	3	Oct 6, 2007
Authenticate Users In Web.Config?	1	Sep 16, 2006
allow anonymous access to directory	1	May 23, 2006
window based authentication with members defined in a distribution list.	2	Feb 21, 2010

Deny access to a directory with web.config

Matt

Brock Allen

Matt

Juan T. Llibre

Juan T. Llibre

Matt

Matt

Brock Allen

Juan T. Llibre

Brock Allen

Ask a Question

Similar Threads