Ok, I have an asp.net application and inside this application, I have a folder with excel files. These excel files contain protected information, and should not be publicly viewable. I'm trying to make it so that someone could not type in the hyperlink of one of the files and view the data.I have a web.config file inside the directory that I am concerned about. It reads
<?xml version="1.0" encoding="utf-8"?>
<configuration>
<system.web>
<authorization>
<deny users="*"/>
</authorization>
</system.web>
</configuration>
but it doesn't work, and the files are still accessable. How would I accomplish this?
I'm also not using ASP.NET Membership roles in my application, and I just want to allow access to the files once someone is authenticated. How would I allow them access?
I'm hosting this on IIS 8.
Well, it looks like I should have just researched a little longer. Adding:
<system.webServer>
<modules runAllManagedModulesForAllRequests="true"/>
</system.webServer>
To my application's main Web.Config seems to have done it.
Related
I have a directory contains some documents,
i would like to allow access to files on this directory only if the user successfully logged in to a website.
the login users and passwords managed by aspNet Membership tables and stored at the DB.
if the directory was sitting on the website is would be easy since it restricted by default
but physical path of the directory is not inside the website
and i prefer to leave it that way, since this directory can be access from another website
how to solve this?
thanks
You should add the runAllManagedModulesForAllRequests attribute to the modules tag in your web.config like so:
<system.webServer>
<modules runAllManagedModulesForAllRequests="true">
...
</modules>
...
</system.webServer>
This will impose your dotnet security on all files like word documents and such. Then you can secure the folder using the location section in web.config like so:
<location path="SomeVirtualDirectory">
<system.web>
<authorization>
<allow roles="admin" />
<deny users="*" />
</authorization>
</system.web>
</location>
Its not possible to navigate outside of a website directory as it is outside scope of your website and no way depends on the website credentials.
The file directory doesn't have to be a physical subdirectory of your site. If you add it as a virtual directory inside your application, you can just set authentication appropriately.
Alternatively you can just issue something like this:
string filename = #"F:\SomeDirectory\Foo.txt";
Response.TransmitFile(filename);
Then you can just set authentication on this page, for example called DownloadFile.aspx.
I've got a legacy flash app (no access to the source) that when it completes it opens a pdf in a new window automatically.
Is there some way to prevent this one file at this one specific location from opening (again, keeping in mind I cant edit the flash)
So it opens to http://site.com/Files/Video/Completion.pdf directly in the browser, no handler or anything to change.
You can drop a web.config in that folder which will prevent the files from being accessed unless they are in a specific role:
<configuration>
<system.web>
<authorization>
<allow roles="WHATEVER-ALLOWED-ROLES"/>
<deny users="*"/>
</authorization>
</system.web>
</configuration>
If you only want to lock down that specific file you can wrap that <system.web> with <location path="filepath-and-name">
This will likely require you to add the following handler to your root web.config in the "handlers" section, as usually IIS will serve up the file before ASP.NET touches it. This will make PDFs go through ASP.NET which can then handle the Role restrictions from above:
<add name="PDFHandler-Integrated" path="*.pdf" verb="GET" type="System.Web.StaticFileHandler" modules="ManagedPipelineHandler" requireAccess="Script" preCondition="integratedMode" />
You could lock the file down on the web server or delete it? If you can't alter the source you can't prevent the window.open from happening, but you can prevent the delivery.
i have one subfolder called MySubFolder in my web form project and i want that all the page in that folder will be protected by form authentication. so i search google to do it. i got a xml snippet which i need to put in my main web.config file. the xml snippet as follows
<location path="MySubFolder">
<system.web>
<authorization>
<deny users="?"/>
</authorization>
</system.web>
</location>
so i want to know that does it protect all files in my subfolder? plzz let me know. thanks
Yes, it protects all folder content. And sub-folders' content too (except case when you allow access to sub-folder manually). I.e. with you configuration and next project structure
only authorized users will have access both to MySubFolder/Test.aspx and MySubFolder/MySubFolder2/Test2.aspx.
I'm trying to add a directory for anon access in IIS 7.5. It works under Web Dev but not IIS 7.5
I'm currently using this web.config in the directory. This is a directory with style sheets:
<?xml version="1.0"?>
<!--
Note: As an alternative to hand editing this file you can use the
web admin tool to configure settings for your application. Use
the Website->Asp.Net Configuration option in Visual Studio.
A full list of settings and comments can be found in
machine.config.comments usually located in
\Windows\Microsoft.Net\Framework\v2.x\Config
-->
<configuration>
<appSettings/>
<connectionStrings/>
<system.web>
<authorization>
<allow users="*" />
</authorization>
</system.web>
</configuration>
Update:
I've went to the folder and under Authentication, I've changed anonymous authentication from IIS_USR to pool. This seems to have correct it.
I will reward anyone who provides a very good explanation and resources for understanding this setting. Also, how to apply it globally would be good to know -- for all folders.
Since you answered your own question, here is the explanation that might help
Authorization deals with who IIS will offer resources to. Those resources, however, have their own security as they are just files on a file system.
The Authentication element in the config assists in determining how IIS will identify a user's requests after its accepted and as it accesses resources beyond/external to IIS.
This is set at the site level, typically in the applicationHost.config file for your server. It can, if properly setup, be overridden at the site level.
IIS.net pages about this:
http://www.iis.net/ConfigReference/system.webServer/security/authorization/add
http://www.iis.net/ConfigReference/system.webServer/security/authentication/anonymousAuthentication
The .config version of what you did in the UI is:
<location path="/yourSite">
<system.webServer>
<security>
<authentication>
<anonymousAuthentication enabled="true" username="" />
</authentication>
</security>
</system.webServer>
</location>
On the anon. auth method, the username field is who IIS will impersonate when resources are accessed. When you don't specify one, it defaults to use the identity of the apppool.
Now, as to why this mattered ... check the actual file on disk (the .css). If this fixed the problem that would mean IUSR doesn't have access to read that file.
You don't have a location defined for your authorization. You also don't specify what sort of authentication you're using within the web.config (if any).
<location path="/">
<system.web>
<authorization>
<allow users="*"/>
</authorization>
</system.web>
</location>
I am upgrading my site to IIS7, .NET 4.0 and Integrated Pipeline and am having some issues.
I have a sub application (virtual directory on a remote server) in my IIS install which contains static files, and I want it to be authenticated using WindowAuthentication where as the rest of my site will be using FormsAuthentication.
It has a web.config that looks like:
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
<system.web>
<authentication mode="Windows" />
<authorization>
<allow users="?" />
</authorization>
</system.web>
I add the 2 authentication modules in the parent web.config and remove the default managedOnly precondition. Although, obviously because of the remove statement the directory is not under any authentication. However if I remove those lines, I get a generic server 500 error. Am I missing something else?
Okay, so the reason this was happening was actually pretty simple, the application didn't have a Bin directory and so it didn't have any of the DLLs it needed and so it was throwing an error because it didn't know how to create a new WindowsAuthenticationModule