Can forms authentication restrict any path? - asp.net

Our client has a virtual file server set up which contains some PDFs he wanted to restrict. He thought they would be restricted from non-logged-in users; however, they've somehow turned up in Google search results.
So my question is, if I set up forms authentication (he currently doesn't have any authentication) on his website, can I restrict access to any directory I want? For example, the path of the PDFs is on another server, mapped to the "S" drive like this:
S:\Files\PDFs\
Can I list this path somewhere in a config file to restrict it to only authenticated users?
Thanks

You can put this kind of web.config in the folder where the PDF files are located. This will not allow unauthenticated users to access your files.
<location path="FolderNameAuthenticationNeed" allowOverride="true">
  <system.web>
    <authorization>
      <deny users="?"/>
    </authorization>
  </system.web>
</location>

Related

How to restrict access a folder in my domain using web.config file aspx page

Hello, I'm having a domain
www.xxxx.com/folder/folder/default.aspx
Inside the second folder I'm having a lot of subfolders.
I want to restrict access for unauthorized users.
Can anyone explain how to do this using Web
I want to check the user name [session] from the cookies.
If the session is there, I need to allow access, otherwise deny.
Can anyone please help?
<system.web>
  <authorization>
    <deny users="?"/>
    <allow users="xxxx"/>
  </authorization>
</system.web>
Now it's blocking all users; it's not allowing user xxxx.
Please help
The best way for doing this is setting the authentication mode to Windows. By doing this the server will use the domain accounts or the local user accounts to allow access. You just have to set the appropriate permissions to these users or to their user groups directly in this folder (by using the security tab in Windows folder properties).

IIS and Active Directory Permissions

I have built an ASP.NET website for my company's intranet. It is utilizing Windows authentication; we use Active Directory. What I want to do is restrict certain pages of this website (add, delete) so only a few people can access them. Any ideas on how to do this? I want to create groups in Active Directory so I can just add people to them and they automatically can access these restricted pages.
Thanks for any help
You just need to tell ASP.NET what to protect and how. This is done through your web.config settings. For example, if you change your web.config for your ASP.NET application to reflect the following:
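<system.web>
  <!-- Windows AD auth -->
  <authentication mode="Windows" />
  <identity impersonate="true"/>
  <authorization>
    <!-- Rules are evaluated top-down and the first match wins, so the deny comes first -->
    <deny users="?"/>   <!-- Deny unauthenticated users -->
    <allow users="*"/>  <!-- Only authenticated users reach this rule and are allowed into the web site -->
  </authorization>
</system.web>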
Then add location config sections that only allow certain roles to visit certain parts of the application. Roles translate to Active Directory Groups, for instance:
<location path="Admin">
  <system.web>
    <authorization>
      <allow roles="BUILTIN\Administrators" />  <!-- only allow users of this AD group -->
      <deny users="*"/>                          <!-- deny everyone else -->
    </authorization>
  </system.web>
</location>
This tells ASP.NET to only allow users within the Active Directory Group called "Administrators" to get access to the pages within that folder.
Also, the "path" setting of the location node in the web.config file can be set to individual files of your application if they are not separated out into a folder.
If your app is MVC, the location "path" variable corresponds to the path taken to invoke your endpoints. These are usually specified in your RouteConfig.cs file. For instance, if you have MVC URLs "website.com/viewA/show" vs "website.com/AdminView/show", then to restrict access to viewA the path would be "viewA", and "AdminView" for restricting access to AdminView URLs.
You would use the file/folder permissions to restrict users to those pages. So if you have a folder called HR with some pages in it, you would set the folder permissions on the HR folder to allow Read access to the HR group in Active Directory.
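The `<allow>` and `<deny>` elements in the `<authorization>` sections above are evaluated top-down and the first matching rule decides, with the root configuration's `<allow users="*"/>` as the final fallback, so their order matters. The following C# model of that evaluation is an added example, not code from the answers or from ASP.NET; the type names are hypothetical, the identities are constructed, and the `verbs` attribute is left out.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;

public enum Effect { Allow, Deny }
// One <allow> or <deny> element (simplified: the verbs attribute is not modelled).
public sealed class Rule
{
    public readonly Effect Effect;
    public readonly string Users;   // "*", "?" or a comma-separated list of names
    public readonly string Roles;   // comma-separated list of role names, or null
    public Rule(Effect effect, string users = null, string roles = null)
    { Effect = effect; Users = users; Roles = roles; }

    public bool Matches(string user, ICollection<string> userRoles)
    {
        bool anonymous = string.IsNullOrEmpty(user);
        if (Users == "*") return true;        // everyone, including anonymous
        if (Users == "?") return anonymous;   // unauthenticated requests only
        if (anonymous) return false;          // anonymous has no name and no roles
        return InList(Users, user) || userRoles.Any(r => InList(Roles, r));
    }
    private static bool InList(string list, string value) =>
        list != null && list.Split(',').Any(x => string.Equals(x.Trim(), value, StringComparison.OrdinalIgnoreCase));
}

public static class UrlAuthorizationModel
{
    // Walk the rules top-down; the first rule that matches decides.
    // The root configuration ends the merged list with <allow users="*"/>.
    public static bool IsAllowed(IEnumerable<Rule> rules, string user, params string[] roles)
    {
        foreach (Rule rule in rules.Concat(new[] { new Rule(Effect.Allow, users: "*") }))
            if (rule.Matches(user, roles)) return rule.Effect == Effect.Allow;
        return false;
    }

    public static void Main()
    {
        // Constructed rule sets and identities (a null user stands for an anonymous request).
        var allowFirst = new[] { new Rule(Effect.Allow, users: "*"), new Rule(Effect.Deny, users: "?") };
        var denyFirst = new[] { new Rule(Effect.Deny, users: "?"), new Rule(Effect.Allow, users: "*") };
        var adminOnly = new[] { new Rule(Effect.Allow, roles: @"BUILTIN\Administrators"), new Rule(Effect.Deny, users: "*") };
        Console.WriteLine("allow * first, anonymous: " + IsAllowed(allowFirst, null));
        Console.WriteLine("deny ? first, anonymous:  " + IsAllowed(denyFirst, null));
        Console.WriteLine("Admin path, plain user:   " + IsAllowed(adminOnly, @"CORP\alice", @"CORP\Staff"));
        Console.WriteLine("Admin path, admin user:   " + IsAllowed(adminOnly, @"CORP\bob", @"BUILTIN\Administrators"));
    }
}
```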

how to prevent access to virtual directory without login to a website

I have a directory that contains some documents.
I would like to allow access to files in this directory only if the user has successfully logged in to a website.
The login users and passwords are managed by ASP.NET Membership tables and stored in the DB.
If the directory was sitting in the website it would be easy, since it is restricted by default,
but the physical path of the directory is not inside the website,
and I prefer to leave it that way, since this directory can be accessed from another website.
How to solve this?
thanks
You should add the runAllManagedModulesForAllRequests attribute to the modules tag in your web.config like so:
<system.webServer>
  <modules runAllManagedModulesForAllRequests="true">
    ...
  </modules>
  ...
</system.webServer>
This will impose your dotnet security on all files like word documents and such. Then you can secure the folder using the location section in web.config like so:
<location path="SomeVirtualDirectory">
  <system.web>
    <authorization>
      <allow roles="admin" />
      <deny users="*" />
    </authorization>
  </system.web>
</location>
It's not possible to navigate outside of a website directory, as it is outside the scope of your website and in no way depends on the website credentials.
The file directory doesn't have to be a physical subdirectory of your site. If you add it as a virtual directory inside your application, you can just set authentication appropriately.
Alternatively you can just issue something like this:
string filename = @"F:\SomeDirectory\Foo.txt";
Response.TransmitFile(filename);
Then you can just set authentication on this page, for example called DownloadFile.aspx.
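A download endpoint of the kind the last answer describes, as an added example that is not part of the original answers: it refuses unauthenticated requests and accepts only a bare file name that resolves inside the document directory, so the parameter cannot be used to read other files on the server. The handler name, the `name` query parameter and the directory are assumptions.

```csharp
using System;
using System.IO;
using System.Web;

// Hypothetical handler, e.g. requested as Download.ashx?name=Foo.txt
public class ProtectedFileHandler : IHttpHandler
{
    // Placeholder for the document directory outside the web root.
    private static readonly string BaseDir =
        Path.GetFullPath(@"F:\SomeDirectory").TrimEnd('\\') + "\\";

    public bool IsReusable { get { return true; } }

    public void ProcessRequest(HttpContext context)
    {
        // Checked here as well as in <authorization>, so a config slip does not expose the files.
        if (!context.Request.IsAuthenticated)
        {
            context.Response.StatusCode = 401;
            return;
        }
        string path = Resolve(context.Request.QueryString["name"]);
        if (path == null || !File.Exists(path))
        {
            context.Response.StatusCode = 404;
            return;
        }
        context.Response.ContentType = "application/octet-stream";
        context.Response.AddHeader("Content-Disposition",
            "attachment; filename=\"" + Path.GetFileName(path) + "\"");
        context.Response.Cache.SetCacheability(HttpCacheability.NoCache);
        context.Response.TransmitFile(path);
    }

    // Returns the full path only for a bare file name that stays inside BaseDir, else null.
    public static string Resolve(string name)
    {
        if (string.IsNullOrWhiteSpace(name)) return null;
        try
        {
            if (Path.GetFileName(name) != name) return null;   // rejects "..\x", "sub/x", "C:x"
            string full = Path.GetFullPath(Path.Combine(BaseDir, name));
            return full.StartsWith(BaseDir, StringComparison.OrdinalIgnoreCase) ? full : null;
        }
        catch (Exception ex) when (ex is ArgumentException || ex is NotSupportedException || ex is PathTooLongException)
        {
            return null;   // illegal characters or a malformed path
        }
    }
}
```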

Authentication subdirectory access

How to restrict directory level access to only authenticated users? I need www.testpage.net/help to be accessible only for authenticated users + help folder contains only pure html files.
Can I do this?
Currently users can log into www.testpage.net.
You can have a web.config file with the access list defined there. So, in other words, in your Help directory, have a web.config file that contains something like:
....
<authorization>
<deny users="?" />
</authorization>
....

How to prevent accessing unauthorized user to resource such as .pdf file in host?

At the moment in my ASP.NET web app I have some resources such as some .pdf files or pictures in a specific folder on the host.
If any user knows the URL of those files, they can access them from the browser. How can I manage access or ban anonymous users from those files?
You can use the location directive in web.config.
<location path="resources">
  <system.web>
    <authorization>
      <allow roles="Customers"/>
      <deny users="*"/>
    </authorization>
  </system.web>
</location>
This way you can put your resources (pdf, images) in the directory "resources".
Only Customers will be able to show them.
Note that they can still download the files and upload them to another server, but I guess you already know that.
See http://msdn.microsoft.com/en-us/library/aa291347(VS.71).aspx
