Authentication subdirectory access - asp.net

How to restrict directory level access to only authenticated users? I need www.testpage.net/help to be accessible only for authenticated users + help folder contains only pure html files.
Can I do this?
Currently uses can log into www.testpage.net.

You can have a web.config file with the access list defined there. So, in other words, in your Help directory, have a web.config file that contains something like:
....
<authorization>
<deny users="?" />
</authorization>
....

Related

Prevent anonymous access to /script/admin folder in MVC5

In my /scripts folder, I have an "admin" subfolder (/scripts/admin).
How can I prevent anonymous access to this folder? I need only logged in admins to have access to this folder/files (and its subfolders).
I've tried this in web.config, but it doesn't work...
<location path="scripts/admin" allowOverride="false">
<system.web>
<authorization>
<deny users="?" />
</authorization>
</system.web>
</location>
Any idea?
I'm not sure if this is a good idea but you could try the following
move the content of your scripts/admin to App_Data, content of this
folder will never gets served by the web server.
create a new controller with just the one action method that accepts
a filename argument and returns the file with the matching name from
the App_data folder
make sure this controller can only be accessible by an admin using
the Authorize attribute.

use root web.config instead of sub-folders web.config

i was trying to find out how can i use only root web.config instead of each one in any sub-folders of a ASP.NET Webforms project on the internet, but unfortunately i could not find propper answer. for example we have a project that has sub-folders like Administrator or Users and in the each one we have Web.Config files that authenticate users and restrict users by their permission.
With this mentioned issue, is it possible that we use ONLY a root web.config to authenticate users without any web.config in sub-folders?
Please help me.
Shadman
You cannot combine <location> and <authorization> tags in a web.config file. You need to have config files for your sub-directories as well, or there is a workaround for a single config file that adds code to your aspx and code-behind files.
Web.config allow location access for specific user
You can use location element
example
<location path="subdir1">
<system.web>
<authorization>
<allow users ="*" />
</authorization>
</system.web>
</location>

Can forms authentication restrict any path?

Our client has a virtual file server setup which contains some PDF's he wanted to restrict. He thought they would be restricted from non-logged in users, however they've somehow turned up in google search results.
So my question is, if I setup forms authentication (he currently doesn't have any authentication) on his website, can I restrict access to any directory I want? For example, the path of the PDF's is on another server, mapped to the "S" drive like this:
S:\Files\PDFs\
Can I list this path somewhere in a config file to restrict it to only authenticated users?
Thanks
you can put this kind of web.config in the folder where pdf files are located , this will not allow unauthnicated user to access you files
<location path="FolderNameAuthenticationNeed" allowOverride="true">
<system.web>
<authorization>
<deny users="?"/>
</authorization> </system.web>
</location>

Protect Sub Folder using Web.config file?

i have one subfolder called MySubFolder in my web form project and i want that all the page in that folder will be protected by form authentication. so i search google to do it. i got a xml snippet which i need to put in my main web.config file. the xml snippet as follows
<location path="MySubFolder">
<system.web>
<authorization>
<deny users="?"/>
</authorization>
</system.web>
</location>
so i want to know that does it protect all files in my subfolder? plzz let me know. thanks
Yes, it protects all folder content. And sub-folders' content too (except case when you allow access to sub-folder manually). I.e. with you configuration and next project structure
only authorized users will have access both to MySubFolder/Test.aspx and MySubFolder/MySubFolder2/Test2.aspx.

How to prevent accessing unauthorized user to resource such as .pdf file in host?

At the moment in my ASP.NET webApp I have some resources such as some .pdf files or pictures in specific folder in the host .
If any user know the URL of those files can access them from the browser , How can i manage access or ban anonymous user from those files ?
You can use the location directive in web.config.
<location path="resources">
<system.web>
<authorization>
<allow roles="Customers"/>
<deny users="*"/>
</authorization>
</system.web>
</location>
This way you can put your resources (pdf, images) in the directory "resources".
Only Customers will be able to show them.
Note that they can still download the files and upload it to other server, but I guess you already know that.
See http://msdn.microsoft.com/en-us/library/aa291347(VS.71).aspx

Resources