Protect Sub Folder using Web.config file? - asp.net

i have one subfolder called MySubFolder in my web form project and i want that all the page in that folder will be protected by form authentication. so i search google to do it. i got a xml snippet which i need to put in my main web.config file. the xml snippet as follows
<location path="MySubFolder">
<system.web>
<authorization>
<deny users="?"/>
</authorization>
</system.web>
</location>
so i want to know that does it protect all files in my subfolder? plzz let me know. thanks

Yes, it protects all folder content. And sub-folders' content too (except case when you allow access to sub-folder manually). I.e. with you configuration and next project structure
only authorized users will have access both to MySubFolder/Test.aspx and MySubFolder/MySubFolder2/Test2.aspx.

Related

Prevent anonymous access to /script/admin folder in MVC5

In my /scripts folder, I have an "admin" subfolder (/scripts/admin).
How can I prevent anonymous access to this folder? I need only logged in admins to have access to this folder/files (and its subfolders).
I've tried this in web.config, but it doesn't work...
<location path="scripts/admin" allowOverride="false">
<system.web>
<authorization>
<deny users="?" />
</authorization>
</system.web>
</location>
Any idea?
I'm not sure if this is a good idea but you could try the following
move the content of your scripts/admin to App_Data, content of this
folder will never gets served by the web server.
create a new controller with just the one action method that accepts
a filename argument and returns the file with the matching name from
the App_data folder
make sure this controller can only be accessible by an admin using
the Authorize attribute.

how to prevent access to virtual directory without login to a website

I have a directory contains some documents,
i would like to allow access to files on this directory only if the user successfully logged in to a website.
the login users and passwords managed by aspNet Membership tables and stored at the DB.
if the directory was sitting on the website is would be easy since it restricted by default
but physical path of the directory is not inside the website
and i prefer to leave it that way, since this directory can be access from another website
how to solve this?
thanks
You should add the runAllManagedModulesForAllRequests attribute to the modules tag in your web.config like so:
<system.webServer>
<modules runAllManagedModulesForAllRequests="true">
...
</modules>
...
</system.webServer>
This will impose your dotnet security on all files like word documents and such. Then you can secure the folder using the location section in web.config like so:
<location path="SomeVirtualDirectory">
<system.web>
<authorization>
<allow roles="admin" />
<deny users="*" />
</authorization>
</system.web>
</location>
Its not possible to navigate outside of a website directory as it is outside scope of your website and no way depends on the website credentials.
The file directory doesn't have to be a physical subdirectory of your site. If you add it as a virtual directory inside your application, you can just set authentication appropriately.
Alternatively you can just issue something like this:
string filename = #"F:\SomeDirectory\Foo.txt";
Response.TransmitFile(filename);
Then you can just set authentication on this page, for example called DownloadFile.aspx.

use root web.config instead of sub-folders web.config

i was trying to find out how can i use only root web.config instead of each one in any sub-folders of a ASP.NET Webforms project on the internet, but unfortunately i could not find propper answer. for example we have a project that has sub-folders like Administrator or Users and in the each one we have Web.Config files that authenticate users and restrict users by their permission.
With this mentioned issue, is it possible that we use ONLY a root web.config to authenticate users without any web.config in sub-folders?
Please help me.
Shadman
You cannot combine <location> and <authorization> tags in a web.config file. You need to have config files for your sub-directories as well, or there is a workaround for a single config file that adds code to your aspx and code-behind files.
Web.config allow location access for specific user
You can use location element
example
<location path="subdir1">
<system.web>
<authorization>
<allow users ="*" />
</authorization>
</system.web>
</location>

Authentication subdirectory access

How to restrict directory level access to only authenticated users? I need www.testpage.net/help to be accessible only for authenticated users + help folder contains only pure html files.
Can I do this?
Currently uses can log into www.testpage.net.
You can have a web.config file with the access list defined there. So, in other words, in your Help directory, have a web.config file that contains something like:
....
<authorization>
<deny users="?" />
</authorization>
....

Disabling folder with pages in asp.net

i have a simple question
How to disable a folder with aspx pages in asp.net
Thw folder is "Administration" and i want to disable it that it cannot be called in browser by typing .../Administratin/edit.aspx, or that simple to redirect to a login page if we want to go to the administration part
First enable forms based authentication. This can be done for VB and C#.
Next you have to specify who will have access to what. This can be done in the web.config.
Apologies if these articles are a little out of date.
Use a locations element and config settings to restrict access to folders.
<location path="Administration">
<system.web>
<authorization>
<allow roles="Administrators" />
<deny users="*" />
</authorization>
</system.web>
</location>
Change the NTFS security permissions on the Administration Folder for
<drive>:\intepub\wwwroot\...\Administration
and restrict access via that way.
You can also right click go to properties in IIS for the folder and remove various granular browsing permissions.
You can also edit the web.config and change permissions there.

Resources