Prevent user from direct access to a folder

  • Question

  • User895691971 posted

    I have a website which includes some data that must not be directly accessible by the client. I have that inside the folder as

    root
    |-Confidential
      |-Test.txt
      |- web.config
      |- _PageStart.cshtml
    web.config

    ..what I want to do is to deny access to the folder Confidential as a whole by the user, so that all of the content, if accessed directly, would be redirected somewhere to show a simple 404.

    I have even tried using the web.config file as there was a solution in Stack Overflow, to create a new web.config file and then write this to it.

    <?xml version="1.0"?>
    <configuration>
        <system.web>
          <authorization>
            <allow users="admin" />
            <deny users="*" />
          </authorization>
        </system.web>
    </configuration>

    But it doesn't work for me. Then I tried using another method by replacing the name of the file, and writing it as _Test.txt. But I guess, ASP.NET only controls the .cshtml files and other ASP.NET files to be hidden this way.

    Another method applied was setting the error code to 404 by creating a new page called _PageStart.cshtml and then writing this code

    @{
        Response.StatusCode = 404;
    }

    ..but again! The page was directly accessible. After all these methods, I came here to find a solution to this problem. How can I deny access to all of the files or the folder as a whole in ASP.NET?

    Wednesday, September 3, 2014 6:24 AM

All replies

  • User895691971 posted

    Solution, add

    <security>
      <requestFiltering>
        <hiddenSegments>
          <add segment="folderName"/>
        </hiddenSegments>
      </requestFiltering>
    </security>

    ..to the system.webServer section and it will result in a 404.

    • Marked as answer by Anonymous Thursday, October 7, 2021 12:00 AM
    Wednesday, September 3, 2014 8:10 AM
  • User-821857111 posted

    By default, static content is not protected by forms authentication within an ASP.NET application. If your site is running in integrated mode on IIS 7 or above, you can make a change to the web.config file to change this. Add the following to your web.config file:

    <system.webServer>
        <modules>
            <remove name="FormsAuthenticationModule" />
            <add name="FormsAuthenticationModule" type="System.Web.Security.FormsAuthenticationModule" />
            <remove name="UrlAuthorization" />
            <add name="UrlAuthorization" type="System.Web.Security.UrlAuthorizationModule" />
            <remove name="DefaultAuthentication" />
            <add name="DefaultAuthentication" type="System.Web.Security.DefaultAuthenticationModule" />
        </modules>
    </system.webServer>

    You also need to add the following to protect the Confidential folder:

    <location path="Confidential">
        <system.web>
            <authorization>
                <deny users="?" />
            </authorization>
        </system.web>
    </location>

    You should add that to the <configuration> section. Then you just need to ensure your app is set up to use Forms authentication:

    <system.web>
        <authentication mode="Forms" />
    </system.web>

    See this for more information on Integrated Pipeline: http://www.iis.net/learn/application-frameworks/building-and-running-aspnet-applications/how-to-take-advantage-of-the-iis-integrated-pipeline

    Wednesday, September 3, 2014 8:28 AM
  • User-821857111 posted

    Solution, add

    <security>
      <requestFiltering>
        <hiddenSegments>
          <add segment="folderName"/>
        </hiddenSegments>
      </requestFiltering>
    </security>

    ..to the system.webServer section and it will result in a 404.

    That will work if you don't want anyone to be able to access the static content of the folder. And I mean anyone. Your OP suggests that you might want an authorised person to be able to access the content in which case my reply might help. 

    Wednesday, September 3, 2014 8:33 AM
  • User895691971 posted

    Afzaal.Ahmad.Zeeshan

    Solution, add

    <security>
      <requestFiltering>
        <hiddenSegments>
          <add segment="folderName"/>
        </hiddenSegments>
      </requestFiltering>
    </security>

    ..to the system.webServer section and it will result in a 404.

    That will work if you don't want anyone to be able to access the static content of the folder. And I mean anyone. Your OP suggests that you might want an authorised person to be able to access the content in which case my reply might help. 

    Yes, I did check that thing out and it was anyone. 

    But I found that the App_Data folder is a better way of doing this. Each and every content present inside the folder, if directly accessed, gets a 404 error. That folder has the same thing? Deny All users thing or a separate control by ASP.NET? So, I changed the idea of doing this thing by pasting the stuff inside the App_Data folder and let the ASP.NET handle it.

    And yes, I want to ignore all of the users from accessing the data in that folder. I will create a UI for the admins (or as a whole the team of mine) to work with the files in that folder because server has the access to the file and contents. 

    Wednesday, September 3, 2014 10:39 AM
  • User-821857111 posted

    App_Data is protected by ASP.NET Request Filtering. You will have to create a handler of some kind to access the content of App_Data or any folder that you protect using Request filtering. Then you perform authentication in the handler.

    • Marked as answer by Anonymous Thursday, October 7, 2021 12:00 AM
    Wednesday, September 3, 2014 12:17 PM
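
The handler approach from the last reply, as an added example that is not code from the thread: it authorizes the caller before reading from the protected folder and accepts only a bare file name, so the request cannot walk out of that folder. The class name, the `name` query parameter, the `admin` role and the `~/App_Data/Confidential` path are assumptions.

```csharp
using System;
using System.IO;
using System.Web;

// Hypothetical handler. Register it under <system.webServer><handlers>, e.g.
//   <add name="ConfidentialFile" path="confidential-file.ashx" verb="GET"
//        type="ConfidentialFileHandler" />   (name and path are assumptions)
public class ConfidentialFileHandler : IHttpHandler
{
    public bool IsReusable { get { return true; } }

    public void ProcessRequest(HttpContext context)
    {
        // Authenticate and authorize before touching the file system.
        // "admin" is an assumed role name; adapt it to your membership setup.
        var user = context.User;
        if (user == null || !user.Identity.IsAuthenticated || !user.IsInRole("admin"))
        {
            NotFound(context); // same answer a hidden segment gives
            return;
        }

        // Assumed location of the protected files.
        string root = Path.GetFullPath(context.Server.MapPath("~/App_Data/Confidential"))
                          .TrimEnd(Path.DirectorySeparatorChar) + Path.DirectorySeparatorChar;
        string name = context.Request.QueryString["name"] ?? string.Empty;

        // Bare file names only: separators, ':', '"' and control characters
        // are all in GetInvalidFileNameChars on Windows.
        if (name.Length == 0 || name.IndexOfAny(Path.GetInvalidFileNameChars()) >= 0)
        {
            NotFound(context);
            return;
        }

        // Canonicalize and confirm the result is still inside the folder
        // (this also rejects "." and "..").
        string full = Path.GetFullPath(Path.Combine(root, name));
        if (!full.StartsWith(root, StringComparison.OrdinalIgnoreCase) || !File.Exists(full))
        {
            NotFound(context);
            return;
        }

        context.Response.ContentType = "application/octet-stream";
        context.Response.AddHeader("Content-Disposition", "attachment; filename=\"" + name + "\"");
        context.Response.AddHeader("X-Content-Type-Options", "nosniff");
        context.Response.TransmitFile(full);
    }

    private static void NotFound(HttpContext context) { context.Response.StatusCode = 404; }
}
```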