8

I have the need to secure an entire folder of static HTML files. The intention is that a user cannot access these files unless they are authenticated and have the necessary role.

We've got cookie-based authentication set up using OWIN, but no matter what I try I can't seem to figure out the correct combination of changes to make to require authentication on the folder.

The first problem is that IIS is skipping ASP.NET completely and just serving the files. I think there's probably a way around that by setting runAllManagedModulesForAllRequests to true. But where do I go from there?

I've tried stuffing elements in the Web.config to require the proper roles, but it just results in EVERY request getting denied (presumably because it's not inspecting the proper cookie or something).

I've spent my entire day on this and I'm about to lose my mind.

Has anyone solved this problem?

Anthony Compton
  • Create a class that implements `IHttpHandler`, and put your security there. See http://stackoverflow.com/q/1146652 – Robert Harvey Sep 29 '14 at 22:09
  • In that scenario, I'd be putting my role-checking and such into the RouteHandler? I'm not positive, but that doesn't seem like the right place for that sort of thing. – Anthony Compton Sep 29 '14 at 22:13
  • Then serve the file from a standard controller method. That's probably how I would do it. You can front-load that with whatever security you want, and the MVC gods would be satisfied. – Robert Harvey Sep 29 '14 at 22:15
  • As @RobertHarvey stated, there are no issues using a controller as a gatekeeper to static content. Here is a previous SO answer I gave detailing how we go about performing authorization/authentication on static files - http://stackoverflow.com/questions/7208120/in-asp-net-mvc-is-there-a-good-library-or-pattern-to-follow-when-saving-users-c/7560390#7560390 – Tommy Sep 29 '14 at 22:20

1 Answer

3
  1. IIS is serving the static files. If you want to stop this, you can remove the default static file handler, and then every request is served by MVC/OWIN.
  2. Then do the static file handling and authorization in your controller: listen on/map the route where the static files are located.

To remove the default static file handler, add this to the web.config file:

```xml
<configuration>
    <system.webServer>
        <handlers>
           <remove name="StaticFile" />
        </handlers>
    </system.webServer>
</configuration>
```

Davit Tvildiani
  • How do I get this to work with angular? My web app is written in Angular 1.6 with Typescript. If I remove the StaticFile module the index.html is not served and it messes everything up. I just need to restrict access to the **attachments** folder, and serve static/media files only to authorized users. Any ideas? – Nexus Feb 18 '18 at 00:04
  • Take a look, this may help you: https://stackoverflow.com/a/11258217/715224 – Davit Tvildiani Feb 23 '18 at 19:11
  • You're a pal! Thanks a lot, lemme have a look and give it a try. Much obliged. – Nexus Feb 23 '18 at 19:27
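
The controller-as-gatekeeper approach from the answer and comments, sketched for ASP.NET MVC 5 as an added example (not code posted by anyone in this thread). The controller name, the `Member` role, the `~/App_Data/protected` folder and the `protected/{*path}` route are assumptions; it also assumes requests under `/protected/` reach the managed pipeline, for example through `runAllManagedModulesForAllRequests` as mentioned in the question.

```csharp
// Added example: every name below (controller, role, folder, route) is hypothetical.
using System;
using System.IO;
using System.Web;
using System.Web.Mvc;
using System.Web.Routing;

[Authorize(Roles = "Member")] // checked against the identity set by the OWIN cookie middleware
public class ProtectedFilesController : Controller
{
    // Files live under App_Data, which IIS request filtering does not serve directly,
    // so the only way to reach them is through this action.
    private const string RootVirtualPath = "~/App_Data/protected/";

    public ActionResult Get(string path)
    {
        if (string.IsNullOrWhiteSpace(path))
            return HttpNotFound();

        string root = Path.GetFullPath(Server.MapPath(RootVirtualPath));
        if (!root.EndsWith(Path.DirectorySeparatorChar.ToString()))
            root += Path.DirectorySeparatorChar;

        string full;
        try { full = Path.GetFullPath(Path.Combine(root, path)); }
        catch (Exception) { return HttpNotFound(); } // illegal characters, over-long paths

        // Reject anything that resolves outside the protected root ("..", rooted paths).
        // System.IO.File is spelled out because Controller.File(...) hides the type name here.
        if (!full.StartsWith(root, StringComparison.OrdinalIgnoreCase) || !System.IO.File.Exists(full))
            return HttpNotFound();

        return File(full, MimeMapping.GetMimeMapping(full));
    }
}

public static class ProtectedFilesRoutes
{
    // Call from RouteConfig.RegisterRoutes before the default route is mapped.
    public static void Register(RouteCollection routes)
    {
        routes.MapRoute(
            name: "ProtectedFiles",
            url: "protected/{*path}",
            defaults: new { controller = "ProtectedFiles", action = "Get" });
    }
}
```

Because only one folder is routed through the controller, the `StaticFile` handler can stay in place for everything else, which covers the case raised in the comments where `index.html` must still be served normally.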