Deny static content for unauthorized users using web.config

Question

In my asp.net MVC application I have tried to deny unauthorized users from an html file inside a sub folder. But it is not working as expected. Below is the web.config section which used right now.

<configuration>

<system.web>
  <compilation debug="true" targetFramework="4.5" />
  <authentication mode="Forms">
    <forms loginUrl="~/" defaultUrl="~/" slidingExpiration="true" timeout="60">
    </forms>
  </authentication>
  <authorization>
    <deny users="?" />
  </authorization>
</system.web>

<location path="Docs/help/index.html">
  <system.web>
    <authorization>
      <deny users="?" />
    </authorization>
  </system.web>
</location>

</configuration>

I think the global deny users will block all unauthorized access for all the pages, otherwise we should give specific permission. Please correct me If I am wrong.

But in my case even http://siteurl.com/Docs/help/index.html still able to access for an unauthorze user.

IIS - 7.5 , .NET - 4.5, MVC - 4

Please help me to resolve this issue.

MG

Answer 1

You have two ways to achieve it.

1st: <modules runAllManagedModulesForAllRequests=“true” /> Meaning
Add <modules runAllManagedModulesForAllRequests="true" /> in your web.config

(IIS < v7)
2nd: Global.asax Events in IIS 6 and IIS 7 for Static Resources
Add an wildcard managed handler to serve each request (inlucding static files which are handled by iis directly)

Answer 2

You can put a new Web.config in the folder that needs the permissions applied. Inside it do something like this

<?xml version="1.0" encoding="UTF-8"?>
<configuration>
    <system.web>
        <authorization>
            <deny users="?" />
        </authorization>
    </system.web>
</configuration>

Or you might need to wrap the <authorization> tag with a <security> tag.

If that doesn't work for you, try to do it via IIS Manager and see how it does it, then copy that.