2

I have an ASP.NET website, using .NET 4.0 and IIS 7.5, and using Classic Pipeline Mode in the Application Pool.

I'm using forms authentication, and the authorization setting in the web.config at the root folder of the website allows all users.

In a subfolder's web.config, I am setting authorization for that folder and its contents to block all anonymous users.

There is a pdf file in that subfolder, and even though I am denying anonymous users, I can read the pdf file and download it.

I am trying to block anonymous access to pdf files, and all of the examples I've found on how to do this are not working for me.

How can I block anonymous access to pdf, word, excel, and other files?

Bryan
  • Are there reasons for you using Classic Pipeline mode vs. Integrated Pipeline mode? – Russ Cam Feb 23 '15 at 22:51
  • We connect to multiple databases for the website. Some are MS SQL databases, and some are Oracle. Since we have to encrypt the web.config for the Oracle connection strings anyways, we also include the MS SQL connection strings in the web.config, since there are different connection strings depending on the database. – Bryan Feb 23 '15 at 22:57
  • If we changed to Integrated pipeline mode, how would that resolve blocking anonymous access to the pdf files? I did a test with Integrated Pipeline mode just now, and I was still able to access the pdf file as an anonymous user. – Bryan Feb 23 '15 at 23:06
  • 1
    It sounds like the pdf is being served by IIS via the `StaticFileHandler` before checking the authorization rules defined in the web.config. Running in Integrated Pipeline mode would allow the requests to be run through managed code, allowing you the opportunity to deny access to files by implementing logic in managed code in e.g. an `HttpModule` (but IIRC, running in Integrated Pipeline mode will obey the authorization rules defined in config) – Russ Cam Feb 23 '15 at 23:11
  • Thanks, we're going to have to look into how to solve this using Integrated Pipeline mode, and possibly implementing a custom HttpModule. The authorization rules while running in Integrated mode aren't blocking me from opening the pdf as an anonymous user. – Bryan Feb 23 '15 at 23:39
  • No worries. The easiest way to get it to work in Integrated Pipeline mode would be to set `` in the root web.config, but you may not want **all** requests going through the pipeline, so will leave it to you to decide :) – Russ Cam Feb 23 '15 at 23:42
  • 1
    @BryanHepburn I cover this in [this SO answer](http://stackoverflow.com/a/14146553/1810243) on how to block the download and [this SO answer](http://stackoverflow.com/a/19124733/1810243) on a custom handler. – MikeSmithDev Feb 24 '15 at 01:32
  • @MikeSmithDev Dude, you rock!! The procedure detailed in the first SO Answer link (http://stackoverflow.com/a/14146553/1810243) that you provided did the job just fine. If you would repost your comment as an answer, I'll mark it as the answer to my question. – Bryan Feb 24 '15 at 15:35
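
Added example, not part of the original thread or of the linked answers: one way to make the forms-authentication and URL-authorization rules apply to static files such as PDFs in Integrated Pipeline mode. IIS registers these modules with `preCondition="managedHandler"` by default, so they are skipped for requests served by the `StaticFileHandler`; re-registering them without the precondition makes them run for every request. The folder name `protected` and the login page `~/Login.aspx` are assumptions for illustration.

```xml
<?xml version="1.0"?>
<!-- Root web.config. The application pool must run in Integrated Pipeline mode. -->
<configuration>
  <system.web>
    <authentication mode="Forms">
      <!-- Hypothetical login page -->
      <forms loginUrl="~/Login.aspx" />
    </authentication>
    <!-- Site root stays open to everyone, as in the question -->
    <authorization>
      <allow users="*" />
    </authorization>
  </system.web>

  <!-- Hypothetical subfolder holding the PDF, Word and Excel files;
       equivalent to a web.config placed inside that folder -->
  <location path="protected">
    <system.web>
      <authorization>
        <deny users="?" />
      </authorization>
    </system.web>
  </location>

  <system.webServer>
    <modules>
      <!-- Weak default (inherited from applicationHost.config):
             <add name="UrlAuthorization" ... preCondition="managedHandler" />
           With that precondition the module never sees /protected/report.pdf. -->

      <!-- Corrected: remove and re-add without the precondition so the
           modules run for static content too -->
      <remove name="FormsAuthentication" />
      <add name="FormsAuthentication"
           type="System.Web.Security.FormsAuthenticationModule" />
      <remove name="UrlAuthorization" />
      <add name="UrlAuthorization"
           type="System.Web.Security.UrlAuthorizationModule" />
      <remove name="DefaultAuthentication" />
      <add name="DefaultAuthentication"
           type="System.Web.Security.DefaultAuthenticationModule" />
    </modules>
  </system.webServer>
</configuration>
```

To check the result, request a file under the protected folder from a browser session with no authentication cookie; the response should be a redirect to the login page rather than the file.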

0 Answers