1

I have successfully set up a test area on my website which is authenticated using forms auth on IIS 8. I am using this in integrated mode with ASP.NET, which as I understand should mean that with the correct web.config file I am able to make the server use the ASP.NET auth on everything, not just URLs. If I try to navigate to a page that I haven't entered the credentials for, it returns an error 403, which is what I expect. However, if I put in the path of a file stored on the site exactly, it downloads the file without the need for credentials to be provided. Here is my current top-level web.config:

```xml
<?xml version="1.0"?>
<configuration>
    <system.web>
        <compilation debug="false">
        </compilation>

        <authentication mode="Forms">
            <forms name=".ASPXFORMSAUTH" loginUrl="default.aspx" />
        </authentication>
        <!-- Site-wide default: allow all users -->
        <authorization>
            <allow users="*" />
        </authorization>
    </system.web>

    <!-- Protected area: deny anonymous (unauthenticated) users -->
    <location path="staff/test/test">
        <system.web>
            <authorization>
                <deny users="?"/>
            </authorization>
        </system.web>
    </location>

    <system.webServer>
        <!-- Managed auth modules are removed and re-added without a preCondition attribute -->
        <modules>
            <remove name="FormsAuthenticationModule" />
            <add name="FormsAuthenticationModule" type="System.Web.Security.FormsAuthenticationModule" />
            <remove name="UrlAuthorization" />
            <add name="UrlAuthorization" type="System.Web.Security.UrlAuthorizationModule" />
            <remove name="RoleManager" />
            <add name="RoleManager" type="System.Web.Security.RoleManagerModule" />
            <remove name="DefaultAuthentication" />
            <add name="DefaultAuthentication" type="System.Web.Security.DefaultAuthenticationModule" />
        </modules>
    </system.webServer>
</configuration>
```

The area /staff/test/test has a Word document in it. If I type www.website.com/staff/test/test/test.doc into my browser, it downloads the file.

What should I change to secure that file?

rene
  • Can you try adding this to your modules node: runAllManagedModulesForAllRequests="true"? – Sushil Apr 27 '15 at 16:27
  • @Sushil while that would work, it is not necessary and is overkill. [This answer](http://stackoverflow.com/a/21970733/1810243) shows how to put specific file types through ASP.NET pipeline so they can be secured through web.config. – MikeSmithDev Apr 27 '15 at 16:31
  • Thanks @MikeSmithDev. An HttpHandler is always best for this case. – Sushil Apr 27 '15 at 16:33
  • Another approach if you need to do more advanced handling: http://stackoverflow.com/a/19124733/1810243. – MikeSmithDev Apr 27 '15 at 16:38

1 Answer

0

Thanks for your replies. In the end it turned out to be the security permissions on the root of the website. The code I originally pasted on here worked fine. I had the server\users group having read permissions, whereas I only needed iis_iusers having read permissions.

Thanks again
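
An added example, not part of the original question or answer: a small Python check that reads a web.config like the one in the question and reports which `<location>` paths deny anonymous users, and whether the Forms authentication and URL authorization modules are registered in a way that skips static files such as test.doc. The sample config is constructed (the question's config with `preCondition="managedHandler"` added to one module), and `audit` and `AUTH_MODULES` are hypothetical names.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the question's config, with a managedHandler
# precondition added to one module to show what the check flags.
SAMPLE = """<configuration>
  <location path="staff/test/test">
    <system.web><authorization><deny users="?"/></authorization></system.web>
  </location>
  <system.webServer>
    <modules>
      <remove name="FormsAuthenticationModule" />
      <add name="FormsAuthenticationModule" type="System.Web.Security.FormsAuthenticationModule" />
      <remove name="UrlAuthorization" />
      <add name="UrlAuthorization" type="System.Web.Security.UrlAuthorizationModule" preCondition="managedHandler" />
    </modules>
  </system.webServer>
</configuration>"""

AUTH_MODULES = ("FormsAuthenticationModule", "UrlAuthorization")

def audit(config_xml):
    """Return (protected_paths, findings) for a web.config given as a string."""
    root = ET.fromstring(config_xml)
    # <location> paths whose authorization section denies anonymous users ("?")
    protected = [
        loc.get("path", "")
        for loc in root.iter("location")
        if any("?" in d.get("users", "").split(",")
               for d in loc.findall("system.web/authorization/deny"))
    ]
    modules = root.find("system.webServer/modules")
    if modules is None:
        return protected, ["no <modules> section: inherited registrations apply"]
    # With this attribute set, managed modules run for every request
    if modules.get("runAllManagedModulesForAllRequests", "").lower() == "true":
        return protected, []
    added = {m.get("name"): m for m in modules.findall("add")}
    findings = []
    for name in AUTH_MODULES:
        mod = added.get(name)
        if mod is None:
            findings.append(f"{name}: not re-added here, inherited registration applies")
        elif "managedHandler" in mod.get("preCondition", "").split(","):
            findings.append(f"{name}: managedHandler precondition skips static files")
    return protected, findings
```

It checks the configuration only; the file-system permissions that the answer identifies as the cause are outside its scope.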