I have a C# Webform application.

It contains a Report folder, which contains some PDF files.

My application will show these reports on demand.

But I do not want someone to access these by typing the direct URL.

E.g.: www.abc.com/Reports/a.pdf

I created the following Web.config inside the report folder:

    <configuration>
        <system.web>
            <authorization>
                <deny users="?" />
            </authorization>
        </system.web>
    </configuration>

Still, when testing I can access pdf files directly.

Also per business rules, I cannot use Form Authentication.

S Nash

1 Answer

<system.web> controls configuration of the ASP.NET pipeline, not IIS. If you're running under IIS then ASP.NET will not be invoked for static file requests, such as the PDF file you mentioned.

To deny those requests use <system.webServer> instead. See this QA: How to make IIS7 stop serving a folder?

    <configuration>
        <system.webServer>
            <security>
                <requestFiltering>
                    <hiddenSegments>
                        <add segment="My_Directory" />
                    </hiddenSegments>
                </requestFiltering>
            </security>
        </system.webServer>
    </configuration>

Note that <system.webServer> requires IIS7 or later (Windows Server 2008). If you're running IIS6 (Windows Server 2003 or Windows XP) then this won't work.

Dai
  • I tested your solution, but now I cannot access the file from within the app. – S Nash Apr 03 '17 at 19:23
  • @SNash If your application serves the file by *redirecting* to the static file then it is impossible to filter requests to the files. To protect the files you should instead have your application return the files through your own code using `Response.WriteFile` (don't forget to set the `Content-Type` header too). – Dai Apr 03 '17 at 19:25
  • This answer is correct if ASP.NET is in classic mode, but not when it is in [integrated pipeline mode](http://stackoverflow.com/questions/716049/what-is-the-difference-between-classic-and-integrated-pipeline-mode-in-iis7). – John Wu Apr 03 '17 at 20:44
  • My concern is a user putting the direct URL to the PDF in the browser to access the file. – S Nash Apr 04 '17 at 17:36
  • Tested your solution. Worked perfectly. Currently using ASP.NET Framework (Web Forms) with AD authentication / organizational authentication. – NegativeFeedbackLoop Mar 09 '18 at 14:32
  • @JohnWu Only if you have “runManagedRequestHandlersForAllRequests” – Dai Feb 17 '21 at 18:45
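
The approach suggested in the comments (keep the folder hidden from direct requests and return the PDF through the application's own code with `Response.WriteFile` and a `Content-Type` header) could look like the following. This is an added example, not code from the question, the answer or the commenters; the handler name `ReportHandler`, the `name` query parameter and the `~/Reports` path are assumptions, and it assumes the site's existing authentication populates `context.User`.

```csharp
using System;
using System.IO;
using System.Web;

// Hypothetical generic handler (e.g. ReportHandler.ashx), requested as
// ReportHandler.ashx?name=a.pdf. Request filtering (hiddenSegments) blocks
// URLs under the folder, but does not stop application code reading from disk.
public class ReportHandler : IHttpHandler
{
    public bool IsReusable { get { return true; } }

    public void ProcessRequest(HttpContext context)
    {
        // Assumption: the site's authentication (e.g. Windows/AD) sets context.User.
        if (context.User == null || !context.User.Identity.IsAuthenticated)
        {
            context.Response.StatusCode = 401;
            return;
        }

        string requested = context.Request.QueryString["name"];

        // Accept a bare PDF file name only. The invalid-character set includes
        // '/', '\', ':', '"' and control characters, so this rejects directory
        // parts ("..\web.config") and header-breaking input in one check.
        if (string.IsNullOrEmpty(requested)
            || requested.IndexOfAny(Path.GetInvalidFileNameChars()) >= 0
            || !requested.EndsWith(".pdf", StringComparison.OrdinalIgnoreCase))
        {
            context.Response.StatusCode = 400;
            return;
        }

        string root = context.Server.MapPath("~/Reports");
        string fullPath = Path.GetFullPath(Path.Combine(root, requested));

        // Defence in depth: the resolved path must still be inside the report folder.
        if (!fullPath.StartsWith(root + Path.DirectorySeparatorChar, StringComparison.OrdinalIgnoreCase)
            || !File.Exists(fullPath))
        {
            context.Response.StatusCode = 404;
            return;
        }

        context.Response.ContentType = "application/pdf";
        context.Response.AddHeader("Content-Disposition", "inline; filename=\"" + requested + "\"");
        context.Response.WriteFile(fullPath);
    }
}
```

With this in place, pages link to the handler rather than to the PDF itself, so the `hiddenSegments` rule can stay enabled for the folder.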