
I need to prevent access to static files in a folder in an Asp.Net MVC web application.

I used to prevent access with the following config in the web.config:

<location path="help">
  <system.web>
    <authorization>
      <deny users="?" />
      <allow users="*"/>
    </authorization>
  </system.web>
</location>

but this web application is using OWIN and the cookie-based middleware, and it seems the IIS security check is bypassed:

using Microsoft.AspNet.Identity;          // DefaultAuthenticationTypes
using Microsoft.Owin;                     // PathString
using Microsoft.Owin.Security.Cookies;    // CookieAuthenticationOptions

// inside Startup.Configuration(IAppBuilder app)
app.UseCookieAuthentication(new CookieAuthenticationOptions
{
    AuthenticationType = DefaultAuthenticationTypes.ApplicationCookie,
    LoginPath = new PathString("/Login/index"),
    CookieHttpOnly = true,
    CookieSecure = CookieSecureOption.Always, // https for dev also
});

I thought the IIS security would apply to static files, but even if there's no cookie I can still access the folder.

How can I restrict the access to a specific folder for the authenticated user only?

Regards

Edit: thanks to Tommy's comment I can solve my problem, but is there any good reading for a better understanding of what we can / can't do using OWIN and ASP.NET MVC? I would like to understand why I can't prevent access with `deny users="?"`.

NicoD
  • One way that we did this (it was in regards to uploads but the principle is the same) was to use a controller action as a "gate" to the files and use IIS to prevent direct linking to the files folder itself. This way, the .NET app handles all the roles and authentications around the files. https://stackoverflow.com/questions/7208120/in-asp-net-mvc-is-there-a-good-library-or-pattern-to-follow-when-saving-users-c/7560390#7560390. Even though you can't access files from the browser, the application code can access those files in order to return them to the user – Tommy Oct 27 '17 at 23:26
  • @Tommy thanks for the pointer, hiddenSegments will do the trick. – NicoD Oct 28 '17 at 11:25
  • I just saw your edit. The reason is in how IIS and .NET play together. Abridged version: IIS handles all incoming requests. It first looks to see if a static (physical) file exists in the location. If it does, it returns that. If it doesn't, .NET takes over the request to see if it matches routes. OWIN runs in .NET, not IIS. So, if IIS sees a physical file, .NET is bypassed. That's why gating the content as I did above works: it passes the request on into the .NET pipeline. Can't speak to deny user, never used it for app security. IIS runs as a user itself, perhaps that matches `*` and not `?` – Tommy Nov 07 '17 at 00:59
  • or since IIS does not pass the request to the .NET pipeline, web.config could be completely bypassed. Not sure on which one without lots of reading at https://www.iis.net/learn – Tommy Nov 07 '17 at 01:18
  • @Tommy. I know that by default static files won't be managed by the .NET pipeline, and for performance it's not my goal, but with Forms Authentication we used a configuration like this one: [How do I protect static files with ASP.NET form authentication on IIS 7.5?](https://stackoverflow.com/questions/2903292/how-do-i-protect-static-files-with-asp-net-form-authentication-on-iis-7-5). I wonder if it's possible with OWIN – NicoD Nov 07 '17 at 11:14
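The "gate" pattern from Tommy's comment, written out as an added example (not code from the question or from any of the commenters). The assumptions are mine: the help files have been moved to `~/App_Data/help` (a folder IIS never serves directly), the controller is named `HelpFilesController`, and the `file` parameter is a path relative to that folder. Because the request now goes to an MVC action, the OWIN cookie middleware and `[Authorize]` apply to it, which is exactly what the `<location>` rule could not do for a physical file. The one check this pattern must not skip is path containment: the user-supplied name is canonicalised and rejected if it escapes the root, otherwise the gate would hand out any file the application identity can read.

```csharp
using System;
using System.IO;
using System.Web;
using System.Web.Mvc;

// Hypothetical gate controller (added example). Every request for a help
// file passes through here, so authentication is enforced by MVC/OWIN
// rather than by IIS static-file handling.
[Authorize]
public class HelpFilesController : Controller
{
    // Assumed location of the protected files; App_Data is not served by IIS.
    private const string HelpRoot = "~/App_Data/help";

    // GET /HelpFiles/Get?file=intro/page1.html
    [HttpGet]
    public ActionResult Get(string file)
    {
        if (string.IsNullOrWhiteSpace(file))
        {
            return new HttpStatusCodeResult(400);
        }

        string rootPath = Server.MapPath(HelpRoot);
        string fullPath = ResolveInsideRoot(rootPath, file);
        if (fullPath == null || !System.IO.File.Exists(fullPath))
        {
            // Same response for "outside the root" and "does not exist",
            // so a caller cannot probe the directory layout.
            return HttpNotFound();
        }

        string contentType = MimeMapping.GetMimeMapping(fullPath);
        return File(fullPath, contentType);
    }

    // Canonicalises root + relative and returns null when the result does
    // not stay inside root (e.g. "../Web.config" or an absolute path).
    internal static string ResolveInsideRoot(string rootPath, string relative)
    {
        string root = Path.GetFullPath(rootPath)
            .TrimEnd(Path.DirectorySeparatorChar) + Path.DirectorySeparatorChar;

        string candidate;
        try
        {
            // Path.Combine returns the second argument unchanged when it is
            // rooted, which GetFullPath then resolves outside root -> rejected.
            candidate = Path.GetFullPath(Path.Combine(root, relative));
        }
        catch (ArgumentException)
        {
            return null; // invalid path characters
        }

        return candidate.StartsWith(root, StringComparison.OrdinalIgnoreCase)
            ? candidate
            : null;
    }
}
```

If the files have to stay under the web root in `help` instead of `App_Data`, the second half of the pattern is the hiddenSegments entry mentioned in the comments: under `<system.webServer><security><requestFiltering><hiddenSegments>` in web.config, add `<add segment="help" />` so that IIS request filtering refuses direct URLs into that folder while the application code can still read the files from disk and return them through the action above.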
