4

I have an ASP.NET application with forms authentication. It works well, but I have one directory with only .txt files (no aspx files) that I want users not to access (or only logged in users).

I added web.config to this directory:

```xml
<system.web>
    <authorization>
        <deny users="?" />
    </authorization>
</system.web>
```

EDIT:

This works only for .aspx files. It does not work for .txt files and similar. Users cannot browse this directory or its subdirectories; however, knowing a .txt file name, they can access it.

I tried IIS6 and IIS 7.5. On IIS6 .txt files are also restricted, but on IIS 7.5 they are not, so it may be an IIS configuration issue.

jlp
  • What web server do you use? Your question was how to protect .txt files. Muhammad's answer does not answer this question. With your configuration you would either have full access (on IIS 5/6) or no access on IIS 7.x – slfan Jun 09 '11 at 13:33
  • IIS 7.5 - I updated my question. It looks like it's the other way round – jlp Jun 09 '11 at 14:01
  • Yes, but your configuration was wrong. `deny user="*"` locks out all users, not only unknown users. So IIS6 probably tried to give you a chance to login (even if it's no use) but IIS7 didn't. On IIS 6 you can always access your txt files. I updated my answer – slfan Jun 09 '11 at 15:03
  • Change this `deny users="*"` to `deny users="?"` – Yuriy Rozhovetskiy Jun 09 '11 at 15:12
  • 1
    You didn't understand me. I wrote that it DOES work for aspx files. My question is why it doesn't work for .txt files etc on IIS 7.5 – jlp Jun 09 '11 at 16:16
  • Do you run your application in integrated mode or classic mode? If in classic mode, you still have to set up the mime type to redirect the call to ASP.NET. If your app pool is in integrated mode, it should work – slfan Jun 09 '11 at 18:19
  • possible duplicate of [How do I protect static files with ASP.NET form auhentication on IIS 7.5?](http://stackoverflow.com/questions/2903292/how-do-i-protect-static-files-with-asp-net-form-auhentication-on-iis-7-5) – Qantas 94 Heavy Jul 16 '14 at 01:51

3 Answers

7

Your question depends on the web server you are using. ASP.NET authorization works only with file types that are handled by ASP.NET. If you have IIS 5 or 6, this is normally not true for .txt files or even for .jpg, .gif and pure .html files, but only for aspx, asmx etc.

No problem if you have IIS7 and integrated mode, because ASP.NET is integrated and will be called for every type of file. So if you have IIS5 or 6, you have to register the mime types so that the aspnet.isapi is called for .txt files as well.

UPDATE: The configuration of

```xml
<deny users="*" />
```

locks out all users. It would work only in combination with allow, e.g.

```xml
<allow roles="administrators" />
<deny users="*" />
```

Like this, all users but administrators will be locked out. If a user is authenticated but not an administrator, he will be redirected to the login page.

The other option is to lock out anonymous users only:

```xml
<deny users="?" />
```

slfan
3

Add a location section to the web.config with appropriate settings: location Element (ASP.NET Settings Schema)

Yuriy Rozhovetskiy
3

If you use IIS 7+, then you can use the [system.webServer/security/authorization](http://www.iis.net/ConfigReference/system.webServer/security/authorization) section, and have that automatically work for any kind of content in any pipeline mode. If you still want to use the system.web section, then you will need to use Integrated Mode and do the changes that are mentioned in the modules to run for all content, but by far the simplest is to use system.webServer/security/authorization instead.

Carlos Aguilar Mares
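The two approaches from the answers above, combined in one application-root web.config. This is an added example, not part of the original posts. It assumes IIS 7+ with an integrated-mode application pool and the IIS URL Authorization feature installed; `protected` is a placeholder for the directory that holds the .txt files.

```xml
<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <system.webServer>
    <modules>
      <!-- In the default IIS 7 configuration these managed modules are
           registered with preCondition="managedHandler", so they are skipped
           for static content such as .txt. Re-adding them without the
           precondition makes them run for every request, which lets forms
           authentication identify the user on static-file requests. -->
      <remove name="FormsAuthentication" />
      <add name="FormsAuthentication"
           type="System.Web.Security.FormsAuthenticationModule" />
      <remove name="UrlAuthorization" />
      <add name="UrlAuthorization"
           type="System.Web.Security.UrlAuthorizationModule" />
      <remove name="DefaultAuthentication" />
      <add name="DefaultAuthentication"
           type="System.Web.Security.DefaultAuthenticationModule" />
    </modules>
  </system.webServer>

  <!-- "protected" is a placeholder directory name (assumption). -->
  <location path="protected">

    <!-- Option A: ASP.NET URL authorization. With the module change above
         it is now evaluated for .txt files as well as .aspx. -->
    <system.web>
      <authorization>
        <deny users="?" />
      </authorization>
    </system.web>

    <!-- Option B: IIS URL Authorization, evaluated by IIS itself for any
         content type. Deny rules are processed before Allow rules, so this
         rule wins over the inherited "Allow users=*" default. -->
    <system.webServer>
      <security>
        <authorization>
          <add accessType="Deny" users="?" />
        </authorization>
      </security>
    </system.webServer>

  </location>
</configuration>
```

Either option alone is enough to block anonymous requests. To check the result, request a .txt file from the directory in a browser session with no authentication cookie and confirm that the file is not served.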