Deny access to a directory with web.config

Discussion in 'ASP .Net Security' started by Matt, Apr 26, 2005.

  1. Matt

    Matt Guest

    Hello,
    I'm working on a portal based on IBuySpy, where the main page is
    desktopdefault.aspx and all content is stored in
    www.domain.com/content/html/nnn
    or
    www.domain.com/content/images/nnn
    and injected in the desktopdefault.aspx page.

    How can I prevent users doing www.domain.com/content/images/test.jpg
    and getting the image (or the html file, or whatever inside the
    content directory?)
    It doesn't matter if the user is authenticated or not, I just want
    obly the webapplication to be able to load and display the files
    inside the /content directory.

    Can I do this just manipulating the web.config, without changing
    directory permissions on the webserver?


    Thanks!
    Matt, Apr 26, 2005
    #1
    1. Advertising

  2. Matt

    Brock Allen Guest

    You can move the directory outside of the web application's directory.

    -Brock
    DevelopMentor
    http://staff.develop.com/ballen



    > Hello,
    > I'm working on a portal based on IBuySpy, where the main page is
    > desktopdefault.aspx and all content is stored in
    > www.domain.com/content/html/nnn
    > or
    > www.domain.com/content/images/nnn
    > and injected in the desktopdefault.aspx page.
    > How can I prevent users doing www.domain.com/content/images/test.jpg
    > and getting the image (or the html file, or whatever inside the
    > content directory?)
    > It doesn't matter if the user is authenticated or not, I just want
    > obly the webapplication to be able to load and display the files
    > inside the /content directory.
    > Can I do this just manipulating the web.config, without changing
    > directory permissions on the webserver?
    >
    > Thanks!
    >
    Brock Allen, Apr 26, 2005
    #2
    1. Advertising

  3. Matt

    Matt Guest

    Good suggestion, but is there a way to control access to that
    directory with the web.config?

    Thanks.

    >You can move the directory outside of the web application's directory.
    >
    >-Brock
    >DevelopMentor
    >http://staff.develop.com/ballen
    >
    >
    >
    >> Hello,
    >> I'm working on a portal based on IBuySpy, where the main page is
    >> desktopdefault.aspx and all content is stored in
    >> www.domain.com/content/html/nnn
    >> or
    >> www.domain.com/content/images/nnn
    >> and injected in the desktopdefault.aspx page.
    >> How can I prevent users doing www.domain.com/content/images/test.jpg
    >> and getting the image (or the html file, or whatever inside the
    >> content directory?)
    >> It doesn't matter if the user is authenticated or not, I just want
    >> obly the webapplication to be able to load and display the files
    >> inside the /content directory.
    >> Can I do this just manipulating the web.config, without changing
    >> directory permissions on the webserver?
    >>
    >> Thanks!
    >>

    >
    >
    Matt, Apr 27, 2005
    #3
  4. web.config :

    <?xml version="1.0" encoding="utf-8" ?>
    <configuration>

    <system.web>
    <authorization>
    <allow users="ASPNET's account name"/>
    <deny users="*"/>
    </authorization>

    </system.web>
    </configuration>




    Juan T. Llibre
    ASP.NET MVP
    http://asp.net.do/foros/
    Foros de ASP.NET en Español
    Ven, y hablemos de ASP.NET...
    ======================

    "Matt" <> wrote in message news:...
    > Good suggestion, but is there a way to control access to that
    > directory with the web.config?
    >
    > Thanks.
    >
    >>You can move the directory outside of the web application's directory.
    >>
    >>-Brock
    >>DevelopMentor
    >>http://staff.develop.com/ballen
    >>
    >>
    >>
    >>> Hello,
    >>> I'm working on a portal based on IBuySpy, where the main page is
    >>> desktopdefault.aspx and all content is stored in
    >>> www.domain.com/content/html/nnn
    >>> or
    >>> www.domain.com/content/images/nnn
    >>> and injected in the desktopdefault.aspx page.
    >>> How can I prevent users doing www.domain.com/content/images/test.jpg
    >>> and getting the image (or the html file, or whatever inside the
    >>> content directory?)
    >>> It doesn't matter if the user is authenticated or not, I just want
    >>> obly the webapplication to be able to load and display the files
    >>> inside the /content directory.
    >>> Can I do this just manipulating the web.config, without changing
    >>> directory permissions on the webserver?
    >>>
    >>> Thanks!
    Juan T. Llibre, Apr 27, 2005
    #4
  5. There's a step-by-step tutorial at :

    http://www.dotnetcoders.com/web/Articles/ShowArticle.aspx?article=186



    Juan T. Llibre
    ASP.NET MVP
    http://asp.net.do/foros/
    Foros de ASP.NET en Español
    Ven, y hablemos de ASP.NET...
    ======================

    "Juan T. Llibre" <> wrote in message
    news:...
    > web.config :
    >
    > <?xml version="1.0" encoding="utf-8" ?>
    > <configuration>
    >
    > <system.web>
    > <authorization>
    > <allow users="ASPNET's account name"/>
    > <deny users="*"/>
    > </authorization>
    >
    > </system.web>
    > </configuration>
    >
    >
    >
    >
    > Juan T. Llibre
    > ASP.NET MVP
    > http://asp.net.do/foros/
    > Foros de ASP.NET en Español
    > Ven, y hablemos de ASP.NET...
    > ======================
    >
    > "Matt" <> wrote in message
    > news:...
    >> Good suggestion, but is there a way to control access to that
    >> directory with the web.config?
    >>
    >> Thanks.
    >>
    >>>You can move the directory outside of the web application's directory.
    >>>
    >>>-Brock
    >>>DevelopMentor
    >>>http://staff.develop.com/ballen
    >>>
    >>>
    >>>
    >>>> Hello,
    >>>> I'm working on a portal based on IBuySpy, where the main page is
    >>>> desktopdefault.aspx and all content is stored in
    >>>> www.domain.com/content/html/nnn
    >>>> or
    >>>> www.domain.com/content/images/nnn
    >>>> and injected in the desktopdefault.aspx page.
    >>>> How can I prevent users doing www.domain.com/content/images/test.jpg
    >>>> and getting the image (or the html file, or whatever inside the
    >>>> content directory?)
    >>>> It doesn't matter if the user is authenticated or not, I just want
    >>>> obly the webapplication to be able to load and display the files
    >>>> inside the /content directory.
    >>>> Can I do this just manipulating the web.config, without changing
    >>>> directory permissions on the webserver?
    >>>>
    >>>> Thanks!

    >
    >
    Juan T. Llibre, Apr 27, 2005
    #5
  6. Matt

    Matt Guest

    I tried, but nothing changes, the user can still do something like
    www.domain.com/content/html/test.htm
    and see the content.


    On Wed, 27 Apr 2005 06:15:05 -0400, "Juan T. Llibre"
    <> wrote:

    > <allow users="ASPNET's account name"/>
    > <deny users="*"/>
    Matt, Apr 27, 2005
    #6
  7. Matt

    Matt Guest

    Matt, Apr 27, 2005
    #7
  8. Matt

    Brock Allen Guest

    > Good suggestion, but is there a way to control access to that
    > directory with the web.config?


    Not if IIS is serving up the files, as the request never makes it to ASP.NET.

    -Brock
    DevelopMentor
    http://staff.develop.com/ballen
    Brock Allen, Apr 27, 2005
    #8
  9. I think that adding the specific file types to the files managed
    by ASP.NET will turn the trick if you implement forms-based
    authentication to the directory.



    Juan T. Llibre
    ASP.NET MVP
    http://asp.net.do/foros/
    Foros de ASP.NET en Español
    Ven, y hablemos de ASP.NET...
    ======================

    "Brock Allen" <> wrote in message
    news:...
    >> Good suggestion, but is there a way to control access to that
    >> directory with the web.config?

    >
    > Not if IIS is serving up the files, as the request never makes it to ASP.NET.
    >
    > -Brock
    > DevelopMentor
    > http://staff.develop.com/ballen
    >
    >
    >
    Juan T. Llibre, Apr 27, 2005
    #9
  10. Matt

    Brock Allen Guest

    > I think that adding the specific file types to the files managed by
    > ASP.NET will turn the trick if you implement forms-based
    > authentication to the directory.


    Yep, that will work.

    -Brock
    DevelopMentor
    http://staff.develop.com/ballen
    Brock Allen, Apr 27, 2005
    #10
    1. Advertising

Want to reply to this thread or ask your own question?

It takes just 2 minutes to sign up (and it's free!). Just click the sign up button to choose a username and then you can ask your own questions on the forum.
Similar Threads
  1. =?Utf-8?B?ZGF2aWQ=?=
    Replies:
    3
    Views:
    2,888
    =?Utf-8?B?ZGF2aWQ=?=
    Sep 29, 2004
  2. Matt
    Replies:
    9
    Views:
    22,948
    Brock Allen
    Apr 27, 2005
  3. =?Utf-8?B?VGltOjouLg==?=

    web.Config Deny access not working???

    =?Utf-8?B?VGltOjouLg==?=, Jun 13, 2006, in forum: ASP .Net
    Replies:
    2
    Views:
    3,409
    Juan T. Llibre
    Jun 13, 2006
  4. Jeff
    Replies:
    2
    Views:
    941
    clintonG
    Sep 19, 2006
  5. david

    Deny web access to a directory?

    david, Sep 29, 2004, in forum: ASP .Net Security
    Replies:
    0
    Views:
    150
    david
    Sep 29, 2004
Loading...

Share This Page