Deny access to a directory with web.config

[Matt]

Hello,
I'm working on a portal based on IBuySpy, where the main page is
desktopdefault.aspx and all content is stored in
www.domain.com/content/html/nnn
or
www.domain.com/content/images/nnn
and injected in the desktopdefault.aspx page.

How can I prevent users doing www.domain.com/content/images/test.jpg
and getting the image (or the html file, or whatever inside the
content directory?)
It doesn't matter if the user is authenticated or not, I just want
obly the webapplication to be able to load and display the files
inside the /content directory.

Can I do this just manipulating the web.config, without changing
directory permissions on the webserver?


Thanks!

 

[Brock Allen]

You can move the directory outside of the web application's directory.

 

[Matt]

Good suggestion, but is there a way to control access to that
directory with the web.config?

Thanks.

 

[Juan T. Llibre]

web.config :

<?xml version="1.0" encoding="utf-8" ?>
<configuration>

<system.web>
<authorization>
<allow users="ASPNET's account name"/>
<deny users="*"/>
</authorization>

</system.web>
</configuration>

 

[Juan T. Llibre]

There's a step-by-step tutorial at :

http://www.dotnetcoders.com/web/Articles/ShowArticle.aspx?article=186

 

[Matt]

I tried, but nothing changes, the user can still do something like
www.domain.com/content/html/test.htm
and see the content.

 

[Matt]

Thanks I'll read it

 

[Brock Allen]

Good suggestion, but is there a way to control access to that

directory with the web.config?

Not if IIS is serving up the files, as the request never makes it to ASP.NET.

 

[Juan T. Llibre]

I think that adding the specific file types to the files managed
by ASP.NET will turn the trick if you implement forms-based
authentication to the directory.

 

[Brock Allen]

I think that adding the specific file types to the files managed by

ASP.NET will turn the trick if you implement forms-based
authentication to the directory.

Yep, that will work.