S Nash

Reputation: 2499

ASP.NET failing to make folder not accessible

I have a C# Webform application.

It contains a Report folder, which contains some PDF files.

My application will show these reports on demand.

But I do not want someone to access these by typing the direct URL.

E.g.: www.abc.com/Reports/a.pdf

I created the following Web.config inside the report folder:

<configuration>
    <system.web>
        <authorization>
            <deny users="?" />
        </authorization>
    </system.web>
</configuration>

Still, when testing, I can access the PDF files directly.

Also, per business rules, I cannot use Forms Authentication.

Upvotes: 2

Views: 654

Answers (1)

Dai

Reputation: 155448

<system.web> controls configuration of the ASP.NET pipeline, not IIS. If you're running under IIS then ASP.NET will not be invoked for static file requests, such as the PDF file you mentioned.

To deny those requests use <system.webServer> instead. See this QA: How to make IIS7 stop serving a folder?

<configuration>
    <system.webServer>
        <security>
            <requestFiltering>
                <hiddenSegments>
                    <add segment="My_Directory" />
                </hiddenSegments>
            </requestFiltering>
        </security>
    </system.webServer>
</configuration>

Note that <system.webServer> requires IIS7 or later (Windows Server 2008). If you're running IIS6 (Windows Server 2003 or Windows XP) then this won't work.

Upvotes: 4
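
A configuration check built on the answer's point, as an added example that is not part of the original answer: it reads a web.config and reports whether a URL is blocked by IIS request filtering or only covered by an ASP.NET authorization rule. The sample configs are constructed from the two on this page, with `Reports` substituted for `My_Directory`; the function names and the case-insensitive segment comparison are assumptions of the example.

```python
import xml.etree.ElementTree as ET

# Constructed samples: the question's web.config, and the answer's with the
# placeholder segment replaced by the question's folder name.
ASPNET_ONLY = """<configuration><system.web><authorization>
  <deny users="?" /></authorization></system.web></configuration>"""
IIS_HIDDEN = """<configuration><system.webServer><security><requestFiltering>
  <hiddenSegments><add segment="Reports" /></hiddenSegments>
</requestFiltering></security></system.webServer></configuration>"""

HIDDEN_PATH = "./system.webServer/security/requestFiltering/hiddenSegments/*"

def hidden_segments(config_xml):
    """Return the segments this file leaves in the hiddenSegments collection."""
    segments = []
    for node in ET.fromstring(config_xml).findall(HIDDEN_PATH):
        name = node.get("segment", "").lower()  # assumption: case-insensitive
        if node.tag == "clear":
            segments.clear()
        elif node.tag == "remove" and name in segments:
            segments.remove(name)
        elif node.tag == "add" and name:
            segments.append(name)
    return segments

def denies_anonymous_in_aspnet(config_xml):
    """True if <system.web><authorization> contains <deny users="?"/>."""
    rules = ET.fromstring(config_xml).findall("./system.web/authorization/deny")
    return any("?" in [u.strip() for u in r.get("users", "").split(",")]
               for r in rules)

def url_is_hidden(url_path, segments):
    """A hidden segment matches a whole path segment, not a substring."""
    return any(part.lower() in segments for part in url_path.split("/") if part)

def classify(config_xml, url_path):
    """Say which layer, if any, stands between url_path and a direct request."""
    if url_is_hidden(url_path, hidden_segments(config_xml)):
        return "blocked-by-iis"
    if denies_anonymous_in_aspnet(config_xml):
        # Per the answer above: ASP.NET is not invoked for static files,
        # so this rule alone does not stop a direct request for a PDF.
        return "aspnet-rule-only"
    return "unprotected"

if __name__ == "__main__":
    for label, cfg in (("question", ASPNET_ONLY), ("answer", IIS_HIDDEN)):
        print(label, classify(cfg, "/Reports/a.pdf"))
```
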
