user1762087

Reputation: 460

IIS HTTP Basic auth for specific URL

I want to restrict access using HTTP Basic Auth for a specific path so that someone who visits /www/private will be prompted for authentication, but not /www/public, /www/public/dashboard, ...

Note: "private", "public", "dashboard", etc. are not folders, but URL rewrites.

My current web.config:

<?xml version="1.0" encoding="UTF-8"?>
<configuration>
<system.webServer>
    <rewrite>
        <rules>
            <rule name="Imported Rule 1" stopProcessing="true">
                <match url="\.(pdf|js|ico|gif|jpg|png|css|rar|zip|tar\.gz)$" ignoreCase="false" negate="true" />
                <conditions logicalGrouping="MatchAll">
                    <add input="{REQUEST_FILENAME}" matchType="IsFile" ignoreCase="false" negate="true" />
                    <add input="{REQUEST_FILENAME}" matchType="IsDirectory" ignoreCase="false" negate="true" />
                </conditions>
                <action type="Rewrite" url="index.php" />
            </rule>
        </rules>
    </rewrite>
</system.webServer>
<location path="mysite/www/private">
    <system.webServer>
        <security>
            <authentication>
                <anonymousAuthentication enabled="false" />
                <basicAuthentication enabled="true" />
                <windowsAuthentication enabled="false" />
            </authentication>
        </security>
    </system.webServer>
</location>
<location path="mysite/www">
    <system.webServer>
        <security>
            <authentication>
                <anonymousAuthentication enabled="true" />
                <basicAuthentication enabled="false" />
                <windowsAuthentication enabled="false" />
            </authentication>
        </security>
    </system.webServer>
</location>
</configuration>

I also enabled basic auth and anonymous authorization in IIS Manager.

However, this does not work - it never prompts for authorization.

Upvotes: 1

Views: 2453

Answers (1)

Rohith

Reputation: 5677

The IIS URL Rewrite module rewrites the request before authentication kicks in, so with your current rewrite rule, this is not possible.

Excerpts from here

The URL Rewrite module is a native code module that plugs into the request-processing pipeline at the Pre-begin Request or Begin Request stages, and then evaluates the requested URL path by using a set of rewrite rules. Each rewrite rule analyzes the URL path and, if all the rule conditions are met, changes the original path to a new path. After all the rules have been evaluated, the URL Rewrite module produces a final URL path that is used for the request through the remainder of the IIS pipeline processing. This means that the handler selection in the IIS pipeline is made based on the rewritten URL that is produced by the URL Rewrite module.

Your rewrite rule is written in such a way that it rewrites any path which is not a static file to index.php. The rest of the IIS pipeline sees the path as index.php. You have to implement your authentication inside index.php. Or you can easily write a simple IIS module; this SO question talks about it. You have to add a little bit more logic to check the URL (if it contains www/private) and send 401, etc.

Upvotes: 1
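One way to do the check the answer describes inside index.php, shown as an added example that is not part of the original answer. The USERS store, the realm text and the helper names are assumptions, and it assumes IIS keeps anonymous authentication enabled so the Authorization header reaches PHP.

```php
<?php
// Added example: runs at the very top of index.php, before routing or output.

// Constructed store: username => password_hash() output (placeholder value).
const USERS = ['alice' => '<password_hash() output goes here>'];

// True when the URL path, once normalised, lies under www/private. Normalising
// first keeps /www/Private, /www//private and /www/%70rivate inside the check.
function is_protected(string $uri): bool
{
    $path = strtolower(rawurldecode(explode('?', $uri, 2)[0]));
    $path = preg_replace('#/+#', '/', str_replace('\\', '/', $path));
    return preg_match('#(^|/)www/private(/|$)#', $path) === 1;
}

// Credentials from PHP's parsed values, or from the raw header as a fallback.
function basic_credentials(): array
{
    if (isset($_SERVER['PHP_AUTH_USER'], $_SERVER['PHP_AUTH_PW'])) {
        return [$_SERVER['PHP_AUTH_USER'], $_SERVER['PHP_AUTH_PW']];
    }
    $header = $_SERVER['HTTP_AUTHORIZATION'] ?? '';
    if (stripos($header, 'Basic ') === 0) {
        $decoded = base64_decode(substr($header, 6), true);
        if ($decoded !== false && strpos($decoded, ':') !== false) {
            return explode(':', $decoded, 2);
        }
    }
    return ['', ''];
}

function require_basic_auth(): void
{
    [$user, $pass] = basic_credentials();
    $hash = USERS[$user] ?? null;
    if ($hash === null || !password_verify($pass, $hash)) {
        header('WWW-Authenticate: Basic realm="Private area"');
        http_response_code(401);
        exit('Authentication required');
    }
}

// Which variable holds the URL the client sent depends on the IIS/PHP setup
// (assumption), so every candidate is checked and any match demands a login.
foreach (['REQUEST_URI', 'HTTP_X_ORIGINAL_URL'] as $key) {
    if (is_protected($_SERVER[$key] ?? '')) {
        require_basic_auth();
        break;
    }
}
```

Basic credentials are only base64-encoded on the wire, so the protected paths should be served over HTTPS.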
