Hello,

my site is running Asp.net 2 on IIS 6 ( via third-party service provider).

I'm trying to secure a couple of folders  in the root directory to be accessed only by the authenticated users. The rest of the site is to be available for everyone. I'm not using Roles, just Membership feature.

To accompish this, I included <location/> tags in my web.config.

But, but, but ...  those directories are still accessible by everyone! Then I tried to place web.config in the sub-directories ( a shortened version as prescribed in the ealeir posts in this forum) ... but it still does not work. 

Any ideas?

 Here is files structure:

root/

root/family_albums/

root/trees/

Here is my web.config in the root dir:

<?xml version="1.0"?>

<configuration xmlns="http://schemas.microsoft.com/.NetConfiguration/v2.0">
...
 <system.web>
 ...
  <authentication mode="Forms">
   <forms name="AuthCookie" loginUrl="Login.aspx" defaultUrl="index.aspx" protection="All" timeout="30" path="/" />
  </authentication>

  <authorization>
    <allow users="*"/>
  </authorization>

 </system.web>

 <!-- deny access to non-members  -->
 <location path="trees">
  <system.web>
   <authorization>
    <deny users="?"/>
   </authorization>
  </system.web>
 </location>
 <location path="family_albums">
  <system.web>
   <authorization>
    <deny users="?"/>
   </authorization>
  </system.web>
 </location>
</configuration>
 

thanks !!!

web.config can only secure files that will go through the aspnet worker process.  So, are your files mapped to be handled by the worker process?

 You are correct! My files were pdf and jpg, they were not mapped.

As I found in this discussion group: 

Forms authentication protects ASPX files and other resources owned by ASP.NET, but it does not restrict access to HTML files and other non-ASP.NET resources.

The best way to do it is map *.htm, *.html, and other file name extensions to Aspnet_isapi.dll in the IIS metabase. (You can use the IIS configuration manager to do the mapping.) Transferring ownership of these resources to ASP.NET degrades performance a bit, but it might be worth it for the added security.

thank you very much!

P.S.

Hey, is the grass really blue in the blue grass state?

-:)

thanks again

Hello, may I ask whether there is a way to map files to Asp.Net from .Net itself, via web.config or programmatically?

That might be great for sites on basic hosting providers, where you cannot configure IIS.

Thanks. -LV

stiletto:

You might be able to do it with HttpHandlers in the web.config, but I'd be surprised since IIS has to make the first decision on whether or not to serve the file or pass it to the aspnet worker process.

Unfortunately, I guess you are right...

Thanks. -LV

It seems to me the answer to your problem is very simple - look at your web.config file outside of the location tags:

  <authorization>
    <allow users="*"/>
  </authorization>

 Doesn't it seem that would allow all users to access the site? Try changing that to <deny users="?"/> and see if you get better results.

My host provider has changed the mappings, so jpg, pdf extensions are now mapped to to Aspnet_isapi.dll in the IIS metabase.

The access to the folders is secured and  works fine.

 But, but, but now jpg and pdf files are NOT displayed at all, anywhere on my site.... !!!

What is wrong?

At the same time, everything is OK on my own development PC....