Link to home
Start Free TrialLog in
Avatar of trzesniakj
trzesniakjFlag for United States of America

asked on

Directory secured via ASP.NET web.config file still serving files???

Hi all,

Don't know where this should go, here or under IIS, so I'm starting here...

I have a small web app written that controls access to demo videos.  There is the app's root directory and 2 subdirectories:  \secure and \admin.  \secure is where the videos and ASPX pages are kept to allow access to the videos (WMV files).  \admin is a small admin app that allows me to set up user accounts and put them in roles

Everything seems to be working well with the secured access to the different subdirectories by accounts in different roles.  So I'm happy to say the membership & roles functionality works well and with very little effort.  

But what's happening is that even when I do NOT log in as any user (role), admin or demo, , I can type the URL and the video starts to play!  I would think access to it would be blocked since I'm not authenticated yet by the login.  But all of my pages that are ASPX pages ARE blocked if I'm not logged in.  It seems like any files that are NOT served as ASP.NET files are not being subjected to the directory access rules in the web.config file.

Basically, I do NOT want any files served from the directory except my ASPX files.  I do NOT want anyone to get direct access to the files in either of the secure directories (\admin or \secure).

Did I miss something in the web.config file?  Is there something additional I need to do in IIS to set up for this access?

I did happen to see the <authentication mode="Forms" /> and know there is an attribute/setting called "protection" as in <authentication mode="Forms" protection="All" />.  But I think that has to do with validation and encryption of the cookie used for authentication.



\approot (web app/virtual dir)
     \admin  (normal dir)
     \secure (normal dir)
In web.config
 <!-- Access rules for \secure directory-->
  <location path="secure">
        <allow roles="admin" />
        <allow roles="demo" />        
        <deny users="?" />
  <!-- Access rules for \admin directory-->
  <location path="admin">
        <allow roles="admin" />
        <deny roles="demo" />
        <deny users="?" />
    <roleManager enabled="true" />
    <authentication mode="Forms" />
        <add tagPrefix="asp" namespace="System.Web.UI" assembly="System.Web.Extensions, Version=1.0.61025.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35"/>
          Set compilation debug="true" to insert debugging
          symbols into the compiled page. Because this
          affects performance, set this value to true only
          during development.
    <compilation debug="true">
        <add assembly="System.Web.Extensions, Version=1.0.61025.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35"/>
        <add directoryName="VB_Code"/>
        <add directoryName="CS_Code"/>
    <membership defaultProvider="CustomizedProvider">
        <add name="CustomizedProvider"
    <profile defaultProvider="SqlProfileProvider" enabled="true">
        <add name="SqlProfileProvider" type="System.Web.Profile.SqlProfileProvider, System.Web, Version=2.0.3600.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" connectionStringName="LocalSqlServer" applicationName="---REMOVED---"/>
        <add name="EffectiveDateTime" type="System.DateTime" serializeAs="Xml" />
        <add name="ExpirationDateTime" type="System.DateTime" serializeAs="Xml" />

Open in new window

Avatar of Jeeva Subburaj
Jeeva Subburaj
Flag of United States of America image

Link to home
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Start Free Trial
Avatar of trzesniakj


Wow, that was a quick response!  Thanks vavjeeva.  

I've tried a number of other things but not that.

Thanks vavjeeva!  

That was it.  I needed a special http file handler for the file type I was trying to protect.  I was able to adapt the code from the link you gave me above to do what I needed.  It took me a while to get it working.

The problem I had was that my code for the http handler was not being added to the assembly for my site.  So even though I thought the <httpHandlers> section of the web.config file was correctly set up to find the handler coden it was not finding it.  But I finally resolved it.