Preventing download to subfolders by role using IIS Rules in ASP .Net 4.0 web.config

I've recently updated my application to IIS 7.5 and ASP .Net 4 from IIS ? and ASP .Net 2.0, so I am new to this issue and was frankly unaware that it was happening. I've tried for a couple of weeks and I can still download documents in a secure folder while I'm not able to access the .aspx pages.

So we have a couple of secure folders that have data that is not particularly sensitive but not intended for public view. I've been trying to implement the IIS rules in the .Net web.config to restrict download of static content (e.g., .pdf, .png). There are two separate folder structures, and the business requirement is to have the web.config settings for access to the subfolders in the subfolder itself, not the root of the application. I found several good websites, too many to list them, that state that the customErrors section in the web.config only controls the ASP .Net content (e.g., .aspx pages). The new web.config settings restrict access to the pages in the secure folders but not to static content. What am I doing wrong?

I dynamically generate the roles that have access to the secure folders so it would be best to utilize the web.config settings inside the sub folders.  The documents and images are in subfolders of the folder that is in the web.config.  My assumption is that the denial would pass through to the subfolders but I'm attempting to test that now.

Here are the root web.config security settings:
<system.web>
  <!--<customErrors mode="On" defaultRedirect="~/error.aspx">
  </customErrors>-->
</system.web>
<system.webServer>
  <modules>
    <remove name="FormsAuthenticationModule" />
    <add name="FormsAuthenticationModule" type="System.Web.Security.FormsAuthenticationModule" />
    <remove name="UrlAuthorization" />
    <add name="UrlAuthorization" type="System.Web.Security.UrlAuthorizationModule" />
    <remove name="RoleManager" />
    <add name="RoleManager" type="System.Web.Security.RoleManagerModule" />
    <remove name="DefaultAuthentication" />
    <add name="DefaultAuthentication" type="System.Web.Security.DefaultAuthenticationModule" />
  </modules>
  <httpErrors errorMode="Custom" existingResponse="Replace" defaultResponseMode="ExecuteURL">
    <!-- remove/add status codes here (removed) -->
  </httpErrors>
</system.webServer>



Here are the root web.config settings. I deny everyone for testing purposes. The pages redirect to login even after every successful login and page attempt. The static content is still served (e.g., .txt, .pdf). Notice here the docs or img folder is not referenced and I believe inherits the web.config from the folder above.
<?xml version='1.0'?>
<configuration>
  <system.web>
    <authorization>
      <deny users='*' />
    </authorization>
  </system.web>
</configuration>


atljarman Asked:

atljarman (Author) Commented:
This did not work
<?xml version='1.0'?>
<configuration>
  <system.web>
    <authorization>
      <deny users='*' />
    </authorization>
  </system.web>
  <location path='docs'>
    <system.web>
      <authorization>
        <deny users='*' />
      </authorization>
    </system.web>
  </location>
</configuration>


Again, while authenticated (even if) I get redirected to login (proper behavior).  One .txt and .pdf tried from the docs folder was presented by the browser.... so that did not work.

I have access to the global.asax and the web.config but not to IIS the server itself.
0
atljarman (Author) Commented:
IIS was not in integrated pipeline mode.  When we switched to integrated pipeline mode that solved the issue using the code provided.

Adding this to a blank page with a server label helped me to determine this

// add to page load of test button and call it mode.aspx
// (HttpRuntime lives in the System.Web namespace)
if (HttpRuntime.UsingIntegratedPipeline) {
    lblStatus.Text = "integrated mode";
} else {
    lblStatus.Text = "NOT integrated mode";
}

<asp:Label id="lblStatus" runat="server" />
0
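
The failure described in this thread (.aspx pages redirect to login while static files in the same folder are still served) can be checked from outside the server with anonymous requests. The script below is an added example, not code from the thread; the login page name `login.aspx`, the host and the sample paths are assumptions to replace with your own.

```python
# Added example (not from the thread): anonymous probe for protected paths.
# Flags static content that is returned with 200 to a client with no cookies.
import http.client
from urllib.parse import urlsplit

REDIRECTS = {301, 302, 303, 307, 308}


def probe(url, timeout=5):
    """Anonymous GET (no cookies, redirects not followed) -> (status, Location)."""
    parts = urlsplit(url)
    cls = (http.client.HTTPSConnection if parts.scheme == "https"
           else http.client.HTTPConnection)
    conn = cls(parts.netloc, timeout=timeout)
    try:
        conn.request("GET", parts.path or "/")
        resp = conn.getresponse()
        resp.read()
        return resp.status, resp.getheader("Location") or ""
    finally:
        conn.close()


def classify(status, location, login_page="login.aspx"):
    """Map one anonymous response to a verdict for a path that should be protected."""
    if status in (401, 403):
        return "blocked"
    if status in REDIRECTS and login_page.lower() in location.lower():
        return "blocked"        # forms authentication sent the client to login
    if status == 200:
        return "EXPOSED"        # content served without authentication
    return "inconclusive"       # 404, 500, unrelated redirect: check by hand


def audit(base_url, paths, login_page="login.aspx"):
    """Probe each path under base_url and return {path: verdict}."""
    base = base_url.rstrip("/")
    return {p: classify(*probe(base + p), login_page=login_page) for p in paths}


def exposed(results):
    """Paths that were served to an anonymous client."""
    return sorted(p for p, verdict in results.items() if verdict == "EXPOSED")


if __name__ == "__main__":
    # Placeholder host and constructed paths; point these at your own site.
    report = audit("http://localhost:8080",
                   ["/secure/default.aspx", "/secure/docs/sample.pdf"])
    for path, verdict in report.items():
        print(f"{verdict:12} {path}")
```

Include at least one path per static file type kept in the secure folders, and rerun it after any change to the application pool or the `<modules>` section.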

atljarman (Author) Commented:
I'm lucky to have figured this out on my own
0
David Johnson, CD, MVP (Owner) Commented:
Any static data that you allow to be displayed in the browser by definition is downloaded to the user's computer (their internet cache folder). All of the .aspx pages also can be downloaded (they have to, to display content).
0
atljarman (Author) Commented:
Thank you, but I'm not sure that I'm following your comment.  IIS is preventing access until authentication.  Is there a concern that I'm missing?  I appreciate you making a comment and want to make sure I don't misunderstand.
0

Question has a verified solution.
