Authorize static user's content in


I have one scenario where one client side application written in backbonejs and use web api services for all server related functions. That application has to host on iis8 within web application environment.

Problem: There is one folder user where all user related files are create which i have to authorize through mechnism which is not handled in client application.

I even used handler for reading user specific content like html file and try to hit db to check if user is logged in or not in the application so I can deny users to access user specific html resource.

But by using handler html file is not loading in authenticated mode also.

I can not use aspx or code behind c# page. Web.config
Kumar Kashyap PandeyAsked:
Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Alexandre SimõesManager / Technology SpecialistCommented:
Do you have dynamic data on those pages or is simply static HTML?

I assume it has dynamic content because you speak about getting data from the DB.
In this case, you basically don't care if the html is available or not, the security must be implemented when you're asking for the data from the WebAPI services.

These WebAPI services are the ones that have to pick the request header with the authentication and use them to get the data (which I assume you're already doing).
If these services identify that the user doesn't have permissions to do something, they should return an HTTP 401 Unauthorized error.
On the client-side, if you get one of these, you act as you well want, either redirect to a generic unauthorized or just ignore a portion of the rendering... whatever makes sense to you.

So bottom line, don't secure the HTML, secure the data and handle the ajax result http code.
Kumar Kashyap PandeyAuthor Commented:
Thanks Alexandre, for quick findings.

Client application has one folder named users and its contains as set of data which has landing html page and that have no relation to Web API services.
Just like static content.

Application structure is as follows:
1. Client application which have interaction with web API (this connect with db)
2. application is only provide host for client application by keeping that as Folder and no relation with how client is maintaining session.
3. In pic shows application WebHost and one containing folder ClientApplication. ClientApplication contains one folder named users which contain multiple user related html files.4. User specific directory contains html file, these are not authenticated by client application.
5. I have to do with mechanism.
Alexandre SimõesManager / Technology SpecialistCommented:
Ok, so you have one folder per user...
These are full pages or just partial html that gets rendered in the main website?
Daniel Van Der WerkenIndependent ConsultantCommented:
You're using the Microsoft provided role manager/provider (in fact you're using two role providers). Why not just make sure the users who need access to the folder are in the correct role and then modify the web.config in that folder for role based access?

If you wanted to do the access by user, you could simply allow that specific username in the web.config in the "users=lo7377" in the web.config for that specific folder and it should work.

Each folder will need a unique web.config.

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
Kumar Kashyap PandeyAuthor Commented:
Hi Alaxandre and Dan7el,

Thanks for your responses.

Every user has individuals directory which contains on html (its supporting js, css, json etc.)  that renders  in client application (main website) for previewing or editing,  Which can be downloaded by user and can run offline as complete package, like "lo7377" directory from user can be download as per user wish.

So we want if user is logout in client application no one can access his/her files in application.


Role manager, membership are default in web.config i am not using, if you could give idea about this it will be great.

In users we can keep web.config file not in "lo7377" directory because it can be download to user and web.config will be extra file to him/her.

Overall we want to disable directory browsing to users folder and with check of user authentication. Here authentication model in client side application but we have to do authorization with application( WebHost).

Please share if any more clarification required.
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today

From novice to tech pro — start learning today.