Deny all files in a directory, via web.config setting

Question

As a test, I\'m trying to use the web.config to control security in the following ways:

1. Deny access to all files in a directory, except for a specific file
<

Answer 1

You may be running in to the difference between ASP.NET URL Authorization and IIS URL Authorization. A detailed summary on this is at http://www.iis.net/learn/manage/configuring-security/understanding-iis-url-authorization#Differences

Briefly, what happens with ASP.NET by default with web.config is that it only apply the allow and deny rules to files handled by the managed handler.

Files such as .txt and .html files are handled by IIS and not ASP.NET, so the authorization rules aren't applied to them.

You can test this out by adding this to your main web.config to use the IIS version.

<system.webServer>
    <modules>
        <remove name="UrlAuthorization" />
        <add name="UrlAuthorization" type="System.Web.Security.UrlAuthorizationModule"  />
    </modules>
</system.webServer>

I tested this with your same security and same directories and files, and all appears to work

A more complete version if you use other authentication methods such as forms could be this

<system.webServer>
    <modules>
        <add name="FormsAuthenticationModule" type="System.Web.Security.FormsAuthenticationModule" />
        <remove name="UrlAuthorization" />
        <add name="UrlAuthorization" type="System.Web.Security.UrlAuthorizationModule"  />
        <remove name="DefaultAuthentication" />
        <add name="DefaultAuthentication" type="System.Web.Security.DefaultAuthenticationModule" />
    </modules>
</system.webServer>