Deny all files in a directory, via web.config setting

后端 未结 1 1802
粉色の甜心
粉色の甜心 2021-02-09 11:03

As a test, I\'m trying to use the web.config to control security in the following ways:

  1. Deny access to all files in a directory, except for a specific file
  2. <
相关标签:
1条回答
  • 2021-02-09 12:03

    You may be running in to the difference between ASP.NET URL Authorization and IIS URL Authorization. A detailed summary on this is at http://www.iis.net/learn/manage/configuring-security/understanding-iis-url-authorization#Differences

    Briefly, what happens with ASP.NET by default with web.config is that it only apply the allow and deny rules to files handled by the managed handler.

    Files such as .txt and .html files are handled by IIS and not ASP.NET, so the authorization rules aren't applied to them.

    You can test this out by adding this to your main web.config to use the IIS version.

    <system.webServer>
        <modules>
            <remove name="UrlAuthorization" />
            <add name="UrlAuthorization" type="System.Web.Security.UrlAuthorizationModule"  />
        </modules>
    </system.webServer>
    

    I tested this with your same security and same directories and files, and all appears to work

    A more complete version if you use other authentication methods such as forms could be this

    <system.webServer>
        <modules>
            <add name="FormsAuthenticationModule" type="System.Web.Security.FormsAuthenticationModule" />
            <remove name="UrlAuthorization" />
            <add name="UrlAuthorization" type="System.Web.Security.UrlAuthorizationModule"  />
            <remove name="DefaultAuthentication" />
            <add name="DefaultAuthentication" type="System.Web.Security.DefaultAuthenticationModule" />
        </modules>
    </system.webServer>
    
    0 讨论(0)
提交回复
热议问题