How to Prevent direct access to files and folders in asp.net
Posted By satish kumar on 17 Aug 2011
Hi everyone,
Can anyone tell me how to prevent users from accessing files in a directory when they try to access the files directly?
When a user tries to access the files, it should ask for login.
In my directory I have .xls, .doc and .pdf files.

How do I do this?
If by authentication and authorization, how?
Is there any alternative way to do this?

Re: How to Prevent direct access to files and folders in asp.net
Posted By Amit Choudhary on 17 Aug 2011  

If you are using Forms Authentication, this can be done in web.config: for a sub-directory, use the location tag to deny access to anonymous users.

<location path="download">
    <system.web>
        <authorization>
            <!-- Order and case are important below -->
            <allow roles="user"/>
            <deny users="?"/>
        </authorization>
    </system.web>
</location>

In the above sample configuration, the location "download" is the folder where you want to restrict anonymous users.


Hope this was helpful.


=====================================
Amit Choudhary
MicrosoftMVP MindcrackerMVP Blog: www.cshandler.com
Follow @vendettamit

Re: How to Prevent direct access to files and folders in asp.net
Posted By Satish Bhat on 17 Aug 2011  
By default, IIS only invokes the ASP.NET runtime when a request comes in for an ASP.NET resource, such as an ASP.NET web page, a Web Service, etc. Requests for static content like images, CSS files, JavaScript files, PDF files, ZIP files etc. are served by IIS without the involvement of the ASP.NET runtime.


There are a couple of techniques you can use to protect static content from unauthorized users.


1. You can write a custom HTTP handler.

2. IIS 7 introduced the integrated pipeline, which marries IIS's workflow with the ASP.NET runtime's workflow. In a nutshell, you can instruct IIS to invoke the ASP.NET runtime's authentication and authorization modules for all incoming requests (including static content like PDF files).

Once IIS has been configured to use the integrated pipeline, add the following markup to the Web.config file in the root directory:

<system.webServer>
    <modules>
        <add name="FormsAuthenticationModule" type="System.Web.Security.FormsAuthenticationModule" />
        <remove name="UrlAuthorization" />
        <add name="UrlAuthorization" type="System.Web.Security.UrlAuthorizationModule" />
        <remove name="DefaultAuthentication" />
        <add name="DefaultAuthentication" type="System.Web.Security.DefaultAuthenticationModule" />
    </modules>
</system.webServer>


This markup instructs IIS 7 to use the ASP.NET-based authentication and authorization modules. Re-deploy your application and then re-visit the PDF file. This time when IIS handles the request it gives the ASP.NET runtime's authentication and authorization logic an opportunity to inspect the request. Because only authenticated users are authorized to view the contents in the PrivateDocs folder, the anonymous visitor is automatically redirected to the login page.


If your web host provider is still using IIS 6 then you cannot use the integrated pipeline feature. One workaround is to put your private documents in a folder that prohibits HTTP access (such as App_Data) and then create a page to serve these documents. This page might be called GetPDF.aspx, and is passed the name of the PDF through a querystring parameter. The GetPDF.aspx page would first verify that the user has permission to view the file and, if so, would use the Response.WriteFile(filePath) method to send the contents of the requested PDF file back to the requesting client. This technique would also work for IIS 7 if you did not wish to enable the integrated pipeline.


REF: Source
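The GetPDF.aspx approach described in the reply above, written out as an added example (this is not code from the thread or from the referenced source): a Web Forms code-behind that checks the caller is authenticated and in the "user" role assumed from the earlier web.config sample, rejects any file name that is not a bare name with an allowed extension, confirms the resolved path stays inside a hypothetical App_Data/PrivateDocs folder, and only then calls Response.WriteFile.

```csharp
// Added example: code-behind for a hypothetical GetPDF.aspx?file=report.pdf.
// Documents live under App_Data, which IIS never serves directly, so the only
// way to reach them is through this page and its checks.
using System;
using System.IO;
using System.Web.UI;

public partial class GetPDF : Page
{
    // Only these extensions are served (the types named in the question).
    private static readonly string[] AllowedExtensions = { ".pdf", ".doc", ".xls" };

    protected void Page_Load(object sender, EventArgs e)
    {
        // 1. Authentication and authorization: the "user" role is assumed here.
        //    With Forms Authentication a 401 is turned into a redirect to the login page.
        if (!User.Identity.IsAuthenticated || !User.IsInRole("user"))
        {
            Response.StatusCode = 401;
            Response.End();
        }

        // 2. Input validation: accept a bare file name only, so "..\" segments or
        //    absolute paths in the query string cannot point outside the folder.
        string requested = Request.QueryString["file"];
        if (string.IsNullOrEmpty(requested) || requested != Path.GetFileName(requested))
            NotFound();

        string ext = Path.GetExtension(requested).ToLowerInvariant();
        if (Array.IndexOf(AllowedExtensions, ext) < 0)
            NotFound();

        // 3. Resolve the full path and confirm it is still inside the documents root.
        string docsRoot = Path.GetFullPath(Server.MapPath("~/App_Data/PrivateDocs"));
        string fullPath = Path.GetFullPath(Path.Combine(docsRoot, requested));
        if (!fullPath.StartsWith(docsRoot + Path.DirectorySeparatorChar, StringComparison.OrdinalIgnoreCase)
            || !File.Exists(fullPath))
            NotFound();

        // 4. Stream the file as a download rather than letting the browser render it inline.
        Response.Clear();
        Response.ContentType = "application/octet-stream";
        Response.AppendHeader("Content-Disposition", "attachment; filename=\"" + requested + "\"");
        Response.WriteFile(fullPath);
        Response.End();
    }

    // Unknown, disallowed or out-of-folder names all get the same 404.
    private void NotFound()
    {
        Response.StatusCode = 404;
        Response.End();
    }
}
```

Response.End() stops page processing by throwing ThreadAbortException, which is why no explicit return follows each check.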


