Deny access to a directory with web.config

[Matt]

Hello,
I'm working on a portal based on IBuySpy, where the main page is
desktopdefault.aspx and all content is stored in
[url]www.domain.com/content/html/nnn[/url]
or
[url]www.domain.com/content/images/nnn[/url]
and injected in the desktopdefault.aspx page.

How can I prevent users doing [url]www.domain.com/content/images/test.jpg[/url]
and getting the image (or the html file, or whatever inside the
content directory?)
It doesn't matter if the user is authenticated or not, I just want
obly the webapplication to be able to load and display the files
inside the /content directory.

Can I do this just manipulating the web.config, without changing
directory permissions on the webserver?


Thanks!

[Brock Allen]

You can move the directory outside of the web application's directory.

-Brock
DevelopMentor
[url]http://staff.develop.com/ballen[/url]

> Hello,
> I'm working on a portal based on IBuySpy, where the main page is
> desktopdefault.aspx and all content is stored in
> [url]www.domain.com/content/html/nnn[/url]
> or
> [url]www.domain.com/content/images/nnn[/url]
> and injected in the desktopdefault.aspx page.
> How can I prevent users doing [url]www.domain.com/content/images/test.jpg[/url]
> and getting the image (or the html file, or whatever inside the
> content directory?)
> It doesn't matter if the user is authenticated or not, I just want
> obly the webapplication to be able to load and display the files
> inside the /content directory.
> Can I do this just manipulating the web.config, without changing
> directory permissions on the webserver?
>
> Thanks!
>

[Matt]

Good suggestion, but is there a way to control access to that
directory with the web.config?

Thanks.

>You can move the directory outside of the web application's directory.
>
>-Brock
>DevelopMentor
>[url]http://staff.develop.com/ballen[/url]
>
>
>

>> Hello,
>> I'm working on a portal based on IBuySpy, where the main page is
>> desktopdefault.aspx and all content is stored in
>> [url]www.domain.com/content/html/nnn[/url]
>> or
>> [url]www.domain.com/content/images/nnn[/url]
>> and injected in the desktopdefault.aspx page.
>> How can I prevent users doing [url]www.domain.com/content/images/test.jpg[/url]
>> and getting the image (or the html file, or whatever inside the
>> content directory?)
>> It doesn't matter if the user is authenticated or not, I just want
>> obly the webapplication to be able to load and display the files
>> inside the /content directory.
>> Can I do this just manipulating the web.config, without changing
>> directory permissions on the webserver?
>>
>> Thanks!
>>

>
>

[Juan T. Llibre]

web.config :

<?xml version="1.0" encoding="utf-8" ?>
<configuration>

<system.web>
<authorization>
<allow users="ASPNET's account name"/>
<deny users="*"/>
</authorization>

</system.web>
</configuration>




Juan T. Llibre
ASP.NET MVP
[url]http://asp.net.do/foros/[/url]
Foros de ASP.NET en Español
Ven, y hablemos de ASP.NET...
======================

"Matt" <none@none.com> wrote in message news:e2ju61l2vntc345gtvcbc0ukfmdeull60l@4ax.com...

> Good suggestion, but is there a way to control access to that
> directory with the web.config?
>
> Thanks.
>

>>You can move the directory outside of the web application's directory.
>>
>>-Brock
>>DevelopMentor
>>[url]http://staff.develop.com/ballen[/url]
>>
>>
>>

>>> Hello,
>>> I'm working on a portal based on IBuySpy, where the main page is
>>> desktopdefault.aspx and all content is stored in
>>> [url]www.domain.com/content/html/nnn[/url]
>>> or
>>> [url]www.domain.com/content/images/nnn[/url]
>>> and injected in the desktopdefault.aspx page.
>>> How can I prevent users doing [url]www.domain.com/content/images/test.jpg[/url]
>>> and getting the image (or the html file, or whatever inside the
>>> content directory?)
>>> It doesn't matter if the user is authenticated or not, I just want
>>> obly the webapplication to be able to load and display the files
>>> inside the /content directory.
>>> Can I do this just manipulating the web.config, without changing
>>> directory permissions on the webserver?
>>>
>>> Thanks!

[Juan T. Llibre]

There's a step-by-step tutorial at :

[url]http://www.dotnetcoders.com/web/Articles/ShowArticle.aspx?article=186[/url]



Juan T. Llibre
ASP.NET MVP
[url]http://asp.net.do/foros/[/url]
Foros de ASP.NET en Español
Ven, y hablemos de ASP.NET...
======================

"Juan T. Llibre" <nomailreplies@nowhere.com> wrote in message
news:ejueHIxSFHA.1152@tk2msftngp13.phx.gbl...

> web.config :
>
> <?xml version="1.0" encoding="utf-8" ?>
> <configuration>
>
> <system.web>
> <authorization>
> <allow users="ASPNET's account name"/>
> <deny users="*"/>
> </authorization>
>
> </system.web>
> </configuration>
>
>
>
>
> Juan T. Llibre
> ASP.NET MVP
> [url]http://asp.net.do/foros/[/url]
> Foros de ASP.NET en Español
> Ven, y hablemos de ASP.NET...
> ======================
>
> "Matt" <none@none.com> wrote in message
> news:e2ju61l2vntc345gtvcbc0ukfmdeull60l@4ax.com...

>> Good suggestion, but is there a way to control access to that
>> directory with the web.config?
>>
>> Thanks.
>>

>>>You can move the directory outside of the web application's directory.
>>>
>>>-Brock
>>>DevelopMentor
>>>[url]http://staff.develop.com/ballen[/url]
>>>
>>>
>>>
>>>> Hello,
>>>> I'm working on a portal based on IBuySpy, where the main page is
>>>> desktopdefault.aspx and all content is stored in
>>>> [url]www.domain.com/content/html/nnn[/url]
>>>> or
>>>> [url]www.domain.com/content/images/nnn[/url]
>>>> and injected in the desktopdefault.aspx page.
>>>> How can I prevent users doing [url]www.domain.com/content/images/test.jpg[/url]
>>>> and getting the image (or the html file, or whatever inside the
>>>> content directory?)
>>>> It doesn't matter if the user is authenticated or not, I just want
>>>> obly the webapplication to be able to load and display the files
>>>> inside the /content directory.
>>>> Can I do this just manipulating the web.config, without changing
>>>> directory permissions on the webserver?
>>>>
>>>> Thanks!

>
>

[Matt]

I tried, but nothing changes, the user can still do something like
[url]www.domain.com/content/html/test.htm[/url]
and see the content.


On Wed, 27 Apr 2005 06:15:05 -0400, "Juan T. Llibre"
<nomailreplies@nowhere.com> wrote:

> <allow users="ASPNET's account name"/>
> <deny users="*"/>

[Matt]

Thanks I'll read it

On Wed, 27 Apr 2005 06:26:18 -0400, "Juan T. Llibre"
<nomailreplies@nowhere.com> wrote:

>[url]http://www.dotnetcoders.com/web/Articles/ShowArticle.aspx?article=186[/url]

[Brock Allen]

> Good suggestion, but is there a way to control access to that

> directory with the web.config?

Not if IIS is serving up the files, as the request never makes it to ASP.NET.

-Brock
DevelopMentor
[url]http://staff.develop.com/ballen[/url]

[Juan T. Llibre]

I think that adding the specific file types to the files managed
by ASP.NET will turn the trick if you implement forms-based
authentication to the directory.



Juan T. Llibre
ASP.NET MVP
[url]http://asp.net.do/foros/[/url]
Foros de ASP.NET en Español
Ven, y hablemos de ASP.NET...
======================

"Brock Allen" <ballen@NOSPAMdevelop.com> wrote in message
news:564311632501908156760592@msnews.microsoft.com ...

>> Good suggestion, but is there a way to control access to that
>> directory with the web.config?

>
> Not if IIS is serving up the files, as the request never makes it to ASP.NET.
>
> -Brock
> DevelopMentor
> [url]http://staff.develop.com/ballen[/url]
>
>
>

[Brock Allen]

> I think that adding the specific file types to the files managed by

> ASP.NET will turn the trick if you implement forms-based
> authentication to the directory.

Yep, that will work.

-Brock
DevelopMentor
[url]http://staff.develop.com/ballen[/url]