2

I've got an ASP.NET (.Net 4) site hosted on an IIS8 (Windows 2012) server, with forms authentication in place. Everything's working fine.

I'd now like to introduce some static content - HTML "help files" - but I don't want these to be "deep linkable"; in other words, the pages should only be available when the user is authenticated.

Having Google'd around, I've found a few references on how to achieve this. So in my web.config, I have (removed all the uninteresting stuff):

<compilation>
  <buildProviders>
    <add extension=".html" type="System.Web.Compilation.PageBuildProvider" />
    <add extension=".htm" type="System.Web.Compilation.PageBuildProvider" />
  </buildProviders>
</compilation>

and

 <handlers> 
      <add name="WebServiceHandlerFactory-ISAPI-4.0_32bit" path="*.asmx,*.html" verb="GET,HEAD,POST,DEBUG" modules="IsapiModule" scriptProcessor="%windir%\Microsoft.NET\Framework\v4.0.30319\aspnet_isapi.dll" resourceType="Unspecified" requireAccess="Script" preCondition="classicMode,runtimeVersionv4.0,bitness32" responseBufferLimit="0" />
      <add name="WebServiceHandlerFactory-ISAPI-4.0_64bit" path="*.asmx,*.html" verb="GET,HEAD,POST,DEBUG" modules="IsapiModule" scriptProcessor="%windir%\Microsoft.NET\Framework64\v4.0.30319\aspnet_isapi.dll" resourceType="Unspecified" requireAccess="Script" preCondition="classicMode,runtimeVersionv4.0,bitness64" responseBufferLimit="0" />
 </handlers>

... but I can still access the HTML files when not authenticated.

Can anyone suggest what's wrong, and how I can protect the static HTML content?

KenD
  • Have you taken a look at http://stackoverflow.com/questions/3589020/how-to-do-forms-authentication-on-purely-html-pages-using-asp-net yet? – Evan Anderson Jul 03 '13 at 22:22
  • Yes: the config I'm using is the same as the first answer on that question. But it doesn't work; I'm not sure if there's something more that's required for IIS8? – KenD Jul 04 '13 at 07:57
  • @KenD have you checked on that [http://www.iis.net/learn/application-frameworks/building-and-running-aspnet-applications/how-to-take-advantage-of-the-iis-integrated-pipeline](http://www.iis.net/learn/application-frameworks/building-and-running-aspnet-applications/how-to-take-advantage-of-the-iis-integrated-pipeline) – user Jul 09 '13 at 10:59

3 Answers

4

Ensure that IIS is running in Integrated Mode in order for the following to work.

The below is an entire Web.config file which you could place in a sub-folder, and assumes that authentication (e.g. Forms Authentication) has been set up.
Or, extract the authorization and handlers parts, and add them to your root Web.config.

<?xml version="1.0"?>
<configuration>
  <system.web>
    <authorization>
      <deny users="?" />
    </authorization>
  </system.web>
  <system.webServer>
    <handlers>
      <add name="HTML" path="*.html" verb="GET, HEAD, POST, DEBUG" type="System.Web.StaticFileHandler" />
      <add name="CSS" path="*.css" verb="GET, HEAD, POST, DEBUG" type="System.Web.StaticFileHandler" />
      <add name="JS" path="*.js" verb="GET, HEAD, POST, DEBUG" type="System.Web.StaticFileHandler" />
      <add name="PNG" path="*.png" verb="GET, HEAD, POST, DEBUG" type="System.Web.StaticFileHandler" />
    </handlers>
  </system.webServer>
</configuration>
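
An added example, not part of the answer above or of the original thread: a small Python audit that checks a web.config for the two things this approach depends on, a deny rule for anonymous users and a managed handler mapping for the static file. It assumes the default IIS module registrations, in which the forms-authentication and URL-authorization modules carry the `managedHandler` precondition; the function name `audit_static_auth` and both sample configs are constructed for illustration.

```python
import fnmatch
import xml.etree.ElementTree as ET

# Constructed samples (not real site configs): the first abbreviates the
# question's Classic-mode mapping, the second the answer's managed mapping.
QUESTION_STYLE = """<configuration>
  <system.web><authorization><deny users="?" /></authorization></system.web>
  <system.webServer><handlers>
    <add name="WebServiceHandlerFactory-ISAPI-4.0_64bit" path="*.asmx,*.html"
         modules="IsapiModule"
         preCondition="classicMode,runtimeVersionv4.0,bitness64" />
  </handlers></system.webServer>
</configuration>"""
ANSWER_STYLE = """<configuration>
  <system.web><authorization><deny users="?" /></authorization></system.web>
  <system.webServer><handlers>
    <add name="HTML" path="*.html" type="System.Web.StaticFileHandler" />
  </handlers></system.webServer>
</configuration>"""

def audit_static_auth(web_config_xml, sample_file="help.html"):
    """List reasons sample_file may reach anonymous users in Integrated mode."""
    root = ET.fromstring(web_config_xml)
    findings = []
    # 1. URL authorization has to reject anonymous users ("?").
    denies = root.findall("system.web/authorization/deny")
    if not any("?" in d.get("users", "") for d in denies):
        findings.append('no <deny users="?" /> in system.web/authorization')
    # 2. Opting every request into the managed modules also covers static files.
    modules = root.find("system.webServer/modules")
    if modules is not None and modules.get("runAllManagedModulesForAllRequests") == "true":
        return findings
    # 3. Otherwise the file needs a managed handler (one with a type attribute).
    managed = False
    for h in root.findall("system.webServer/handlers/add"):
        # Comma-separated paths are read leniently, as the question wrote them.
        patterns = [p.strip() for p in h.get("path", "").split(",")]
        if not any(fnmatch.fnmatch(sample_file, p) for p in patterns):
            continue
        if "classicMode" in h.get("preCondition", ""):
            findings.append(f"handler {h.get('name')!r} applies to Classic mode only")
        elif h.get("type"):
            managed = True
    if not managed:
        findings.append(f"{sample_file} is not mapped to a managed handler")
    return findings

if __name__ == "__main__":
    for label, xml_text in (("question", QUESTION_STYLE), ("answer", ANSWER_STYLE)):
        print(label, audit_static_auth(xml_text))
```

The audit only reads the file it is given; settings inherited from a parent web.config or from applicationHost.config are outside what it checks.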

1

You can specify the Location tag and whitelist the entire folder.

<location path="YourFiles">
    <system.web>
        <authorization>
            <allow users="?" />
        </authorization>
    </system.web>
</location>
KnaveT
-1

Have you tried Handlers?

Place this in your Web.Config file and see if it helps.

P.S. Not tested.