0

I am doing a web service in .NET containing a server file (.asmx) and a client interface (.aspx). The visitors should be able to visit only the client aspx site (urlXXX:portYY/Client.aspx). However, when I remove the "/Client.aspx" part from the URL, I get into the project directory, and this should not be possible. (So far, I am running the project just on localhost.)

Is there any way to restrict getting into other parts of the solution? The only possibility I could think of is creating a separate project for the client aspx site; however, even then the visitor is able to get into the directory containing that site.

Storm

2 Answers

1

You should be able to control explicit access using your web.config. Have a look at this example (disclaimer: I've copied this straight from this MS page):

<configuration>
    <system.web>
        <authentication mode="Forms">
            <forms loginUrl="login.aspx" name=".ASPNETAUTH" protection="None" path="/" timeout="20">
            </forms>
        </authentication>
        <!-- This section denies access to all files in this application except for those that you have not explicitly specified by using another setting. -->
        <authorization>
            <deny users="?" />
        </authorization>
    </system.web>
    <!-- This section gives the unauthenticated user access to the Default1.aspx page only. It is located in the same folder as this configuration file. -->
    <location path="default1.aspx">
        <system.web>
            <authorization>
                <allow users="*" />
            </authorization>
        </system.web>
    </location>
    <!-- This section gives the unauthenticated user access to all of the files that are stored in the Subdir1 folder. -->
    <location path="subdir1">
        <system.web>
            <authorization>
                <allow users="*" />
            </authorization>
        </system.web>
    </location>
</configuration>

EDIT: Take a look at this question for more info on denying access to explicit folders as well.

Nick
  • I have tried it, but somehow, I am still able to get into almost all directories, and even some text and xml files, stored inside them. – Storm Jul 11 '13 at 08:44
  • Added a link to another question which points out how to deny access to folders. The practice would usually be to blanket deny access to the folder, then explicitly add files you want to make available. – Nick Jul 11 '13 at 08:49
0

So, basically I have managed to find a workaround, by adding the following code into the Web.config:

<system.webServer>
    <defaultDocument>
        <files>
            <add value="Client.aspx" />
        </files>
     </defaultDocument>
</system.webServer>

...which makes the Client a default web page, thus preventing the directory from being seen. However, I will leave this topic open in case someone comes up with a more elaborate and sophisticated solution.

Storm