
I am trying to prevent unauthorized access to all files within some of my media libraries in Kentico v9.0. I intend to only provide access to certain libraries via Kentico Role membership and global admins only.

I have followed the guide published here: Securing media libraries and it seems to work fine: Direct URL path access results in a 401.2 - Unauthorized message, regardless of user authentication state and role membership. And I have a media gallery web part set up correctly to provide the permanent URLs, which also work as I expect them to.

However, I have another requirement, which is to serve up a ~/googlesitemap.xml file. I followed the guide published here: Google Sitemaps, which instructs me to add an attribute to the system.webServer/modules node in the web.config:

<modules runAllManagedModulesForAllRequests="true">
  ...
</modules>

However, when I add the above, any authenticated user can gain access to my media library files if they enter the full URL. This violates my attempt at media library access based on role membership, since I don't want users in other roles to be able to get at the files.

I have tried to exclude all media library files from the re-writing engine by adding my media folder root as an Excluded URL in Settings > URLs and SEO > URL Format > Excluded URLs... but this doesn't appear to help.

Any suggestions would be highly welcome!

ne1410s

1 Answer


As far as I know, the runAllManagedModulesForAllRequests attribute is mandatory only for extensions other than .aspx. If you are using IIS 7 or above you can omit this attribute in your web.config (see source).

Note: In ASP.NET websites, the value of runAllManagedModulesForAllRequests previously had to be set to true to support routing. However, once IIS 7 has been updated with a Service Pack, the value of runAllManagedModulesForAllRequests can be set to false or omitted when working with ASP.NET routing. For more information, see ASP.NET Routing on the MSDN website.

So quick fix: Do not add this attribute to web.config and your media gallery (permissions) should work as you wish.

EDIT: So I think I have got a solution for you. It seems that the runAllManagedModulesForAllRequests attribute kills the Anonymous Authentication setting, so Kentico serves data after successful authentication. I've found a workaround so you can forbid access to the media library. Try to add something like:

<location path="MySite/media/MyMediaLibrary">
    <system.web>
          <authorization>
                <deny users="*"/>
          </authorization>
    </system.web>
</location>

into your web.config inside configuration section.

Martin Makarsky
  • But like I say, I have a requirement to serve up ~/sitemap.xml, which does not have the .aspx extension. So do you suppose it is a case of choosing one or the other? – ne1410s May 11 '16 at 12:30
  • I think you do not need to use runAllManagedModulesForAllRequests attribute in order to have .xml extension. (I suppose you are using IIS7 or above). – Martin Makarsky May 11 '16 at 12:40
  • 1
    Yeah, but if the "~/sitemap" page is actually created inside a content tree as a regular document you would need that. If you are trying to get the actual physical file from the file system, then you don't need it and IIS can handle it. – Enn May 11 '16 at 13:35
  • You are right Richard - my bad. We'll have to find another solution ;/ – Martin Makarsky May 12 '16 at 06:34
  • Brilliant! Thanks – ne1410s May 13 '16 at 21:34
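To make the trade-off in the answer and the comments concrete, here is an added web.config fragment (not from the question or the answer) that keeps the sitemap attribute and adds the answer's `<location>` workaround. It assumes a Kentico site named MySite with a library folder MyMediaLibrary, i.e. files under ~/MySite/media/MyMediaLibrary/.

```xml
<!-- Added example, assumed site name "MySite" and library folder "MyMediaLibrary". -->
<configuration>
  <system.webServer>
    <!-- Weak on its own: the sitemap guide's attribute routes every request,
         static media files included, through the managed pipeline. Forms
         authentication then lets ANY logged-in user fetch a library file by
         its direct URL, regardless of Kentico role membership. -->
    <modules runAllManagedModulesForAllRequests="true">
      <!-- existing Kentico module registrations stay here -->
    </modules>
  </system.webServer>

  <!-- Fix: since the managed UrlAuthorizationModule now also runs for static
       files, a deny rule scoped to the physical library folder returns 401
       for direct downloads by everyone, authenticated or not. Kentico's
       permanent URLs (/getmedia/...) are served by its own handler, which
       reads the file from disk and applies the library's role permissions,
       so the media gallery web part keeps working. -->
  <location path="MySite/media/MyMediaLibrary">
    <system.web>
      <authorization>
        <deny users="*" />
      </authorization>
    </system.web>
  </location>
</configuration>
```

Check after deploying: a direct GET of a file under ~/MySite/media/MyMediaLibrary/ while logged in as a user outside the permitted roles should return 401, while the same file's /getmedia/ permanent URL should still succeed only for members of those roles.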