2

I have a directory on the root of my website which contains some files (usually HTML). These files should be accessible only to the logged-in user. How can I achieve this? I believe this could be done using impersonation, but I don't have any idea about how exactly I can implement it. Could you please guide me in the right direction?

Currently, I have added these settings to my Web.config file:

<location path="TestData"> <!-- 'TestData' is the directory which I want to deny access for -->
    <system.web>
        <identity impersonate="true"/>
        <authorization>
            <deny users="?"/>
        </authorization>
    </system.web>
</location>

Is there anything that I have to do in code?

PS: This is a webservice application.

Update: It works partially! To be specific, it denies only the .aspx pages, and even the logged-in user cannot access the files.

I'm using Windows authentication.

NaveenBhat

3 Answers

1

You don't need to impersonate. If you have forms or windows authentication, your <deny users="?"/> will deny all anonymous users. To answer your question: no, you don't have to explicitly deny any users within your code.

How to: Implement Simple Forms Authentication

In order to secure non-ASP.NET files, you will need to register an HttpHandler that will do this. Please see this reference on how to register the handler.

  • @Knvn did you take out the `impersonate` section? You shouldn't be getting partial access, as you have directory authorization. –  Jan 05 '12 at 13:50
  • Ya, I tried removing the `impersonate` section, but it still works only for `.aspx` and not for other types such as `.html` or `.txt` – NaveenBhat Jan 05 '12 at 13:59
  • @Knvn see my edit. It's because these are files that ASP.NET (for performance reasons) doesn't secure. You need to implement `IHttpHandler` to create your own handler for these file types and have them registered. Information in my post above. –  Jan 05 '12 at 14:04
  • Thank you so much...now it works for all types. However, another issue is not solved! I'm unable to browse the file even though I am logged in! – NaveenBhat Jan 05 '12 at 14:33
  • @Knvn so you can access it but not browse it? –  Jan 05 '12 at 14:40
  • I want the files to be browsable/accessible only if the user is logged in – NaveenBhat Jan 05 '12 at 14:42
  • @Knvn I think that should be another question/post here on SO. We try not to double-up on questions. If this post has helped you, please mark it as the answer. Then post a new question with your other question to comply with site rules. –  Jan 05 '12 at 14:43
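An added example, not part of the original answer or its comments: a minimal `IHttpHandler` of the kind the answer refers to, which serves files under the protected directory only to authenticated users. The class name `ProtectedFileHandler`, the App_Code placement, the handler registration in the comment and the content-type table are assumptions made for illustration.

```csharp
using System;
using System.IO;
using System.Web;

// Registration (assumption: class compiled into App_Code; classic pipeline),
// placed inside the existing <location path="TestData"><system.web> element:
//   <httpHandlers>
//     <add verb="GET,HEAD" path="*.html" type="ProtectedFileHandler"/>
//     <add verb="GET,HEAD" path="*.txt"  type="ProtectedFileHandler"/>
//   </httpHandlers>
// IIS must also route these extensions to ASP.NET, otherwise the handler
// never sees the request and the files are served without any check.
public class ProtectedFileHandler : IHttpHandler
{
    public bool IsReusable { get { return true; } }

    public void ProcessRequest(HttpContext context)
    {
        // Same rule as <deny users="?"/>: reject anonymous callers.
        if (context.User == null || !context.User.Identity.IsAuthenticated)
        {
            context.Response.StatusCode = 401;
            return;
        }

        // Resolve the request and make sure it stays inside ~/TestData.
        string root = Path.GetFullPath(context.Server.MapPath("~/TestData"))
                          .TrimEnd(Path.DirectorySeparatorChar) + Path.DirectorySeparatorChar;
        string file = Path.GetFullPath(context.Request.PhysicalPath);
        if (!file.StartsWith(root, StringComparison.OrdinalIgnoreCase) || !File.Exists(file))
        {
            context.Response.StatusCode = 404;
            return;
        }

        // Small fixed content-type table (constructed for this example).
        string ext = Path.GetExtension(file).ToLowerInvariant();
        context.Response.ContentType =
            ext == ".html" || ext == ".htm" ? "text/html" :
            ext == ".txt" ? "text/plain" : "application/octet-stream";

        // Keep protected content out of shared caches.
        context.Response.Cache.SetCacheability(HttpCacheability.Private);
        context.Response.TransmitFile(file);
    }
}
```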
0

You don't need impersonate. Impersonate is for making the app run as a different user from the user of the app pool in IIS. source

If you're using forms/windows authentication then

<authorization>
    <deny users="?"/>
</authorization>

should be enough and will block users who are not logged in.

Eonasdan
0

You need to add

<authorization>
      <deny users="?"/>
</authorization>

in <system.web></system.web>

And use form authentication like

[Update] : As you use windows authentication see

MSDN

SUN Jiangong
  • I could use `Forms` authentication if it were a web application...but it's a webservice application and I'm authenticating by returning the appropriate values to the client application (Flash). – NaveenBhat Jan 05 '12 at 13:53