8
votes

As a test, I'm trying to use the web.config to control security in the following ways:

  1. Deny access to all files in a directory, except for a specific file
  2. Allow access to all files in a directory, except for a specific file

So I set up the web.config as follows:

<?xml version="1.0" encoding="utf-8"?>
<configuration>

  <!-- Deny access to all files in a directory, except for a specific file -->
  <location path="NonAccessibleDirectory">
    <system.web>
        <authorization>
          <deny users="?"/>
          <deny users="*"/>
        </authorization>
    </system.web>
  </location>

  <location path="NonAccessibleDirectory/AccessibleFile.html">
    <system.web>
        <authorization>
          <allow users="?"/>
          <allow users="*"/>
        </authorization>
    </system.web>
  </location>

  <!-- Allow access to all files in a directory, except for a specific file -->
  <location path="AccessibleDirectory/NonAccessibleFile.html">
    <system.web>
        <authorization>
          <deny users="?"/>
          <deny users="*"/>
        </authorization>
    </system.web>
  </location>

  <system.web>
    <compilation debug="true" targetFramework="4.5" />
    <httpRuntime targetFramework="4.5" />
  </system.web>

</configuration>

As expected:

  • If I browse to the non-accessible directory and do not specify a file, I get access denied
  • If I browse to the accessible directory and do not specify a file, I can see the list of files

The problems I'm having are:

  • If I browse to the non-accessible directory and specify a file, I can view it, and I would have expected not to be granted access
  • If I browse to the accessible directory and specify a file I have denied access to via the web.config, I can still view it, and I would have expected not to be granted access

Am I configuring things wrong?

1 Answer

11
votes

You may be running into the difference between ASP.NET URL Authorization and IIS URL Authorization. A detailed summary on this is at http://www.iis.net/learn/manage/configuring-security/understanding-iis-url-authorization#Differences

Briefly, what happens with ASP.NET by default with web.config is that it only applies the allow and deny rules to files handled by the managed handler.

Files such as .txt and .html files are handled by IIS and not ASP.NET, so the authorization rules aren't applied to them.

You can test this out by adding this to your main web.config to use the IIS version.

<system.webServer>
    <modules>
        <remove name="UrlAuthorization" />
        <add name="UrlAuthorization" type="System.Web.Security.UrlAuthorizationModule" />
    </modules>
</system.webServer>

I tested this with your same security and same directories and files, and all appears to work.

A more complete version, if you use other authentication methods such as forms, could be this:

<system.webServer>
    <modules>
        <add name="FormsAuthenticationModule" type="System.Web.Security.FormsAuthenticationModule" />
        <remove name="UrlAuthorization" />
        <add name="UrlAuthorization" type="System.Web.Security.UrlAuthorizationModule" />
        <remove name="DefaultAuthentication" />
        <add name="DefaultAuthentication" type="System.Web.Security.DefaultAuthenticationModule" />
    </modules>
</system.webServer>
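As an added check (not part of the question or the answer above), here is a small Python lint that flags the exact misconfiguration discussed: web.config <deny> rules aimed at static files or whole directories while no managed UrlAuthorizationModule is registered under system.webServer. It assumes IIS integrated pipeline mode, and the static-extension list and the sample config are constructed for the example.

```python
import xml.etree.ElementTree as ET

# Extensions IIS serves with its static-file handler, bypassing ASP.NET's
# managed pipeline unless the managed UrlAuthorizationModule is registered.
STATIC_EXTS = (".html", ".htm", ".txt", ".css", ".js", ".png", ".jpg", ".pdf")

def child(elem, *tags):
    # Walk named children manually: tags such as 'system.web' contain dots.
    for tag in tags:
        elem = next((c for c in elem if c.tag == tag), None)
        if elem is None:
            return None
    return elem
def has_managed_url_auth(root):
    # Assumption: IIS integrated pipeline, where either setting below routes static-file
    # requests through the managed UrlAuthorizationModule.
    modules = child(root, "system.webServer", "modules")
    if modules is None:
        return False
    if modules.get("runAllManagedModulesForAllRequests", "").lower() == "true":
        return True
    return any(m.tag == "add" and m.get("type", "").endswith("UrlAuthorizationModule")
               for m in modules)
def deny_rules_on_static_content(root):
    # <location> paths with a <deny> that name a static file or a whole directory.
    hits = []
    for loc in root.iter("location"):
        path = loc.get("path", "")
        auth = child(loc, "system.web", "authorization")
        if auth is None or child(auth, "deny") is None:
            continue
        leaf = path.rsplit("/", 1)[-1]
        if "." not in leaf or leaf.lower().endswith(STATIC_EXTS):
            hits.append(path)
    return hits
def lint(config_xml):
    # One finding per deny rule that IIS would bypass for static files.
    root = ET.fromstring(config_xml)
    if has_managed_url_auth(root):
        return []
    return [f"{p}: deny rule does not reach static files; register the managed "
            "UrlAuthorizationModule under <system.webServer><modules>"
            for p in deny_rules_on_static_content(root)]

# Constructed sample: the question's rules, first without and then with the answer's fix.
BROKEN = """<configuration>
<location path="NonAccessibleDirectory"><system.web><authorization><deny users="*"/></authorization></system.web></location>
<location path="NonAccessibleDirectory/AccessibleFile.html"><system.web><authorization><allow users="*"/></authorization></system.web></location>
<location path="AccessibleDirectory/NonAccessibleFile.html"><system.web><authorization><deny users="*"/></authorization></system.web></location>
</configuration>"""
FIXED = BROKEN.replace("</configuration>", '<system.webServer><modules><add name="UrlAuthorization" '
                       'type="System.Web.Security.UrlAuthorizationModule"/></modules></system.webServer></configuration>')
```

Running lint(BROKEN) reports the two deny rules from the question; lint(FIXED) reports nothing once the managed module is registered.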