1
votes

I wanted to add some IIS requestFiltering rules to my web application. I followed the following guides:

http://www.iis.net/configreference/system.webserver/security/requestfiltering/alwaysallowedurls
http://www.iis.net/configreference/system.webserver/security/requestfiltering/denyurlsequences

For example, I want to deny Url test but enable testallowed

So I made following configuration in my web.config:

<system.webServer>
  <security>
    <requestFiltering>
      <denyUrlSequences>
        <add sequence="test" />
      </denyUrlSequences>
      <alwaysAllowedUrls>
        <add url="testallowed" />
      </alwaysAllowedUrls>
    </requestFiltering>
  </security>
</system.webServer>

When calling mypage/test, I get the IIS HTTP Error 404.5 page, which is correct. But I get the same page when calling mypage/testallowed. And in my web.config, the tag alwaysAllowedUrls is underlined and it says:

The element 'requestFiltering' has invalid child element 'alwaysAllowedUrls'. List of possible elements expected: 'fileExtensions, requestLimits, verbs, hiddenSegments, denyUrlSequences'.

1
Nothing looks wrong with the rules. For the web.config part you verify it in the IIS Schema here C:\Windows\System32\inetsrv\config\schema\IIS_schema.xml. If you do not see it there try reinstalling Request Filtering. – Ravi A.

1 Answers

-1
votes

This is the syntax as per the IIS documentation:

<system.webServer>
   <security>
      <requestFiltering>
         <denyUrlSequences>
            <add sequence="bad" />
            <add sequence="sequence" />
         </denyUrlSequences>
         <alwaysAllowedUrls>
            <add url="/bad_sequence.txt" />
         </alwaysAllowedUrls>
      </requestFiltering>
   </security>
</system.webServer>

https://www.iis.net/configreference/system.webserver/security/requestfiltering/alwaysallowedurls?showTreeNavigation=true
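
Added example, not part of the question, the comment or the answer: a check of which child elements of requestFiltering a schema defines, along the lines of the comment's suggestion to look in IIS_schema.xml. The schema text is a constructed sample that assumes the sectionSchema/element layout and is limited to the elements named in the error message; the function names are hypothetical.

```python
import xml.etree.ElementTree as ET

SECTION = "system.webServer/security/requestFiltering"

def make_schema(element_names):
    """Build a constructed schema sample (assumed sectionSchema/element layout)."""
    elems = "".join(f'<element name="{n}"/>' for n in element_names)
    return (f'<configSchema><sectionSchema name="{SECTION}">'
            f'{elems}</sectionSchema></configSchema>')

# Constructed samples: the five children listed in the question's error
# message, and the same list with alwaysAllowedUrls defined as well.
LISTED = ["fileExtensions", "requestLimits", "verbs",
          "hiddenSegments", "denyUrlSequences"]
SCHEMA_WITHOUT = make_schema(LISTED)
SCHEMA_WITH = make_schema(LISTED + ["alwaysAllowedUrls"])

# The configuration from the question.
WEB_CONFIG = """<system.webServer><security><requestFiltering>
  <denyUrlSequences><add sequence="test" /></denyUrlSequences>
  <alwaysAllowedUrls><add url="testallowed" /></alwaysAllowedUrls>
</requestFiltering></security></system.webServer>"""

def schema_children(schema_xml, section=SECTION):
    """Return the child element names the schema defines for the section."""
    root = ET.fromstring(schema_xml)
    for sec in root.iter("sectionSchema"):
        if sec.get("name") == section:
            return {e.get("name") for e in sec.findall("element")}
    raise LookupError(f"{section} is not defined in this schema")

def unknown_children(config_xml, allowed):
    """List requestFiltering children in the config that the schema lacks."""
    root = ET.fromstring(config_xml)
    return [child.tag
            for rf in root.iter("requestFiltering")
            for child in rf
            if child.tag not in allowed]

if __name__ == "__main__":
    for label, schema in (("without", SCHEMA_WITHOUT), ("with", SCHEMA_WITH)):
        missing = unknown_children(WEB_CONFIG, schema_children(schema))
        print(f"schema {label} alwaysAllowedUrls -> not in schema: {missing}")
```

To check a real server, read the schema file the comment names in binary mode and pass its contents to schema_children in place of the constructed sample.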