Sunday, January 20, 2013

ASP.NET Security: Controlling Access to Specific Files


Generally, setting file access permissions by directory is the cleanest and easiest approach. However, you also have the option of restricting specific files by adding <location> tags to your web.config file.

The location tags sit outside the main <system.web> tag and are nested directly in the base <configuration> tag, as shown here:

<configuration>
  <system.web>
    ...
    <authentication mode="Forms">
      <forms loginUrl="~/Login.aspx" />
    </authentication>

    <authorization>
      <allow users="*" />
    </authorization>
  </system.web>
  ...
  <location path="SecuredPage.aspx">
    <system.web>
      <authorization>
        <deny users="?" />
      </authorization>
    </system.web>
  </location>

  <location path="AnotherSecuredPage.aspx">
    <system.web>
      <authorization>
        <deny users="?" />
      </authorization>
    </system.web>
  </location>

</configuration>

In this example, all users are allowed to access every file in the application, except for SecuredPage.aspx and AnotherSecuredPage.aspx, which carry an additional access rule denying anonymous users.
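As an added example (not part of the original post), the Python audit below reads a web.config and reports, for each <location> path, whether an anonymous user would be let in. It applies ASP.NET's first-match rule evaluation, with a <location>'s rules checked ahead of the inherited application rules. The sample config is constructed from the one above, the Misordered.aspx entry and all function names are hypothetical, and rules carrying a verbs attribute are not modelled.

```python
import xml.etree.ElementTree as ET

# Constructed sample based on the config above ("..." elisions dropped so it parses).
# Misordered.aspx is a hypothetical entry: its allow rule precedes its deny rule.
SAMPLE_CONFIG = """\
<configuration>
  <system.web>
    <authorization><allow users="*" /></authorization>
  </system.web>
  <location path="SecuredPage.aspx">
    <system.web><authorization><deny users="?" /></authorization></system.web>
  </location>
  <location path="Misordered.aspx">
    <system.web><authorization>
      <allow users="*" /><deny users="?" />
    </authorization></system.web>
  </location>
</configuration>
"""


def rules_in(scope):
    """(action, users) pairs from this scope's own <authorization> block, in order."""
    auth = scope.find("system.web/authorization")
    return [(r.tag, {u.strip() for u in r.get("users", "").split(",")})
            for r in (auth if auth is not None else []) if r.tag in ("allow", "deny")]


def anonymous_allowed(rules):
    """The first rule matching an anonymous user decides; only "?" and "*" match."""
    for action, users in rules:
        if users & {"?", "*"}:
            return action == "allow"
    return True  # nothing matched: the machine-level default allow users="*" applies


def audit(config_xml):
    """Map "(application)" and each <location> path to whether anonymous users get in."""
    root = ET.fromstring(config_xml)
    app_rules = rules_in(root)
    result = {"(application)": anonymous_allowed(app_rules)}
    for loc in root.findall("location"):
        # A <location>'s own rules are evaluated before the inherited application rules.
        result[loc.get("path")] = anonymous_allowed(rules_in(loc) + app_rules)
    return result


if __name__ == "__main__":
    print(audit(SAMPLE_CONFIG))
```

Misordered.aspx is reported as open to anonymous users because its allow rule matches before the deny rule is ever reached.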

Notice that even when you use multiple <location> sections to supply different sets of authorization rules, you still only include one <authentication> section. That’s because a web application can use only one type of authentication.
