2

I have an asp.net website, using .Net 4.0, and IIS 7.5, and using Classic Pipeline Mode in the Application Pool.

I'm using forms authentication, and the authorization setting in the web.config at the root folder of the website allows all users.

In a subfolder's web.config, I am setting authorization for that folder and its contents to block all anonymous users.

There is a pdf file in that subfolder, and even though I am denying anonymous users, I can read the pdf file and download it.

I am trying to block anonymous access to pdf files, and all of the examples I've found on how to do this are not working for me.

How can I block anonymous access to pdf, word, excel, and other files?

Improve this question
8
  • Are there reasons for you using Classic Pipeline mode vs. Integrated Pipeline mode? Commented Feb 23, 2015 at 22:51
  • We connect to multiple databases for the website. Some are MS SQL databases, and some are Oracle. Since we have to encrypt the web.config for the Oracle connection strings anyways, we also include the MS SQL connection strings in the web.config, since there are different connection strings depending on the database. Commented Feb 23, 2015 at 22:57
  • If we changed to Integrated pipeline mode, how would that resolve blocking anonymous access to the pdf files? I did a test with Integrated Pipeline mode just now, and I was still able to access the pdf file as an anonymous user. Commented Feb 23, 2015 at 23:06
  • 1
    It sounds like the pdf is being served by IIS via the StaticFileHandler before checking the authorization rules defined in the web.config. Running in Integrated Pipeline mode would allow the requests to be run through managed code, allowing you the opportunity to deny access to files by implementing logic in managed code in e.g. a HttpModule (but IIRC, running in Integrated Pipeline mode will obey the authorization rules defined in config) Commented Feb 23, 2015 at 23:11
  • 1
    @BryanHepburn I cover this in this SO answer on how to block the download and this SO answer on a custom handler. Commented Feb 24, 2015 at 1:32
Related questions
3
.NET Forms Authentication: How to limit access to resources like pdf files to authenticated users only
1
How to prevent accessing unauthorized user to resource such as .pdf file in host?
6
How do I restrict access to pdf files on my server?
Load 7 more related questions Show fewer related questions

0

Reset to default

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.