How to deny access to a file with ASP.NET web config but not just locally?

I have a problem with an ASP.NET web configuration file. I want to deny some users or roles access to a specific PDF file. I am using the ASP.NET membership and role management system. So I added these lines of code to a Web.config file:

<location path="myfile.pdf">
    <system.web>
        <authorization>
            <allow roles="admin"/>
            <deny users="*"/>
        </authorization>
    </system.web>
</location>

and put it in the directory which contains the file. Now when I run the project on my local system I cannot access the PDF file while I log in with the "admin" role. But when I publish the project on the web server I cannot browse the folder, but I can view the PDF file when I browse to the complete path of the PDF file. So:

I can not access: http://www.example.com/folder

but I can view: http://www.example.com/folder/myfile.pdf

Morteza Hasani asked Mar 03 '11 07:03



2 Answers

IIS is probably serving the PDF file before ASP.Net gets its hands on it. Assuming you're using .Net 4.0, add this to your Web.config file to force all requests to flow through to ASP.Net:

<system.webServer>
    <modules runAllManagedModulesForAllRequests="true"/>
</system.webServer>

Josh M. answered Nov 08 '22 15:11


You need to make IIS forward PDF requests to ASP.NET for your stuff to take place.

Example Article:

  • http://www.primaryobjects.com/CMS/Article112.aspx

Quoting relevant part from article:

Hooking PDF Files Into the Web Application with IIS

It was easy testing the custom HTTP handler in Visual Studio's built-in web server, Cassini, since all document types are automatically processed in the web application by default. However, IIS needs a few tweaks. IIS will ignore sending requests for static documents, such as PDF files, to the ASP .NET web application and will instead simply serve the request. We need to intercept the request and allow our web application to process it first. To do this, we'll need to set up an IIS mapping for PDF files (*.pdf), telling IIS to send the request to our web application.

In IIS 5/6

  1. Open the Internet Information Services (IIS) Manager.
  2. For your web application, on the Directory tab, click the Configuration button.
  3. On the Mappings tab of the Application Configuration window, click the Add button to add a new Application Extension Mapping.
  4. In the Executable field, enter: C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_isapi.dll
  5. In the Extension field, enter: *.pdf
  6. Select All Verbs and checkmark Script Engine and Check that file exists.

In IIS 7

  1. Open the Internet Information Services (IIS) Manager.
  2. Open the Handler Mappings setting.
  3. Add a Managed Handler.
  4. For Request Path enter: *.pdf
  5. For Type, select the custom HTTP handler for the application.

A shortcut to this in IIS 7, as mentioned above in the article, is to define the mapping in the web.config within the system.webServer handlers section, as follows:

<system.webServer>
    ...
    <handlers>
        <add name="PDF" path="*.pdf" verb="*" type="CustomFileHandlerDemo.Handlers.FileProtectionHandler" resourceType="Unspecified" />
        ...
    </handlers>
</system.webServer>

The above code in the web application's web.config will automatically add the entry into the IIS 7 Handler Mappings section.

The above steps may differ depending on your version of IIS, but should be similar for adding a document mapping to the web application. Once configured, requests for PDF documents will be sent to the web application, where you can process the request before allowing access.

Remember, in Visual Studio's built-in web server, module mappings are not required, as all requests for files go through the web application, making it easy to test the custom http handler.

Because you don't use a custom handler, you just need to set the handler to the ASP.NET default handler. This is the same handler that is already set for ".aspx" in IIS.

Meligy answered Nov 08 '22 16:11
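
As an added example (not from either answer or the quoted article), here is a static check for the gap both answers describe: a `<location>` whose `system.web` deny rule covers a file that IIS serves as static content, with neither `runAllManagedModulesForAllRequests` nor a managed handler mapping for it. The function name, the extension list and the assumption that all settings sit in one Web.config are choices made for this example.

```python
import fnmatch
import posixpath
import xml.etree.ElementTree as ET

# Extensions already handled by ASP.NET (assumed short list for this example).
MANAGED_EXTS = {".aspx", ".ashx", ".asmx", ".axd"}

def unprotected_static_paths(web_config_xml):
    """Return <location> paths whose system.web deny rules IIS may skip."""
    root = ET.fromstring(web_config_xml)
    # First answer: every request runs through the managed modules.
    all_managed = any(
        m.get("runAllManagedModulesForAllRequests", "").lower() == "true"
        for ws in root.iter("system.webServer") for m in ws.iter("modules"))
    # Second answer: handler mappings that hand a path pattern to managed code.
    patterns = [a.get("path", "").lower()
                for ws in root.iter("system.webServer")
                for h in ws.iter("handlers") for a in h.findall("add")
                if a.get("type")]
    findings = []
    for loc in root.iter("location"):
        path = loc.get("path", "")
        name = posixpath.basename(path.replace("\\", "/")).lower()
        ext = posixpath.splitext(name)[1]
        has_deny = any(sw.find("authorization/deny") is not None
                       for sw in loc.iter("system.web"))
        # Only files with a non-ASP.NET extension are in scope here.
        if not has_deny or not ext or ext in MANAGED_EXTS:
            continue
        if not all_managed and not any(
                fnmatch.fnmatchcase(name, p) for p in patterns):
            findings.append(path)
    return findings

# Constructed sample inputs built from the snippets on this page.
LOCATION = ('<location path="myfile.pdf"><system.web><authorization>'
            '<allow roles="admin"/><deny users="*"/>'
            '</authorization></system.web></location>')
MODULES = ('<system.webServer><modules '
           'runAllManagedModulesForAllRequests="true"/></system.webServer>')
HANDLER = ('<system.webServer><handlers><add name="PDF" path="*.pdf" verb="*" '
           'type="CustomFileHandlerDemo.Handlers.FileProtectionHandler" '
           'resourceType="Unspecified"/></handlers></system.webServer>')

def sample(extra=""):
    return "<configuration>" + LOCATION + extra + "</configuration>"

if __name__ == "__main__":
    for label, extra in [("question", ""), ("modules", MODULES), ("handler", HANDLER)]:
        print(label, unprotected_static_paths(sample(extra)))
```

The check only reads configuration; after deploying, confirm the result by requesting the file on the server without being logged in.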