Can I use wildcards in the web.config location path attribute?

Question

In IIS 7 I try to deny access to all files with the extension .xml for all users.

I tried the following setting in my web.config file:

<location path="*.xml">
    <system.web>
      <authorization>
        <deny users="*"/>
      </authorization>
    </system.web>
</location>

But then getting any file results in an internal server error.

It works if I deny access to the individual files but this solution does not buy me much as I do not know all .xml files in advance.

Answer 1

Try this:

<configuration>
    <system.web>
        <httpHandlers>
            <add path="*.xml" verb="*" 
             type="System.Web.HttpNotFoundHandler" />
        </httpHandlers>
    </system.web>
</configuration>

By the way you could alternatively store all of your xml files within the App_Data directory. Storing files of any type in this directory will not be served to the web.

Answer 2

Another way is to use a request filter:

<system.webServer>
  <security>
    <requestFiltering>
      <fileExtensions>
        <add fileExtension=".xml" allowed="false" />
      </fileExtensions>
    </requestFiltering>
  </security>
</system.webServer>