I have a "resource" folder in my solution file which contains the XML files. It is available to remote, unauthenticated Internet users and I wanted to deny access to all the users. If they know the file's name they can access it through the URL.

eg: example.com/common/resources/test.xml

Hence I wanted to deny access to that folder or move it to a directory that is not served as content by the web server.

I am using Visual Studio 2003 and IIS. Can anyone help me restrict all the users from viewing the file?

A: 

I think you answered your own question -- move it to a directory that's not served by IIS. This sounds like the simplest solution, based upon your description.

Your other option is to enable authentication against that folder.

jro
A: 

You could change the extension to .config for an easy fix. IIS doesn't serve .config files.

I'm sure you can set the permissions of that folder to only allow ASP.Net access.

hunter
A: 

You can set up IIS to not serve xml files. But that will block all xml files, not only the ones in your resources folder.

Alternatively you can add a web.config file to the resources folder and set the access so that no users are allowed to download files from that folder. Something like this should work:

<authorization>
   <deny users="*"/>
</authorization>
Rune Grimstad
I tried your way. But it's still opening the xml file under the resource folder. The code is: <location path="../save/common/resources"> <system.web> <authorization> <deny users="*"/> <deny users="?"/> </authorization> </system.web> </location>
That is strange. You added the lines to the web.config at your project's root folder? Try to add a new web.config to the resources folder and insert the authorization element there.
Rune Grimstad
IIS is probably serving the file without giving the ASP.NET process a chance to use web.config settings (it may be configured to do otherwise, which is not an optimal solution either).
muratgu
A: 

I tried your way. But it's still opening the xml file under the resource folder.

The code is:

<location path="../save/common/resources">
  <system.web>
    <authorization>
      <deny users="*"/>
      <deny users="?"/>
    </authorization>
  </system.web>
</location>
+1  A: 

If the files are only used by your code then you can change the "Build Action" of those files to be "Embedded Resource". Then when you deploy the app, those files will be added as resources within the DLL file itself so you won't have them on the web server anymore. To access them you would use the System.Reflection.Assembly.GetExecutingAssembly().GetManifestResourceStream method.

David
+2  A: 

The problem is that IIS will, by default, serve xml and other static content without even telling ASP.NET about it. So your authentication in ASP.NET is completely bypassed.

One solution is therefore to force IIS to call upon ASP.NET to handle xml content. That way you can get the benefit of ASP.NET authentication and use the web.config file, as discussed in this thread, to control access.

Sorry that these instructions are for IIS 5 and ASP.NET 2.0, but I imagine you can work out the equivalent in other versions of IIS & ASP.NET. In IIS, select Properties for your website, then Configuration, then Add to add a new mapping. Select the path to aspnet_isapi.dll, which lives in e.g. Windows\Microsoft.Net\Framework\v2.0.5072. Put .xml in the Extension box. Select all verbs, and OK that.

Hope that helps.

saille
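
A complete web.config for the resources folder, building on the mapping described in the answer above. This is an added example, not part of the original answer; it assumes the .xml extension has already been mapped to ASP.NET in IIS 5/6 and that this file is saved inside the resources folder itself. System.Web.HttpForbiddenHandler is the same handler ASP.NET uses to refuse requests for .config files.

```xml
<?xml version="1.0"?>
<!-- Added example: web.config placed in the resources folder itself
     (for instance common/resources/web.config), not in the site root.
     Nothing here is evaluated for requests that IIS serves as static
     content; it applies only once .xml requests are routed to ASP.NET. -->
<configuration>
  <system.web>

    <!-- Handler-level block: any verb, any *.xml file in this folder
         and below is answered by the forbidden handler instead of
         being returned to the client. -->
    <httpHandlers>
      <add verb="*" path="*.xml" type="System.Web.HttpForbiddenHandler" />
    </httpHandlers>

    <!-- URL authorization: users="*" matches every user, anonymous
         ones included, so a separate users="?" rule is not needed. -->
    <authorization>
      <deny users="*" />
    </authorization>

  </system.web>
</configuration>
```

Either section on its own denies the request once ASP.NET is handling .xml; server-side code that opens the files from disk is unaffected because it never goes through the HTTP pipeline.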
+4  A: 

You could instead store your XML in the App_Data folder as IIS will disallow access to it by default.

Cargowire
Perfect answer (hence the +1 from me); this is exactly the use case for the App_Data folder.
PaulJ