Sitefinity ASP.NET CMS - Content Management System

How to restrict the access to a given folder for a specific role - ID#1082
Last Modified: 8/14/2008
Related categories: Security;

Article information

Article relates to: Sitefinity 3.x
Created by: Rebecca
Kudos to: Jason Moodie

Sample scenario: I don't want anonymous users and users assigned to the "test" role to be able to access any files from the folder named "Protected" located in ~/Files. I want to ensure that even if they know the URL, they cannot view the file.

1. Add a web.config file to the folder in Files that you want to protect

In our example we have to place the web.config in \Sitefinity3.x\WebSites\<YourProject>\Files\Protected.
Sample web.config:

<?xml version="1.0"?>

<configuration xmlns="http://schemas.microsoft.com/.NetConfiguration/v2.0">
    <appSettings/>
    <connectionStrings/>
    <system.web>
        <authorization>
            <deny roles="test" />
            <deny users="?" />
        </authorization>
    </system.web>
</configuration>


2. Add application extension mappings

By default, ASP.NET does not protect non-ASP.NET files (.pdf, .htm, .doc, .ppt, .xls, etc.), because IIS serves them directly without passing the request to ASP.NET, so you need to create a custom mapping in IIS. To do this, open the web site or virtual directory properties in IIS and navigate to Configuration > Mappings > Add. Add the following mapping record for each file type (extension) you want to protect; the example below is for the .pdf extension.

Executable: C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_isapi.dll
Extension: .pdf
All Verbs (selected)
Script Engine (selected)
Verify that file exists (selected)



3. Add httpHandlers to the application web.config

Open the \Sitefinity3.x\WebSites\<YourProject>\web.config file and add the following httpHandlers for the file types you want protected:

<httpHandlers>
    <add type="System.Web.StaticFileHandler" path="*.pdf" verb="*" validate="true" />
</httpHandlers>

Now anyone trying to access the files in the protected folder has to pass through ASP.NET authentication, and a user who belongs to the "test" role will not be able to see the file.
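To make the authorization semantics concrete, here is a small Python model (added for this article, not Sitefinity or Microsoft code) that parses the step 1 web.config above and evaluates requests the way ASP.NET URL authorization does: rules are checked top-down, the first match wins, and a request for a file whose extension is not mapped to aspnet_isapi.dll in step 2 never reaches those rules at all. The Principal type, the MAPPED_EXTENSIONS set and the outcome strings are constructed for the example.

```python
import os
import xml.etree.ElementTree as ET
from collections import namedtuple

NS = "{http://schemas.microsoft.com/.NetConfiguration/v2.0}"  # ElementTree prefixes every tag with this default namespace

# The web.config from step 1 of the article, embedded as sample input.
PROTECTED_WEB_CONFIG = """<?xml version="1.0"?>
<configuration xmlns="http://schemas.microsoft.com/.NetConfiguration/v2.0">
  <system.web>
    <authorization>
      <deny roles="test" />
      <deny users="?" />
    </authorization>
  </system.web>
</configuration>"""

# Extensions routed to aspnet_isapi.dll after step 2 (constructed set).
MAPPED_EXTENSIONS = frozenset({".aspx", ".ashx", ".pdf"})

# name is None for an anonymous request; roles is a frozenset of role names.
Principal = namedtuple("Principal", "name roles", defaults=[frozenset()])

def _split(value):
    return {x.strip() for x in value.split(",") if x.strip()}

def parse_rules(xml_text):
    """Return [(action, users, roles), ...] in document order."""
    auth = ET.fromstring(xml_text).find(NS + "system.web/" + NS + "authorization")
    return [(el.tag[len(NS):], _split(el.get("users", "")), _split(el.get("roles", "")))
            for el in auth]

def _matches(users, roles, p):
    anonymous = p.name is None
    return ("*" in users or ("?" in users and anonymous)
            or (not anonymous and p.name in users) or bool(roles & p.roles))

def is_authorized(rules, p):
    """First matching rule wins; with no match the root <allow users="*"/> applies."""
    for action, users, roles in rules:
        if _matches(users, roles, p):
            return action == "allow"
    return True

def request_outcome(path, p, rules, mapped=MAPPED_EXTENSIONS):
    """Unmapped extensions are served by IIS directly, so the rules never run."""
    if os.path.splitext(path)[1].lower() not in mapped:
        return "served-unchecked"
    return "allowed" if is_authorized(rules, p) else "denied"
```

Evaluating the same rules with an <allow users="*" /> placed first shows why rule order matters: that rule matches everyone, so the later deny entries never run.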
