0

My web application uses forms authentication mode.

```xml
<authentication mode="Forms">
  <forms loginUrl="Logon.aspx" protection="All" path="/" timeout="60" slidingExpiration="false" />
</authentication>

<authorization>
  <deny users="?"/>
</authorization>
```

There is a folder in my web application, named "Documentos", that has a lot of PDF files.

My program allows the user to load a PDF file using its URL address:

http://MyHost/MyWebApp/Documentos/1.pdf

However, I need to restrict that functionality only to authenticated users.

For that, I put in my web.config:

```xml
<location path="Documentos">
  <system.web>
    <authorization>
      <deny users="?" />
    </authorization>
  </system.web>
</location>
```

But it doesn't make any difference. Anyone can still load any PDF file in folder Documentos doing:

http://MyHost/MyWebApp/Documentos/1.pdf

Can I accomplish what I'm looking for or should I approach it in a different way?

EDIT

Win's solution and Richard's solution are correct. This is the way to put those settings in web.config:

```xml
<system.webServer>
  <modules runAllManagedModulesForAllRequests="true"/>
</system.webServer>
<location path="Documentos">
  <system.web>
    <authorization>
      <deny users="?" />
    </authorization>
  </system.web>
</location>
```

Delmonte
  • Could you show us the login method inside Logon.aspx? – Win Feb 05 '16 at 21:29
  • Thanks for your help. I posted my Logon method, see my last edit. – Delmonte Feb 08 '16 at 20:13
  • Could you show how you create **Principal Object**? If you do not have one, you might want to read **Application_AuthenticateRequest** event at [this answer](http://stackoverflow.com/a/28334010/296861). – Win Feb 08 '16 at 20:35
  • Sorry, it was my mistake. After reviewing my code, I realize that your solution and Richard's one are correct. In my web.config I had to put `` and not `` – Delmonte Feb 08 '16 at 21:42

2 Answers

2

You have two options -

Option 1

Use ~/ if your web application is not root level.

```xml
<location path="~/Documentos">
  <system.web>
    <authorization>
      <deny users="?" />
    </authorization>
  </system.web>
</location>
```

Option 2

Create a web.config with the following content, and place it inside the Documentos folder.

```xml
<?xml version="1.0"?>
<configuration>

  <system.web>
    <authorization>
      <deny users="?"/>
    </authorization>
  </system.web>

</configuration>
```

Win
1

The problem is that by default, the auth section only applies to requests that go through the pipeline, not to static files. To do what you want, add the following attribute to your modules section:

```xml
<system.webServer>
  <modules runAllManagedModulesForAllRequests="true">
...
```

Richard
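
An added example, not part of the question or either answer: a small Python audit that parses a web.config and reports `deny users="?"` rules that static files such as PDFs will bypass, run over constructed samples of the question's original settings and the settings from its EDIT. It also accepts one alternative the page does not mention (re-adding the two auth modules without the `managedHandler` precondition); the function names `audit` and `static_files_covered` are hypothetical.

```python
import xml.etree.ElementTree as ET

# Managed modules that must run for a request before <deny users="?"/> can reject it.
AUTH_MODULES = {"FormsAuthentication", "UrlAuthorization"}

# Constructed samples: the question's original settings and the settings from its EDIT.
ORIGINAL = """<configuration>
  <system.web>
    <authentication mode="Forms">
      <forms loginUrl="Logon.aspx" protection="All" path="/" timeout="60" />
    </authentication>
    <authorization><deny users="?"/></authorization>
  </system.web>
  <location path="Documentos">
    <system.web><authorization><deny users="?"/></authorization></system.web>
  </location>
</configuration>"""
FIXED = ORIGINAL.replace("</configuration>", """  <system.webServer>
    <modules runAllManagedModulesForAllRequests="true"/>
  </system.webServer>
</configuration>""")

def static_files_covered(root):
    """True when the auth modules also run for requests served by the static file handler."""
    modules = root.find("system.webServer/modules")
    if modules is None:
        return False
    if modules.get("runAllManagedModulesForAllRequests", "").lower() == "true":
        return True
    # Alternative (assumption, not on the page): modules removed and re-added
    # without the default "managedHandler" precondition.
    readded = {m.get("name") for m in modules.findall("add")
               if "managedHandler" not in m.get("preCondition", "")}
    return AUTH_MODULES <= readded

def audit(web_config_xml):
    """Return one finding per scope whose anonymous-deny rule skips static files."""
    root = ET.fromstring(web_config_xml)
    if static_files_covered(root):
        return []
    scopes = [("(application root)", root)]
    scopes += [(loc.get("path"), loc) for loc in root.findall("location")]
    return [f'{name}: deny users="?" is not applied to static files such as .pdf'
            for name, node in scopes
            if any(d.get("users") == "?"
                   for d in node.findall("system.web/authorization/deny"))]

if __name__ == "__main__":
    for label, cfg in (("original", ORIGINAL), ("fixed", FIXED)):
        print(label, audit(cfg) or "ok")
```

The audit reads a single file only, so settings inherited from a parent web.config or applicationHost.config are not considered.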