Monday, November 15, 2010

IIS 7: Secure File Types like .txt or .html

I've had a .NET 2.0/IIS 4 site running for a long time that was meant to provide access to documents, but the documents were to be categorized and secured. I did my best to obscure the file structure and document names and not allow bot files in. But I was never quite satisfied with this because you could not fully secure files such as .doc or .txt. There was potential to serve up these pages, which was very annoying.

My understanding of the IIS 7.0/4.0 Integrated Pipeline is that you can secure files other than .aspx. I started using IIS 7 months ago, but never really understood what this new integrated pipeline could do for me until recently. I had to dig to even figure this out on my own. sigh...

Anyhow, by putting your site in 4.0 Integrated Pipeline mode and adding a few configuration lines to a "Form secured site", you can now require security on those "other" file types. Yes, just what I needed!

It was pretty simple, and I am hoping I'm right on with my understanding. If I'm wrong please let me know!!

I just modified the Application Pool to use 4.0 Integrated Mode. Then I added the following lines to the web.config, inside the system.webServer tag:

    <modules>
      <!-- Re-adding each module without preCondition="managedHandler" makes it run for every request, not only ASP.NET content -->
      <remove name="FormsAuthenticationModule" />
      <add name="FormsAuthenticationModule" type="System.Web.Security.FormsAuthenticationModule" />
      <remove name="UrlAuthorization" />
      <add name="UrlAuthorization" type="System.Web.Security.UrlAuthorizationModule" />
      <remove name="DefaultAuthentication" />
      <add name="DefaultAuthentication" type="System.Web.Security.DefaultAuthenticationModule" />
    </modules>
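One way to check that a web.config really applies this change, as an added example that is not code from the original post: the script flags any of the three modules that is still limited by preCondition="managedHandler", and a missing deny rule for anonymous users. The function name audit_web_config and both sample configs are constructed for illustration, and it assumes the authorization rule sits at the top level of system.web rather than inside a location element.

```python
import xml.etree.ElementTree as ET

# Managed modules that must run on every request for .txt/.doc/.html to be protected.
REQUIRED = {
    "System.Web.Security.FormsAuthenticationModule",
    "System.Web.Security.UrlAuthorizationModule",
    "System.Web.Security.DefaultAuthenticationModule",
}

def audit_web_config(xml_text):
    """Return findings; an empty list means static files go through Forms auth."""
    root = ET.fromstring(xml_text)
    modules = root.find("system.webServer/modules")
    adds = modules.findall("add") if modules is not None else []
    # runAllManagedModulesForAllRequests="true" lifts the managedHandler restriction.
    run_all = modules is not None and \
        modules.get("runAllManagedModulesForAllRequests", "").lower() == "true"
    covered = set(REQUIRED) if run_all else set()
    for add in adds:
        mod_type = add.get("type", "").split(",")[0].strip()
        managed_only = "managedhandler" in add.get("preCondition", "").lower()
        if mod_type in REQUIRED and not managed_only:
            covered.add(mod_type)
    findings = [f"{t} is not run for static files" for t in sorted(REQUIRED - covered)]
    # The modules only enforce rules that exist: anonymous users ("?") must be denied.
    denies = root.findall("system.web/authorization/deny")
    if not any("?" in d.get("users", "").split(",") for d in denies):
        findings.append('no <deny users="?" /> under system.web/authorization')
    return findings

# Constructed sample: the modules block from the post plus a deny rule for anonymous users.
HARDENED = """<configuration>
  <system.web><authorization><deny users="?" /></authorization></system.web>
  <system.webServer><modules>
    <remove name="FormsAuthenticationModule" />
    <add name="FormsAuthenticationModule" type="System.Web.Security.FormsAuthenticationModule" />
    <remove name="UrlAuthorization" />
    <add name="UrlAuthorization" type="System.Web.Security.UrlAuthorizationModule" />
    <remove name="DefaultAuthentication" />
    <add name="DefaultAuthentication" type="System.Web.Security.DefaultAuthenticationModule" />
  </modules></system.webServer>
</configuration>"""

# Constructed sample: modules re-added but still limited to managed handlers.
WEAK = HARDENED.replace("type=", 'preCondition="managedHandler" type=')

if __name__ == "__main__":
    print("hardened:", audit_web_config(HARDENED))
    print("weak:", audit_web_config(WEAK))
```

An empty result for a config still needs a live check: request a .txt file while logged out and confirm the redirect to the login page.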
