how to deny user to access sub folders and file?

Question

on local machine ,i created sample project on mvc4 (razor) and create directory named \"x\" and put a text file \"a.txt\" in it.

http://localhost:64471/x/a.t         


        

Answer 1

I tested with path="x" in root web.config. It restrict everything under x folder; it won't even let me browse ~/x. I get redirected to login page.

Could you try full path to a.txt like this in root web.config?

<location path="x/a.txt">
  <system.web>
    <authorization>
      <deny users="*"/>
    </authorization>
  </system.web>
</location>

If it still doesn't work, you can try creating a web.config inside x folder with the following content.

<?xml version="1.0"?>
<configuration>

  <location path="a.txt">
    <system.web>
      <authorization>
        <deny users="*"/>
      </authorization>
    </system.web>
  </location>

</configuration>

Answer 2

I know this is an old question, but if you are having issues and dealing with text or html files, you might want to refer to this stackoverflow question.

In short, you might need to add this to your web.config:

<system.webServer>
    <modules>
        <remove name="UrlAuthorization" />
        <add name="UrlAuthorization" type="System.Web.Security.UrlAuthorizationModule"  />
    </modules>
</system.webServer>

As kirk points out, files such as .txt and .html files are handled by IIS and not ASP.NET, so the authorization rules aren't applied to them.