0

I'm trying to secure a few HTML files in a folder (see my questions Protect Static Files with Authentication on ASP.NET Core and ASP.NET Core authorization permission access folder with Identity Server). I created two projects, one with MVC and one with Razor Pages, with the same result. Also, I have an integration with Identity Server. I can secure non-HTML files.

Then, my idea was to use web.config to allow only authenticated users to access the folder, like:

<location path="html">
  <system.web>
    <authorization>
      <deny users ="*" />
    </authorization>
  </system.web>
</location>

and I merged it with the web.config I found in my deployed application on Azure. The result is the following:

<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <location path="." inheritInChildApplications="false">
    <system.webServer>
      <handlers>
        <add name="aspNetCore" path="*" verb="*" modules="AspNetCoreModuleV2" resourceType="Unspecified" />
      </handlers>
      <aspNetCore processPath="dotnet" arguments=".\PatientJourney.dll" 
                  stdoutLogEnabled="false" stdoutLogFile=".\logs\stdout" hostingModel="inprocess" />
    </system.webServer>
  </location>
  <location path="infographics">
    <system.web>
      <authorization>
        <deny users ="*" />
      </authorization>
    </system.web>
  </location>
  <location path="html">
    <system.web>
      <authorization>
        <deny users ="*" />
      </authorization>
    </system.web>
  </location>
</configuration>

The html folder is the physical folder under the root; infographics is the virtual folder defined in Startup.cs:


app.UseStaticFiles(new StaticFileOptions
{
    FileProvider = new PhysicalFileProvider(Path.Combine(env.ContentRootPath, "html")),
    RequestPath = "/infographics",
    OnPrepareResponse = ctx =>
    {
        if (ctx.Context.Request.Path.StartsWithSegments("/infographics"))
        {
            ctx.Context.Response.Headers.Add("Cache-Control", "no-store");

            if (!ctx.Context.User.Identity.IsAuthenticated)
            {
                // respond HTTP 401 Unauthorized with empty body.
                ctx.Context.Response.StatusCode = (int)HttpStatusCode.Unauthorized;
                ctx.Context.Response.ContentLength = 0;
                ctx.Context.Response.Body = Stream.Null;

                // - or, redirect to another page. -
                // ctx.Context.Response.Redirect("/");
            }
        }
    }
});

Although I tried to deny access to both folders (physical and virtual), every user can access the files. Then, my questions.

Can I use web.config to secure a folder, or is it not supported anymore? Why doesn't location in the web.config work? Are there any limitations? I want to block the HTML pages for non-authenticated users: any other ideas?

1 Answer

0

What about managing users' rights to access folders using middleware?

ASP.NET Core Middleware

For example:

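using System.Threading.Tasks;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Http;
using Microsoft.AspNetCore.Identity;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.Logging;

public class RequestResponseLoggingMiddleware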
{
    private readonly RequestDelegate _next;

    public RequestResponseLoggingMiddleware(RequestDelegate next)
    {
        _next = next;
    }

    public async Task Invoke(HttpContext context, ILogger<RequestResponseLoggingMiddleware> logger, IConfiguration configuration, UserManager<User> userManager)
    {
        /*
        ...Managing users access to folders using IConfiguration and UserManager...
        */
        
        //Call the next delegate/middleware in the pipeline
        await _next(context);
    }
}

public static class RequestResponseExtensions
{
    public static IApplicationBuilder UseRequestResponseLogging(this IApplicationBuilder builder)
    {
        return builder.UseMiddleware<RequestResponseLoggingMiddleware>();
    }
}

In your Startup.cs:

app.UseRequestResponseLogging();
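
Added example, not part of the original answer or the asker's project: `<system.web>` authorization rules belong to classic ASP.NET and are not evaluated by ASP.NET Core, where IIS uses web.config only to launch the app through the ASP.NET Core Module, so the check has to live in the request pipeline. One way to do that for the question's `/infographics` path, assuming a default challenge scheme is registered and using the hypothetical helper name `UseProtectedStaticFiles`:

```csharp
using System.IO;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Http;
using Microsoft.Extensions.FileProviders;

public static class ProtectedStaticFilesExtensions
{
    // Hypothetical helper (name and signature are assumptions, not a framework API).
    // Call it AFTER app.UseAuthentication() so HttpContext.User is populated:
    //   app.UseAuthentication();
    //   app.UseProtectedStaticFiles("/infographics",
    //       Path.Combine(env.ContentRootPath, "html"));
    // Keep the folder outside wwwroot, or a plain app.UseStaticFiles() would
    // serve the same files without this check.
    public static IApplicationBuilder UseProtectedStaticFiles(
        this IApplicationBuilder app, PathString requestPath, string physicalRoot)
    {
        // Branch only for requests under the protected prefix.
        return app.UseWhen(
            ctx => ctx.Request.Path.StartsWithSegments(requestPath),
            branch =>
            {
                // Gate: runs before the static file middleware in this branch.
                branch.Use(next => async ctx =>
                {
                    if (ctx.User?.Identity?.IsAuthenticated != true)
                    {
                        // Uses the default challenge scheme (assumed configured),
                        // e.g. a redirect to the Identity Server login page.
                        await ctx.ChallengeAsync();
                        return; // short-circuit: the file is never opened
                    }

                    // Keep protected pages out of shared and browser caches.
                    ctx.Response.Headers["Cache-Control"] = "no-store";
                    await next(ctx);
                });

                branch.UseStaticFiles(new StaticFileOptions
                {
                    FileProvider = new PhysicalFileProvider(physicalRoot),
                    RequestPath = requestPath
                });
            });
    }
}
```

Because the gate short-circuits before `UseStaticFiles` runs, an anonymous request never reaches the file provider, unlike a check in `OnPrepareResponse`, which runs after the file has already been resolved.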