Trying to prevent access to a specific file, not any files with a certain extention, just one specific file.
The issue is that the end user can just type: /filename.xml into their browser and can see the contents of this file, i’d rather they not be able to see this.
Things I have tried:
1) Putting the file elsewhere
I have a “secure” folder as part of my hosting account. So I figured i’d just change the path to: “..\..\..\SSL\FileName.xml” and move the file there. ASP.NET crashes on this one with the error:
- Cannot use a leading .. to exit above the top directory
So I presume that’s in place for security purposes.
2) Location in web.config
So next I tried to use this in the web.config:
<location path="FileName.xml">
<system.web>
<authorization>
<deny users="*"/>
</authorization>
</system.web>
</location>
This doesn’t seem to do anything…. anyone know why? I’m not specifically using ASP.NET authentication in this app, is that why this doesn’t work?
3) Using IIS to prevent access
Alas, I do not have access to IIS as I have a terrifically lame hosting account.
So does anyone know what i’m doing wrong with the above attempts or have any alternative solutions I can try?
kthxbye!
Can you add the ASP.Net folder “App_Data” to your application, and put the xml file in there? This folder is specifically meant to hold this type of data and hide it from browsers/users, but keep it within your application scope.
alt text http://img178.imageshack.us/img178/7708/appdata.png
As to why the authorization directive in your web.config file is not working, it’s because the “.xml” file extension is not handled by the ASP.Net pipeline. You would need to configure your IIS to send all requests for xml files through the ASP.Net request handlers in order to apply that security directive to it.