View Full Version : Authorization Manager, Private Folder Problem


jncueto
06-17-2008, 06:28 AM
I'm attempting to make a folder that can be FTP'ed into to deposit PDFs, but they cannot be accessed via a web browser. I have an ASP.NET application that will read the file and send the pdf back as the response to a query. I tried to follow the instructions in:

http://kb.discountasp.net/article.aspx?id=10572

using the settings Deny "All anonymous users" and "All users" and neither seemed to work. Anything I put into the folder was still publicly accessible.

Is there (a) some trick to getting this to work or (b) a better way to approach this problem? Keeping the pdf files from being accessed directly is the main objective here and I'm open to other methods.

Thanks!

Aristotle
06-17-2008, 10:05 AM
This setting should work. Do you have a URL that we can test? Or can you post your web.config?

Aristotle

DiscountASP.NET
www.DiscountASP.NET (http://www.DiscountASP.NET)

jncueto
06-19-2008, 02:08 AM
I set up a folder called pdfstore and put a word document in there (I don't have a pdf handy) at:

*Removed broken URL, thanks again!

However, after looking at the web.config file the tool generated:


<configuration>
  <system.web>
    <authorization>
      <deny users="?" />
    </authorization>
  </system.web>
</configuration>

I assumed it might be restricting access to asp files in that directory only, so I used the tool on my local IIS install to create a forbidden path, which seems to work. Is this a viable alternative or is there something I'm doing wrong with the tool?

Thanks again!

Post Edited (John Cueto) : 6/21/2008 10:06:39 PM GMT

Aristotle
06-19-2008, 09:41 AM
Ok I see what's happened. You've added a .NET authorization rule. This only applies to ASP.NET files. You should add an IIS authorization rule instead.

Use the IIS 7 Manager or add the following to the web.config.

<system.webServer>
  <security>
    <authorization>
      <add accessType="Deny" users="?" />
    </authorization>
  </security>
</system.webServer>

Aristotle

DiscountASP.NET
www.DiscountASP.NET (http://www.DiscountASP.NET)
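
The difference described in the reply above can be checked mechanically. The following is an added example, not code from the thread or from DiscountASP.NET: a small Python audit that reads a folder's web.config and flags the case where anonymous users are denied only by the ASP.NET rule, which leaves PDFs and other static files reachable. The function names are hypothetical, the two sample configs are constructed from the snippets in this thread, and the check assumes only the folder's own web.config matters (inherited and <location> rules are not evaluated).

```python
import xml.etree.ElementTree as ET

# Constructed sample: the file the control-panel tool generated (ASP.NET rule only).
ASPNET_ONLY = """<configuration>
  <system.web>
    <authorization><deny users="?" /></authorization>
  </system.web>
</configuration>"""

# Constructed sample: the IIS rule from the reply, wrapped in <configuration>.
IIS_RULE = """<configuration>
  <system.webServer>
    <security>
      <authorization><add accessType="Deny" users="?" /></authorization>
    </security>
  </system.webServer>
</configuration>"""

def _walk(node, *tags):
    """Return the elements reached by following the given child tag names."""
    nodes = [node]
    for tag in tags:
        nodes = [child for n in nodes for child in n if child.tag == tag]
    return nodes

def _users(elements):
    """Collect the comma-separated users="..." values of the given elements."""
    return {u.strip() for e in elements
            for u in e.get("users", "").split(",") if u.strip()}

def denied_users(xml_text):
    """Return the users denied at the ASP.NET layer and at the IIS layer."""
    root = ET.fromstring(xml_text)
    aspnet = _users(_walk(root, "system.web", "authorization", "deny"))
    iis_adds = _walk(root, "system.webServer", "security", "authorization", "add")
    iis = _users(e for e in iis_adds
                 if e.get("accessType", "").lower() == "deny")
    return {"aspnet": aspnet, "iis": iis}

def static_files_exposed(xml_text):
    """True when '?' or '*' is denied for ASP.NET content only."""
    denied = denied_users(xml_text)
    blocks = lambda users: bool(users & {"?", "*"})
    return blocks(denied["aspnet"]) and not blocks(denied["iis"])

if __name__ == "__main__":
    for name, cfg in (("ASP.NET rule only", ASPNET_ONLY), ("IIS rule", IIS_RULE)):
        print(name, "-> static files exposed:", static_files_exposed(cfg))
```
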

jncueto
06-19-2008, 10:41 AM
That worked perfectly, thank you very much!