I’m probably missing something easy here, but I have an ASP.NET website that uses Identity and roles, and I’m trying to restrict access to a folder containing some MP4 videos so that anonymous users cannot see direct links to those videos.
I had this in my web.config for the folder:
<?xml version="1.0" encoding="utf-8"?>
<configuration>
<system.web>
<authorization>
<allow roles="Admin"/>
<allow roles="User"/>
<deny users="*" />
</authorization>
</system.web>
</configuration>
The asp:LoginView control works fine with this setup, but the videos return a 401 error.
I tried this as well with the same result:
<?xml version="1.0" encoding="utf-8"?>
<configuration>
<system.web>
<authorization>
<deny users="?" />
</authorization>
</system.web>
</configuration>
If I remove everything from the authorization tag, then it works so I know all the paths are right and something about the authorization setup is preventing it from serving that video.
I also tried calling out the Files directory individually like this:
<?xml version="1.0" encoding="utf-8"?>
<configuration>
<system.web>
<authorization>
<allow roles="Admin"/>
<allow roles="User"/>
<deny users="*" />
</authorization>
</system.web>
<location path="Files">
<system.web>
<authorization>
<allow users="*" />
</authorization>
</system.web>
</location>
</configuration>
Unfortunately, this makes it so that I can access the video link even when not logged in (which is what I am trying to prevent).
If I try to do a role based setup for the Files subfolder like this (which I don’t think should be any different from the first version) then I’m back to getting a 401 on the video, even when logged in:
<?xml version="1.0" encoding="utf-8"?>
<configuration>
<system.web>
<authorization>
<allow roles="Admin"/>
<allow roles="User"/>
<deny users="*" />
</authorization>
</system.web>
<location path="Files">
<system.web>
<authorization>
<allow roles="Admin"/>
<allow roles="User"/>
<deny users="*" />
</authorization>
</system.web>
</location>
</configuration>
What am I missing here?
Answers:
Thank you for visiting the Q&A section on Magenaut. Please note that all the answers may not help you solve the issue immediately. So please treat them as advisements. If you found the post helpful (or not), leave a comment & I’ll get back to you as soon as possible.
Method 1
I modified my answer. I think the following is what you are looking for:
How to prevent anonymous users from accessing a file using forms authentication?
All methods was sourced from stackoverflow.com or stackexchange.com, is licensed under cc by-sa 2.5, cc by-sa 3.0 and cc by-sa 4.0