Hide XML files in asp.net 2.0 using web.config

[ajingar]

Hi All,

I am trying to hide an XML file in my ASP.NET 2.0 application so users cannot type the URL in the address bar and view it. I have read up and it seems the best way is to use the web.config file to hide files or folders. This is what I have done - I have tried to hide at folder level:

Code:

<location path="secret">
    <system.web>
      <authorization>
        <deny users="*" />
      </authorization>
    </system.web>
  </location>

I've put 2 files in a folder called secret (referenced by the code above), called secret.aspx and hideme.xml

The security works as expected for the secret.aspx file - i.e. it asks for authentication, and won't let me in when I try to view secret.aspx. However, when I type the url for the XML file (hideme.xml), it just shows me the file contents as normal.


I have even tried to hide the at file level:

Code:

<location path="secret/hideme.xml">
    <system.web>
      <authorization>
        <deny users="*" />
      </authorization>
    </system.web>
  </location>

But this doesn't work also.

Can anyone please shed light on this problem? I'd be very grateful.

Much Obliged, Ash
UK

[wwb_99]

Basically, the issue is that XML files are not mapped to the ASP.NET ISAPI DLL, so your security code is never hit. Now, you could map .XML to that handler, or just use a wildcard, but that can get ugly and will generally require a dedicated server.

A better way to achieve the same goal is to use the app_data folder to contain all your data which the app needs to access internally but the world doesn't need to access directly over HTTP.

[ajingar]

Hi wwb_99,

Thanks for your quick response. Is it just an easy case of moving the file to the App_Data folder? Also, how do you reference the xml file from there?

Do you refer to it as: "App_Data/hideme.xml" for example?

Kind Regards, Ash
:-)

[ajingar]

Hello wwb_99,

Just tried moving it - changed code accordingly - WORKS A TREAT !!

Thank you very very much mate - another thing I've learned thanks to you.

Best Wishes ;-)

Ash
(UK)

[wwb_99]

Glad you got it sorted. I'd generally refer to it as "ResolveUrl(~/App_Data/data.xml)". Future proofs your control if you move it around in the site structure.

[ajingar]

Thanks again - will do.

8-)

[Chroniclemaster1]

I agree, I always place databases and XML files that require security in the App_Data folder.

Though I think it was Wyatt who straightened me out on that.