  1. #1
    SitePoint Enthusiast
    Join Date
    Sep 2006
    Location
    Birmingham (UK)
    Posts
    30

    Hide XML files in asp.net 2.0 using web.config

    Hi All,

    I am trying to hide an XML file in my ASP.NET 2.0 application so users cannot type the URL in the address bar and view it. I have read up and it seems the best way is to use the web.config file to hide files or folders. This is what I have done - I have tried to hide at folder level:

    Code:
    <location path="secret">
      <system.web>
        <authorization>
          <deny users="*" />
        </authorization>
      </system.web>
    </location>

    I've put 2 files in a folder called secret (referenced by the code above), called secret.aspx and hideme.xml

    The security works as expected for the secret.aspx file - i.e. it asks for authentication, and won't let me in when I try to view secret.aspx. However, when I type the url for the XML file (hideme.xml), it just shows me the file contents as normal.


    I have even tried to hide it at file level:

    Code:
    <location path="secret/hideme.xml">
      <system.web>
        <authorization>
          <deny users="*" />
        </authorization>
      </system.web>
    </location>
    But this doesn't work either.

    Can anyone please shed light on this problem? I'd be very grateful.

    Much Obliged, Ash
    UK

  2. #2
    SitePoint Author silver trophybronze trophy
    wwb_99's Avatar
    Join Date
    May 2003
    Location
    Washington, DC
    Posts
    10,649
    Basically, the issue is that XML files are not mapped to the ASP.NET ISAPI DLL, so your security code is never hit. Now, you could map .XML to that handler, or just use a wildcard, but that can get ugly and will generally require a dedicated server.

    A better way to achieve the same goal is to use the app_data folder to contain all your data which the app needs to access internally but the world doesn't need to access directly over HTTP.

  3. #3
    SitePoint Enthusiast
    Join Date
    Sep 2006
    Location
    Birmingham (UK)
    Posts
    30
    Hi wwb_99,

    Thanks for your quick response. Is it just an easy case of moving the file to the App_Data folder? Also, how do you reference the xml file from there?

    Do you refer to it as: "App_Data/hideme.xml" for example?

    Kind Regards, Ash
    :-)

  4. #4
    SitePoint Enthusiast
    Join Date
    Sep 2006
    Location
    Birmingham (UK)
    Posts
    30
    Hello wwb_99,

    Just tried moving it - changed code accordingly - WORKS A TREAT !!

    Thank you very very much mate - another thing I've learned thanks to you.

    Best Wishes ;-)

    Ash
    (UK)

  5. #5
    SitePoint Author silver trophybronze trophy
    wwb_99's Avatar
    Join Date
    May 2003
    Location
    Washington, DC
    Posts
    10,649
    Glad you got it sorted. I'd generally refer to it as "ResolveUrl(~/App_Data/data.xml)". Future proofs your control if you move it around in the site structure.
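
An added example, not code from any poster in this thread: one way to read an XML file kept in App_Data from server-side code, mapping the virtual folder to a physical path because the folder is not served over HTTP. The class name `AppDataXml`, its `Load` method and the file name in the usage comment are hypothetical; it assumes the application runs under ASP.NET hosting so that `HostingEnvironment.MapPath` returns a path.

```csharp
using System;
using System.IO;
using System.Web.Hosting;
using System.Xml;

// Hypothetical helper (not from the thread): loads XML stored under ~/App_Data.
// Usage from a page or control: XmlDocument doc = AppDataXml.Load("hideme.xml");
public static class AppDataXml
{
    public static XmlDocument Load(string fileName)
    {
        if (string.IsNullOrEmpty(fileName))
            throw new ArgumentException("File name is required.", "fileName");

        // App_Data has no usable URL, so resolve it to a physical directory.
        string root = Path.GetFullPath(HostingEnvironment.MapPath("~/App_Data"));
        if (!root.EndsWith(Path.DirectorySeparatorChar.ToString()))
            root += Path.DirectorySeparatorChar;

        // Canonicalise the requested name and refuse anything that escapes
        // App_Data (for example "..\web.config" or an absolute path).
        string fullPath = Path.GetFullPath(Path.Combine(root, fileName));
        if (!fullPath.StartsWith(root, StringComparison.OrdinalIgnoreCase))
            throw new UnauthorizedAccessException("Path is outside App_Data.");

        XmlReaderSettings settings = new XmlReaderSettings();
        settings.ProhibitDtd = true;  // .NET 2.0 name; DtdProcessing.Prohibit on 4.0+
        settings.XmlResolver = null;  // never fetch external entities or schemas

        XmlDocument doc = new XmlDocument();
        using (XmlReader reader = XmlReader.Create(fullPath, settings))
        {
            doc.Load(reader);
        }
        return doc;
    }
}
```

The containment check matters when the file name comes from a query string or form field rather than a constant.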

  6. #6
    SitePoint Enthusiast
    Join Date
    Sep 2006
    Location
    Birmingham (UK)
    Posts
    30
    Thanks again - will do.

    8-)

  7. #7
    SitePoint Guru Chroniclemaster1's Avatar
    Join Date
    Jun 2007
    Location
    San Diego, CA
    Posts
    784
    I agree, I always place databases and XML files that require security in the App_Data folder.

    Though I think it was Wyatt who straightened me out on that.

    Whatever you can do or dream you can, begin it.
    Boldness has genius, power and magic in it. Begin it now.

    Chroniclemaster1, Founder of Earth Chronicle
    A Growing History of our Planet, by our Planet, for our Planet.

