Securing web folders

[aspnetguy]

When a user tries to type a direct path (mydomain.com/data/file.xml) to a site resource I would like to redirect them to an error page. I know Apache does this with .htaccess but how can I do this with IIS?

[Skemcin]

hmm, I think its a matter of setting up a 301 redirect in the header properties of that folder . . . lemme check . . . but if you wanted to access the file in an web application, you would have to use the physical path to get to it - cuz the 301 redirect would also work for your application, put let me get back to checking . . .yep - pretty easy:1. Open Internet Services Manager2. Goto the website where the folder/file exists and right click on it3. In the Directory tab, select the radio button "a redirection to a URL".4. Enter the destination page for the redirect.5. Check "The exact url entered above" and the "A permanent redirection for this resource".6. Hit "Apply".re: http://www.beyondink.com/howtos/301-redirect.html

[aspnetguy]

But this applies to my applications too? I need a solution that will not require me to write code differently (absolute paths are not an option) but disallows users to download protected files.

[jesh]

But this applies to my applications too? I need a solution that will not require me to write code differently (absolute paths are not an option) but disallows users to download protected files.

Is this for a .NET website? If so, maybe you could create a PageHandlerFactory to handle all of your requests. Something like this:

using System;using System.Web;using System.Web.UI;public class MyPageHandlerFactory : PageHandlerFactory{    public MyPageHandlerFactory()    {    }    public override IHttpHandler GetHandler(HttpContext context, string requestType, string url, string pathTranslated)    {        if(context.Request.Url.AbsolutePath.EndsWith(".aspx"))        {  // return the default page handler            return base.GetHandler(context, requestType, url, pathTranslated);        }        else        {  // return your forbidden handler            return new ForbiddenRequestHandler();        }    }}

And an HttpHandler:

using System;using System.Web;public class ForbiddenRequestHandler : IHttpHandler{    public ForbiddenRequestHandler()    {    }    public bool IsReusable    {        get { return true; }    }    public void ProcessRequest(HttpContext context)    {        context.Response.Redirect("403.aspx");    }}

And then add this to your Web.config file:

<system.web>  <httpHandlers>	<add verb="*" path="*" type="MyPageHandlerFactory" />  </httpHandlers></system.web>

[Skemcin]

But this applies to my applications too? I need a solution that will not require me to write code differently (absolute paths are not an option) but disallows users to download protected files.

hmm, that seems to be a contradiction. I do not think there is a difference between an link to a file and a direct URL request - with the exception of the presence of a referring URL of course. Are the files you speak of a variety of formats (xml, pdf, xls, etc.) or always the same?I dunno, I have a couple of ideas, but I am not sure I understand the usability flow.

[aspnetguy]

they will be different types, xml, js, css, imagesI think I have found what I was looking for...an ISAPI Filter...this parses the URL before it is executed and allows you to create a file similar to .htaccess.Jesh,Thanks for the code but it needs to work for ASP.Net and PHP.