Unauthenticated Access to Files

Last post 07-05-2009 7:00 PM by Toonkides. 24 replies.

  • Re: Unauthenticated Access to Files

    05-29-2009, 7:07 AM
    • Star
      9,466 point Star
    • satalaj
    • Member since 11-28-2007, 12:41 AM
    • Pune
    • Posts 1,858

    Add the config I sent you without altering it and clear all cookies, then try to access your PDF without logging in.

  • Re: Unauthenticated Access to Files

    05-29-2009, 7:30 AM
    • Member
      45 point Member
    • callan1
    • Member since 06-17-2008, 2:57 PM
    • sheffield, UK
    • Posts 281

    Yes, I re-tested that with the .config you initially sent (thank you). It didn't work the first time, hence me changing it slightly.

    I'm able to access the PDF without having to log in.

    I've cleared the cookies, cleared the cache, and tried logging in under a different role that I haven't given access to - none of this works!

    Is there an issue with unauthenticated PDFs within .NET, as this seriously does not work?

    Has anyone been able to prevent access to a pdf?  

     

     

  • Re: Unauthenticated Access to Files

    05-29-2009, 8:42 AM
    Answer
    • Star
      9,466 point Star
    • satalaj
    • Member since 11-28-2007, 12:41 AM
    • Pune
    • Posts 1,858

    No, you are missing something. Look at the working copy here:
    http://www.revenmerchantservices.com/page/ASpnet-20-step-by-step-Membership-Provider-.aspx
    Update authentication as per 2.2 of that article.

    Satalaj

  • Re: Unauthenticated Access to Files

    05-29-2009, 9:14 AM
    Answer
    • Member
      45 point Member
    • callan1
    • Member since 06-17-2008, 2:57 PM
    • sheffield, UK
    • Posts 281

    Many thanks for that Satalaj

    <compilation debug="false" />
    <authentication mode="Forms">
      <forms defaultUrl="default.aspx"
             name="pdf"
             timeout="5"
             loginUrl="~/login.aspx"
             slidingExpiration="true">
      </forms>
    </authentication>

    I have a couple of questions if I may, please?

    • Does the above go in the PDF folder, web.config or the main site's .config?
    • What do I need to put in the name="pdf" to make this work?
    • Does this look correct to you?

    Thanks for your efforts

     

  • Re: Unauthenticated Access to Files

    05-29-2009, 9:28 AM
    • Star
      9,466 point Star
    • satalaj
    • Member since 11-28-2007, 12:41 AM
    • Pune
    • Posts 1,858

    Yes, correct. It should go in the main web.config file under the root.

  • Re: Unauthenticated Access to Files

    07-01-2009, 2:57 PM
    • Member
      16 point Member
    • Toonkides
    • Member since 07-01-2009, 2:45 PM
    • Posts 3

     I stumbled across this same problem and discovered a solution:

    1.) The ISAPI filter in IIS must have the extension of the type you want to block (in your case .pdf)

    2.) Then put this web.config in the folder with the documents to restrict:

    <configuration>
    	<system.web>
    		<authorization>
    			<allow roles="Client"/>
    			<deny users="*"/>
    		</authorization>
    
    		<httpHandlers>
    			<add path="*.pdf" verb="GET,HEAD,POST" type="System.Web.DefaultHttpHandler" validate="true"/>
    		</httpHandlers>
    	</system.web>
    </configuration>

     

    Good Luck!
     

  • Re: Unauthenticated Access to Files

    07-02-2009, 11:34 AM
    • Member
      45 point Member
    • callan1
    • Member since 06-17-2008, 2:57 PM
    • sheffield, UK
    • Posts 281

    Hi, thanks for the reply.

    Could you please tell me what version of IIS you have? I currently have version 6.0 and don't see the ISAPI Filter tab.

    Many thanks

  • Re: Unauthenticated Access to Files

    07-02-2009, 12:47 PM
    Answer
    • Member
      16 point Member
    • Toonkides
    • Member since 07-01-2009, 2:45 PM
    • Posts 3

    I have IIS 5.1, but the concept should be the same

    In IIS you'll go to the "properties" of your web app

    In the first tab "Directory" click the "Configuration"

    Then in the "Mappings" tab click "add"

    And it should look like this (this includes my current version which may vary from yours):
    Executable: c:\windows\microsoft.net\framework\v2.0.50727\aspnet_isapi.dll
    Extension: .pdf
    Limit to: GET,POST,HEAD,DEBUG
    Script Engine: (check this box)

    Update the roles in the web.config above and you should be good to go.
    Since the auth is set to only those roles, you can technically put path="*", as it would perform the same way.
    I've tested it on my end and it worked fine.

  • Re: Unauthenticated Access to Files

    07-03-2009, 5:44 AM
    • Member
      45 point Member
    • callan1
    • Member since 06-17-2008, 2:57 PM
    • sheffield, UK
    • Posts 281

    Thank you soooo much ToonKides

    I am getting somewhere with this. I've added the above to IIS, thank you. This seems to work, i.e. it does prevent direct access to .pdf's.

    But authorised users are seeing this error:

    The page cannot be displayed

    You have attempted to execute a CGI, ISAPI, or other executable program from a directory that does not allow programs to be executed.


    Please try the following:

    • Contact the Web site administrator if you believe this directory should allow execute access.

    HTTP Error 403.1 - Forbidden: Execute access is denied.
    Internet Information Services (IIS)


    Technical Information (for support personnel)

    • Go to Microsoft Product Support Services and perform a title search for the words HTTP and 403.
    • Open IIS Help, which is accessible in IIS Manager (inetmgr), and search for topics titled Configuring ISAPI Extensions, Configuring CGI Applications, Securing Your Site with Web Site Permissions, and About Custom Error Messages.
    • In the IIS Software Development Kit (SDK) or at the MSDN Online Library, search for topics titled Developing ISAPI Extensions, ISAPI and CGI, and Debugging ISAPI Extensions and Filters.

    This is what I've added to my .config file, have I missed anything?

    <location path="membersArea/pdf/superUserGuide.pdf">
      <system.web>
        <authorization>
          <allow roles="superUser,globalUser,adminUser,occUser,managerUser"/>
          <deny users="?" />
        </authorization>
        <httpHandlers>
          <add path="*.pdf" verb="GET,HEAD,POST,DEBUG" type="System.Web.DefaultHttpHandler" validate="true"/>
        </httpHandlers>
      </system.web>
    </location>

    Thanks ever so much
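
Added example (not code from any poster in this thread): a small evaluator for the two `<authorization>` sections posted above, assuming requests for .pdf are already routed through ASP.NET. It applies first-match-wins ordering and falls back to the machine-level default `<allow users="*"/>`, which shows that `<deny users="?"/>` still admits an authenticated user who holds none of the listed roles, while `<deny users="*"/>` does not. The user names alice, bob and eve and the helper names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed copies of the <authorization> sections posted in the thread.
DENY_ALL = """<authorization>
  <allow roles="Client"/>
  <deny users="*"/>
</authorization>"""
DENY_ANON = """<authorization>
  <allow roles="superUser,globalUser,adminUser,occUser,managerUser"/>
  <deny users="?"/>
</authorization>"""

def _names(value):
    # Simplification: names are compared case-insensitively; verbs are ignored.
    return {v.strip().lower() for v in (value or "").split(",") if v.strip()}

def rule_matches(rule, user, roles):
    """user is None for an anonymous request; roles is a set of role names."""
    users = _names(rule.get("users"))
    if "*" in users:                      # "*" matches everyone
        return True
    if "?" in users and user is None:     # "?" matches anonymous only
        return True
    if user is not None and user.lower() in users:
        return True
    return bool(_names(rule.get("roles")) & {r.lower() for r in roles})

def is_authorized(authorization_xml, user=None, roles=()):
    """Rules are checked top to bottom and the first match decides."""
    for rule in ET.fromstring(authorization_xml):
        if rule.tag in ("allow", "deny") and rule_matches(rule, user, set(roles)):
            return rule.tag == "allow"
    # No local rule matched: the inherited default <allow users="*"/> applies
    # (assumes no parent web.config adds rules in between).
    return True

if __name__ == "__main__":
    cases = [("anonymous", None, ()), ("alice (Client)", "alice", ("Client",)),
             ("bob (superUser)", "bob", ("superUser",)), ("eve (no role)", "eve", ())]
    for label, user, roles in cases:
        print(f"{label:18} deny*={is_authorized(DENY_ALL, user, roles)} "
              f"deny?={is_authorized(DENY_ANON, user, roles)}")
```
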
     

  • Re: Unauthenticated Access to Files

    07-05-2009, 7:00 PM
    • Member
      16 point Member
    • Toonkides
    • Member since 07-01-2009, 2:45 PM
    • Posts 3

     Strange, I've personally never experienced this..

    Do the permissions on that pdf folder seem ok?
    Perhaps the IIS setting on that folder isn't set to "Scripts and Executables"?
