Securing specific files and folders

Last post 11-12-2009 2:28 AM by Gary yang - MSFT. 10 replies.


  • Securing specific files and folders

    11-07-2009, 8:19 PM
    • Member
      3 point Member
    • mcleanap
    • Member since 06-02-2009, 3:18 AM
    • Posts 41

    I have a folder where I store some PDFs only available for members.  I want to use asp.net memberships and roles to prevent non-members from being able to download these files.  The location of the member files is as follows:

    /root/uploads/file/members/

    I am trying the following, but it fails to work.

    <location path="Uploads/file/members">
            <system.web>
                <authorization>
                    <!--<allow roles="Members" />-->
                    <deny users="*" />
                </authorization>
            </system.web>
        </location>


    I commented out the members role for now to see if I can block it for everyone.

    Any help?

  • Re: Securing specific files and folders

    11-07-2009, 8:51 PM
    • Member
      30 point Member
    • anandhabbu
    • Member since 06-16-2009, 2:58 AM
    • Posts 12

     Do not do this in your main web.config. Create a new web.config under the folder you want to restrict (members in your case) and add <authorization> to that one. That should work.

  • Re: Securing specific files and folders

    11-07-2009, 8:57 PM
    • Member
      3 point Member
    • mcleanap
    • Member since 06-02-2009, 3:18 AM
    • Posts 41

    I tried this originally, and it did not work either.

    Here is what I have in the members folder:


    <configuration>
        <system.web>
            <authorization>
                <!--<allow roles="Members" />-->
                <deny users="*" />
            </authorization>
        </system.web>
    </configuration>

  • Re: Securing specific files and folders

    11-07-2009, 8:59 PM
    • Member
      188 point Member
    • binli0114
    • Member since 09-26-2006, 12:31 AM
    • Sydney
    • Posts 48

    Have you put the web.config file in your /root/uploads/files/members/ ?

    I think there is also a setting problem with your <deny users="*" />, which will deny all the users. Shall we use <deny users="?" />?

    ------------------------------------------------------------
    I LOVE THIS GAME
  • Re: Securing specific files and folders

    11-07-2009, 9:03 PM
    • Member
      3 point Member
    • mcleanap
    • Member since 06-02-2009, 3:18 AM
    • Posts 41

    Yes, that is where the web.config file is.  I wanted to use deny users="*" to start with in order to see if it was working under all circumstances.  It's still not...I can bring up the file every time.  Can specific non aspx documents work in this manner?

  • Re: Securing specific files and folders

    11-07-2009, 9:21 PM
    • Member
      30 point Member
    • anandhabbu
    • Member since 06-16-2009, 2:58 AM
    • Posts 12

    Try removing <!--<allow roles="Members" />--> from the web.config under the member folder. 

  • Re: Securing specific files and folders

    11-07-2009, 9:28 PM
    • Member
      3 point Member
    • mcleanap
    • Member since 06-02-2009, 3:18 AM
    • Posts 41

    No luck.

    In case I am doing something wrong, here is the URL I am trying to view...which I can, but would not like to.

    http://localhost/domainname.ca/uploads/file/members/English/Member%20Notes/2009/filename.pdf


  • Re: Securing specific files and folders

    11-07-2009, 9:42 PM
    • Member
      188 point Member
    • binli0114
    • Member since 09-26-2006, 12:31 AM
    • Sydney
    • Posts 48

    <?xml version="1.0" encoding="utf-8" ?>
    <configuration>
        
      <system.web>
        <customErrors defaultRedirect = "../errorpage.aspx"  /> 
        <authorization>
    		<allow users="[MemberUserName]" />
            <deny users="*" /> 
           
            <!-- Allow all users -->
                <!--  <allow     users="[comma separated list of users]"
                                 roles="[comma separated list of roles]"/>
                      <deny      users="[comma separated list of users]"
                                 roles="[comma separated list of roles]"/>
                -->
        </authorization>
       
     </system.web>
    
    </configuration>
    

    Hi, could you try to allow a particular memberUserName?

    ------------------------------------------------------------
    I LOVE THIS GAME
  • Re: Securing specific files and folders

    11-07-2009, 10:05 PM
    • Member
      3 point Member
    • mcleanap
    • Member since 06-02-2009, 3:18 AM
    • Posts 41

    It still allows me to view the PDF documents in any folders within the members folder.

  • Re: Securing specific files and folders

    11-08-2009, 12:23 AM
    • Member
      30 point Member
    • anandhabbu
    • Member since 06-16-2009, 2:58 AM
    • Posts 12

    Try changing your main web.config as follows (set up so that the website cannot be accessed) and try to access your default page. If you can still access your default page, then the site might not be using the correct web.config.

    <configuration>
        <system.web>
            <authorization>
                <!--<allow roles="Members" />-->
                <deny users="*" />
            </authorization>
        </system.web>
    </configuration>

  • Re: Securing specific files and folders

    11-12-2009, 2:28 AM
    Answer

    mcleanap:

    It still allows me to view the PDF documents in any folders within the members folder.

     

    This is because of the different processing mechanisms for different requests in ASP.NET. By default, a static request is processed by DefaultHttpHandler (.NET 2.0; StaticHttpHandler was used in .NET 1.0). Thus, if you add an individual web.config file in a folder (/Files/) and add the following configuration:

    <configuration>
        <appSettings/>
        <connectionStrings/>
        <system.web>
          <authorization>
            <deny users="?"/>
            <allow users="*"/>
          </authorization>
        </system.web>
    </configuration>

    At this point, if you mark the authentication model as 'Forms' in the root web.config, it will authenticate the request when you run the page in Visual Studio. However, if you publish your project to a web server (such as IIS), you should force all incoming requests for the current website to be processed by Aspnet_ISAPI.dll. Thus, you should add a wildcard in IIS. How do you add a wildcard in IIS? Please refer to this link.

    http://www.microsoft.com/technet/prodtechnol/WindowsServer2003/Library/IIS/5c5ae5e0-f4f9-44b0-a743-f4c3a5ff68ec.mspx?mfr=true

     

    Gary yang - MSFT
    Microsoft Online Community Support

    Please remember to mark the replies as answers if they help and unmark them if they provide no help.
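
Added example, not part of the original thread or of the answer above: on IIS 7 or later in integrated pipeline mode, the effect of the wildcard mapping described in the answer can be had from web.config alone, by re-registering the ASP.NET authentication and authorization modules without their managedHandler precondition so that the members rule also covers static PDF requests. The folder path and role name are the ones from the question; the login page path and the enabled role manager are assumptions.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- Root web.config. Added example for IIS 7+ integrated pipeline mode. -->
<configuration>
  <system.web>
    <!-- Assumption: forms authentication with a hypothetical login page. -->
    <authentication mode="Forms">
      <forms loginUrl="~/Login.aspx" />
    </authentication>
    <!-- Role manager must be on for roles="Members" to be evaluated. -->
    <roleManager enabled="true" />
  </system.web>

  <!-- Path and role name are the ones from the question. -->
  <location path="uploads/file/members">
    <system.web>
      <authorization>
        <!-- Rules are matched top-down; the first match wins. -->
        <allow roles="Members" />
        <deny users="*" />
      </authorization>
    </system.web>
  </location>

  <system.webServer>
    <modules>
      <!-- By default these modules carry preCondition="managedHandler" and
           are skipped for static files such as .pdf. Re-adding them with an
           empty preCondition makes them run for every request. -->
      <remove name="FormsAuthentication" />
      <add name="FormsAuthentication" type="System.Web.Security.FormsAuthenticationModule" preCondition="" />
      <remove name="RoleManager" />
      <add name="RoleManager" type="System.Web.Security.RoleManagerModule" preCondition="" />
      <remove name="UrlAuthorization" />
      <add name="UrlAuthorization" type="System.Web.Security.UrlAuthorizationModule" preCondition="" />
      <remove name="DefaultAuthentication" />
      <add name="DefaultAuthentication" type="System.Web.Security.DefaultAuthenticationModule" preCondition="" />
    </modules>
  </system.webServer>
</configuration>
```

With this in place, an anonymous request for a PDF under the folder should be redirected to the login page instead of returning the file.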