Jun 22, 2010 02:47 AM|brendan.hill
I'm trying to secure my web application so XML files it contains can't be downloaded. I thought it would be as simple as adding these to the "httpHandlers" section of web.config:
<remove verb="*" path="*.xml"/>
<add verb="*" path="*.xml" type="System.Web.HttpForbiddenHandler"/>
This failed - the XML files could still be downloaded easily. I tried different browsers in case they were caching, but everything could download the XML files without any trouble. I thought this might be due to some special handling of XML, so I tried mocking up an alternative based on ".txt123" files. I added this file with some dummy content:
Confirmed it could be downloaded without any trouble. It downloads as a file, rather than displaying as a webpage (presumably as there's no meaningful content-type associated with it). Then I added this to my httpHandlers section:
<add verb="*" path="*.txt123" type="System.Web.HttpForbiddenHandler"/>
Lo and behold - it made no difference. I could still download blahblah.txt123 without any trouble, and from multiple browsers (so no caching involved).
I've tried full refreshes, fully recompiling code, restarting IIS throughout all of these steps and it makes no difference.
I know that I'm using the correct web.config, since other changes I make (e.g. adding the system.web.extensions/scripting/webServices/jsonSerialization node) take effect.
What could I be doing wrong? I can't help feeling the httpHandlers section just fails miserably, or I'm missing something terribly obvious.
Jun 25, 2010 04:08 PM|RichardD
If you're using IIS6, or IIS7 with the classic pipeline, the extensions for your handler have to be mapped to aspnet_isapi.dll through IIS Manager.
If you're using IIS7 with the integrated pipeline, you need to add your handlers to the system.webServer/handlers section rather than the system.web/handlers section.
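A web.config covering both cases from the answer above, as an added example that is not part of the original thread. The handler name "ForbidXml" is an arbitrary label chosen here; the path and handler type are the ones from the question.

```xml
<?xml version="1.0"?>
<configuration>

  <!-- Read by IIS6, and by IIS7 application pools running the classic pipeline.
       It only applies to extensions that are mapped to aspnet_isapi.dll in
       IIS Manager; requests for unmapped extensions never reach ASP.NET. -->
  <system.web>
    <httpHandlers>
      <add verb="*" path="*.xml" type="System.Web.HttpForbiddenHandler"/>
    </httpHandlers>
  </system.web>

  <!-- Read by IIS7 application pools running the integrated pipeline. -->
  <system.webServer>
    <!-- Allows the system.web/httpHandlers section above to stay in the same
         file without a configuration validation error in integrated mode. -->
    <validation validateIntegratedModeConfiguration="false"/>
    <handlers>
      <!-- "name" is required in this section; "ForbidXml" is an assumed label. -->
      <add name="ForbidXml"
           verb="*"
           path="*.xml"
           type="System.Web.HttpForbiddenHandler"
           preCondition="integratedMode"/>
    </handlers>
  </system.webServer>

</configuration>
```

To confirm the rule is active, request one of the protected files directly and check that the response is HTTP 403 rather than the file contents.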