I have an existing app that I've been doing some authentication work on (fixing some long standing issues) and I'm happy enough with the login redirection under normal circumstances. For IIS7 I'm implementing an authorization HttpModule that I'm running on the whole IIS7 pipeline.
This works great but I'd like to get some subdirectories (actually virtual directories) of the main site to return 403 instead of a redirect. Is it possible to do this without implementing my own authentication module?
I've seen Sky Sanders' work (code poet) but I'd like to avoid that if I can.
http://www.codeproject.com/Articles/39062/Salient-Web-Security-AccessControlModule.aspx
It feels like something clever with a <location=""> section should work but I can't figure out how to do that (or if it's even possible).
Try creating a separate web.config for the sub directories and denying access to them (sub directory) using the deny verb in the sub directory's web.config. Something like deny="?" (? is the verb that identifies authenticated users). If you want a 403 for everybody try * instead of ?. I think this should work.
Try this:
    <customErrors mode="RemoteOnly" defaultRedirect="GenericErrorPage.htm">
        <error statusCode="403" redirect="NoAccess.htm"/>
        <error statusCode="404" redirect="FileNotFound.htm"/>
    </customErrors>
(Source: MSDN)
If this doesn't cut it, also add this in your Global.asax:
    void Application_EndRequest(object sender, EventArgs e)
    {
        // if login failed then display user friendly error page.
        if (Response.StatusCode == 403)
        {
            Response.ClearContent();
            Server.Transfer("~/Common/Errors/AccessDenied.html");
        }
    }
Hope this works.
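As an added example (not code from either answer or from the question), one way to get a 403 rather than a login redirect for selected directories is to reuse the `Application_EndRequest` hook shown above and rewrite the forms-authentication redirect there. It assumes forms authentication, the integrated pipeline with buffered responses, and virtual directories that run inside the same application; the two path prefixes are hypothetical.

```csharp
using System;
using System.Web;
using System.Web.Security;

public class Global : HttpApplication
{
    // Hypothetical app-relative prefixes of the directories that must
    // answer 403 instead of redirecting to the login page.
    private static readonly string[] NoRedirectPrefixes =
    {
        "~/api/",
        "~/downloads/"
    };

    private static bool IsNoRedirectPath(string appRelativePath)
    {
        foreach (string prefix in NoRedirectPrefixes)
        {
            if (appRelativePath.StartsWith(prefix, StringComparison.OrdinalIgnoreCase))
                return true;
        }
        return false;
    }

    protected void Application_EndRequest(object sender, EventArgs e)
    {
        // Assumption: forms authentication has replaced the 401 from URL
        // authorization with a 302 to the login URL before this handler runs.
        string location = Response.RedirectLocation;
        bool isLoginRedirect =
            Response.StatusCode == 302 &&
            location != null &&
            location.StartsWith(FormsAuthentication.LoginUrl,
                                StringComparison.OrdinalIgnoreCase);

        // Only rewrite login redirects, and only for the listed directories,
        // so ordinary redirects and the rest of the site keep their behaviour.
        if (isLoginRedirect &&
            IsNoRedirectPath(Request.AppRelativeCurrentExecutionFilePath))
        {
            Response.ClearContent();          // drop the "Object moved" body
            Response.RedirectLocation = null; // drop the Location header
            Response.StatusCode = 403;
        }
    }
}
```

Matching on the login URL keeps the rewrite from touching redirects the application issues for other reasons.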