
ASP.NET Core web.config location use

I'm trying to secure a few HTML files in a folder (see my questions Protect Static Files with Authentication on ASP.NET Core and ASP.NET Core authorization permission access folder with Identity Server). I created two projects with MVC and Razor Pages with the same result. Also, I have an integration with Identity Server. I can secure non-HTML files.

Then, my idea was to use web.config to allow only authenticated users to access the folder, like:

<location path="html">
  <system.web>
    <authorization>
      <deny users ="*" />
    </authorization>
  </system.web>
</location>

and I merged it with the web.config I found on my deployed application on Azure. The result is the following:

<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <location path="." inheritInChildApplications="false">
    <system.webServer>
      <handlers>
        <add name="aspNetCore" path="*" verb="*" modules="AspNetCoreModuleV2" resourceType="Unspecified" />
      </handlers>
      <aspNetCore processPath="dotnet" arguments=".\PatientJourney.dll" 
                  stdoutLogEnabled="false" stdoutLogFile=".\logs\stdout" hostingModel="inprocess" />
    </system.webServer>
  </location>
  <location path="infographics">
    <system.web>
      <authorization>
        <deny users ="*" />
      </authorization>
    </system.web>
  </location>
  <location path="html">
    <system.web>
      <authorization>
        <deny users ="*" />
      </authorization>
    </system.web>
  </location>
</configuration>

html is the physical folder under the root; infographics is the virtual folder defined in Startup.cs:


app.UseStaticFiles(new StaticFileOptions
{
    FileProvider = new PhysicalFileProvider(Path.Combine(env.ContentRootPath, "html")),
    RequestPath = "/infographics",
    OnPrepareResponse = ctx =>
    {
        if (ctx.Context.Request.Path.StartsWithSegments("/infographics"))
        {
            ctx.Context.Response.Headers.Add("Cache-Control", "no-store");

            if (!ctx.Context.User.Identity.IsAuthenticated)
            {
                // respond HTTP 401 Unauthorized with empty body.
                ctx.Context.Response.StatusCode = (int)HttpStatusCode.Unauthorized;
                ctx.Context.Response.ContentLength = 0;
                ctx.Context.Response.Body = Stream.Null;

                // - or, redirect to another page. -
                // ctx.Context.Response.Redirect("/");
            }
        }
    }
});

Although I tried to deny access to both folders (physical and virtual), every user can access the files. Then, my questions.

Can I use web.config to secure a folder, or is it not supported anymore? Why doesn't location in the web.config work? Are there any limitations? I want to block the HTML pages for non-authenticated users: any other ideas?

What about managing users' rights to access folders using middleware?

ASP.NET Core Middleware

For example:

public class RequestResponseLoggingMiddleware
{
    private readonly RequestDelegate _next;

    public RequestResponseLoggingMiddleware(RequestDelegate next)
    {
        _next = next;
    }

    public async Task Invoke(HttpContext context, ILogger<RequestResponseLoggingMiddleware> logger, IConfiguration configuration, UserManager<User> userManager)
    {
        /*
        ...Managing users access to folders using IConfiguration and UserManager...
        */
        
        //Call the next delegate/middleware in the pipeline
        await _next(context);
    }
}

public static class RequestResponseExtensions
{
    public static IApplicationBuilder UseRequestResponseLogging(this IApplicationBuilder builder)
    {
        return builder.UseMiddleware<RequestResponseLoggingMiddleware>();
    }
}

In your Startup.cs:

app.UseRequestResponseLogging();
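
One way to fill in the middleware body sketched in the answer above, as an added example that is not part of the original post: it challenges unauthenticated requests under the folder prefixes from the question before the static file middleware can serve them. The class and extension names are hypothetical, and it assumes a default challenge scheme (such as the Identity Server integration) is configured and that app.UseAuthentication() runs earlier in the pipeline.

```csharp
using System;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Http;

// Hypothetical middleware (added example): gate static folders behind authentication.
public class ProtectedFolderMiddleware
{
    // Assumption: request prefixes taken from the question.
    private static readonly PathString[] ProtectedPrefixes = { "/infographics", "/html" };
    private readonly RequestDelegate _next;

    public ProtectedFolderMiddleware(RequestDelegate next) => _next = next;

    public async Task Invoke(HttpContext context)
    {
        if (IsProtected(context.Request.Path) &&
            context.User?.Identity?.IsAuthenticated != true)
        {
            context.Response.Headers["Cache-Control"] = "no-store";
            // Delegate to the default scheme (e.g. redirect to the identity provider).
            await context.ChallengeAsync();
            return; // short-circuit: the static file middleware never sees the request
        }
        await _next(context);
    }

    // Segment-aware match: "/html/a.html" is protected, "/html-public/a.html" is not.
    private static bool IsProtected(PathString path)
    {
        foreach (var prefix in ProtectedPrefixes)
            if (path.StartsWithSegments(prefix, StringComparison.OrdinalIgnoreCase))
                return true;
        return false;
    }
}

public static class ProtectedFolderExtensions
{
    public static IApplicationBuilder UseProtectedFolders(this IApplicationBuilder app) =>
        app.UseMiddleware<ProtectedFolderMiddleware>();
}

// Startup.Configure ordering (the order is what makes the check effective):
//   app.UseAuthentication();    // populates HttpContext.User
//   app.UseProtectedFolders();  // must be registered before UseStaticFiles
//   app.UseStaticFiles(new StaticFileOptions { /* RequestPath = "/infographics", ... */ });
```

If the protected files also live under wwwroot, a plain app.UseStaticFiles() registered earlier in the pipeline would serve them before this check runs, so keep them outside wwwroot or register the gate first.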
