I have a directory, "d:/resources/xxxxx/file-name.xxx" that stores the file types: .png, .xml, .pdf, which are accessed by a website. A virtual directory is set up in IIS, "resources," which points to this hard drive location, to allow the .png images to be accessed through an http request, but I am referencing the .pdf and .xml files by their hard drive location. These files are part of a workflow process so they must all remain in their current directory structure.
IIS needs to be allowed to serve the .png images, but I do not want it to be allowed to serve the .pdf or .xml files, for security purposes.
I tried setting up an http handler, which would have worked fine, but I can't make the path specific enough. If I set it to "/resources/*", then I need to manually output the allowed file types and that was getting a bit wonky. I can't set the path to "*.pdf" because other directories should be allowed to have their .pdf files accessed.
I'm just looking for a straightforward way to restrict access if someone tries to go to "www.mysite.com/resources/dir/mypdf.pdf," or ".../myxml.xml," but still allow .png and all other potential file types to be served.
Also, please let me know if I am going about this all the wrong way.
Try adding this before your closing tag for configuration and see how it does:
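<!-- The location path must be a relative virtual path: ASP.NET rejects a leading slash. -->
<location path="resources">
  <system.webServer>
    <handlers>
      <!-- Requests for these extensions under /resources are answered with 403 Forbidden (integrated pipeline only). -->
      <add name="PdfForbiddenHandler" path="*.pdf" verb="*" type="System.Web.HttpForbiddenHandler" resourceType="File" preCondition="integratedMode" />
      <add name="XmlForbiddenHandler" path="*.xml" verb="*" type="System.Web.HttpForbiddenHandler" resourceType="File" preCondition="integratedMode" />
    </handlers>
  </system.webServer>
</location>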
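An alternative sketch, added here and not part of the original answer: IIS request filtering can deny the two extensions for the same "resources" path from the question, and because it runs in the native pipeline it does not depend on integrated mode. It assumes IIS 7 or later with the Request Filtering feature installed and the section unlocked for web.config; denied requests get a 404.7 response instead of a 403.

```xml
<configuration>
  <!-- Scope the rule to the "resources" virtual directory only (relative path, no leading slash),
       so .pdf files in other directories are still served. -->
  <location path="resources">
    <system.webServer>
      <security>
        <requestFiltering>
          <fileExtensions>
            <!-- remove first so an inherited entry for the same extension cannot cause a duplicate-entry error -->
            <remove fileExtension=".pdf" />
            <add fileExtension=".pdf" allowed="false" />
            <remove fileExtension=".xml" />
            <add fileExtension=".xml" allowed="false" />
          </fileExtensions>
        </requestFiltering>
      </security>
    </system.webServer>
  </location>
</configuration>
```

Either approach only affects HTTP requests; the application can still read the .pdf and .xml files from their hard drive location, so the workflow directory structure stays unchanged.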