Authorization settings for a folder in ASP.NET

Published 2019-08-01 23:52

Question:

I have an ASP.NET web site. I want to restrict all users from accessing a folder named "log", and I have this element in web.config:

<location path="log">
    <system.web>
        <authorization>
            <deny users="*"/>
        </authorization>
    </system.web>
</location>

and this element before it in system.web:

<authorization>
    <allow users="*"/>
</authorization>

but I still have access to this URL: http://www.mydomain.com/log/log.txt

Any ideas?

Thanks.

Answer 1:

.txt files are not handled by ASP.NET by default. You'll have to block access to the folder from within IIS.

If you're using IIS 7, you can use Request Filtering to achieve this.
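
One way to apply the fix from this answer, as an added example that is not part of the original post: a root web.config that keeps the question's <location> deny for ASP.NET-handled requests and adds an IIS 7+ Request Filtering hidden segment so that static files under /log are refused before any handler runs. It assumes IIS 7 or later in integrated pipeline mode with the Request Filtering module installed; the folder name "log" is the one from the question.

```xml
<?xml version="1.0"?>
<configuration>
  <system.web>
    <authorization>
      <allow users="*" />
    </authorization>
  </system.web>

  <!-- Managed URL authorization (UrlAuthorizationModule) only runs for requests that
       reach the ASP.NET pipeline. A static file such as log.txt is served by the native
       StaticFileModule, so the <location> deny below is never consulted for it.
       Request Filtering is evaluated for every request, whatever the handler, and
       rejects any URL that contains a "log" path segment with HTTP 404. -->
  <system.webServer>
    <security>
      <requestFiltering>
        <hiddenSegments>
          <add segment="log" />
        </hiddenSegments>
      </requestFiltering>
    </security>
  </system.webServer>

  <!-- Kept for requests that do go through ASP.NET (e.g. an .aspx page placed in /log) -->
  <location path="log">
    <system.web>
      <authorization>
        <deny users="*" />
      </authorization>
    </system.web>
  </location>
</configuration>
```

A hidden segment matches a path segment named "log" anywhere in the URL, not only the site-root folder, so choose a name that does not collide with legitimate paths. The file still exists on disk, so writing logs to a directory outside the web root remains the more robust option.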



Answer 2:

To avoid this confusion, I usually create a web.config file in the directories where I need to set different permissions.

If you place a web.config file inside your log folder, it will work OK (and it becomes easier to check the permissions applied to the folder).

Example:

<?xml version="1.0"?>
<configuration xmlns="http://schemas.microsoft.com/.NetConfiguration/v2.0">
  <system.web>
    <authorization>
      <deny users="*"/>
    </authorization>
  </system.web>
</configuration>


Answer 3:

I typed up a summary since many were facing the same situation regarding subfolder authentication.

Subfolder Authorization

  • ASP.NET can only have a single authentication mode for one application.
  • Different applications CANNOT share resources among them.

Scenario

Let's say the home page should not prompt a login dialog. It should let users pass through, whatever the login is. However, in the same application, in a different folder presumably, another page needs to check user permission against a database table using the user's network login ID. By default IE treats all web sites with only a hostname as Intranet. By its default intranet setting, it will not prompt the login dialog and will pass the user login and password to the application if Windows Authentication is used. However, the tricky part is, if the application has an actual domain, IE will think it is an Internet site, and it will prompt for the login and password if Windows Authentication is used.


The only way not to prompt the login dialog for an Internet site using Windows Authentication is to also turn on Anonymous Authentication in IIS. However, you will lose the ability to capture the login info because Anonymous authentication has precedence over Windows Authentication. The good news is there is a way to resolve that issue. If an application subfolder needs to capture the login information, you will need to override the parent authorization in a Location element in web.config.

1. In IIS, configure Authentication as follows:

  1. Enable Anonymous Authentication,
  2. Enable Windows Authentication

2. Add the following to Web.Config:

<authentication mode="Windows" />
<authorization>
  <allow users="*" />
</authorization>

<!-- secured is the relative subfolder name. Deny anonymous users, so only authenticated logins will pass through -->
<location path="secured" allowOverride="true">
  <system.web>
    <authorization>
      <deny users="?" />
    </authorization>
  </system.web>
</location>