Click here to Skip to main content
14,880,672 members
Please Sign up or sign in to vote.
0.00/5 (No votes)
See more:
I want to restrict users to access files using URL absolute path (authenticated and not).

Users wont be able to access a CSS or Js file (for example entering

Obviously I cant deny access on web.config because if I do that the JS are not executed (for authenticated users).

So I'm thinking on an approach through some code. Something like this:

string path = Request.Url.AbsoluteUri;
        string strExt = System.IO.Path.GetExtension(path); // to get extension
        Response.Write("here: " + path);
        Response.Write(" test: " + strExt);
        if (!System.IO.Path.IsPathRooted(path)) //should get if entered absolute path
            if ((strExt == ".css") || (strExt == ".js"))

But that's not working. And is natural, because when we enter absolute path there's no more server side code processed on that page.

From what I searched the solution is using a HttpHandler to build CSS and JS, and then change authorization on those handlers.

I did on web.config
         <add verb="*" path="css/*.css" type="handler.MyHttpHandler, handler" />
      <add verb="*" path="Script/*.js" type="handler.MyHttpHandler, handler" />

and created a class Myhhtphandler

<pre lang="cs">

public class MyHttpHandler : IHttpHandler, IReadOnlySessionState
    public void ProcessRequest(HttpContext context)
            context.Response.Redirect("/login.aspx?retUrl=" + context.Request.RawUrl);
    public bool IsReusable
        get { return false; }

I have two problems: I dont know if this correct, and I get an error "could not load file or assembly 'handler' or one of its dependencies. The system cannot find the file specified."

Sorry if the solution is too obvious, but I honestly dont know.

EDIT: I created a web.config dedicated on css folder a placed html handlers, this way I dont get errors but I still can access the css file through URL absolute path.


Now using as simple as that: MyHttpHandler.cs:

using System.Web;
using System.Web.Security;
using System.Web.UI;
namespace test
   public class MyHttpHandler : IHttpHandler
      public void ProcessRequest(HttpContext context)
      public bool IsReusable
            return true;


<?xml version="1.0"?>

          <add verb="*" path="*.css"


Still dont work.
Updated 27-Dec-10 16:18pm

1 solution

Change the Web.Config to,

<add verb="*" path="css/*.css" type="handler.MyHttpHandler" />

I believe "handler" is your namespace.

IHttpModule is perfect for your scenario because Module is the one which gets execute first before all the request.

Refer here[^]
Maxdd 7 27-Dec-10 22:02pm
Without the "namespace" dont work as well.

How should I use IHttpModule ?
Venkatesh Mookkan 27-Dec-10 22:07pm
Yes. It will not work without namespace. But the type="handler.MyHttpHandler, handler" the "handler" after comma is assembly name. I hope you know what is assembly name.

IHttpModule is as similar as IHttpHandler which with different function implementation. You have register Modules to your website using web.config like Handlers.

I have added the reference link in the answer section
Maxdd 7 27-Dec-10 22:09pm
Here it is:
<add verb="supported http verbs" path="path" type="namespace.classname, assemblyname" />

I'll take a look at ihttpmodule.
Maxdd 7 27-Dec-10 22:19pm
Meanwhile what do you think of my new implementation? (I edited my question). I really believe that shoulded work.
Venkatesh Mookkan 27-Dec-10 22:38pm
"Still don't work" - means? Are you still having problem in configuring the Handler?
Maxdd 7 27-Dec-10 22:46pm
Means that the handler simply dont work.

I thing the problem is related due to the fact I have to config the IIS. But the server I use does not allow that direct config.

I hope I'm wrong.
Venkatesh Mookkan 27-Dec-10 22:51pm
<add verb="*" path="*.css" type="TestHandler.MyHttpHandler"/>


namespace TestHandler
public class MyHttpHandler : IHttpHandler
#region IHttpHandler Members

public bool IsReusable
get { return true; }

public void ProcessRequest(HttpContext context)



The above works perfectly for me.
Maxdd 7 27-Dec-10 22:59pm
Well I dont understand.

Do you have your MyHttpHandler.cs: on /webroot? that web.config is on CSS folder ?

I just copied, pasted, and when I enter http://webroot/css/style.css

I saw all my css code
Venkatesh Mookkan 27-Dec-10 23:00pm
Place a breakpoint at the starting of ProcessRequest function and check if, you are able to go into the Handler?
Maxdd 7 27-Dec-10 23:04pm
No, ProcessRequest(HttpContext context) is not being executed.
Venkatesh Mookkan 27-Dec-10 23:07pm
Actually I using FileSystem Website. I switched to IIS mode, the css gets displayed. I understand the problem now. The problem is IHttpHandler. Write your restriction logic in IHttpModule and add it your website. You will be all set.
Dalek Dave 27-Dec-10 23:12pm
Good Answer
Kasson 27-Dec-10 23:15pm
Good call Venkatesh
Maxdd 7 27-Dec-10 23:17pm
Forgot to say (really tired), thanks for your conclusion.
Venkatesh Mookkan 27-Dec-10 23:33pm
I have build a website using IHttpModule which is a security guard (Authentication and validation) for my application. It is hosted in IIS 5.1, IIS 6.0, IIS 7.5 (Window 7 Pro & Server). You have to nothing to configure on the IIS and nothing to do with OS also. Just web.config setting is enough. You can search CP for better example on IHttpModule
Maxdd 7 28-Dec-10 0:16am
Thank you very much Mookkan.

First of all, I hope my deleted posts are really being deleted, because I'm posting many posts (i cant edit them so I delete them with the updates).

I solved part of the problem. I was using too many http modules. I realized I just need one - primary web.config. Altough now when I go through absolute path file is "not found" (what I want), my CSS and JS are not being loaded on the page.

I tried to solve the problem through web.config on css and script folders:

<allow users="*"/>

but dont work. Any ideas ?

Looks like ihttp module is blocking all .css and .js files, not the only ones on absolute path..
Venkatesh Mookkan 28-Dec-10 0:22am
<deny users="*">

Should work
Maxdd 7 28-Dec-10 10:12am
Unfortunately no, because the problem with at the handler.

I'm trying this way:

string filePath = context.Request.FilePath;
string absolute = context.Request.Url.AbsoluteUri;

context.Response.Write("path: " + filePath + " abs: " + absolute);


string fileExtension =
if (fileExtension.Equals(".css") && (filePath == absolute))

I get the CSS (the same) and the output:
path: /StickyNotes3.5/css/style.css abs: http://localhost:xx/StickyNotes3.5/css/style.css

So I'm really near.
Venkatesh Mookkan 28-Dec-10 10:19am
Maxdd7, You should listen. You have to use IHttpModule.
Maxdd 7 28-Dec-10 10:34am
Well, that's what am I using now.

In your answer, you referred me this link

And that's what I'm using.

Right ?

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)

  Print Answers RSS
Top Experts
Last 24hrsThis month

CodeProject, 20 Bay Street, 11th Floor Toronto, Ontario, Canada M5J 2N8 +1 (416) 849-8900