IIS Express generates 403.14 Forbidden errors when a URL that would otherwise be processed by routing an ASP.NET URL matches a physical folder in my ASP.NET project. (The folder only contains code and it matches that the folder name matches the page URL, my URL structure is dynamically determined by the database, and users can edit this structure, so although I could just rename my project folder, in general, I cannot prevent such a collision.)
This seems to be happening because the DirectoryListingModule steps process the request and then quickly complete it because directory browsing is disabled. I tried to remove this:
<system.webServer> <handlers> <remove name="StaticFile" /> <add name="StaticFile" path="*" verb="*" modules="StaticFileModule" resourceType="Either" requireAccess="Read" /> </handlers> </system.webServer>
This removes the default configuration of the StaticFile , which has modules="StaticFileModule,DefaultDocumentModule,DirectoryListingModule" , and replaces it with a configuration that provides only the functions that I want. (I want the static file to work, but I donβt need to specify a directory listing or default documents in this application.) But the effect seems to be that IIS then produces a completely empty (0 byte) response (with a status of 200) when I hit an abusive page.
So, I tried to configure the StaticFile handler to process only certain physical folders that I want to make available:
<system.webServer> <handlers> <remove name="StaticFile" /> <add name="StaticFileCss" path="style/*.css" verb="*" modules="StaticFileModule" resourceType="Either" requireAccess="Read" /> <add name="StaticFileScripts" path="Scripts/*" verb="*" modules="StaticFileModule" resourceType="Either" requireAccess="Read" /> </handlers> </system.webServer>
But when I hit the intruder URL, then error 404.4 - Not found with the message The resource you are looking for does not have a handler associated with it. . (Detailed information about the error on the error page indicates that we are in the IIS Web Core module, during the notification of MapRequestHandler the Not yet determined handler, and there is error code 0x80070002 , which is COM HRESULT which corresponds to Win32 error ERROR_FILE_NOT_FOUND .)
The hoax is that he didn't even bother to ask ASP.NET if he has a handler for it. IIS seems to solve on its own, which is definitely not a handler.
This only happens when there is a folder matching the URL. All other resources with dynamically defined URLs work very well - IIS requests ASP.NET for the handler, the ASP.NET routing mechanism works as usual, and if the URL matches one of my dynamically defined pages, everything works fine. It is simply the presence of a physical folder that stops all of this from working.
I see that IIS does this because I get one of the IIS style error pages for this 404, and they have a distinctive design that is very different from the 404 created by ASP.NET. (If I try to navigate to a URL that does not match a physical folder or a dynamic resource, I get a page 404 generated by ASP.NET. Therefore, as a rule, IIS definitely passes requests to ASP.NET, but IIS definitely interferes with these problematic resources .)
I tried to add this to my <system.WebServer> if the problem was that IIS decided that requests matching physical folders did not meet the managedHandler condition:
<modules runAllManagedModulesForAllRequests="true">
But this does not help - it still does not get ASP.NET routing for URLs matching physical folders. In any case, that would be suboptimal - I would prefer not to manage managed handlers for content that I definitely want to handle as static content. I really want the ASP.NET URL URL to be used as a backstop. I want it to come into play if the URL is definitely not referencing static content.
I do not understand why ASP.NET does not even ask ASP.NET what it thinks in this scenario. Why doesn't it call ASP.NET during the MapRequestHandler phase if there is a physical folder that matches the URL?