How do I secure a folder using SSL?

[joebeazelman]

I have a folder that I would like to protect via SSL. If I place this folder outside of the /Admin folder, AC will automatically rewrite the url to HTTP instead of HTTPS when I try to access the folder's content. I've been unsuccessful in locating the responsible code for rewriting the URL. Putting the folder inside Admin isn't acceptable for reasons that would be too complex to explain. I have a hunch that AC is using a IHttpModule to do the rewriting.

Any help here would be greatly appreciated.

[batmike]

Hi Joe,

The rewriting is controlled by a file at /App_Data/ablecommerce.config.

Open that up and then you will find a node called <securePages>

Below that there is a node <directories> and a node <pages> ... if you add in the following under the <directories> node, it will force SSL for the SecureFolder and all of it's contents:

<add path="SecureFolder" recurse="true" />

You can of course secure folders deeper in the file structure such as: path="TopFolder/SecureSubFolder"

Anyway, that's what you need to do and then you'll be all set.


-Mike

[joebeazelman]

Hi batmike,

Thank you for all the help. You definitely solved my problem, but I was hoping it would indirectly solve my bigger problem which I didn't specify. Currently, I have a WCF service.svc file that I would like secured using SSL, I am able to download the schema and configuration via SSL, but when I try to invoke any of my Web Service method, it redirects me to the login page. I tried to remove forms authentication, but it still redirects me to the login page. I was hoping that by bypassing the /Admin directory that this problem would disappear. Alas, no success here. Any help would be greatly appreciated!

[AbleMods]

I tried to remove forms authentication, but it still redirects me to the login page. I was hoping that by bypassing the /Admin directory that this problem would disappear. Alas, no success here.

Sounds like you have the web service installed in a secured folder. Move it to an unsecured folder and add authentication functionality to the web services themselves. This will bypass all the IIS authentication requirements and give you greater control over how authentication takes place.

Removing Forms Authentication altogether might have other consequences you cannot foresee.

[joebeazelman]

Thanks. I figured it out. My goal wasn't to remove forms authentication, but I removed it to help troubleshoot the problem. I am now able to place the web services folder within the admin folder. I create a separate web.config for the folder and wrap the configuration with a location tag specifying the service file.