Adding URLs That Will Always Be Allowed <add>

Overview

The <add> element of the <alwaysAllowedUrls> element specifies a unique URL that request filtering will always allow. The <alwaysAllowedUrls> element contains a collection URLs that request filtering will allow, which override the values in the <denyUrlSequences> collection.

Compatibility

Version Notes
IIS 7.5 The <add> element of the <alwaysAllowedUrls> element ships as a feature of IIS 7.5.
IIS 7.0 The <add> element of the <alwaysAllowedUrls> element was introduced as an update for IIS 7.0 that is available through Microsoft Knowledge Base Article 957508.
IIS 6.0 The <alwaysAllowedUrls> element is roughly analogous to the [AlwaysAllowedUrls] section that was added to URLScan 3.0.

Setup

The default installation of IIS 7 includes the Request Filtering role service. If the Request Filtering role service is uninstalled, you can reinstall it using the following steps.

Windows Server 2008 or Windows Server 2008 R2

  1. On the taskbar, click Start, point to Administrative Tools, and then click Server Manager.
  2. In the Server Manager hierarchy pane, expand Roles, and then click Web Server (IIS).
  3. In the Web Server (IIS) pane, scroll to the Role Services section, and then click Add Role Services.
  4. On the Select Role Services page of the Add Role Services Wizard, select Request Filtering, and then click Next.
  5. On the Confirm Installation Selections page, click Install.
  6. On the Results page, click Close.

Windows Vista or Windows 7

  1. On the taskbar, click Start, and then click Control Panel.
  2. In Control Panel, click Programs and Features, and then click Turn Windows Features on or off.
  3. Expand Internet Information Services, then World Wide Web Services, and then Security.
  4. Select Request Filtering, and then click OK.

How To

How to always allow a URL

  1. Open Internet Information Services (IIS) Manager:
    • If you are using Windows Server 2008 or Windows Server 2008 R2:
      • On the taskbar, click Start, point to Administrative Tools, and then click Internet Information Services (IIS) Manager.
    • If you are using Windows Vista or Windows 7:
      • On the taskbar, click Start, and then click Control Panel.
      • Double-click Administrative Tools, and then double-click Internet Information Services (IIS) Manager.
  2. In the Connections pane, go to the connection, site, application, or directory for which you want to modify your request filtering settings.
  3. In the Home pane, double-click Request Filtering.
  4. In the Request Filtering pane, click the URL tab, then click Allow URL... in the Actions pane.
  5. In the Allow URL dialog box, enter the URL that you wish to allow, and then click OK.

Configuration

The <add> element of the <alwaysAllowedUrls> element is configured at the site, application, or directory level.

Attributes

Attribute Description
url Optional string attribute.

Specifies a unique URL to always allow.

There is no default value.

Child Elements

None.

Configuration Sample

The following sample illustrates a combination of a <denyUrlSequences> element and an <alwaysAllowedUrls> element that will deny any URLs if they contain either of two specific character sequences, but will always allow a specific URL that contains both of those two specific character sequences in a particular order.

<system.webServer>
   <security>
      <requestFiltering>
         <denyUrlSequences>
            <add sequence="bad" />
            <add sequence="sequence" />
         </denyUrlSequences>
         <alwaysAllowedUrls>
            <add url="/bad_sequence.txt" />
         </alwaysAllowedUrls>
      </requestFiltering>
   </security>
</system.webServer>

Sample Code

The following examples demonstrate how to add a URL that will always be allowed on the Default Web Site.

AppCmd.exe

appcmd.exe set config "Default Web Site" -section:system.webServer/security/requestFiltering /+"alwaysAllowedUrls.[url='/_allowed_url.aspx']"

C#

using System;
using System.Text;
using Microsoft.Web.Administration;
internal static class Sample { private static void Main() { using (ServerManager serverManager = new ServerManager()) { Configuration config = serverManager.GetWebConfiguration("Default Web Site"); ConfigurationSection requestFilteringSection = config.GetSection("system.webServer/security/requestFiltering"); ConfigurationElementCollection alwaysAllowedUrlsCollection = requestFilteringSection.GetCollection("alwaysAllowedUrls"); ConfigurationElement addElement = alwaysAllowedUrlsCollection.CreateElement("add"); addElement["url"] = @"/allowed_url.aspx"; alwaysAllowedUrlsCollection.Add(addElement); serverManager.CommitChanges(); } } }

VB.NET

Imports System
Imports System.Text
Imports Microsoft.Web.Administration
Module Sample Sub Main() Dim serverManager As ServerManager = New ServerManager Dim config As Configuration = serverManager.GetWebConfiguration("Default Web Site") Dim requestFilteringSection As ConfigurationSection = config.GetSection("system.webServer/security/requestFiltering") Dim alwaysAllowedUrlsCollection As ConfigurationElementCollection = requestFilteringSection.GetCollection("alwaysAllowedUrls") Dim addElement As ConfigurationElement = alwaysAllowedUrlsCollection.CreateElement("add") addElement("url") = "/allowed_url.aspx" alwaysAllowedUrlsCollection.Add(addElement) serverManager.CommitChanges() End Sub End Module

JavaScript

var adminManager = new ActiveXObject('Microsoft.ApplicationHost.WritableAdminManager');
adminManager.CommitPath = "MACHINE/WEBROOT/APPHOST/Default Web Site";
var requestFilteringSection = adminManager.GetAdminSection("system.webServer/security/requestFiltering", "MACHINE/WEBROOT/APPHOST/Default Web Site");

var alwaysAllowedUrlsCollection = requestFilteringSection.ChildElements.Item("alwaysAllowedUrls").Collection;
var addElement = alwaysAllowedUrlsCollection.CreateNewElement("add");
addElement.Properties.Item("url").Value = "/allowed_url.aspx";
alwaysAllowedUrlsCollection.AddElement(addElement);

adminManager.CommitChanges();

VBScript

Set adminManager = createObject("Microsoft.ApplicationHost.WritableAdminManager")
adminManager.CommitPath = "MACHINE/WEBROOT/APPHOST/Default Web Site"
Set requestFilteringSection = adminManager.GetAdminSection("system.webServer/security/requestFiltering", "MACHINE/WEBROOT/APPHOST/Default Web Site")

Set alwaysAllowedUrlsCollection = requestFilteringSection.ChildElements.Item("alwaysAllowedUrls").Collection
Set addElement = alwaysAllowedUrlsCollection.CreateNewElement("add")
addElement.Properties.Item("url").Value = "/allowed_url.aspx"
alwaysAllowedUrlsCollection.AddElement(addElement)

adminManager.CommitChanges()
Deprecated Elements