Authorization Confusion

Jonathan Wood

I have a subfolder on my Website that contains images. It also contains the
web.config file shown below.

When I access the site, I get the Login page as expected. But if I type in
the URL of an image in the folder that contains images, the image is
displayed in the browser.

I don't understand why I am not prevented from seeing the contents of this
folder since I have not been authenticated. Does it have something to do
with the fact that these resources are images? How would I prevent access to
this folder by users who are not logged in?

Thanks.

<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <system.web>
    <authorization>
      <allow roles="Client,Trainer,Admin" />
      <deny users="*" />
    </authorization>
  </system.web>
</configuration>

Jonathan
 
Juan T. Llibre

I should add that you only need to do step 1:

1. Configure IIS so that .jpg, .gif, etc. files are mapped to the ASP.NET ISAPI extension

That will prevent the image files from being served without authorization.

Step 2:

2. Configure ASP.NET so that *.xxx files are mapped to the HttpForbiddenHandler HTTP handler

...will prevent the files from being served, period.
You don't want to do step 2.

Juan T. Llibre, asp.net MVP
asp.net faq : http://asp.net.do/faq/
asp.net forums, in Spanish : http://asp.net.do/foros/
======================================
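Here is what the two steps look like on the ASP.NET side, as an added illustration (this config is not from the thread or from Juan's reply). It assumes step 1 has already been done in IIS Manager, i.e. .jpg, .gif and .png are mapped to aspnet_isapi.dll so those requests reach ASP.NET at all; the extensions, the use of System.Web.StaticFileHandler to serve the files once authorization has passed, and the commented-out HttpForbiddenHandler mapping are the assumptions made here:

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- Added example, not the thread's own file. Assumes the IIS-side step 1 is done:
     .jpg/.gif/.png are mapped to the ASP.NET ISAPI extension (classic pipeline),
     so the image requests are handled by ASP.NET instead of IIS's static file server. -->
<configuration>
  <system.web>
    <!-- Same rule as in the question: only these roles may see anything in this folder.
         deny users="*" covers both anonymous (?) and any other authenticated user. -->
    <authorization>
      <allow roles="Client,Trainer,Admin" />
      <deny users="*" />
    </authorization>

    <!-- Step 1, ASP.NET side: now that the images arrive in the ASP.NET pipeline,
         UrlAuthorizationModule evaluates the rules above before any handler runs.
         An unauthenticated caller is redirected to the login page; a caller in an
         allowed role gets the file served by the built-in static file handler. -->
    <httpHandlers>
      <add path="*.jpg" verb="GET,HEAD" type="System.Web.StaticFileHandler" />
      <add path="*.gif" verb="GET,HEAD" type="System.Web.StaticFileHandler" />
      <add path="*.png" verb="GET,HEAD" type="System.Web.StaticFileHandler" />
    </httpHandlers>

    <!-- Step 2 (the one the answer says NOT to use): HttpForbiddenHandler returns
         403 to everyone, logged in or not, so the images become unreachable.
         Left commented out; shown only to make the difference between the two steps visible.
    <httpHandlers>
      <add path="*.jpg" verb="*" type="System.Web.HttpForbiddenHandler" />
    </httpHandlers>
    -->
  </system.web>
</configuration>
```

The point of the mapping is ordering: IIS serves a static file itself and never consults the ASP.NET authorization rules, which is exactly why the image came back without a login. Only once the request enters the ASP.NET pipeline do the allow/deny rules apply. On IIS 7 and later in integrated mode the same effect is obtained by letting the managed UrlAuthorization module run for all requests rather than by an ISAPI mapping, but the principle is the same: a rule that the request never passes through protects nothing.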
 
Jonathan Wood

Soooo... It defaults to making resources not specified available to anyone
regardless of the allow/deny settings...

I thought ASP.NET usually defaulted to being secure.

Thanks for the info!

Jonathan