web.config authorization element not working as expected on ASP.NET Development Server

J

J055

Ver. VS2005

Hi

I'm using forms authentication and have set the authorization element to
deny anonymous users. This works fine except that when I view the login.aspx
page as an unauthenticated user I am denied access to non-asp files like
css, gif, jpg etc.

The only happens on the ASP.NET Development Server and not when I publish to
an IIS web server.

Can someone let me know why this happens and if there's something I can do
about it?

Thanks
Andrew

Here's the web.config file:

<system.web>
<authentication mode="Forms">
<forms name="ASPXSecurity" loginUrl="Login.aspx" protection="All" path="/"
timeout="30" />
</authentication>
<authorization>
<deny users="?" />
</authorization>
</system.web>
 
S

Steven Cheng[MSFT]

Hi Andrew,

Welcome to the ASPNET newsgroup.

As for the ASP.NET 2.0/vs 2005 web application with Test web server, when
using Forms Authentication, the problem you encountered does exists. So
there is nothing incorrect in your application's code and configuration.
Actually, the problem is specific to the .NET 2.0/vs 2005 TestWebServer,
because the test webserver dosn't have filter or extension like IIS, all
the requests to the web application(no matter for ASP.NET resources or
static file resource) are processed by ASP.NET runtime, this cause those
static files in our web application also be protected by
formsauthentication(when developing in test server). Of course, when
deploying in IIS server, the application won't suffer this issue. Is your
web application currectly put those static resource (images , scripts ...)
in a certain sub dir? If so, you can consider temporarly grant anonymous
permission for those dirs in forms authorization setting at development
time, that's won't voliate the security when deploying into IIS virtual
dir.

Thanks for your understanding.

Regards,

Steven Cheng
Microsoft Online Support

Get Secure! www.microsoft.com/security
(This posting is provided "AS IS", with no warranties, and confers no
rights.)
 

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments. After that, you can post your question and our members will help you out.

Ask a Question

Similar Threads

Restrict access to Classic ASP pages in web.config 2
location element in web.config 1
Authorization & Theme 1
Forms Authentication not Redirecting 1
Forms authentication page not called 7
2 Login pages in web.config = ERROR! 1
Login page won't redirect to a Register (new account) page 3
Forms Authentication question in web.config 3

Top