ASP.NET 2.0 - Forms auth - no images and css on login page

Discussion in 'ASP .Net Security' started by Markus R., Jan 17, 2006.

  1. Markus R.

    Markus R. Guest

    Hi,

    I have just configured my application to use forms based authentication.
    Now, when I try to access a page I am redirected to the login page but its
    CSS and images do not load.

    It is great that ASP.NET 2 authentication finally protects non asp.net
    content but how can I change the protection level of the objects which are
    embedded in the login so that they are available without authenticaition?

    Markus
     
    Markus R., Jan 17, 2006
    #1
    1. Advertising

  2. Hi,

    first of all - ASP.NET does not protect non-ASP.NET content by default -
    only if you map the corresponding extensions to aspnet_isapi.dll in IIS manager.
    If you have not configured the application like this you might have a different
    problem.

    To exclude files - or better directories - from authentication use a <location>
    element - i would copy all files that have to be available to anon users
    in a central directory, e.g. calle public.

    add to web.config:

    <location path="public">
    <system.web>
    <authorization>
    <allow users="*" />
    </authorization>
    </system.web>
    </location>
    ---------------------------------------
    Dominick Baier - DevelopMentor
    http://www.leastprivilege.com

    > Hi,
    >
    > I have just configured my application to use forms based
    > authentication. Now, when I try to access a page I am redirected to
    > the login page but its CSS and images do not load.
    >
    > It is great that ASP.NET 2 authentication finally protects non asp.net
    > content but how can I change the protection level of the objects which
    > are embedded in the login so that they are available without
    > authenticaition?
    >
    > Markus
    >
     
    Dominick Baier [DevelopMentor], Jan 17, 2006
    #2
    1. Advertising

  3. Markus R.

    Markus R. Guest

    Hi Dominick,

    > first of all - ASP.NET does not protect non-ASP.NET content by default -
    > only if you map the corresponding extensions to aspnet_isapi.dll in IIS
    > manager. If you have not configured the application like this you might
    > have a different problem.


    I requested Default.css and got redirected to the login page. I have not
    changes anything within the web server configuration.
    Could it be that I experienced this behaviour because I use the VS.NET 2005
    integrated "Development Server" and not IIS?

    > To exclude files - or better directories - from authentication use a
    > <location> element - i would copy all files that have to be available to
    > anon users in a central directory, e.g. calle public.


    That sounds good. Thank you!

    Markus
     
    Markus R., Jan 17, 2006
    #3
  4. Hi Markus,

    For the static resources (images , css...) being protected problem, first
    we can double check that the linked resources' path are correct. If so, are
    you using .net's buildin TestServer to developing the asp.net web app
    instead of IIS? Based on my experience, this is potential cause since the
    TestServer will accept all the requests (no matter for asp.net pages or
    static resources like css or images....), thus, when we use
    FormsAuthentication to protected our side(root dir and sub dirs...), all
    the static files in the app folder will also be protected from
    unauthenticated users....

    If this is the case, you can consider the following options:

    1. Developing the web application in IIS instead of the TestServer

    2. Or you can temporarly set <authroization> for your static resources'
    folder to let anonymous access(for forms authentication...)

    Hope helps. Thanks,

    Steven Cheng
    Microsoft Online Support

    Get Secure! www.microsoft.com/security
    (This posting is provided "AS IS", with no warranties, and confers no
    rights.)




    --------------------
    | From: "Markus R." <>
    | References: <>
    <>
    | Subject: Re: ASP.NET 2.0 - Forms auth - no images and css on login page
    | Date: Tue, 17 Jan 2006 11:58:52 +0100
    | Lines: 21
    | X-Priority: 3
    | X-MSMail-Priority: Normal
    | X-Newsreader: Microsoft Outlook Express 6.00.2900.2670
    | X-RFC2646: Format=Flowed; Response
    | X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2670
    | Message-ID: <#>
    | Newsgroups: microsoft.public.dotnet.framework.aspnet.security
    | NNTP-Posting-Host: 80.152.25.19
    | Path: TK2MSFTNGXA02.phx.gbl!TK2MSFTNGP08.phx.gbl!tk2msftngp13.phx.gbl
    | Xref: TK2MSFTNGXA02.phx.gbl
    microsoft.public.dotnet.framework.aspnet.security:16939
    | X-Tomcat-NG: microsoft.public.dotnet.framework.aspnet.security
    |
    | Hi Dominick,
    |
    | > first of all - ASP.NET does not protect non-ASP.NET content by default
    -
    | > only if you map the corresponding extensions to aspnet_isapi.dll in IIS
    | > manager. If you have not configured the application like this you might
    | > have a different problem.
    |
    | I requested Default.css and got redirected to the login page. I have not
    | changes anything within the web server configuration.
    | Could it be that I experienced this behaviour because I use the VS.NET
    2005
    | integrated "Development Server" and not IIS?
    |
    | > To exclude files - or better directories - from authentication use a
    | > <location> element - i would copy all files that have to be available
    to
    | > anon users in a central directory, e.g. calle public.
    |
    | That sounds good. Thank you!
    |
    | Markus
    |
    |
    |
     
    Steven Cheng[MSFT], Jan 18, 2006
    #4
  5. Markus R.

    Markus R. Guest

    Hi Steven,

    thanks for the information. You are right. VS.NET's builtin Webserver has
    caused the problem.

    Regards,

    Markus


    "Steven Cheng[MSFT]" <> schrieb im Newsbeitrag
    news:...
    > Hi Markus,
    >
    > For the static resources (images , css...) being protected problem, first
    > we can double check that the linked resources' path are correct. If so,
    > are
    > you using .net's buildin TestServer to developing the asp.net web app
    > instead of IIS? Based on my experience, this is potential cause since the
    > TestServer will accept all the requests (no matter for asp.net pages or
    > static resources like css or images....), thus, when we use
    > FormsAuthentication to protected our side(root dir and sub dirs...), all
    > the static files in the app folder will also be protected from
    > unauthenticated users....
    >
    > If this is the case, you can consider the following options:
    >
    > 1. Developing the web application in IIS instead of the TestServer
    >
    > 2. Or you can temporarly set <authroization> for your static resources'
    > folder to let anonymous access(for forms authentication...)
    >
    > Hope helps. Thanks,
    >
    > Steven Cheng
    > Microsoft Online Support
    >
    > Get Secure! www.microsoft.com/security
    > (This posting is provided "AS IS", with no warranties, and confers no
    > rights.)
    >
    >
    >
    >
    > --------------------
    > | From: "Markus R." <>
    > | References: <>
    > <>
    > | Subject: Re: ASP.NET 2.0 - Forms auth - no images and css on login page
    > | Date: Tue, 17 Jan 2006 11:58:52 +0100
    > | Lines: 21
    > | X-Priority: 3
    > | X-MSMail-Priority: Normal
    > | X-Newsreader: Microsoft Outlook Express 6.00.2900.2670
    > | X-RFC2646: Format=Flowed; Response
    > | X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2670
    > | Message-ID: <#>
    > | Newsgroups: microsoft.public.dotnet.framework.aspnet.security
    > | NNTP-Posting-Host: 80.152.25.19
    > | Path: TK2MSFTNGXA02.phx.gbl!TK2MSFTNGP08.phx.gbl!tk2msftngp13.phx.gbl
    > | Xref: TK2MSFTNGXA02.phx.gbl
    > microsoft.public.dotnet.framework.aspnet.security:16939
    > | X-Tomcat-NG: microsoft.public.dotnet.framework.aspnet.security
    > |
    > | Hi Dominick,
    > |
    > | > first of all - ASP.NET does not protect non-ASP.NET content by default
    > -
    > | > only if you map the corresponding extensions to aspnet_isapi.dll in
    > IIS
    > | > manager. If you have not configured the application like this you
    > might
    > | > have a different problem.
    > |
    > | I requested Default.css and got redirected to the login page. I have not
    > | changes anything within the web server configuration.
    > | Could it be that I experienced this behaviour because I use the VS.NET
    > 2005
    > | integrated "Development Server" and not IIS?
    > |
    > | > To exclude files - or better directories - from authentication use a
    > | > <location> element - i would copy all files that have to be available
    > to
    > | > anon users in a central directory, e.g. calle public.
    > |
    > | That sounds good. Thank you!
    > |
    > | Markus
    > |
    > |
    > |
    >
     
    Markus R., Jan 18, 2006
    #5
  6. Hi,

    <rant topic="VsWebServer">
    and thats actually very dangerous. If you start testing on VS web server
    you might get the impression that this is the "real" behavior - then you
    deploy on IIS and all your static files sit there unprotected...
    </rant>

    http://www.leastprivilege.com/CassiniConsideredHarmful.aspx

    ---------------------------------------
    Dominick Baier - DevelopMentor
    http://www.leastprivilege.com

    > Hi Steven,
    >
    > thanks for the information. You are right. VS.NET's builtin Webserver
    > has caused the problem.
    >
    > Regards,
    >
    > Markus
    >
    > "Steven Cheng[MSFT]" <> schrieb im
    > Newsbeitrag news:...
    >
    >> Hi Markus,
    >>
    >> For the static resources (images , css...) being protected problem,
    >> first
    >> we can double check that the linked resources' path are correct. If
    >> so,
    >> are
    >> you using .net's buildin TestServer to developing the asp.net web app
    >> instead of IIS? Based on my experience, this is potential cause
    >> since the
    >> TestServer will accept all the requests (no matter for asp.net pages
    >> or
    >> static resources like css or images....), thus, when we use
    >> FormsAuthentication to protected our side(root dir and sub dirs...),
    >> all
    >> the static files in the app folder will also be protected from
    >> unauthenticated users....
    >> If this is the case, you can consider the following options:
    >>
    >> 1. Developing the web application in IIS instead of the TestServer
    >>
    >> 2. Or you can temporarly set <authroization> for your static
    >> resources' folder to let anonymous access(for forms
    >> authentication...)
    >>
    >> Hope helps. Thanks,
    >>
    >> Steven Cheng
    >> Microsoft Online Support
    >> Get Secure! www.microsoft.com/security
    >> (This posting is provided "AS IS", with no warranties, and confers no
    >> rights.)
    >> --------------------
    >> | From: "Markus R." <>
    >> | References: <>
    >> <>
    >> | Subject: Re: ASP.NET 2.0 - Forms auth - no images and css on login
    >> page
    >> | Date: Tue, 17 Jan 2006 11:58:52 +0100
    >> | Lines: 21
    >> | X-Priority: 3
    >> | X-MSMail-Priority: Normal
    >> | X-Newsreader: Microsoft Outlook Express 6.00.2900.2670
    >> | X-RFC2646: Format=Flowed; Response
    >> | X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2670
    >> | Message-ID: <#>
    >> | Newsgroups: microsoft.public.dotnet.framework.aspnet.security
    >> | NNTP-Posting-Host: 80.152.25.19
    >> | Path:
    >> TK2MSFTNGXA02.phx.gbl!TK2MSFTNGP08.phx.gbl!tk2msftngp13.phx.gbl
    >> | Xref: TK2MSFTNGXA02.phx.gbl
    >> microsoft.public.dotnet.framework.aspnet.security:16939
    >> | X-Tomcat-NG: microsoft.public.dotnet.framework.aspnet.security
    >> |
    >> | Hi Dominick,
    >> |
    >> | > first of all - ASP.NET does not protect non-ASP.NET content by
    >> default
    >> -
    >> | > only if you map the corresponding extensions to aspnet_isapi.dll
    >> in
    >> IIS
    >> | > manager. If you have not configured the application like this you
    >> might
    >> | > have a different problem.
    >> |
    >> | I requested Default.css and got redirected to the login page. I
    >> have not
    >> | changes anything within the web server configuration.
    >> | Could it be that I experienced this behaviour because I use the
    >> VS.NET
    >> 2005
    >> | integrated "Development Server" and not IIS?
    >> |
    >> | > To exclude files - or better directories - from authentication
    >> use a
    >> | > <location> element - i would copy all files that have to be
    >> available
    >> to
    >> | > anon users in a central directory, e.g. calle public.
    >> |
    >> | That sounds good. Thank you!
    >> |
    >> | Markus
    >> |
    >> |
    >> |
     
    Dominick Baier [DevelopMentor], Jan 18, 2006
    #6
  7. You're welcome Markus,

    Regards,

    Steven Cheng
    Microsoft Online Support

    Get Secure! www.microsoft.com/security
    (This posting is provided "AS IS", with no warranties, and confers no
    rights.)


    --------------------
    | From: "Markus R." <>
    | References: <>
    <>
    <#>
    <>
    | Subject: Re: ASP.NET 2.0 - Forms auth - no images and css on login page
    | Date: Wed, 18 Jan 2006 09:49:35 +0100
    | Lines: 94
    | X-Priority: 3
    | X-MSMail-Priority: Normal
    | X-Newsreader: Microsoft Outlook Express 6.00.2900.2670
    | X-RFC2646: Format=Flowed; Original
    | X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2670
    | Message-ID: <>
    | Newsgroups: microsoft.public.dotnet.framework.aspnet.security
    | NNTP-Posting-Host: 80.152.25.19
    | Path: TK2MSFTNGXA02.phx.gbl!TK2MSFTNGP08.phx.gbl!TK2MSFTNGP11.phx.gbl
    | Xref: TK2MSFTNGXA02.phx.gbl
    microsoft.public.dotnet.framework.aspnet.security:16955
    | X-Tomcat-NG: microsoft.public.dotnet.framework.aspnet.security
    |
    | Hi Steven,
    |
    | thanks for the information. You are right. VS.NET's builtin Webserver has
    | caused the problem.
    |
    | Regards,
    |
    | Markus
    |
    |
    | "Steven Cheng[MSFT]" <> schrieb im
    Newsbeitrag
    | news:...
    | > Hi Markus,
    | >
    | > For the static resources (images , css...) being protected problem,
    first
    | > we can double check that the linked resources' path are correct. If so,
    | > are
    | > you using .net's buildin TestServer to developing the asp.net web app
    | > instead of IIS? Based on my experience, this is potential cause since
    the
    | > TestServer will accept all the requests (no matter for asp.net pages or
    | > static resources like css or images....), thus, when we use
    | > FormsAuthentication to protected our side(root dir and sub dirs...), all
    | > the static files in the app folder will also be protected from
    | > unauthenticated users....
    | >
    | > If this is the case, you can consider the following options:
    | >
    | > 1. Developing the web application in IIS instead of the TestServer
    | >
    | > 2. Or you can temporarly set <authroization> for your static resources'
    | > folder to let anonymous access(for forms authentication...)
    | >
    | > Hope helps. Thanks,
    | >
    | > Steven Cheng
    | > Microsoft Online Support
    | >
    | > Get Secure! www.microsoft.com/security
    | > (This posting is provided "AS IS", with no warranties, and confers no
    | > rights.)
    | >
    | >
    | >
    | >
    | > --------------------
    | > | From: "Markus R." <>
    | > | References: <>
    | > <>
    | > | Subject: Re: ASP.NET 2.0 - Forms auth - no images and css on login
    page
    | > | Date: Tue, 17 Jan 2006 11:58:52 +0100
    | > | Lines: 21
    | > | X-Priority: 3
    | > | X-MSMail-Priority: Normal
    | > | X-Newsreader: Microsoft Outlook Express 6.00.2900.2670
    | > | X-RFC2646: Format=Flowed; Response
    | > | X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2670
    | > | Message-ID: <#>
    | > | Newsgroups: microsoft.public.dotnet.framework.aspnet.security
    | > | NNTP-Posting-Host: 80.152.25.19
    | > | Path: TK2MSFTNGXA02.phx.gbl!TK2MSFTNGP08.phx.gbl!tk2msftngp13.phx.gbl
    | > | Xref: TK2MSFTNGXA02.phx.gbl
    | > microsoft.public.dotnet.framework.aspnet.security:16939
    | > | X-Tomcat-NG: microsoft.public.dotnet.framework.aspnet.security
    | > |
    | > | Hi Dominick,
    | > |
    | > | > first of all - ASP.NET does not protect non-ASP.NET content by
    default
    | > -
    | > | > only if you map the corresponding extensions to aspnet_isapi.dll in
    | > IIS
    | > | > manager. If you have not configured the application like this you
    | > might
    | > | > have a different problem.
    | > |
    | > | I requested Default.css and got redirected to the login page. I have
    not
    | > | changes anything within the web server configuration.
    | > | Could it be that I experienced this behaviour because I use the VS.NET
    | > 2005
    | > | integrated "Development Server" and not IIS?
    | > |
    | > | > To exclude files - or better directories - from authentication use a
    | > | > <location> element - i would copy all files that have to be
    available
    | > to
    | > | > anon users in a central directory, e.g. calle public.
    | > |
    | > | That sounds good. Thank you!
    | > |
    | > | Markus
    | > |
    | > |
    | > |
    | >
    |
    |
    |
     
    Steven Cheng[MSFT], Jan 18, 2006
    #7
    1. Advertising

Want to reply to this thread or ask your own question?

It takes just 2 minutes to sign up (and it's free!). Just click the sign up button to choose a username and then you can ask your own questions on the forum.
Similar Threads
  1. =?Utf-8?B?Q2hyaXMgTW9oYW4=?=

    Configuring Windows Auth & Forms Auth in Asp.Net

    =?Utf-8?B?Q2hyaXMgTW9oYW4=?=, Apr 28, 2004, in forum: ASP .Net
    Replies:
    0
    Views:
    764
    =?Utf-8?B?Q2hyaXMgTW9oYW4=?=
    Apr 28, 2004
  2. =?Utf-8?B?ZGhucml2ZXJzaWRl?=

    Windows Auth, but Forms Auth for one page?

    =?Utf-8?B?ZGhucml2ZXJzaWRl?=, Jan 8, 2005, in forum: ASP .Net
    Replies:
    1
    Views:
    613
    Elton Wang
    Jan 8, 2005
  3. Chris Mohan

    Configuring Windows Auth & Forms Auth in Asp.Net

    Chris Mohan, Apr 28, 2004, in forum: ASP .Net Security
    Replies:
    2
    Views:
    477
    Chris Mohan
    Apr 29, 2004
  4. Forms Auth Info passed to Windows Auth?

    , Apr 28, 2005, in forum: ASP .Net Security
    Replies:
    1
    Views:
    265
    Hernan de Lahitte
    May 3, 2005
  5. Ed Staffin
    Replies:
    1
    Views:
    402
    Ken Schaefer
    Apr 17, 2006
Loading...

Share This Page