web.config authorization element not working as expected on ASP.NET Development Server

Discussion in 'ASP .Net' started by J055, Mar 10, 2006.

  1. J055

    J055 Guest

    Ver. VS2005

    Hi

    I'm using forms authentication and have set the authorization element to
    deny anonymous users. This works fine except that when I view the login.aspx
    page as an unauthenticated user I am denied access to non-asp files like
    css, gif, jpg etc.

    The only happens on the ASP.NET Development Server and not when I publish to
    an IIS web server.

    Can someone let me know why this happens and if there's something I can do
    about it?

    Thanks
    Andrew

    Here's the web.config file:

    <system.web>
    <authentication mode="Forms">
    <forms name="ASPXSecurity" loginUrl="Login.aspx" protection="All" path="/"
    timeout="30" />
    </authentication>
    <authorization>
    <deny users="?" />
    </authorization>
    </system.web>
    J055, Mar 10, 2006
    #1
    1. Advertising

  2. Hi Andrew,

    Welcome to the ASPNET newsgroup.

    As for the ASP.NET 2.0/vs 2005 web application with Test web server, when
    using Forms Authentication, the problem you encountered does exists. So
    there is nothing incorrect in your application's code and configuration.
    Actually, the problem is specific to the .NET 2.0/vs 2005 TestWebServer,
    because the test webserver dosn't have filter or extension like IIS, all
    the requests to the web application(no matter for ASP.NET resources or
    static file resource) are processed by ASP.NET runtime, this cause those
    static files in our web application also be protected by
    formsauthentication(when developing in test server). Of course, when
    deploying in IIS server, the application won't suffer this issue. Is your
    web application currectly put those static resource (images , scripts ...)
    in a certain sub dir? If so, you can consider temporarly grant anonymous
    permission for those dirs in forms authorization setting at development
    time, that's won't voliate the security when deploying into IIS virtual
    dir.

    Thanks for your understanding.

    Regards,

    Steven Cheng
    Microsoft Online Support

    Get Secure! www.microsoft.com/security
    (This posting is provided "AS IS", with no warranties, and confers no
    rights.)
    Steven Cheng[MSFT], Mar 13, 2006
    #2
    1. Advertising

Want to reply to this thread or ask your own question?

It takes just 2 minutes to sign up (and it's free!). Just click the sign up button to choose a username and then you can ask your own questions on the forum.
Similar Threads
  1. Replies:
    1
    Views:
    412
  2. CSharpner
    Replies:
    0
    Views:
    996
    CSharpner
    Apr 9, 2007
  3. Dan
    Replies:
    4
    Views:
    550
  4. Replies:
    2
    Views:
    472
  5. SeanRW
    Replies:
    1
    Views:
    346
    Dominick Baier [DevelopMentor]
    May 25, 2006
Loading...

Share This Page