Authorization Confusion


Jonathan Wood

I have a subfolder on my Website that contains images. It also contains the
web.config file shown below.

When I access the site, I get the Login page as expected. But if I type in
the URL of an image in the folder that contains images, the image is
displayed in the browser.

I don't understand why I am not prevented from seeing the contents of this
folder since I have not been authenticated. Does it have something to do
with the fact that these resources are images? How would I prevent access to
this folder by users who are not logged in?


<?xml version="1.0" encoding="utf-8"?>
<allow roles="Client,Trainer,Admin" />
<deny users="*" />




Juan T. Llibre

I should add that you only need to do step 1:

1. Configure IIS so that .jpg, .gif, etc. files are mapped to the ASP.NET ISAPI extension

That will prevent the image files from being served without authorization.

Step 2 :

2. Configure ASP.NET so that *.xxx files are mapped to the HttpForbiddenHandler HTTP handler

....will prevent the files from being served, period.
You don't want to do step 2.



Jonathan Wood

Soooo... It defaults to making resources not specified available to anyone
regardless of the allow/deny settings...

I thought ASP.NET usually defaulted to being secure.

Thanks for the info!


Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments. After that, you can post your question and our members will help you out.

Ask a Question