Authorization Confusion


J

Jonathan Wood

I have a subfolder on my Website that contains images. It also contains the
web.config file shown below.

When I access the site, I get the Login page as expected. But if I type in
the URL of an image in the folder that contains images, the image is
displayed in the browser.

I don't understand why I am not prevented from seeing the contents of this
folder since I have not been authenticated. Does it have something to do
with the fact that these resources are images? How would I prevent access to
this folder by users who are not logged in?

Thanks.

<?xml version="1.0" encoding="utf-8"?>
<configuration>
<system.web>
<authorization>
<allow roles="Client,Trainer,Admin" />
<deny users="*" />
</authorization>
</system.web>
</configuration>

Jonathan
 
Ad

Advertisements

J

Juan T. Llibre

I should add that you only need to do step 1:

1. Configure IIS so that .jpg, .gif, etc. files are mapped to the ASP.NET ISAPI extension

That will prevent the image files from being served without authorization.

Step 2 :

2. Configure ASP.NET so that *.xxx files are mapped to the HttpForbiddenHandler HTTP handler

....will prevent the files from being served, period.
You don't want to do step 2.
 
Ad

Advertisements

J

Jonathan Wood

Soooo... It defaults to making resources not specified available to anyone
regardless of the allow/deny settings...

I thought ASP.NET usually defaulted to being secure.

Thanks for the info!

Jonathan
 

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments. After that, you can post your question and our members will help you out.

Ask a Question

Top