0

In my web.config I have this authentication setting:

<authentication mode="Forms">
    <forms loginUrl="login.aspx" name="signin" path="/" protection="All" timeout="525600">
    </forms>
</authentication>
<authorization>
    <deny users="?"/>
</authorization>

For some reason, if I comment it out I can see my website just perfectly with all the assets (js, css, images), but if I uncomment it, none of the assets can be reached; instead it just redirects to the login page.

anthonypliu
  • 12,179
  • 28
  • 92
  • 154

4 Answers

2

Here is a nice in-depth article for you. Basically, it says you can configure this in your web.config by adding <location> blocks like so:

<configuration>
    <!-- file level access -->
    <location path="default1.aspx">
        <system.web>
            <authorization>
                <allow users="*" />
            </authorization>
        </system.web>
    </location>
    <!-- folder access (and its contents) -->
    <location path="subdir1">
        <system.web>
            <authorization>
                <allow users="*" />
            </authorization>
        </system.web>
    </location>
</configuration>

From this KB article and a bit more info here.

Muad'Dib
  • 28,542
  • 5
  • 55
  • 68
1

Use Location element.

   <location path="~/css">
      <system.web>
         <authorization>
            <allow users="?"/>
         </authorization>
      </system.web>
   </location>
KV Prajapati
  • 93,659
  • 19
  • 148
  • 186
  • It seems like you're just providing a sample but wouldn't it be better with * instead of ? to provide some help? – Asken Oct 19 '11 at 08:26
0

Looks like assets are served via ASP.NET pipeline. Check the following topic:

Prevent IIS from serving static files through ASP.NET pipeline

Community
  • 1
  • 1
Artem Koshelev
  • 10,548
  • 4
  • 36
  • 68
0

The

    deny users="?"

is saying that no unauthenticated users can access the site at the root and it will redirect to the login page. I normally always keep the root (/) public (allow users="*") and have protected folders set up using the location. That will keep images, css and script folders under the root available for public access.

This should probably work for you if you can move your protected pages into another folder easily:

<configuration>
    <system.web>
        <authentication mode="Forms">
            <forms loginUrl="login.aspx" name="signin" path="/" protection="All" timeout="525600">
            </forms>
        </authentication>
        <authorization>
            <allow users="*"/>
        </authorization>
    </system.web>

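    <!-- authorization must sit inside system.web, also within a location block -->
    <location path="protected">
        <system.web>
            <authorization>
                <deny users="?" />
            </authorization>
        </system.web>
    </location>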
</configuration>
Asken
  • 7,679
  • 10
  • 45
  • 77
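
The answers above rely on how ASP.NET evaluates authorization rules: rules in the most specific `<location>` are checked before the root's, and the first match wins. The following is an added example, not part of the original thread: a small Python model that reads a web.config and reports whether an anonymous request to a path would be allowed. The sample config and the `css` folder are constructed; roles, verbs and the automatic exemption of the login page are not modelled.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the question's root rule plus a hypothetical "css" exemption.
SAMPLE = """<configuration>
  <system.web>
    <authorization><deny users="?"/></authorization>
  </system.web>
  <location path="css">
    <system.web>
      <authorization><allow users="*"/></authorization>
    </system.web>
  </location>
</configuration>"""

def load_rules(xml_text):
    """Map location path ('' = site root) -> ordered [(action, users)] rules."""
    root = ET.fromstring(xml_text)
    scopes = [("", root)] + [(loc.get("path", "").strip("/").lower(), loc)
                             for loc in root.findall("location")]
    rules = {}
    for path, node in scopes:
        auth = node.find("system.web/authorization")
        if auth is not None:  # authorization outside system.web is not picked up
            rules[path] = [(r.tag, r.get("users", "").split(","))
                           for r in auth if r.tag in ("allow", "deny")]
    return rules

def anonymous_allowed(rules, url_path):
    """First matching rule wins; the most specific scope is consulted first."""
    parts = url_path.strip("/").lower().split("/")
    # Candidate scopes from deepest ("css/site.css") up to the root ("").
    scopes = ["/".join(parts[:i]) for i in range(len(parts), -1, -1)]
    for scope in scopes:
        for action, users in rules.get(scope, []):
            # Only "?" (anonymous) and "*" (everyone) match an anonymous request.
            if any(u.strip() in ("?", "*") for u in users):
                return action == "allow"
    return True  # machine-level default: <allow users="*"/>

if __name__ == "__main__":
    rules = load_rules(SAMPLE)
    for path in ("/css/site.css", "/js/app.js", "/default.aspx"):
        verdict = "allowed" if anonymous_allowed(rules, path) else "redirected to login"
        print(f"{path}: {verdict}")
```

Running it against a real web.config before deployment shows which folders are actually reachable without signing in, so an overly broad `<allow users="*"/>` is caught early.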