Tuesday, February 3, 2009

Forms Authentication Blocks Static Resources on Login Page - Images (.jpg, .gif, etc) & CSS

Hi,

 

This blog post explains how Forms Authentication blocks static resources on the login page: images (.jpg, .gif, etc.) and CSS.

 

Problem –

 

A website is most often secured with forms authentication by using the configuration below.

 

<authorization>
     <deny users="?"/>
</authorization>

 

· This tells ASP.NET to block all anonymous (non-logged-in) users from accessing the website, and instead redirect them to a login.aspx page.

· Because the above authorization directive is not scoped within a <location> element, it applies to all content on the site (except for the login.aspx page).

· The result: images and CSS do not work on the login.aspx page.

 

 

How to Fix This –

 

Fixing this is pretty easy. Just add a new authorization rule to your site's root web.config file that grants access to the stylesheet and/or other file resources that you want to allow anonymous access to. For example, the configuration section below denies anonymous access to all resources except stylesheet.css and the contents of ImagesDirectory:

 

<system.web>
   <authorization>
       <deny users="?"/>
   </authorization>
</system.web>

<location path="stylesheet.css">
    <system.web>
        <authorization>
            <allow users="*"/>
        </authorization>
    </system.web>
</location>

<location path="ImagesDirectory">
    <system.web>
        <authorization>
            <allow users="*"/>
        </authorization>
    </system.web>
</location>
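To confirm that the exceptions open only what you intend, the added example below (not part of the original post) evaluates the rules above for an anonymous request using a simplified first-match model. It assumes a `<configuration>` root, ignores `roles` and `verbs` attributes and the automatic login-page exemption, and the names `logo.gif` and `Default.aspx` are hypothetical.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the post's corrected rules wrapped in a <configuration> root.
SAMPLE = """<configuration>
  <system.web>
    <authorization><deny users="?"/></authorization>
  </system.web>
  <location path="stylesheet.css">
    <system.web><authorization><allow users="*"/></authorization></system.web>
  </location>
  <location path="ImagesDirectory">
    <system.web><authorization><allow users="*"/></authorization></system.web>
  </location>
</configuration>"""

def _rules(node):
    """Return [(action, [users...])] from node's system.web/authorization."""
    auth = node.find("system.web/authorization")
    if auth is None:
        return []
    return [(r.tag, [u.strip() for u in r.get("users", "").split(",")])
            for r in auth if r.tag in ("allow", "deny")]

def anonymous_allowed(config_xml, url_path):
    """Simplified model: True if an anonymous request for url_path passes."""
    root = ET.fromstring(config_xml)
    url = url_path.strip("/").lower()
    scoped = []
    for loc in root.findall("location"):
        path = loc.get("path", "").strip("/").lower()
        # A <location> covers the exact file, or everything below a folder.
        if path and (url == path or url.startswith(path + "/")):
            scoped.append((len(path), _rules(loc)))
    scoped.sort(key=lambda item: -item[0])       # most specific scope first
    rules = [r for _, rs in scoped for r in rs] + _rules(root)
    for action, users in rules:                  # first matching rule wins
        if "?" in users or "*" in users:         # rule covers anonymous users
            return action == "allow"
    return True  # no rule matched: the machine-level default is allow users="*"

if __name__ == "__main__":
    for p in ("stylesheet.css", "ImagesDirectory/logo.gif", "Default.aspx"):
        print(p, "->", "anonymous OK" if anonymous_allowed(SAMPLE, p) else "login required")
    # A misspelled path silently leaves the real file protected.
    typo = SAMPLE.replace("stylesheet.css", "stylsheet.css")
    print("typo case ->", anonymous_allowed(typo, "stylesheet.css"))
```

Run it against a copy of your own web.config to list which paths anonymous users can reach before deploying a new `<location>` exception.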

 

 

 

Hope this helps.

 

Arun Manglick

 
