If you are trying to show images in IIS 7.5, did you notice that there are two ways (the first is here) to use the <location> tag? It is confusing even for me.
Anyway this might be helpful if you are using IIS 7.5.
The sample below works for an MVC application targeting .NET 4.5. It shows a folder to one group and hides it from another.
<configuration>
<system.web>
<!-- allow only windows users to use app (no anonymous will access it)-->
<authentication mode="Windows" />
<authorization>
<deny users="?" />
</authorization>
</system.web>
<!-- main security, allowing only groups: Clowns and Nerds -->
<system.webServer>
<validation validateIntegratedModeConfiguration="false" />
<security>
<authorization>
<remove users="*" roles="" verbs="" />
<add accessType="Allow" roles="Domain\Clowns" />
<add accessType="Allow" roles="Domain\Nerds" />
</authorization>
</security>
<defaultDocument enabled="false" />
</system.webServer>
<!-- Here we show /images_for_clowns folder ONLY to Clowns group -->
<location path="images_for_clowns" inheritInChildApplications="false">
<system.webServer>
<validation validateIntegratedModeConfiguration="false" />
<security>
<authorization>
<clear />
<remove users="*" roles="" verbs="" />
<add accessType="Allow" roles="Domain\Clowns" />
</authorization>
</security>
<defaultDocument enabled="false" />
</system.webServer>
</location>
<!-- Here we show /images_for_nerds folder ONLY to Nerds group -->
<location path="images_for_nerds" inheritInChildApplications="false">
<system.webServer>
<validation validateIntegratedModeConfiguration="false" />
<security>
<authorization>
<clear />
<remove users="*" roles="" verbs="" />
<add accessType="Allow" roles="Domain\Nerds" />
</authorization>
</security>
<defaultDocument enabled="false" />
</system.webServer>
</location>
</configuration>
Maybe another trick would be using
<location path=".">
<system.webServer>...
in order to set the root folder permissions! Hopefully this can help more people.
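To see why each <location> block above carries its own <clear />, here is an added example (not part of the original post) that replays the authorization rules in order and reports who ends up allowed per folder. It assumes the stock IIS server default of Allow users="*", treats every <location> as inheriting straight from the site root, and uses a hypothetical images_no_clear folder as the counter-example.

```python
import xml.etree.ElementTree as ET

AUTHZ = "system.webServer/security/authorization"
# Assumption: stock IIS server-level default (Allow every user), inherited by the site.
SERVER_DEFAULT = [("Allow", "*", "")]
# Constructed sample: trimmed config from above + hypothetical folder without <clear />.
SAMPLE = r"""<configuration>
  <system.webServer><security><authorization>
    <remove users="*" roles="" verbs="" />
    <add accessType="Allow" roles="Domain\Clowns" />
    <add accessType="Allow" roles="Domain\Nerds" />
  </authorization></security></system.webServer>
  <location path="images_for_clowns"><system.webServer><security><authorization>
    <clear />
    <remove users="*" roles="" verbs="" />
    <add accessType="Allow" roles="Domain\Clowns" />
  </authorization></security></system.webServer></location>
  <location path="images_no_clear"><system.webServer><security><authorization>
    <add accessType="Allow" roles="Domain\Nerds" />
  </authorization></security></system.webServer></location>
</configuration>"""

def apply_rules(inherited, section):
    """Replay <clear/>, <remove/>, <add/> in order; removing a missing rule is a no-op."""
    rules = list(inherited)
    for el in (section if section is not None else []):
        users, roles = el.get("users", ""), el.get("roles", "")
        if el.tag == "clear":
            rules = []
        elif el.tag == "remove":
            rules = [r for r in rules if (r[1], r[2]) != (users, roles)]
        elif el.tag == "add":
            rules.append((el.get("accessType"), users, roles))
    return rules

def effective_allows(config_xml):
    """Map each scope ('.' = site root) to the principals that hold an Allow rule."""
    root = ET.fromstring(config_xml)
    site = apply_rules(SERVER_DEFAULT, root.find(AUTHZ))
    scopes = {".": site}
    for loc in root.findall("location"):
        # Simplification: each <location> inherits directly from the site root.
        scopes[loc.get("path")] = apply_rules(site, loc.find(AUTHZ))
    return {scope: {u or r for a, u, r in rules if a == "Allow"}
            for scope, rules in scopes.items()}

if __name__ == "__main__":
    for scope, who in effective_allows(SAMPLE).items():
        print(f"{scope:20} allow -> {sorted(who)}")
```

The images_no_clear folder still lists Domain\Clowns because the root-level Allow rules are inherited until a <clear /> (or a matching <remove />) drops them.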