Republished with Permission - Original Article
I've helped two people with a problem related to this
recently on the ASP.NET Forums,
so I thought it might make sense to put out a quick blog post explaining it to
others. Specifically, they were building a secure website using forms-authentication.
They added the below authorization rule within their web.config file:
Listing 1
<authorization>
<deny users="?"/>
</authorization>
This tells ASP.NET to block all anonymous (non logged-in)
users from accessing the content of the web-site, and instead redirect them to
a login.aspx page for them to enter their username+password to login.
Because the above authorization directive is not scoped within a
<location> element, it applies to all content on the site (except for the
login.aspx page).
The issue I've seen folks run into is that they are finding
that static images (.jpg, .gif, etc) as well as CSS stylesheets aren't working
on their login.aspx page - and they don't understand why.