Authorization with the built-in VS 2005 Web Server (aka Cassini)
 
Published: 31 Jan 2006
Abstract
This article explains how to configure authorization when running a site on Cassini, the web server built into Visual Studio 2005.
by Scott Guthrie

Introduction

Republished with Permission - Original Article

I've helped two people with a problem related to this recently on the ASP.NET Forums, so I thought it might make sense to put out a quick blog post explaining it to others.  Specifically, they were building a secure website using forms-authentication.  They added the below authorization rule within their web.config file:

Listing 1

<authorization>
  <deny users="?"/>
</authorization> 

This tells ASP.NET to block all anonymous (not logged-in) users from accessing the content of the web-site, and instead redirect them to a login.aspx page where they enter their username and password to log in. Because the above authorization directive is not scoped within a <location> element, it applies to all content on the site (except for the login.aspx page).

The issue I've seen folks run into is that they are finding that static images (.jpg, .gif, etc) as well as CSS stylesheets aren't working on their login.aspx page - and they don't understand why.

Why is this happening?

This happens because they are running the web-site using the built-in VS 2005 Web Server (aka Cassini), which processes all requests (including static files) through ASP.NET. This means that authorization rules apply to all URL resources, not just dynamic ones (by default in IIS, static files don't have the above authorization rules applied). Because there is a directive to block all resources if the user is anonymous, the built-in web-server does not allow a user who isn't logged in to retrieve the images or stylesheet referenced by the login.aspx page.

How to Fix This

Fixing this is pretty easy. Just add a new authorization rule to your site's root web.config file that grants access to the stylesheet and/or other file resources that you want to allow anonymous access to. For example, the below configuration section denies anonymous users access to all resources except stylesheet.css:

Listing 2

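<configuration>
  <!-- Site-wide rule: deny all anonymous ("?") users -->
  <system.web>
    <authorization>
      <deny users="?"/>
    </authorization>
  </system.web>
  <!-- Exception: allow everyone ("*") to fetch the stylesheet -->
  <location path="stylesheet.css">
    <system.web>
      <authorization>
        <allow users="*"/>
      </authorization>
    </system.web>
  </location>
</configuration>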

Alternatively, if you have a directory with a lot of static files in it, you can just add a web.config file at the root of that directory containing an authorization rule like the one above that allows access to everything in it.
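
The directory-level alternative described above, as an added example that is not part of the original article. The folder name Images is an assumption; the file is saved inside that folder, not at the site root.

```xml
<?xml version="1.0"?>
<!-- ~/Images/web.config  (the folder name "Images" is an assumed example) -->
<configuration>
  <system.web>
    <authorization>
      <!-- Rules in this file are evaluated before the rules inherited from
           the root web.config, and the first matching rule wins, so this
           allow takes effect ahead of the root <deny users="?"/>. -->
      <allow users="*"/>
    </authorization>
  </system.web>
</configuration>
```

Everything under this folder becomes readable without logging in, so keep only public assets such as images and stylesheets in it.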

Hope this helps,

Scott
