Authorization Confusion

Jonathan Wood

I have a subfolder on my Website that contains images. It also contains the
web.config file shown below.

When I access the site, I get the Login page as expected. But if I type in
the URL of an image in the folder that contains images, the image is
displayed in the browser.

I don't understand why I am not prevented from seeing the contents of this
folder since I have not been authenticated. Does it have something to do
with the fact that these resources are images? How would I prevent access to
this folder by users who are not logged in?

Thanks.

<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <system.web>
    <authorization>
      <allow roles="Client,Trainer,Admin" />
      <deny users="*" />
    </authorization>
  </system.web>
</configuration>

Jonathan
 
Juan T. Llibre

I should add that you only need to do step 1:

1. Configure IIS so that .jpg, .gif, etc. files are mapped to the ASP.NET ISAPI extension

That will prevent the image files from being served without authorization.

Step 2:

2. Configure ASP.NET so that *.xxx files are mapped to the HttpForbiddenHandler HTTP handler

...will prevent the files from being served, period.
You don't want to do step 2.
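
Added example (not part of the thread, and not either poster's configuration): on IIS 7 or later with an integrated-pipeline application pool, which is an assumption since the thread describes the ISAPI-mapping approach, the effect of step 1 comes from letting the ASP.NET authentication and authorization modules run for every request instead of only for managed handlers. The folder name `images` and the use of the site's root web.config are assumptions; the role names are taken from the original post.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- Root web.config of the application (assumed location).
     Assumes IIS 7+ integrated pipeline and Forms authentication
     already configured elsewhere in this file. -->
<configuration>

  <!-- Same rules as the original post, scoped to the image folder.
       "images" is a placeholder for the real subfolder name. -->
  <location path="images">
    <system.web>
      <authorization>
        <allow roles="Client,Trainer,Admin" />
        <deny users="*" />
      </authorization>
    </system.web>
  </location>

  <system.webServer>
    <modules>
      <!-- By default these modules are registered with
           preCondition="managedHandler", so they are skipped for
           static files such as .jpg and .gif, and the rules above
           are never evaluated for them. Re-adding each module with
           an empty preCondition makes it run for every request. -->
      <remove name="FormsAuthentication" />
      <add name="FormsAuthentication"
           type="System.Web.Security.FormsAuthenticationModule"
           preCondition="" />

      <!-- Only relevant if roles come from the ASP.NET role manager. -->
      <remove name="RoleManager" />
      <add name="RoleManager"
           type="System.Web.Security.RoleManagerModule"
           preCondition="" />

      <remove name="UrlAuthorization" />
      <add name="UrlAuthorization"
           type="System.Web.Security.UrlAuthorizationModule"
           preCondition="" />

      <remove name="DefaultAuthentication" />
      <add name="DefaultAuthentication"
           type="System.Web.Security.DefaultAuthenticationModule"
           preCondition="" />
    </modules>
  </system.webServer>
</configuration>
```

To check the result, request an image URL from a signed-out browser session: the response should be a redirect to the login page rather than the image.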
 
Jonathan Wood

Soooo... It defaults to making resources not specified available to anyone
regardless of the allow/deny settings...

I thought ASP.NET usually defaulted to being secure.

Thanks for the info!

Jonathan
 
