I should add that you only need to do step 1:
1. Configure IIS so that .jpg, .gif, etc. files are mapped to the ASP.NET ISAPI extension
That will prevent the image files from being served without authorization.
Step 2 :
2. Configure ASP.NET so that *.xxx files are mapped to the HttpForbiddenHandler HTTP handler
....will prevent the files from being served, period.
You don't want to do step 2.
Juan T. Llibre, asp.net MVP
asp.net faq :
http://asp.net.do/faq/
foros de asp.net, en español :
http://asp.net.do/foros/
======================================
"Juan T. Llibre" <no***********@nowhere.comwrote in message news:OG**************@TK2MSFTNGP06.phx.gbl...
You need to map the image files' extensions to aspnet_isapi.dll.
Here's a primer on what you need to do :
http://aspnet.4guysfromrolla.com/articles/020404-1.aspx
Juan T. Llibre, asp.net MVP
asp.net faq : http://asp.net.do/faq/
foros de asp.net, en español : http://asp.net.do/foros/
======================================
"Jonathan Wood" <jw***@softcircuits.comwrote in message news:Od**************@TK2MSFTNGP04.phx.gbl...
>>I have a subfolder on my Website that contains images. It also contains the web.config file shown below.
When I access the site, I get the Login page as expected. But if I type in the URL of an image in the folder that
contains images, the image is displayed in the browser.
I don't understand why I am not prevented from seeing the contents of this folder since I have not been
authenticated. Does it have something to do with the fact that these resources are images? How would I prevent access
to this folder by users who are not logged in?
Thanks.
<?xml version="1.0" encoding="utf-8"?>
<configuration>
<system.web>
<authorization>
<allow roles="Client,Trainer,Admin" />
<deny users="*" />
</authorization>
</system.web>
</configuration>
Jonathan