I have successfully implemented forms authentication on my site:
    <authentication mode="Forms">
      <forms loginUrl="/Members/Login.aspx" timeout="20" defaultUrl="/Members/Welcome.aspx" protection="All" requireSSL="false" path="/" />
    </authentication>
- Media
- Admin
... I have made the following entry in my web.config to test denying all access to the /Members/Media subfolder:
    <location path="Members/Media">
      <system.web>
        <authorization>
          <deny users="*"></deny>
        </authorization>
      </system.web>
    </location>
The user I am logging in as does NOT have the role of "Media".
To test, I navigate to http://www.somesite.com/Members/Media/Default.aspx and http://www.somesite.com/Members/Media/Test.txt and in both cases forms authentication properly routed me to the login page.
I then proceed to authenticate as the user without the Media role, then try to access the resources in /Members/Media.
I am properly denied from accessing Default.aspx, but I can successfully get to Test.txt.
To test further, I placed a GIF into the /Members/Media and am able to access that as well.
I guess my question is, does role-based authorization only apply to requests for ASPX files and not requests for non-ASPX files such as txt, pdf, gif, etc., or have I totally screwed something up along the way?
If role-based authorization does only work with ASPX files, should I write an HTTPModule to authorize the requests for non-ASPX files?
Thanks a million!
Andrew
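
Added example, not part of the post above: on IIS 7 or later in integrated pipeline mode, the ASP.NET authentication and authorization modules are registered with preCondition="managedHandler" and therefore skip static files such as .txt and .gif; re-registering them without that precondition makes the <authorization> rules apply to every request. The IIS version, the pipeline mode and the final allow rule for the Media role are assumptions, since the post does not state them.

```xml
<configuration>
  <system.webServer>
    <modules>
      <!-- Re-register the managed security modules with an empty
           preCondition so they also run for requests that are not
           mapped to a managed handler (static files). -->
      <remove name="FormsAuthentication" />
      <add name="FormsAuthentication"
           type="System.Web.Security.FormsAuthenticationModule"
           preCondition="" />
      <remove name="RoleManager" />
      <add name="RoleManager"
           type="System.Web.Security.RoleManagerModule"
           preCondition="" />
      <remove name="UrlAuthorization" />
      <add name="UrlAuthorization"
           type="System.Web.Security.UrlAuthorizationModule"
           preCondition="" />
      <remove name="DefaultAuthentication" />
      <add name="DefaultAuthentication"
           type="System.Web.Security.DefaultAuthenticationModule"
           preCondition="" />
    </modules>
  </system.webServer>

  <!-- Assumed end state: only members of the Media role may read
       anything under /Members/Media, whatever the file type. Rules are
       evaluated top to bottom, so the allow must precede the deny. -->
  <location path="Members/Media">
    <system.web>
      <authorization>
        <allow roles="Media" />
        <deny users="*" />
      </authorization>
    </system.web>
  </location>
</configuration>
```

On IIS 6, or IIS 7 in classic mode, static extensions are served by IIS itself unless they are mapped to the ASP.NET ISAPI extension, so this fragment has no effect there.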