
Forms authentication + roles + non-aspx files

Hey guys/gals,

I have successfully implemented forms authentication on my site:

    <authentication mode="Forms">
        <forms loginUrl="/Members/Login.aspx" timeout="20" defaultUrl="/Members/Welcome.aspx" protection="All" requireSSL="false" path="/" />
    </authentication>

Now I would like to restrict certain subfolders within /Members by Role. I have the following roles for testing:
  • Media
  • Admin

... I have made the following entry in my web.config to test denying all access to the /Members/Media subfolder:

    <location path="Members/Media" >
        <system.web>
            <authorization>
                <deny users="*"></deny>
            </authorization>
        </system.web>
    </location>

... I have then made a Default.aspx and a Test.txt within the /Members/Media directory.

The user I am logging in as does NOT have the role of "Media".

To test, I navigate to http://www.somesite.com/Members/Media/Default.aspx and http://www.somesite.com/Members/Media/Test.txt and in both cases forms authentication properly routed me to the login page.

I then proceed to authenticate as the user without the Media role then try to access the resources in /Members/Media.

I am properly denied from accessing Default.aspx, but I can successfully get to Test.txt.

To test further, I placed a GIF into the /Members/Media and am able to access that as well.

I guess my question is, does Role based authorization only apply to requests for ASPX files and not requests for non-ASPX files such as txt, pdf, gif, etc... or have I totally screwed something up along the way?

If Role based authorization does only work with ASPX files, should I write an HTTPModule to authorize the requests for non-ASPX files?

Thanks a million!
Andrew
Dec 23 '08 #1
1 Reply


kenobewan
Here is an article that may help:
Protecting Files with ASP.NET
Dec 24 '08 #2
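
An added example, not part of the original thread or the linked article: one way to make the `<authorization>` rules cover static files such as Test.txt or a GIF. It assumes the site runs on IIS 7 or later in integrated pipeline mode (the thread does not say which server is used), where the ASP.NET authentication and authorization modules are registered by default with preCondition="managedHandler" and therefore skip requests served by the static file handler.

```xml
<configuration>
  <system.webServer>
    <modules>
      <!-- Re-register each managed security module WITHOUT
           preCondition="managedHandler" so it runs for every request,
           including .txt, .gif and .pdf files. -->
      <remove name="FormsAuthentication" />
      <add name="FormsAuthentication"
           type="System.Web.Security.FormsAuthenticationModule" />

      <remove name="DefaultAuthentication" />
      <add name="DefaultAuthentication"
           type="System.Web.Security.DefaultAuthenticationModule" />

      <!-- Only needed when roles come from the ASP.NET role manager
           (assumption: the thread does not say how roles are assigned). -->
      <remove name="RoleManager" />
      <add name="RoleManager"
           type="System.Web.Security.RoleManagerModule" />

      <!-- This module evaluates the <authorization> rules below. -->
      <remove name="UrlAuthorization" />
      <add name="UrlAuthorization"
           type="System.Web.Security.UrlAuthorizationModule" />
    </modules>
  </system.webServer>

  <!-- Role rule for the folder from the question: rules are evaluated
       top to bottom, so members of Media are allowed and everyone else,
       authenticated or not, is denied. -->
  <location path="Members/Media">
    <system.web>
      <authorization>
        <allow roles="Media" />
        <deny users="*" />
      </authorization>
    </system.web>
  </location>
</configuration>
```

To check the result, request the text file and the GIF while signed in as a user without the Media role; both should now be refused in the same way as Default.aspx.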
