Solved

Forms Authentication not protecting html files

Posted on 2014-09-30
4
327 Views
Last Modified: 2014-09-30
Hi Experts I have a sub folder with .aspx and .html files. I have Forms Authentication set up in such a way to allow access to the entire site but restrict access to an admin folder. I have noticed that navigating to the full path of an HTML file inside the admin folder allows me access however all .aspx files operate as expected i.e. redirect to login page if user is not authenticated. Any ideas?

Root web.config is as follows;

    <authentication mode="Forms">
      <forms name="appNameAuth" loginUrl="login.aspx" timeout="30" defaultUrl="~/Admin/Tools.aspx">
      </forms>
    </authentication>
    <authorization>
      <allow users="*" />
    </authorization>

  </system.web>

  <location path="Admin">
    <system.web>
      <authorization>
        <deny users="?"/>
      </authorization>
    </system.web>
  </location>

Open in new window

0
Comment
Question by:takwirirar
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
  • 2
4 Comments
 
LVL 26

Expert Comment

by:Shaun Kline
ID: 40352199
Change the extension of the pages to .aspx. ASPX pages are handled through an add-on in IIS, while HTML pages are handled directly by IIS.
0
 
LVL 1

Author Comment

by:takwirirar
ID: 40352229
Hi Shaun, thanks for that, what would happen then if I had other file types to be protected that I could not change to .aspx without breaking they way they work e.g. a .PDF file?
0
 
LVL 26

Accepted Solution

by:
Shaun Kline earned 500 total points
ID: 40352370
One suggestion is to add the following to the system.webserver section of your web.config file:
<modules runAllManagedModulesForAllRequests="false">
      <remove name="FormsAuthenticationModule" />
      <add name="FormsAuthenticationModule" type="System.Web.Security.FormsAuthenticationModule" />
      <remove name="UrlAuthorization" />
      <add name="UrlAuthorization" type="System.Web.Security.UrlAuthorizationModule"  />
      <remove name="RoleManager" />
      <add name="RoleManager" type="System.Web.Security.RoleManagerModule" />
      <remove name="DefaultAuthentication" />
      <add name="DefaultAuthentication" type="System.Web.Security.DefaultAuthenticationModule" />
</modules>

Open in new window


The first module handles the forms authentication that you are already doing. The second module handles URL authentication (Microsoft website.
The third module handles role authentication, if you are using it.
The fourth module verifies that the user has been authenticated.
0
 
LVL 1

Author Closing Comment

by:takwirirar
ID: 40352439
Wow!!!
0

Featured Post

Technology Partners: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

I have developed many web applications with asp & asp.net and to add and use a dropdownlist was always a very simple task, but with the new asp.net, setting the value is a bit tricky and its not similar to the old traditional method. So in this a…
This article discusses the ASP.NET AJAX ModalPopupExtender control. In this article we will show how to use the ModalPopupExtender control, how to display/show/call the ASP.NET AJAX ModalPopupExtender control from javascript, how to show/display/cal…
Michael from AdRem Software outlines event notifications and Automatic Corrective Actions in network monitoring. Automatic Corrective Actions are scripts, which can automatically run upon discovery of a certain undesirable condition in your network.…
This is my first video review of Microsoft Bookings, I will be doing a part two with a bit more information, but wanted to get this out to you folks.

728 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question