Solved

Forms Authentication not protecting html files

Posted on 2014-09-30
4
309 Views
Last Modified: 2014-09-30
Hi Experts I have a sub folder with .aspx and .html files. I have Forms Authentication set up in such a way to allow access to the entire site but restrict access to an admin folder. I have noticed that navigating to the full path of an HTML file inside the admin folder allows me access however all .aspx files operate as expected i.e. redirect to login page if user is not authenticated. Any ideas?

Root web.config is as follows;

    <authentication mode="Forms">
      <forms name="appNameAuth" loginUrl="login.aspx" timeout="30" defaultUrl="~/Admin/Tools.aspx">
      </forms>
    </authentication>
    <authorization>
      <allow users="*" />
    </authorization>

  </system.web>

  <location path="Admin">
    <system.web>
      <authorization>
        <deny users="?"/>
      </authorization>
    </system.web>
  </location>

Open in new window

0
Comment
Question by:takwirirar
  • 2
  • 2
4 Comments
 
LVL 26

Expert Comment

by:Shaun Kline
ID: 40352199
Change the extension of the pages to .aspx. ASPX pages are handled through an add-on in IIS, while HTML pages are handled directly by IIS.
0
 
LVL 1

Author Comment

by:takwirirar
ID: 40352229
Hi Shaun, thanks for that, what would happen then if I had other file types to be protected that I could not change to .aspx without breaking they way they work e.g. a .PDF file?
0
 
LVL 26

Accepted Solution

by:
Shaun Kline earned 500 total points
ID: 40352370
One suggestion is to add the following to the system.webserver section of your web.config file:
<modules runAllManagedModulesForAllRequests="false">
      <remove name="FormsAuthenticationModule" />
      <add name="FormsAuthenticationModule" type="System.Web.Security.FormsAuthenticationModule" />
      <remove name="UrlAuthorization" />
      <add name="UrlAuthorization" type="System.Web.Security.UrlAuthorizationModule"  />
      <remove name="RoleManager" />
      <add name="RoleManager" type="System.Web.Security.RoleManagerModule" />
      <remove name="DefaultAuthentication" />
      <add name="DefaultAuthentication" type="System.Web.Security.DefaultAuthenticationModule" />
</modules>

Open in new window


The first module handles the forms authentication that you are already doing. The second module handles URL authentication (Microsoft website.
The third module handles role authentication, if you are using it.
The fourth module verifies that the user has been authenticated.
0
 
LVL 1

Author Closing Comment

by:takwirirar
ID: 40352439
Wow!!!
0

Featured Post

Free Tool: Postgres Monitoring System

A PHP and Perl based system to collect and display usage statistics from PostgreSQL databases.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Lots of people ask this question on how to extend the “MembershipProvider” to make use of custom authentication like using existing database or make use of some other way of authentication. Many blogs show you how to extend the membership provider c…
International Data Corporation (IDC) prognosticates that before the current the year gets over disbursing on IT framework products to be sent in cloud environs will be $37.1B.
Established in 1997, Technology Architects has become one of the most reputable technology solutions companies in the country. TA have been providing businesses with cost effective state-of-the-art solutions and unparalleled service that is designed…
The Email Laundry PDF encryption service allows companies to send confidential encrypted  emails to anybody. The PDF document can also contain attachments that are embedded in the encrypted PDF. The password is randomly generated by The Email Laundr…

840 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question