Develop Reference

Does web.config authorization work on files other than aspx?

I have ASP.NET application with forms authentication. It works well but I have one directory with olly .txt files (no aspx files) that I want users not to access (or only logged in users).
I added web.config to this directory:
<system.web>
<authorization>
<deny users="?" />
</authorization>
</system.web>
EDIT:
This works only for .aspx files. It does not work for .txt files and similar. Users cannot browse this directory nor subdirectories however knowing .txt file name they can access it.
I tries IIS6 and IIS 7.5. On IIS6 .txt files are also restricted but on IIS 7.5 not so it may be IIS configuration issue.

Your question depends on the web server you are using. ASP.NET authorization works only with file types that are handled by ASP.NET. If you have IIS 5 or 6, this is normally not true for .txt files or even for .jpg, .gif and pure .html files, but only for aspx, asmx etc.
No problem if you have IIS7 and integrated mode, because ASP.NET is integrated and will be called for every type of file. So if you have IIS5 or 6 you have to register the mime types such as the aspnet.isapi is called for .txt files as well.
UPDATE:
The configuration of
<deny users="*">
locks out all users. It would work only in combination with allow, e.g.
<allow roles="administrators" />
<deny users="*">
like this all users but administrators will be locked out. If a user is authenticated but not adminstrator, he will be redirected to the login page.
The other option is to lock out anonymous users only:
<deny users="?">

Add location section to the web.config with appropriate settings location Element (ASP.NET Settings Schema)

If you use IIS 7+, then you can use the system.webServer/security/authorization http://www.iis.net/ConfigReference/system.webServer/security/authorization section, and have that automatically work for any kind of content in any pipeline mode.
IF you still want to use system.web seciton, then you will need to use Integreated Mode and do the changes that are mentioned in the modules to run for all content, but by far, the simplest is use system.webServer/security/authorization instead.

Unauthenticated users can't see images in website

When I run my website through debug mode in visual studio everything looks great and all the images on the page show up fine. But once I deploy my website to an IIS7 web server (doubt that other versions would make any difference, but you never know) then users can't see the images on the site until they log in.
The website is an asp.net MVC site and I'm new to MVC, though I do have lots of experience with asp.net forms. It seems that only authenticated users are allowed to access the images folder, and there is an authorization section in my web.config saying that only admins can access the site, so how do I make it so that all users, authenticated or otherwise can view the images?
-- Update --
I tried putting in the configuration block suggested, which from everything I can tell makes perfect sense, but it didn't seem to make a difference. The sample below has Content/Images for the path but before that I tried just Content, since it's OK for everything in there to be accessible. I also tried setting the allowOverride setting to false, which also didn't seem to make a difference.
<location path="Content/Images">
<system.web>
<authorization>
<allow users ="*" />
</authorization>
</system.web>
</location>
--Update 2--
Funny thing is that I don't even see any explicit deny entries in my web.config, just an allow for admin's, and when I went into IIS 7 and used the UI to allow all users access to the Content directory it didn't show any deny's on the list either. But then again, this project works fine when I just debug it from my personal computer, it's only after I deploy it that I have problems...
<authorization>
<allow roles="admin" />
</authorization>
<authentication mode="Forms">
<forms loginUrl="~/Account/LogOn" timeout="2880" />
</authentication>

In your web.config file, after the </system.web> tag, add the following
<location path="images">
<system.web>
<authorization>
<allow users ="*" />
</authorization>
</system.web>
</location>
where path="images" is the name of the folder with your images/css.
Update:
If you're using ASP.NET MVC, I would remove the authorization declaration in the web.config file and use the [Authorize] attribute on the controllers that need to be locked down.
You can also specify the roles you want to grant access to using [Authorize("admin")].

By default, the configuration you define in a Web.config file, applies to every subdirectory of its containing folder. If you have a Web.config in the application root, that configuration will propagate to every subdirectory, including those where you have images and Css style sheets. So, if you have in your root Web.config a rule like this one:
<system.web>
...
<authorization>
<deny users="?"/>
</authorization>
...
</system.web>
anonymous users will not be able to access the resources needed to display the page like you would expect it.
To fix it, you need to include another Web.config in every subdirectory that has presentation resources, and apply the rules you want to override. In your case, this should do the work:
<?xml version="1.0"?>
<configuration>
<system.web>
<authorization>
<allow users="*"/>
</authorization>
</system.web>
</configuration>
If you are using Themes, place a single Web.config file in the theme folder.

Just ran into the same problem. We noticed it on our Login page. The CSS and images weren't loading (they were under the content directory). Adding IUSR to the folder with Read privileges fixed it for us.

Old question but I came across the same problem and found the answer.
I had created a new folder for the Membership pages that I wanted logged-in users to have access to, but the images wouldn't show up in them!
It turns out that no matter what I tried I couldn't set a relative path to the images from within the Members folder.
The problem was the html image (as far as I could tell anyway, correct me if I'm wrong).
I swapped it out for an asp:image with a relative path and now it works great.
My new code: asp:image runat="server" id="Logo" ImageUrl="~/Images/logo.jpg"
Notice the ' ~/ ', that wouldn't work for me with
I tried: img src="../Images/logo.jpg", img src="~/Images/logo.jpg", img src="/Images/logo.jpg", etc. to no avail.
Hope this answer helps someone solve this problem more quickly in the future.

Try browsing the image file directly and see if that comes up for an anonymous user. In IIS 7, there is a way in which you can authorize anonymous users directly from your UI [which in turn would create the web.config if it doesn't exist].
Folder -> .NET Authorization Rules -> Add Allow Rule

Are you using membership framework. I suspect that you have misconfigured your permission settings in web.config and your images folder is only allowing authorised requests. This can be easily change via web.config. Just remove the folder name from your authorised section and this should solve the problem.
For your reference this should be the section in web.config if you are using membership framework :
<authorization>
<deny roles="xyz" />
</authorization>

We came across the same problem in our project and found a solution, although we are not sure about the reasons of this behaviours.
We had a similar scenario, with a folder containing all our png images. Our marketing colleague wanted to rename some of them, so to make it easier for her, we shared (this might be the key) that folder, granting read/writer rights to her.
From this point, the images started behaving as you describe, requiring authorization for being accessed. No unauthorized user could see them any more.
We realized that the problem was related to sharing the folder because it started happening at that point of time. Otherwise we still don't see any relationship among ASP.NET MVP user authorization/login and hard disk user rights. We could have expected an IO Exception or something similar, but not this behaviour.
After checking the folder, and comparing with other folders, we realized that after sharing, the permissions on the folder had slightly changed. Mainly they did not inherit from its parent folder anymore and some permissions such as CREATOR OWNER and MACHINE_NAME\Users had dissapeared (although IUSR and the app pool user were still there).
So, we renamed that folder, created a new one with the same name, and copied the content from the old folder to the new one. The new folder had the permissions inherited from its parent and everything started to work perfectly again.
It solved our problem, but we are still not sure why this all happened this way.
Regards

Deny access to directory in IIS 6.0

How can I deny access to particular directory in IIS.
In Apache I could just add .htaccess file:
Order allow,deny
Deny from all
to Logs or cache directory and nobody will allowed to see any content in that directory.
However when I add Web.config:
<?xml version="1.0"?>
<configuration>
<system.web>
<authorization>
<deny users="*"/>
</authorization>
</system.web>
</configuration>
it works only for files handled by asp and doesn't work for i.e. log.txt.
I don't have access to IIS server, I can only add and change files.
Thanks in advance for help.

In IIS6 when you open folder properties you will see a checkbox labeled "Read". Try unsettling it

If you don't have access to IIS, do you at least have access to the file system? As in, can you set security on folders?
If so, go to the security tab on the particular folder and remove all rights to whatever guest account the site is running under.
Seeing as the only .net file are handled by the .net process and security model under IIS 6 (which you learned), I don't see what else you can do.
One other possibility - that may not work in your application - you could move all non .net files that require permission into the /App_Data/ folder. .Net does seem to just into the pipeline and prevent these files from being loaded. You could stream them instead.
FYI - if you DID have access to IIS this is a good article on how to restrict access to non .net files:
http://quickstarts.asp.net/QuickStartv20/aspnet/doc/tipstricks/default.aspx#securingnonaspnetcontent

Go to the folder properties in IIS Manager -> Directory Security tab -> Authentication and access control.
Uncheck 'Anonimous access' checkbox and disable all the authentication methods below.
There is no built-in file-based access management like htaccess. This can be achieved using third-party ISAPI modules like Helicon Ape

ASP.NET web.config authorization settings ignored

I have an asp.net (dynamic data) website set up as an application in a subdirectory of another site. This site requires different security settings from the top level site. Something like:
<authorization>
<allow roles="ADMIN"/>
<deny users="*"/>
</authorization>
These settings are ignored in the sub site. However, they work on the top level site, but even when set on the top level site, they are not inherited by the sub-site, and it's freely accessible. What could cause these settings to be ignored? I've tried adding:
<location path="." inheritInChildApplications="false">
to the top level web.config and then setting the above authorization rule in the sub site, even tried just denying all users. When visiting the site it looks like: http://mysite/mybrokensite
I am using windows authentication.

I think the key thing is this
website set up as an application in a
subdirectory of another site
If it's a separate application within IIS it should have it's own web.config file and the security settings can be set from there. So you'll have one web.config for the main site and one for the subsite. really they are two applications.
If it's just a subfolder under your website then this doesn't apply. It depends how you've set it up under IIS. If it's a seperate app then the icon will be a world/cabbage type icon. If it's a sub-folder they the icon will be ... well a folder.

To elaborate on Tim's answer, make sure in IIS that it is set up as a virtual directory. Look at the property page for that directory in IIS Admin, Directory (or Home Directory) tab. If the Application label is greyed out, hit the Create button. Now IIS will load the web.config from that directory.

I typed up a summary since many were facing the same situation regarding subfolder authentication.
Subfolder Authorization
ASP.NET can only have a single
authentication mode for one
application.
The different
applications CANNOT share resource
among them.
Scenario
Let's say the home page should not prompt login dialog. It should let users pass through without whatever login is. However, in the same applicatiopn, in a different folder presumably, another page needs to check user permission against database table using user network login ID. By default IE treats all web site with only hostname a Intranet. By its default intranet setting, it will not prompt the login dialog and pass user login and password to the application if Windows Authentication is used. However, the tricky party is, if the application has an actual domain, IE will think it is an Internet site, and it will prompt the login and password if Windows Authentication is used.
The only way to not to promopt login dialog for Internet site using Windows Authentication, is to also turn on the anonymous authentication in IIS. However, you will lose the ability to capture the login info because the Anonymous has precedence over the Windows Authentication. The good news is there is a way to resolve that issue. If an application subfolder needs to capture the login information, you will need to overwrite the parent authorization in Location element in web.config.
1 In IIS, configure Authentication as follows:
Enable Anonymous Authentication,
Enable Windows Authentication
2 Add the followings in Web.Config.
<authentication mode="Windows" />
<authorization>
<allow users="*" />
</authorization>
<!-- secured is the relative subfolder name. deny anonymous user, so only the authenticated login will pass through -->
<location path="secured" allowOverride="true">
<system.web>
<authorization>
<deny users="?" />
</authorization>
</system.web>
</location>

CSS not being applied on non authenticated ASP.NET page

When developing (works fine live) the pages for our website don't pick up the correct CSS until the user has authenticated (logged on).
So the Logon and Logoff forms look bad, but once inside the site, the CSS works again.
I'm guessing it's some kind of authentication issue? Haven't really looked into it too much because it's only when working on dev so not a huge issue, but would be nice to know how to fix it.

To allow an unauthenticated user to see your .css files (or any other file/directory) you can add a location element to your web.config file pointing to the .css file.
<configuration>
<system.web>
// system.web configuration settings.
</system.web>
<location path="App_Themes/Default/YourFile.css">
<system.web>
<authorization>
<allow users="*"/>
</authorization>
</system.web>
</location>
</configuration>

Check and make sure that the CSS file itself is not in an area that you are securing. You can manually exclude the file via the web.config if needed.

I just ran into this problem myself and manually adding the location made no difference. I found that I had given the IIS_IUSRS access to the folders so my application pool had no problem accessing the files but IIS was using the IUSR account for anonymous access.
To fix it, I opened IIS Manager -> IIS: Authentication -> Select 'Anonymous Authentication' -> Click Actions: Edit.. (or right click) -> Select 'Application pool identity'
Now anonymous access attempts use the IIS_IUSRS which have the correct file permissions.

Can you try using a tool like Fiddler or HttpWatch and check if a request actually goes for the .css file from the login page. Verify the return codes are 200. Could be because of relative path issue in your dev box.