Unauthenticated users can't see images in website - asp.net

When I run my website through debug mode in visual studio everything looks great and all the images on the page show up fine. But once I deploy my website to an IIS7 web server (doubt that other versions would make any difference, but you never know) then users can't see the images on the site until they log in.
The website is an asp.net MVC site and I'm new to MVC, though I do have lots of experience with asp.net forms. It seems that only authenticated users are allowed to access the images folder, and there is an authorization section in my web.config saying that only admins can access the site, so how do I make it so that all users, authenticated or otherwise can view the images?
-- Update --
I tried putting in the configuration block suggested, which from everything I can tell makes perfect sense, but it didn't seem to make a difference. The sample below has Content/Images for the path but before that I tried just Content, since it's OK for everything in there to be accessible. I also tried setting the allowOverride setting to false, which also didn't seem to make a difference.
<location path="Content/Images">
<system.web>
<authorization>
<allow users ="*" />
</authorization>
</system.web>
</location>
--Update 2--
Funny thing is that I don't even see any explicit deny entries in my web.config, just an allow for admin's, and when I went into IIS 7 and used the UI to allow all users access to the Content directory it didn't show any deny's on the list either. But then again, this project works fine when I just debug it from my personal computer, it's only after I deploy it that I have problems...
<authorization>
<allow roles="admin" />
</authorization>
<authentication mode="Forms">
<forms loginUrl="~/Account/LogOn" timeout="2880" />
</authentication>

In your web.config file, after the </system.web> tag, add the following
<location path="images">
<system.web>
<authorization>
<allow users ="*" />
</authorization>
</system.web>
</location>
where path="images" is the name of the folder with your images/css.
Update:
If you're using ASP.NET MVC, I would remove the authorization declaration in the web.config file and use the [Authorize] attribute on the controllers that need to be locked down.
You can also specify the roles you want to grant access to using [Authorize("admin")].

By default, the configuration you define in a Web.config file, applies to every subdirectory of its containing folder. If you have a Web.config in the application root, that configuration will propagate to every subdirectory, including those where you have images and Css style sheets. So, if you have in your root Web.config a rule like this one:
<system.web>
...
<authorization>
<deny users="?"/>
</authorization>
...
</system.web>
anonymous users will not be able to access the resources needed to display the page like you would expect it.
To fix it, you need to include another Web.config in every subdirectory that has presentation resources, and apply the rules you want to override. In your case, this should do the work:
<?xml version="1.0"?>
<configuration>
<system.web>
<authorization>
<allow users="*"/>
</authorization>
</system.web>
</configuration>
If you are using Themes, place a single Web.config file in the theme folder.

Just ran into the same problem. We noticed it on our Login page. The CSS and images weren't loading (they were under the content directory). Adding IUSR to the folder with Read privileges fixed it for us.

Old question but I came across the same problem and found the answer.
I had created a new folder for the Membership pages that I wanted logged-in users to have access to, but the images wouldn't show up in them!
It turns out that no matter what I tried I couldn't set a relative path to the images from within the Members folder.
The problem was the html image (as far as I could tell anyway, correct me if I'm wrong).
I swapped it out for an asp:image with a relative path and now it works great.
My new code: asp:image runat="server" id="Logo" ImageUrl="~/Images/logo.jpg"
Notice the ' ~/ ', that wouldn't work for me with
I tried: img src="../Images/logo.jpg", img src="~/Images/logo.jpg", img src="/Images/logo.jpg", etc. to no avail.
Hope this answer helps someone solve this problem more quickly in the future.

Try browsing the image file directly and see if that comes up for an anonymous user. In IIS 7, there is a way in which you can authorize anonymous users directly from your UI [which in turn would create the web.config if it doesn't exist].
Folder -> .NET Authorization Rules -> Add Allow Rule

Are you using membership framework. I suspect that you have misconfigured your permission settings in web.config and your images folder is only allowing authorised requests. This can be easily change via web.config. Just remove the folder name from your authorised section and this should solve the problem.
For your reference this should be the section in web.config if you are using membership framework :
<authorization>
<deny roles="xyz" />
</authorization>

We came across the same problem in our project and found a solution, although we are not sure about the reasons of this behaviours.
We had a similar scenario, with a folder containing all our png images. Our marketing colleague wanted to rename some of them, so to make it easier for her, we shared (this might be the key) that folder, granting read/writer rights to her.
From this point, the images started behaving as you describe, requiring authorization for being accessed. No unauthorized user could see them any more.
We realized that the problem was related to sharing the folder because it started happening at that point of time. Otherwise we still don't see any relationship among ASP.NET MVP user authorization/login and hard disk user rights. We could have expected an IO Exception or something similar, but not this behaviour.
After checking the folder, and comparing with other folders, we realized that after sharing, the permissions on the folder had slightly changed. Mainly they did not inherit from its parent folder anymore and some permissions such as CREATOR OWNER and MACHINE_NAME\Users had dissapeared (although IUSR and the app pool user were still there).
So, we renamed that folder, created a new one with the same name, and copied the content from the old folder to the new one. The new folder had the permissions inherited from its parent and everything started to work perfectly again.
It solved our problem, but we are still not sure why this all happened this way.
Regards

Related

IIS 7.5 and making anonymous authentication/forms authentication play nicely together

I've got an ASP.NET MVC 4 application that I run under the site level of an IIS web site.
So the dir structure looks like this:
\IIS
\Site
\bin
\Content
\Views
The MVC 4 app uses Forms Authentication via Username and Password, but I have a requirement to lock down the full site and turn off anonymous authentication at the IIS level.
The goal of this requirement is to allow users only to land on a home page and logon page. The problem is if I turn off anonymous authentication then users can't even get to home or login.
Another thing we want to prevent a user from being able to go to /Content/Scripts/MyScript.js in their browser.
I'm using bundling so those file are there and don't get used by me besides when I bundle things up.
Is this even possible since IIS and MVC 4 auth are at completely different level? If it is possible what options do I have?
Chris Pratts answer is correct. You can successfully turn of anonymous authentication and let MVC4 handle all of that for you.
Make sure in your web.config you have the following
<modules runAllManagedModulesForAllRequests="true"></modules>
In your system.webserver section.
Another thing you can do is make use of the locations tags in IIS to prevent user access to different parts of the site.
For example, you could put this in your web.config
<location>
<system.web>
<authorization>
<deny users="?" />
</authorization>
</system.web>
</location>
This ensures that only authenticated users can access the site. You can then further refine this.
<location path="External">
<system.web>
<authorization>
<allow users="*" />
</authorization>
</system.web>
</location>
Basically, now any request to /External will be allowed for all users (regardless of authentication). You will probably want to put all your scripts in here that you need unauthenticated users to access.
If there was a specific directory you didn't want anyone to access, you could do something like
<location path="/Content/Scripts">
<system.web>
<authorization>
<deny users="*" />
</authorization>
</system.web>
</location>
Now any access to that location will be prevented by default in IIS. Give that a try, it should satisfy your requirement to have the scripts available for bundling, but not accessible if someone browses directly to it.
I only halfway got what I wanted, but here is what I ended up doing. I have anonymous authentication enabled at the site level and used Forms authentication for specific controllers. This was how I originally had it so nothing changed here.
Since I am using bundles the users never really need to look at the .js so I used Request Filtering by file extension so block any .js and even .css I don't want exposed.
This works because the bundling doesn't make http requests to those files and the bundles themselves don't have the normal JavaScript and CSS file extensions.
You don't handle this at the IIS-level. You simply allow Anonymous Auth and then add [Authorize] to every controller. Then only on your home and login actions add the attribute [AllowAnonymous].
As to the second part of your question, you can't really stop this. MVC bundles on the fly, so it needs the actual files to be there. If they're never referenced, though, they're black holes: the user would have no way of knowing what file to request, so it's kind of security by obscurity.

Same website different port Javascript and Stylesheets

I've a website running under IIS7. Everything works fine with this website. I've copied the directory and created a clone website on a different port. When I browse to the new website on the different port, I do not get any of the style settings until I log in -- then all appears normally.
The problem appears to do with the ASP.NET Membership/Authorization. I have a web.config in the subdirectories to allow all users (web.config) but the clone website is not using them even though all the config, directories, etc are the same. Only the port is different or non .config settings that IIS 7 uses.
I've discovered the problem but not the whole answer. The directories needed the IUSR permission to work but the original website doesn't have those permissions. It only had IIS_IUSRS. IF anyone can fully explain this behavior and how to fix the problem without granting IUSR then I will award the bounty for that answer.
The answer should be fully explanatory.
One potential issue would be with authorization settings in your config.
Look for something like this:
<location path="MyResourcesFolder">
<system.web>
<authorization>
<deny users="?"/>
</authorization>
</system.web>
</location>
The above example would produce the effect that you've described assuming that your resources (css, jscript, etc) were located in a folder named MyResourcesFolder. Check the web.config that's in the actual website and not necessarily the project. This is because your website config may not be the same as your project config if you are using config transformations.

Disabling folder with pages in asp.net

i have a simple question
How to disable a folder with aspx pages in asp.net
Thw folder is "Administration" and i want to disable it that it cannot be called in browser by typing .../Administratin/edit.aspx, or that simple to redirect to a login page if we want to go to the administration part
First enable forms based authentication. This can be done for VB and C#.
Next you have to specify who will have access to what. This can be done in the web.config.
Apologies if these articles are a little out of date.
Use a locations element and config settings to restrict access to folders.
<location path="Administration">
<system.web>
<authorization>
<allow roles="Administrators" />
<deny users="*" />
</authorization>
</system.web>
</location>
Change the NTFS security permissions on the Administration Folder for
<drive>:\intepub\wwwroot\...\Administration
and restrict access via that way.
You can also right click go to properties in IIS for the folder and remove various granular browsing permissions.
You can also edit the web.config and change permissions there.

Cannot access CSS file from ASP.NET login page

I have just noticed a problem accessing a CSS file using forms authentication from an ASP.NET application.
Until I have logged in, then any styles I have set in my login page are not used, as IIS seems to be preventing the login page from accessing this file.
Is there an easy solution for this?
Place the css file in a publicly accessible folder. This will require a change in your web.config that will look something like this:
<location path="css">
<system.web>
<authorization>
<allow users="*"/>
</authorization>
</system.web>
</location>
Granted, this shouldn't be how you setup the permissions in the first place. The css folder ought always to be publicly accessible.
My CSS didn't display in the login page as well.
I noticed that Anonymous Access was using the IUSR account not the IIS_IUSRS account so I just added IUSR to the website folder and everything got back to normal.

CSS not being applied on non authenticated ASP.NET page

When developing (works fine live) the pages for our website don't pick up the correct CSS until the user has authenticated (logged on).
So the Logon and Logoff forms look bad, but once inside the site, the CSS works again.
I'm guessing it's some kind of authentication issue? Haven't really looked into it too much because it's only when working on dev so not a huge issue, but would be nice to know how to fix it.
To allow an unauthenticated user to see your .css files (or any other file/directory) you can add a location element to your web.config file pointing to the .css file.
<configuration>
<system.web>
// system.web configuration settings.
</system.web>
<location path="App_Themes/Default/YourFile.css">
<system.web>
<authorization>
<allow users="*"/>
</authorization>
</system.web>
</location>
</configuration>
Check and make sure that the CSS file itself is not in an area that you are securing. You can manually exclude the file via the web.config if needed.
I just ran into this problem myself and manually adding the location made no difference. I found that I had given the IIS_IUSRS access to the folders so my application pool had no problem accessing the files but IIS was using the IUSR account for anonymous access.
To fix it, I opened IIS Manager -> IIS: Authentication -> Select 'Anonymous Authentication' -> Click Actions: Edit.. (or right click) -> Select 'Application pool identity'
Now anonymous access attempts use the IIS_IUSRS which have the correct file permissions.
Can you try using a tool like Fiddler or HttpWatch and check if a request actually goes for the .css file from the login page. Verify the return codes are 200. Could be because of relative path issue in your dev box.

Resources