ASP.Net secure (or unsecure) parts of a site using web.config

Hello,

To secure my .NET sites I like to use ASP.NET's built-in authorization module together with the Login control. In the main web.config I usually set deny users="?" followed by allow users="*", set the authentication mode="Forms", and supply a loginUrl="~/Login.aspx" (or some other login page). Users who haven't already logged in are then sent to the login page, so authentication is required before accessing the site.

The problem with this is that the web.config sits in the root of the site and denies all unauthenticated (anonymous) users. This now secures *everything*, including stylesheets, images, etc. To get around this you can specify security exclusions in the web.config file using the location node.

Here's a sample:

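<configuration>
  <system.web>
    <!-- Forms authentication: users who are not logged in are sent to Login.aspx -->
    <authentication mode="Forms">
      <forms name="SiteLogin" loginUrl="~/Login.aspx" />
    </authentication>
    <!-- Site-wide rule: deny anonymous users (?), allow everyone else (*) -->
    <authorization>
      <deny users="?" />
      <allow users="*" />
    </authorization>
  </system.web>

  <!-- Exclusion: a single file that anonymous users may read -->
  <location path="SiteStyle.css">
    <system.web>
      <authorization>
        <allow users="?" />
      </authorization>
    </system.web>
  </location>

  <!-- Exclusion: a folder whose contents anonymous users may read -->
  <location path="images">
    <system.web>
      <authorization>
        <allow users="?" />
      </authorization>
    </system.web>
  </location>
</configuration>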

The above is the web.config which sits in the root of the site. The two location nodes specify that anonymous users can access the SiteStyle.css file and all files within the images folder!

Cheers,

James
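
An added example, not part of the original post: a Python script that reads a web.config like the one above and reports which scopes an anonymous user can reach, applying ASP.NET's first-match rule order with a location's own rules checked before the inherited site-wide ones. The function names and the embedded sample are constructed for illustration, and the `roles` and `verbs` attributes are ignored.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the authorization parts of the web.config in the post.
WEB_CONFIG = """<configuration>
  <system.web>
    <authorization>
      <deny users="?" />
      <allow users="*" />
    </authorization>
  </system.web>
  <location path="SiteStyle.css">
    <system.web><authorization><allow users="?" /></authorization></system.web>
  </location>
  <location path="images">
    <system.web><authorization><allow users="?" /></authorization></system.web>
  </location>
</configuration>"""


def rules(node):
    """Return [(action, [users])] for the <authorization> under node, in file order."""
    # Assumption: only the users attribute is modelled; roles and verbs are ignored.
    return [(r.tag, [u.strip() for u in r.get("users", "").split(",")])
            for r in node.findall("system.web/authorization/*")
            if r.tag in ("allow", "deny")]


def anonymous_allowed(rule_list):
    """The first rule naming '?' or '*' decides; with no match the default is allow."""
    for action, users in rule_list:
        if "?" in users or "*" in users:
            return action == "allow"
    return True


def audit(xml_text):
    """Map '/' and every <location path> to True if anonymous users get access."""
    root = ET.fromstring(xml_text)
    site_rules = rules(root)
    report = {"/": anonymous_allowed(site_rules)}
    for loc in root.findall("location"):
        # A location's own rules are evaluated before the rules it inherits.
        report[loc.get("path", "")] = anonymous_allowed(rules(loc) + site_rules)
    return report


if __name__ == "__main__":
    for scope, is_open in audit(WEB_CONFIG).items():
        print(f"{scope:15} {'ANONYMOUS ACCESS' if is_open else 'login required'}")
```

Running this against a real web.config during review gives a quick list of every path that is reachable without logging in, which makes an overly broad location exclusion easy to spot.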


 
copyright 2007 Ataye.com.au