Allow anonymous user to browse the Style and Images folder

Question

I am writing an ASP.NET web application.

I have a login screen that has some CSS styles and images on it. I ran into an issue where the styles and images weren't displaying. I read online and it said I needed a web.config inside my Content folder. I added the following to the web.config:

<configuration>
  <system.web>
    <authorization>
      <allow users="*"/>
    </authorization>
  </system.web>
</configuration>

This seemed to work on my local machine. However, when I publish to inetpub on the server, it does not work.

Here is my folder structure:

Login/Login.aspx - my login screen
Content - this is my root content folder
Content/Styles - this is where my CSS is housed
Content/Images - this is where my images are stored

I tried putting the same web.config inside Styles and Images as well but that didn't work either.

Any help would be appreciated.

Updated:

Here is what I have in my main web.config related to user access:

<location path="Content">
  <system.web>
    <authorization>
      <allow users="*" />
    </authorization>
  </system.web>
</location>

Updated 2: Here is all that's in my root web.config besides connection string info:

<system.web>
<httpRuntime requestValidationMode="2.0"/>
<compilation debug="true" targetFramework="4.0"/>
<sessionState cookieless="UseCookies"/>
<authentication mode="Forms">
  <forms name="CMS" loginUrl="Login/Login.aspx" timeout="25" slidingExpiration="true"/>
</authentication>
<authorization>
  <deny users="?"/>
</authorization>
<membership>
  <providers>
    <clear/>
    <add name="AspNetSqlMembershipProvider" type="System.Web.Security.SqlMembershipProvider" connectionStringName="ApplicationServices" enablePasswordRetrieval="false" enablePasswordReset="true" requiresQuestionAndAnswer="false" requiresUniqueEmail="false" maxInvalidPasswordAttempts="5" minRequiredPasswordLength="6" minRequiredNonalphanumericCharacters="0" passwordAttemptWindow="10" applicationName="/"/>
  </providers>
</membership>
<profile>
  <providers>
    <clear/>
    <add name="AspNetSqlProfileProvider" type="System.Web.Profile.SqlProfileProvider" connectionStringName="ApplicationServices" applicationName="/"/>
  </providers>
</profile>
<roleManager enabled="false">
  <providers>
    <clear/>
    <add name="AspNetSqlRoleProvider" type="System.Web.Security.SqlRoleProvider" connectionStringName="ApplicationServices" applicationName="/"/>
    <add name="AspNetWindowsTokenRoleProvider" type="System.Web.Security.WindowsTokenRoleProvider" applicationName="/"/>
  </providers>
</roleManager>
</system.web>
<location path="Content" allowOverride="false">
<system.web>
   <authorization>
     <allow users="*" />
   </authorization>
 </system.web>
</location>
<system.webServer>
  <modules runAllManagedModulesForAllRequests="true"/>
</system.webServer>

Could there be something in here interfering with the user access?

Answer 1

By way of documenting what helped in my case: This discussion was useful

• I had another application where I didn't have the problem and the only difference was that IUSR had permissions in the folders. Adding IUSR permissions helped
• Using 'inspect' in the browser to display the console makes it clear when files are not accessible (otherwise local caching obscures the results)
• I tried using web.configs at various levels as described above but those solutions didn't work for me.

Answer 2

I realize this is an old question, but I had this same trouble and hope this helps someone.

In my case, I had to alter the Authentication settings in IIS to let it work. This sounds like what happened once you moved it to a remote server where the default configuration may have been different.

We have Windows Authentication mode enabled by default, but when the web.config specifies Forms Authentication, it will actually enable both of them on in the IIS configuration.

With your web.config, you have something like this

<system.web>
    <authentication mode="Forms">
        <forms name="CMS" loginUrl="Login/Login.aspx" timeout="25" slidingExpiration="true"/>
    </authentication>
    <authorization>
      <deny users="?"/>
    </authorization>
    <!-- ...etc... -->
</system.web>

If the server you moved to has Windows Authentication enabled, it will look like this in IIS

Notice both Forms and Windows are enabled, despite your config saying only Forms. What this will do is undermine your added web.config files in the subdirectories.

When you have the below in your Content folder, it appears to have a conflict with Windows vs Forms and no matter what you put, it doesn't appear to honor your web.config

<configuration>
  <system.web>
    <authorization>
      <allow users="*"/>
    </authorization>
  </system.web>
</configuration>

If you are in this same situation, make sure to disable Windows Authentication, or any other unused authentication modes, like in the image below. You need to also make sure Anonymous is enabled to allow it to be open to all.

Hope this helps someone.

Answer 3

See my answer here. Some people would recommend putting a web.config file in the folder you want to be open to the public, but I prefer to monitor everything from the root web.config element. Basically, you insert the same snippet that you already have, but into the web.config file in the root of your website. Don't forget the "allowOverried=false" attribute, too. :)

Something else than can be really tricky is getting the path right. Make sure you've got it just right! :)

<location path="Path to your folder" allowOverride="false">
   <system.web>
      <authorization>
         <allow users="*"/>
      </authorization>
   </system.web>
</location>

Answer 4

Basically, you want to allow any user to access files in the Content folder.

add this to your main web.config:

<location path="Content">
        <system.web>
            <authorization>
                <allow users="*" />
            </authorization>
        </system.web>
    </location>