Reputation: 1577
I have created a simple MVC 4 web site that uses Windows Identity Foundation for authentication. When accessing static content with a default file, the authentication works fine, but when accessing a specific file, the user is granted access without having to authenticate. For example, the path to the static content, https://test.wgint.com/help/robohelp/fmsuserguide, forwards to the AD FS server for authentication, but https://test.wgint.com/help/robohelp/fmsuserguid/login_support.htm allows access without forwarding to the AD FS server.
The path 'robohelp' is a virtual directory off of the MVC site and is not directly managed by the MVC code.
The web config was set up by the 'Identity and Access' tool:
    <system.web>
      <authorization>
        <deny users="?" />
      </authorization>
      <authentication mode="None" />
I cannot figure out why direct access to static files in the virtual directory is not protected but access to paths in the virtual directory is protected. Any ideas?
Upvotes: 1
Views: 2061
Reputation: 46720
What do the handler mappings in IIS look like?
Static files should have the same mapping as .aspx. Otherwise, they won't be directed to the WIF handler.
Also, what is the setting for runAllManagedModulesForAllRequests?
Refer to: Modules runAllManagedModulesForAllRequests="true" Meaning.
Upvotes: 2
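One way to check the setting the answer asks about, as an added example that is not part of the original posts: a small Python audit that reads a web.config and reports which registered modules will be skipped for static-file requests. The sample config is constructed, its WIF module entries are an assumption about what the site registers, and the function name is hypothetical.

```python
import xml.etree.ElementTree as ET

# Constructed sample, not the asker's file. The module entries are assumed for
# a WIF (System.IdentityModel.Services) site; type attributes are shortened.
SAMPLE_WEB_CONFIG = """<configuration>
  <system.web>
    <authorization><deny users="?" /></authorization>
    <authentication mode="None" />
  </system.web>
  <system.webServer>
    <modules>
      <add name="WSFederationAuthenticationModule"
           type="System.IdentityModel.Services.WSFederationAuthenticationModule, System.IdentityModel.Services"
           preCondition="managedHandler" />
      <add name="SessionAuthenticationModule"
           type="System.IdentityModel.Services.SessionAuthenticationModule, System.IdentityModel.Services"
           preCondition="managedHandler" />
    </modules>
  </system.webServer>
</configuration>"""


def audit_static_file_coverage(config_xml):
    """Return (run_all, skipped): whether runAllManagedModulesForAllRequests is
    true, and the names of modules that will not run for static-file requests."""
    root = ET.fromstring(config_xml)
    server = next((c for c in root if c.tag == "system.webServer"), None)
    modules = server.find("modules") if server is not None else None
    if modules is None:
        return False, []
    run_all = modules.get("runAllManagedModulesForAllRequests", "false").lower() == "true"
    skipped = []
    for add in modules.findall("add"):
        conditions = [c.strip() for c in add.get("preCondition", "").split(",")]
        # managedHandler limits a module to requests served by a managed
        # handler; static files are served by IIS's native static file handler.
        if "managedHandler" in conditions and not run_all:
            skipped.append(add.get("name"))
    return run_all, skipped


if __name__ == "__main__":
    run_all, skipped = audit_static_file_coverage(SAMPLE_WEB_CONFIG)
    print("runAllManagedModulesForAllRequests:", run_all)
    for name in skipped:
        print("does not run for static files:", name)
```

Modules inherited from applicationHost.config, such as UrlAuthorization, do not appear in the site's web.config, so this check only covers modules the file registers itself.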