IIS7 Forms Authentication Doesn't Deny Image Access

Question

I have a basic ASP.NET website set up in IIS7 with forms authentication enabled on the server. Just for grins, I deny everyone:

<?xml version="1.0"?>
<configuration>
  <system.web>

    <authentication mode="Forms">
        <forms name=".ASPXAUTH" loginUrl="Login.aspx" defaultUrl="Test.aspx" protection="All" timeout="30" path="/" requireSSL="false" slidingExpiration="true"/>
    </authentication>

    <authorization>
        <deny users="*"/>
    </authorization>

    <compilation debug="true"/>
  </system.web>
</configuration>

When I visit the default.aspx page, I get dutifully redirected to the Login.aspx page. However, I can browse to a .txt file or .png file on the root of the same site, and it displays it with no challenge.

This is odd, because in the Cassini dev server, access to those files is blocked. This only occurs once I publish to my IIS7 server.

I must be missing something in IIS7, but I can't figure it out for the life of me.

• I have the site on it's own .NET 4.0 app pool with integrated mode enabled.
• Forms Authentication is enabled at the server
• On the Edit managed Module popup for the FormsAuthentication module, I tried unchecking the "invoke only for requests...", but that tosses some kind of strange error when I do so (assembly of some sort missing? This is a fresh server install with no frills, so I can't imagine what that's about).

Can anyone point me in the right direction on this?

Thanks! Droidilate

Answer 1

first of all you have to use integrated pipeline and then add this in your web.config:

<system.webServer>
  <modules runAllManagedModulesForAllRequests="false">
    <remove name="FormsAuthenticationModule" />
    <add name="FormsAuthenticationModule" type="System.Web.Security.FormsAuthenticationModule" />

    <remove name="UrlAuthorization" />
    <add name="UrlAuthorization" type="System.Web.Security.UrlAuthorizationModule" />
  </modules>
</system.webServer>