Let's say I have the following in the web.config file:
<allow roles="Developers" /> <deny users="*"/>
This blocks access to .aspx, .asmx, and other .NET types, but still allows unauthorized users to open static files such as image.jpg. I understand why authorization information is not requested in web.config when someone requests image.jpg (this is not a .NET type, and IIS can get around it), but how can I block the entire application?
The advice I found on the Internet includes:
- create a
<location> entry for the directory in question, and IIS / .NET will pick it up. (This does not seem to be the case.) - you need to write your own ISAPI filter and apply all the extensions for important files to it.
- you do not need to write your own ISAPI filter. A simple extension mapping in aspnet_isapi.dll will do this.
- You donβt need to edit IIS at all, just create an httpHandler entry in web.config for your extensions. (I really would not try to do this for every extension in the application.)
None of this works as easily as I remember, it was in Apache. What is the simplest thing that can work to ask a visitor about a password and not serve any files (static or not) for any user who does not have one?
dnord source share