2
votes

We have a site using Forms authentication with Anonymous authentication enabled in IIS7.

However, with the above setting, everyone can access static files in this site such as CSS, JavaScript and HTML.

If I disable anonymous authentication, users can't access the login page since they aren't logged in yet.

From my understanding, Forms authentication needs to work with Anonymous authentication enabled.

So how can I secure all resource files?

Thanks!


2 Answers

3
votes

In order to have every file be secured by forms authentication, route all requests through the ASP.NET pipeline. This is not the default behavior of IIS. For files that are static content, IIS typically hands them out based on the settings described at the site level (i.e. Anonymous, Basic, Windows, Digest).

While you can do what I mentioned, I would be questioning why you would want to do this. This adds overhead because the .NET pipeline will start processing each file to determine whether or not to serve it up.

Doable, but not recommended.

0
votes

I think I kinda found the answer.

Based on @Josh's answer, I found this page talking about how to use Forms Authentication for the Entire Application.

I think it works like what I want.

  1. You need to install the URL Authorization functionality.

  2. Add the following to your web.config:

    <system.webServer>
      <modules>
        <!-- Re-register the managed modules without the managedHandler
             precondition so they run for every request, static files included -->
        <remove name="FormsAuthenticationModule" />
        <add name="FormsAuthenticationModule" type="System.Web.Security.FormsAuthenticationModule" />
        <remove name="UrlAuthorization" />
        <add name="UrlAuthorization" type="System.Web.Security.UrlAuthorizationModule" />
        <remove name="DefaultAuthentication" />
        <add name="DefaultAuthentication" type="System.Web.Security.DefaultAuthenticationModule" />
      </modules>
    </system.webServer>
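
Added example, not part of either answer above: a complete web.config showing the authorization rules that the re-registered modules enforce once they run for static files too. The `Login.aspx` page name and the `Content/public` folder are assumptions made for illustration.

```xml
<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <system.web>
    <!-- Forms authentication; Login.aspx is an assumed page name -->
    <authentication mode="Forms">
      <forms loginUrl="~/Login.aspx" />
    </authentication>
    <!-- Site-wide default: reject anonymous users ("?").
         With the modules below, this now covers CSS, JavaScript and HTML files. -->
    <authorization>
      <deny users="?" />
    </authorization>
  </system.web>

  <!-- Assumed folder holding only the static files the login page
       itself needs before the user has signed in -->
  <location path="Content/public">
    <system.web>
      <authorization>
        <allow users="*" />
      </authorization>
    </system.web>
  </location>

  <system.webServer>
    <modules>
      <!-- Same re-registration as in the answer: no managedHandler
           precondition, so the modules run for every request -->
      <remove name="FormsAuthenticationModule" />
      <add name="FormsAuthenticationModule" type="System.Web.Security.FormsAuthenticationModule" />
      <remove name="UrlAuthorization" />
      <add name="UrlAuthorization" type="System.Web.Security.UrlAuthorizationModule" />
      <remove name="DefaultAuthentication" />
      <add name="DefaultAuthentication" type="System.Web.Security.DefaultAuthenticationModule" />
    </modules>
  </system.webServer>
</configuration>
```

Anonymous authentication stays enabled in IIS with this configuration; the `deny users="?"` rule, not the IIS setting, is what rejects unauthenticated requests.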