Authorization with the built-in VS 2005 Web Server (aka Cassini)

I've helped two people with a problem related to this recently on the ASP.NET Forums, so I thought it might make sense to put out a quick blog post explaining it to others.  Specifically, they were building a secure website using forms-authentication.  They added the below authorization rule within their web.config file:


     <deny users="?"/>


This tells ASP.NET to block all anonymous (non logged-in) users from accessing the content of the web-site, and instead redirect them to a login.aspx page for them to enter their username+password to login.  Because the above authorization directive is not scoped within a <location> element, it applies to all content on the site (except for the login.aspx page).

The issue I've seen folks run into is that they are finding that static images (.jpg, .gif, etc) as well as CSS stylesheets aren't working on their login.aspx page - and they don't understand why.

Why is this is happening?

The reason this is happening is because they are running the web-site using the built-in VS 2005 Web Server (aka Cassini) -- which processes all requests (including static files) through ASP.NET.  This means that authorization rules apply to all URL resources -- and not just dynamic ones (by default in IIS static files don't have the above authorization rules applied).  Because there is a directive to block all resources if the user is anonymous, the built-in web-server is not allowing a user to retrieve the images or stylesheet from the login.aspx page when they aren't logged in.

How to Fix This

Fixing this is pretty easy.  Just add a new authorization rule to your root web.config site that grants access to the stylesheet and/or other file resources that you want to allow anonymous access to.  For example, the below configuration section denies access to all resources except stylesheet.css:



       <deny users="?"/>



<location path="stylsheet.css">



            <allow users="*"/>




Alternatively, if you have a directory with a lot of static files in it, you can just add a web.config file at its root and add a global authorization rule like above allowing access to it. 

Hope this helps,




  • Maybe I overlooked something simple.

    I run my site locally before deploying it.

    How can I most easily bypass the login screen when running locally?

    I would love it to know it's being run locally and simply log me in as a user I pre-select.

    It's a royal pain to have to continually login each time I hit run!

    That possible and easy?

    Thanks for the awesome work you do for us Scott!


  • Of course the big question (which I'm sure you've already thought of) is:

    When IIS7 arrives with it's unified configuration infrastructure, will that send all filetypes via ASP.Net authorization and therefore break a whole bunch of existing sites?

  • Is the behaviour that Cassini exposes with static files and authorization scheduled to be implemented in the longhorn version of IIS? As of now, there is imho a big problem that IIS and Cassini has different behaviours. I have personally seen a number of developers that really should settle with the Cassini when developing locally, but instead use IIS since this behaviour differs, arguing that 'if there's a difference here, there may be differences in other areas as well'.

  • Maybe you could add a pointer/idea to this blog post how to protect downloads, gifs, css, etc. with FormsAuthentification.

    How do I tell ISS 6 that it should pass all downloads of static files to for authorization?


  • Would you consider this to be a bug in the Cassini web server? I'd have thought Cassini ought to emulate the IIS environment as closely as possible, which would mean it should not be applying the authorization directive to static resources.

  • I always know why this is happening but never thought about adding location to static content. I have added location in web.config to pages like register, contact etc. This clears up why built-in webserver behaves like that.


  • Hi Jim,

    There isn't a built-in &quot;always bypass login feature locally&quot; with forms-auth, and in general you want to be very careful about probably not trying to implement something like that.

    The reason is that it is often pretty easy to spoof the remote client IP address with HTTP -- and so someone could try and attack your site by sending bogus IP packets that make it appear that someone is coming from the local address (note: when someone does this they wouldn't get the http response back -- but they could in theory still cause something to execute that you don't want).

    What I'd recommend instead is that you use the persist cookie option to log in once, and then have it remember you. That way you can just immediately go to the site without having to login.

    Hope this helps,


  • Hi Joe,

    I don't think of it as a bug -- since it is possible to have IIS emulate this exact same behavior (although it doesn't by default do so). I'll respond to Richard's post slightly below yours with steps on how to have IIS emulate this same behavior.

    Hope this helps,


  • Thanks,advice with directory come in handy:-)

  • Wouldn't it be easier to add a web.config file to your styles directory / images directories and allow anon. users there?

  • Hi Ryan,

    Yep -- if they are all under the same directory you could ceretainly do that as well.



  • Hi Scott,

    Thanks for the great information on this behavior in Cassini. I spent several hours trying to find out why my stylesheet was not working with the Login.aspx page. My plan is to put all needed resources (i.e., stylesheets, images, static files, etc.) for the Login.aspx page in a separate folder and then just include a web.config file in that folder to allow these resources to be made available for the anonymous user.

    Great job -- keep the information flowing!!


  • Is there a way to dynamically (or should I say programatically) write an authorization rule to the web.config file?

    Say I have an ASP.NET 2.0 application that has an admin screen to create a new role and a new directory for that role that only users in that role can access. I know how to create roles, but I'm not sure how I'd programatically add an authorization rule to tie that role to the new directory.

    Is this possible or should I just use a templated web.config file in which I replace certain tokens in the file with the new role name and drop that in the new directory.

    Am I even on the right path?

  • Thank you so much! I am also creating a secure website using forms-authentication and pictures under the Image directory can't be displayed when you logged in as an anonymous user. This article helps me a lot!!

  • I just ran into this very thing! After spending a few hours on it, I decided to go to the web, and there was your article. Thanks for saving my sanity!

  • Hi folks,

    I am using Visual Web Developer and have added a web.config in the root to deny unauthenticated users.

    I still wanted users to be able to browse some other pages without having to log in so I used the which worked fine.

    I then decided I wanted to add some roll over functionality on the MasterPage which forms the header of all the other pages in the app. I replaced an ASP.NET Image with an IMG and used the onmouseover event to do what I wanted.

    The problem I have is that this image will only now show on the login.aspx page. I thought that classic ASP was ignored by .NET authentication unless you specifically told IIS to include it ? Does it make a difference that I am using Visual Web Developer (which I think someone said had it's own internal IIS type management ?)

    Does anyone know how I can "unprotect" the IMG file so the banner appears on all the pages the user can visit while not logged in ?

    Help !!!!!! Please !


  • Hi Chris,

    To allow the image to be used on all pages unauthenticated, you should add another directive in your web.config file that allows all users access to the images. For example:

    Hope this helps,


  • HI Scott,

    I've finally figured out how to properly run the MasterPage when using Forms Authentication. The stylesheet can now be called and the static images in my Images folder can now be called by adding a new web.config file under the Images folder. Many thanks!


Comments have been disabled for this content.