Authorization with the built-in VS 2005 Web Server (aka Cassini)

I've helped two people with a problem related to this recently on the ASP.NET Forums, so I thought it might make sense to put out a quick blog post explaining it to others.  Specifically, they were building a secure website using forms-authentication.  They added the below authorization rule within their web.config file:

<authorization>

     <deny users="?"/>

</authorization>

This tells ASP.NET to block all anonymous (non logged-in) users from accessing the content of the web-site, and instead redirect them to a login.aspx page for them to enter their username+password to login.  Because the above authorization directive is not scoped within a <location> element, it applies to all content on the site (except for the login.aspx page).

The issue I've seen folks run into is that they are finding that static images (.jpg, .gif, etc) as well as CSS stylesheets aren't working on their login.aspx page - and they don't understand why.

Why is this is happening?

The reason this is happening is because they are running the web-site using the built-in VS 2005 Web Server (aka Cassini) -- which processes all requests (including static files) through ASP.NET.  This means that authorization rules apply to all URL resources -- and not just dynamic ones (by default in IIS static files don't have the above authorization rules applied).  Because there is a directive to block all resources if the user is anonymous, the built-in web-server is not allowing a user to retrieve the images or stylesheet from the login.aspx page when they aren't logged in.

How to Fix This

Fixing this is pretty easy.  Just add a new authorization rule to your root web.config site that grants access to the stylesheet and/or other file resources that you want to allow anonymous access to.  For example, the below configuration section denies access to all resources except stylesheet.css:

<system.web>

   <authorization>

       <deny users="?"/>

   </authorization>

</system.web>

<location path="stylsheet.css">

    <system.web>

        <authorization>

            <allow users="*"/>

        </authorization>

    </system.web>

</location>

Alternatively, if you have a directory with a lot of static files in it, you can just add a web.config file at its root and add a global authorization rule like above allowing access to it. 

Hope this helps,

Scott

 

Published Tuesday, January 31, 2006 9:27 PM by ScottGu

Comments

# re: Authorization with the built-in VS 2005 Web Server (aka Cassini)

Wednesday, February 1, 2006 12:50 AM by Jim Cheseborough
Maybe I overlooked something simple.
I run my site locally before deploying it.
How can I most easily bypass the login screen when running locally?
I would love it to know it's being run locally and simply log me in as a user I pre-select.

It's a royal pain to have to continually login each time I hit run!

That possible and easy?

Thanks for the awesome work you do for us Scott!

Jim

# re: Authorization with the built-in VS 2005 Web Server (aka Cassini)

Wednesday, February 1, 2006 2:35 AM by RichB
Of course the big question (which I'm sure you've already thought of) is:
When IIS7 arrives with it's unified configuration infrastructure, will that send all filetypes via ASP.Net authorization and therefore break a whole bunch of existing sites?

# re: Authorization with the built-in VS 2005 Web Server (aka Cassini)

Wednesday, February 1, 2006 4:03 AM by Thomas L
Is the behaviour that Cassini exposes with static files and authorization scheduled to be implemented in the longhorn version of IIS? As of now, there is imho a big problem that IIS and Cassini has different behaviours. I have personally seen a number of developers that really should settle with the Cassini when developing locally, but instead use IIS since this behaviour differs, arguing that 'if there's a difference here, there may be differences in other areas as well'.

# re: Authorization with the built-in VS 2005 Web Server (aka Cassini)

Wednesday, February 1, 2006 5:37 AM by Christian
Maybe you could add a pointer/idea to this blog post how to protect downloads, gifs, css, etc. with FormsAuthentification.

How do I tell ISS 6 that it should pass all downloads of static files to asp.net for authorization?

Thanks!

# re: Authorization with the built-in VS 2005 Web Server (aka Cassini)

Wednesday, February 1, 2006 5:52 AM by Joe
Would you consider this to be a bug in the Cassini web server? I'd have thought Cassini ought to emulate the IIS environment as closely as possible, which would mean it should not be applying the authorization directive to static resources.

# re: Authorization with the built-in VS 2005 Web Server (aka Cassini)

Wednesday, February 1, 2006 8:59 AM by Richard Costall
Nicely explained Scott.

I came across this when i was building an extranet site under beta 2.

The behaviour is different to that of IIS, do you see this as a bug and would it be looked at in the future?

some sites (no need for detail) may want to protect images, building under cassini would give the illusion these resources are protected, although when they deploy under IIS they will be exposed.

just a thought.

keep up the great work :-)

# re: Authorization with the built-in VS 2005 Web Server (aka Cassini)

Wednesday, February 1, 2006 9:44 AM by Vasu
I always know why this is happening but never thought about adding location to static content. I have added location in web.config to pages like register, contact etc. This clears up why built-in webserver behaves like that.

Thanks

# re: Authorization with the built-in VS 2005 Web Server (aka Cassini)

Wednesday, February 1, 2006 10:10 AM by scottgu
Hi Jim,

There isn't a built-in "always bypass login feature locally" with forms-auth, and in general you want to be very careful about probably not trying to implement something like that.

The reason is that it is often pretty easy to spoof the remote client IP address with HTTP -- and so someone could try and attack your site by sending bogus IP packets that make it appear that someone is coming from the local address (note: when someone does this they wouldn't get the http response back -- but they could in theory still cause something to execute that you don't want).

What I'd recommend instead is that you use the persist cookie option to log in once, and then have it remember you. That way you can just immediately go to the site without having to login.

Hope this helps,

Scott

# re: Authorization with the built-in VS 2005 Web Server (aka Cassini)

Wednesday, February 1, 2006 10:14 AM by scottgu
Hi Joe,

I don't think of it as a bug -- since it is possible to have IIS emulate this exact same behavior (although it doesn't by default do so). I'll respond to Richard's post slightly below yours with steps on how to have IIS emulate this same behavior.

Hope this helps,

Scott

# re: Authorization with the built-in VS 2005 Web Server (aka Cassini)

Wednesday, February 1, 2006 10:26 AM by Andrey Skvortsov
Thanks,advice with directory come in handy:-)

# re: Authorization with the built-in VS 2005 Web Server (aka Cassini)

Wednesday, February 1, 2006 1:43 PM by Ryan Ternier
Wouldn't it be easier to add a web.config file to your styles directory / images directories and allow anon. users there?

# re: Authorization with the built-in VS 2005 Web Server (aka Cassini)

Friday, February 3, 2006 3:27 AM by scottgu
Hi Ryan,

Yep -- if they are all under the same directory you could ceretainly do that as well.

Thanks,

Scott

# re: Authorization with the built-in VS 2005 Web Server (aka Cassini)

Thursday, February 23, 2006 5:04 PM by Randall Price
Hi Scott,

Thanks for the great information on this behavior in Cassini. I spent several hours trying to find out why my stylesheet was not working with the Login.aspx page. My plan is to put all needed resources (i.e., stylesheets, images, static files, etc.) for the Login.aspx page in a separate folder and then just include a web.config file in that folder to allow these resources to be made available for the anonymous user.

Great job -- keep the information flowing!!

--Randall

# re: Authorization with the built-in VS 2005 Web Server (aka Cassini)

Tuesday, July 25, 2006 2:47 PM by Brian Beaudet
Is there a way to dynamically (or should I say programatically) write an authorization rule to the web.config file? Say I have an ASP.NET 2.0 application that has an admin screen to create a new role and a new directory for that role that only users in that role can access. I know how to create roles, but I'm not sure how I'd programatically add an authorization rule to tie that role to the new directory. Is this possible or should I just use a templated web.config file in which I replace certain tokens in the file with the new role name and drop that in the new directory. Am I even on the right path?

# re: Authorization with the built-in VS 2005 Web Server (aka Cassini)

Wednesday, August 23, 2006 10:07 PM by Toby Li
Thank you so much! I am also creating a secure website using forms-authentication and pictures under the Image directory can't be displayed when you logged in as an anonymous user. This article helps me a lot!!

# re: Authorization with the built-in VS 2005 Web Server (aka Cassini)

Tuesday, August 29, 2006 4:16 PM by Elise Rbinson
I just ran into this very thing! After spending a few hours on it, I decided to go to the web, and there was your article. Thanks for saving my sanity!

# re: Authorization with the built-in VS 2005 Web Server (aka Cassini)

Thursday, January 18, 2007 8:38 PM by Chris

Hi folks,

I am using Visual Web Developer and have added a web.config in the root to deny unauthenticated users.

I still wanted users to be able to browse some other pages without having to log in so I used the <location path="folder_name"> which worked fine.

I then decided I wanted to add some roll over functionality on the MasterPage which forms the header of all the other pages in the app. I replaced an ASP.NET Image with an IMG and used the onmouseover event to do what I wanted.

The problem I have is that this image will only now show on the login.aspx page. I thought that classic ASP was ignored by .NET authentication unless you specifically told IIS to include it ? Does it make a difference that I am using Visual Web Developer (which I think someone said had it's own internal IIS type management ?)

Does anyone know how I can "unprotect" the IMG file so the banner appears on all the pages the user can visit while not logged in ?

Help !!!!!! Please !

Chris

# re: Authorization with the built-in VS 2005 Web Server (aka Cassini)

Friday, January 19, 2007 9:06 PM by ScottGu

Hi Chris,

To allow the image to be used on all pages unauthenticated, you should add another <location> directive in your web.config file that allows all users access to the images.  For example:

<location path="images">

   <system.web>

       <authorization>

           <allow users="*"/>

       </authorization>

   </system.web>

</location>

Hope this helps,

Scott

# re: Authorization with the built-in VS 2005 Web Server (aka Cassini)

Monday, February 26, 2007 9:06 PM by Florante

HI Scott,

I've finally figured out how to properly run the MasterPage when using Forms Authentication. The stylesheet can now be called and the static images in my Images folder can now be called by adding a new web.config file under the Images folder. Many thanks!

Navaja