I've helped two people with a problem related to this recently on the ASP.NET Forums, so I thought it might make sense to put out a quick blog post explaining it to others. Specifically, they were building a secure website using forms-authentication. They added the below authorization rule within their web.config file:
This tells ASP.NET to block all anonymous (non logged-in) users from accessing the content of the web-site, and instead redirect them to a login.aspx page for them to enter their username+password to login. Because the above authorization directive is not scoped within a <location> element, it applies to all content on the site (except for the login.aspx page).
The issue I've seen folks run into is that they are finding that static images (.jpg, .gif, etc) as well as CSS stylesheets aren't working on their login.aspx page - and they don't understand why.
Why is this is happening?
The reason this is happening is because they are running the web-site using the built-in VS 2005 Web Server (aka Cassini) -- which processes all requests (including static files) through ASP.NET. This means that authorization rules apply to all URL resources -- and not just dynamic ones (by default in IIS static files don't have the above authorization rules applied). Because there is a directive to block all resources if the user is anonymous, the built-in web-server is not allowing a user to retrieve the images or stylesheet from the login.aspx page when they aren't logged in.
How to Fix This
Fixing this is pretty easy. Just add a new authorization rule to your root web.config site that grants access to the stylesheet and/or other file resources that you want to allow anonymous access to. For example, the below configuration section denies access to all resources except stylesheet.css:
Alternatively, if you have a directory with a lot of static files in it, you can just add a web.config file at its root and add a global authorization rule like above allowing access to it.
Hope this helps,