Images not authorized in MVC application?

  • Question

  • User-425991614 posted

    I have a requirement to authorize static resources present in my application so that only logged-in users can access them, including images.

    I have form authentication enabled in my application and I am using the authorization attribute in web.config and localized web.config in folders for which I want to provide access to anonymous users.

    But the images are not secured and are getting accessed even when the user is not logged in. The rest of the resources, such as css and js, are secured.

    I am using the below code in the global web.config

    <authentication mode="Forms">
      <forms loginUrl="<URL>" timeout="10" slidingExpiration="true" />
    </authentication>
    <authorization>
      <deny users="?" />
    </authorization>

    and in localized web.config

    <?xml version="1.0" encoding="utf-8"?>
    <configuration>
      <location path="Content/Custom/login.scss">
        <system.web>
          <authorization>
            <allow users="*" />
          </authorization>
        </system.web>
      </location>

      <location path="Content/Images/CSSbundle">
        <system.web>
          <authorization>
            <allow users="*" />
          </authorization>
        </system.web>
      </location>
      <location path="Content/images">
        <system.web>
          <authorization>
            <deny users="?" />
          </authorization>
        </system.web>
      </location>
    </configuration>

    Where am I missing something?

    Tuesday, May 8, 2018 8:31 AM

All replies

  • User1724605321 posted

    Hi ronniekapoor,

    May I confirm that the other css and js files are in the same Content folder, and only the images folder content "http://localhost:xxxx/Content/Images/xxx.png" can be accessed?

    Best Regards,

    Nan Yu

    Wednesday, May 9, 2018 6:13 AM
  • User-425991614 posted

    Hi Nan Yu,

    Yes. I have, although, found a solution to my problem. I am using IIS 8 and I have added the below handlers to my web.config.

    <add name="PNG" path="*.png" verb="GET, HEAD, POST, DEBUG" type="System.Web.StaticFileHandler" />
    <add name="JPG" path="*.jpg" verb="GET, HEAD, POST, DEBUG" type="System.Web.StaticFileHandler" />
    <add name="GIF" path="*.gif" verb="GET, HEAD, POST, DEBUG" type="System.Web.StaticFileHandler" />
    <add name="JPEG" path="*.jpeg" verb="GET, HEAD, POST, DEBUG" type="System.Web.StaticFileHandler" />

    Now files are not accessible without authentication.

    Wednesday, May 9, 2018 6:36 AM
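
An added example, not part of the original thread: a Python check that reads a web.config and reports which image extensions (and verbs) are not routed to `System.Web.StaticFileHandler`, so a misspelled path pattern or a missing verb does not go unnoticed. It assumes the `<add>` entries sit under `<system.webServer><handlers>`; the sample config and the function names are constructed for illustration.

```python
import fnmatch
import xml.etree.ElementTree as ET

MANAGED_STATIC = "System.Web.StaticFileHandler"

# Constructed sample, not the poster's file. Assumption: the handler entries
# live under <system.webServer><handlers> (IIS integrated pipeline).
SAMPLE_CONFIG = """<configuration>
  <system.webServer>
    <handlers>
      <add name="PNG" path="*.png" verb="GET, HEAD" type="System.Web.StaticFileHandler" />
      <add name="JPG" path="*.jpg" verb="GET, HEAD" type="System.Web.StaticFileHandler" />
      <add name="JPEG" path="*.jepg" verb="GET, HEAD" type="System.Web.StaticFileHandler" />
      <add name="GIF" path="*.gif" verb="GET" type="System.Web.StaticFileHandler" />
    </handlers>
  </system.webServer>
</configuration>
"""


def managed_static_mappings(config_xml):
    """Return (name, path pattern, verb set) for each StaticFileHandler mapping."""
    root = ET.fromstring(config_xml)
    mappings = []
    for add in root.findall("./system.webServer/handlers/add"):
        # The type may be assembly-qualified; compare the type name only.
        if add.get("type", "").split(",")[0].strip() != MANAGED_STATIC:
            continue
        verbs = {v.strip().upper() for v in add.get("verb", "").split(",") if v.strip()}
        mappings.append((add.get("name"), add.get("path", "").lower(), verbs))
    return mappings


def uncovered(config_xml, extensions, verbs=("GET", "HEAD")):
    """Return {extension: [verbs with no managed static-file mapping]}."""
    mappings = managed_static_mappings(config_xml)
    gaps = {}
    for ext in extensions:
        probe = "probe." + ext.lower()
        missing = [
            verb for verb in verbs
            if not any(fnmatch.fnmatchcase(probe, pattern) and (verb in vs or "*" in vs)
                       for _, pattern, vs in mappings)
        ]
        if missing:
            gaps[ext] = missing
    return gaps


if __name__ == "__main__":
    print(uncovered(SAMPLE_CONFIG, ["png", "jpg", "jpeg", "gif"]))
```

In the sample, `.jpeg` is reported for both verbs because its pattern is misspelled, and `.gif` is reported for HEAD because that mapping lists only GET.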