I am using forms authentication in IIS7 to password-protect a dev site, but the authentication seems to get by-passed when the site contains only static HTML files + login.aspx + web.config.
When I renamed the files to .aspx, I am prompted with the login form
I am not doing anything fancy. I have a very simple login script and it should just redirect to index.html afterward.
Any suggestions? To summarize, the entire site is using HTML (for now) and needs to be password protected.
<authentication mode="Forms">
<forms name="appNameAuth" path="/" loginUrl="~/login.aspx" defaultUrl="index.html" protection="All" timeout="525600">
<credentials passwordFormat="Clear">
<user name="[user]" password="[password]" />
</credentials>
</forms>
</authentication>
<authorization>
<deny users="?" />
</authorization>
To make the HTML files locked down by your forms authetication, you need have them served by ASP.NET. You can do this in IIS by associating the extension(s) you need (eg. .html, .htm, etc) with the aspnet_isapi.dll.
Onces ASP.NET is servicing those files you can specify the permissions for them just like any aspx page.
For more information refer to MSDN:
By default, IIS processes static
content itself - like HTML pages and
CSS and image files - and only hands
off requests to the ASP.NET runtime
when a page with an extension of
.aspx, .asmx, or .ashx is requested.
IIS 7, however, allows for integrated
IIS and ASP.NET pipelines. With a few
configuration settings you can setup
IIS 7 to invoke the
FormsAuthenticationModule for all
requests. Furthermore, with IIS 7 you
can define URL authorization rules for
files of any type. For more
information, see Changes Between IIS6
and IIS7 Security, Your Web Platform
Security, and Understanding IIS7 URL
Authorization.
Long story short, in versions prior to
IIS 7, you can only use forms
authentication to protect resources
handled by the ASP.NET runtime.
Likewise, URL authorization rules are
only applied to resources handled by
the ASP.NET runtime. But with IIS 7 it
is possible to integrate the
FormsAuthenticationModule and
UrlAuthorizationModule into IIS's HTTP
pipeline, thereby extending this
functionality to all requests.
In IIS7 if you want to protect *.html or *.htm files (or other non .net extensions) under forms authentication then add the following lines to your web.config:
<compilation>
<buildProviders>
<add extension=".html" type="System.Web.Compilation.PageBuildProvider" />
<add extension=".htm" type="System.Web.Compilation.PageBuildProvider" />
</buildProviders>
</compilation>
AND
<system.webServer>
<handlers>
<add name="HTML" path="*.html" verb="GET, HEAD, POST, DEBUG" type="System.Web.UI.PageHandlerFactory" resourceType="Unspecified" requireAccess="Script" />
<add name="HTM" path="*.htm" verb="GET, HEAD, POST, DEBUG" type="System.Web.UI.PageHandlerFactory" resourceType="Unspecified" requireAccess="Script" />
</handlers>
</system.webServer>
I've solved the same problem a few days ago, by following the post by fr33m3 @ 11-21-2007, 3:19 PM on this thread:
http://forums.asp.net/t/1184547.aspx
follow all the steps from 2. to 5. and you're done!
hope this can help you like it helped me.
Although this is an old question, I find the link in pomarc's answer really useful. Below is the summary which is suit for IIS7.
In your web.config
, add or modify <handlers>
under <system.webServer>
:
<handlers>
<add name="HTML" path="*.html" verb="GET,HEAD,POST,DEBUG" modules="IsapiModule" scriptProcessor="%windir%\Microsoft.NET\Framework\v2.0.50727\aspnet_isapi.dll" resourceType="Unspecified" requireAccess="Script" />
</handlers>
Replace verb
value with your required one; scriptProcessor
value with correct path of your environment.
Then, add or modify <compilation>
and <httpHandlers>
under <system.web>
:
<compilation debug="false" strict="false" explicit="true">
<buildProviders>
<!--Add below so .html file will be handled by ASP.NET (for use of Forms Authentication)-->
<add extension=".html" type="System.Web.Compilation.PageBuildProvider" />
</buildProviders>
</compilation>
<httpHandlers>
<!--Add below so .html file will be handled by ASP.NET (for use of Forms Authentication)-->
<add verb="GET, HEAD, POST, DEBUG" path="*.html" type="System.Web.UI.PageHandlerFactory" />
</httpHandlers>
Replace verb
value with your required one.
You may also include more extension separated by comma ','