Forms auth redirecting css/script includes to the

Published 2019-01-16 12:09

Question:

I have some includes on a login page, a css file and a js file.

<link rel="stylesheet" type="text/css" href="../../ext/resources/css/ext-all.css" />
<script type="text/javascript" src="../../ext/bootstrap.js"></script>

Unfortunately the requests the browser makes for these get the 302 response. Forms Auth is seeing the request as unauthorized and redirecting them to the login page. It doesn't realise that the requests are coming from the login page in the first place.

GET http://localhost:50880/ext/resources/css/ext-all.css HTTP/1.1

HTTP/1.1 302 Found
<html><head><title>Object moved</title></head><body>
<h2>Object moved to <a href="/Account/LogOn?ReturnUrl=%2fext%2fresources%2fcss%2fext-all.css">here</a>.</h2>
</body></html>

I thought perhaps setting the permissions of the includes folder (ext) to everyone might help.

I've not had this issue in other projects.

Answer 1:

You need to exclude the css files and images from getting authenticated, as follows, in the configuration file. Using the location tag you can exclude a single file or a directory.

<location path="<RELATIVE_PATH_OF_YOUR_RESOURCE_FILES>">
    <system.web>
        <authorization>
            <allow users="*"/>
        </authorization>
    </system.web>
</location>

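A complete web.config showing where the location element from the answer above sits relative to the Forms authentication and authorization sections. This is an added illustration, not the configuration from the question; the folder name ext and the login URL /Account/LogOn are taken from the question's request log, everything else (the timeout, the site layout) is assumed. Note that the path attribute is relative to the web.config that contains it, and that under the IIS 7 Integrated pipeline the ASP.NET authorization module runs for static files too, which is why plain .css and .js requests can be redirected at all. Open only the asset folders, never the application root, because a location that allows users="*" bypasses Forms authorization for everything beneath that path.

```xml
<?xml version="1.0"?>
<configuration>
  <system.web>
    <authentication mode="Forms">
      <!-- loginUrl matches the redirect target seen in the question's 302 -->
      <forms loginUrl="~/Account/LogOn" timeout="30" />
    </authentication>
    <authorization>
      <!-- "?" is the anonymous user: deny it everywhere by default -->
      <deny users="?" />
    </authorization>
  </system.web>

  <!-- Whole directory: let anonymous users fetch the ext/ client library.
       Keep this scoped to static assets only. -->
  <location path="ext">
    <system.web>
      <authorization>
        <allow users="*" />
      </authorization>
    </system.web>
  </location>

  <!-- Single file: the same mechanism applied to one stylesheet only -->
  <location path="Content/login.css">
    <system.web>
      <authorization>
        <allow users="*" />
      </authorization>
    </system.web>
  </location>
</configuration>
```

After deploying, request one of the assets without a Forms cookie (a private browser window, curl, or a script) and confirm it returns 200 rather than the 302 to /Account/LogOn shown in the question.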

Answer 2:

I had the same problem. Here's how I solved it.

In IIS7, click on your website, then double-click the Authentication button. Click on Anonymous Authentication, then click the Edit... link on the right hand side. Make sure the "Application pool identity" checkbox is checked.

My application pool is running under the "Network Service" user (not "ApplicationPoolIdentity"). You can choose the Identity in the Advanced Settings of your application pool in IIS. This user has been given full access to the file system for the website.



Answer 3:

So, here's what I did that entirely solved the issue.

First, I made the change to the web.config like everyone else said to do.

I am using Anonymous Authentication in IIS, and as stated in this issue, I went into IIS > Application Pools > Right-clicked my application pool > Edit > changed the app pool to use the Application Pool Identity.

THEN - I went to the parent folder that contains my site, went into permissions for that folder, and added the server's NETWORK SERVICE account to access the folder. That did it for me. It's because the Application Pool is running under ApplicationPoolIdentity, which is the NETWORK SERVICE account on the local machine.

Hope this helps someone!



Answer 4:

The issue I had on this was that I had downloaded a jquery plugin from the internet and copied it into my content directory on the webserver, and Windows had all the files under it blocked so that they couldn't be accessed properly by the webserver. Unblocking the files in Windows solved the issue.



Answer 5:

Late answer here, but I wanted to help shed some light on this IISsue. (see what I did?)

First, I want to say that David Conlisk's answer is the sure-fire-nail-it-in-the-head-fix-it-every-time answer. But in case you're like me and have deployed many applications with Forms and Anonymous auth where the Anonymous Auth Identity is set to IUSR, and all of a sudden I'm seeing this problem now, then listen to how I reproduced the issue and hopefully be spared from the same plight.


My standard practice is to have my web application's AppPoolIdentity run as Network Service. Then I just go to the actual directory on disk that the virtual directory is pointing to -> right click -> Properties -> Security Tab -> Edit -> Add the Network Service User -> Grant read/write permissions.

Then I enable Anonymous Authentication on the directories that I need (js, css, etc.). The app pool identity is IUSR by default.

OK. Now all of a sudden in my dev environment, I start getting 302 forms auth redirects on all my css and js! What happened? I did an SVN switch on my web application to a different branch in source control. Ugh. It completely jacked all of my on-disk permissions for every single file. The only way I've ever been able to fix it is to delete the whole web app, do a fresh checkout and re-apply Network Service read permissions (or apply permissions on every single file... and yes, I've tried removing and re-adding the permissions on the parent-level folder).

So this time, I decide "hell with it. I'm running my web app as Local System. That will show the disk permissions who's boss. This has worked for me from time to time as a short-term workaround." But alas, not today. I swear to you that before my eyes I am looking at two deployments of a forms auth web app with exactly the same configuration, and the 302 issue is only reproducing on my dev machine. The only difference is the recent SVN switch on my machine.

As soon as I Log in and get a Forms Auth Cookie, the js and css download just fine.


Bear with me, I've just made a shocking discovery. All of the servers I have this deployed on have read permissions granted to MACHINE_NAME\Users. And my dev machine does not. Once I added that to my dev machine, I was able to download my css.


TLDR;

Moral of the story is you can keep the Anonymous Auth Identity as IUSR, but then you have to grant all users read permissions on your web app on disk.

Since this is a bad idea (for security reasons), I'm going to make it my new practice to adopt David C's answer and make the Anonymous Auth Identity run as the application pool identity.
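The IIS and file-system steps from Answers 2, 3, 4 and 5 as one script, added here as an illustration rather than taken from any of the posters. It makes Anonymous Authentication run as the application pool identity (the setting David Conlisk's answer describes), grants only that identity read access to the content folder instead of granting MACHINE_NAME\Users, unblocks downloaded files, and then checks an asset URL for a 200 versus a 302. The site name, pool name, content root and asset URL are assumptions; the URL reuses the path from the question. Note that ApplicationPoolIdentity is a virtual account named IIS AppPool\<poolname>, not NETWORK SERVICE, so the principal you grant depends on which identity the pool actually runs under; the script handles both.

```powershell
# Run in an elevated PowerShell on the IIS host (Windows PowerShell 3.0+).
# Assumed names (not from the thread): adjust to your deployment.
$Site     = 'Default Web Site'
$AppPool  = 'MyAppPool'
$Root     = 'C:\inetpub\wwwroot\MySite'
$AssetUrl = 'http://localhost:50880/ext/resources/css/ext-all.css'
$appcmd   = Join-Path $env:windir 'System32\inetsrv\appcmd.exe'

# 1. Anonymous Authentication: an empty userName is what the
#    "Application pool identity" radio button in IIS Manager writes.
#    Single quotes keep the empty "" intact when passed to appcmd.
& $appcmd set config $Site `
    /section:system.webServer/security/authentication/anonymousAuthentication `
    /enabled:true '/userName:""' /commit:apphost

# 2. Work out which principal the pool runs as and grant it read/execute
#    on the content tree. (OI)(CI) inherits to files and subfolders.
$identityType = & $appcmd list apppool $AppPool /text:processModel.identityType
$principal = switch ($identityType.Trim()) {
    'ApplicationPoolIdentity' { "IIS AppPool\$AppPool" }
    'NetworkService'          { 'NT AUTHORITY\NETWORK SERVICE' }
    'LocalSystem'             { 'NT AUTHORITY\SYSTEM' }
    default                   { throw "Pool '$AppPool' runs as '$identityType'; grant that account instead." }
}
icacls $Root /grant "${principal}:(OI)(CI)RX" /T | Out-Null

# 3. Answer 4's case: clear the Zone.Identifier stream on files copied
#    from a browser download, which IIS cannot serve while it is present.
Get-ChildItem -Path $Root -Recurse -File | Unblock-File

# 4. Verify: fetch the asset with no Forms cookie and do not follow redirects.
#    200 means it is served anonymously; 302 means Forms auth still owns it.
function Test-AnonymousAsset {
    param([Parameter(Mandatory)][string]$Url)
    $req = [System.Net.HttpWebRequest]::Create($Url)
    $req.AllowAutoRedirect = $false
    try {
        $resp = $req.GetResponse()
    } catch [System.Net.WebException] {
        # 4xx/5xx throw; the response object still carries the status code
        $resp = $_.Exception.Response
    }
    $code = [int]$resp.StatusCode
    $location = $resp.Headers['Location']
    $resp.Close()
    [pscustomobject]@{ Url = $Url; StatusCode = $code; Location = $location }
}

Test-AnonymousAsset -Url $AssetUrl
```

If the check still reports 302 with a Location of /Account/LogOn after these steps, the remaining cause is ASP.NET authorization rather than IIS or NTFS, and the location element from Answer 1 is what fixes it.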