ASP.NET Membership: CSS being blocked by Deny user

2020-03-15 10:22发布

I have a page that functions correctly but when i issue a deny user for the whole site it redirects me to the logon page which seems to work BUT the css is not working. Hence there is no styling..

Can anyone help? My web.config is like so

<authentication mode="Forms">
  <forms loginUrl="~/Account/LogOn" timeout="2880" />
</authentication>

<authorization>
  <deny users="?" />
  <allow users="*" />
</authorization>

This logon page uses a site.master has the following style sheet but fails to style the document when the above is included

 <link href="../../Content/Site.css" rel="stylesheet" type="text/css" />

To confirm i i remove the part above in web.config then it works hence the css is included and beng styled

I thought it might be something to do with the css being denied .. so i included the following but it makes no difference. I know the site.master is being rendered in the logon page because i see the headers etc..

 <location path="~/Content">
   <system.web>
     <authorization>
       <allow users="*" />
     </authorization>
   </system.web>
 </location>

I have also used firebug in firefox to view the css, if the authorization tags are included in web.config then it states there is no CSS. If i remove the tags then i can see the css and the page is rendered correctly.

I must be missing something. Any help really appreciated

thanks in advance

EDIT

Fiddler states that the site.css is moved??

HTTP/1.1 302 Found
Cache-Control: private
Content-Type: text/html; charset=utf-8  
Location: /InmoCasaWebClient/Account /LogOn?ReturnUrl=%2fInmoCasaWebClient%2fContent%2fSite.css
Server: Microsoft-IIS/7.5
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Date: Tue, 17 Aug 2010 17:19:12 GMT
Content-Length: 201

<html><head><title>Object moved</title></head><body>

Object moved to here.

6条回答
Deceive 欺骗
2楼-- · 2020-03-15 11:04

You can simply allow app to access your css file :

<location path="Style.css">
<system.web>
<authorization>
<allow users="?"/>
</authorization>
</system.web>
查看更多
Root(大扎)
3楼-- · 2020-03-15 11:07

Try removing the tilda (~) in your location's path attribute. If you look at the fiddler result, its a callback request for your css. so the unauthenticated request for the page is in turn making unauthenticated requests for resources (the css).

I generally try to place a styles directory at the root of the application, and then use a helper tool like T4MVC or my own helper methods to translate and avoid having to figure out the ../../ directory crawling.

查看更多
太酷不给撩
4楼-- · 2020-03-15 11:13

i had a similar problem. if it helps, i added permission (IUSR or depending on your OS) to the root web directory, it worked.

查看更多
够拽才男人
5楼-- · 2020-03-15 11:15

The 302 is from the login framework redirecting you to login when requesting the CSS.

The trick here is your MVC app should not be configuring the security via web.config but rather you should be using the [Authorize] attributes on your controllers which will not interfere with your CSS.

查看更多
爷、活的狠高调
6楼-- · 2020-03-15 11:16

For starters, avoid hardcoded paths to resources like JS or CSS files in your ASP.NET MVC views. Using /Content/Site.css does no better than ../../..

Use Url.Content helper:

<%=Url.Content("~/public/scripts/jquery-1.4.2.min.js")%>
查看更多
Fickle 薄情
7楼-- · 2020-03-15 11:19

Use fiddler to see exactly what is happening to that resource? May shed light on the mystery. It should 403 if it is unauthorized. May be 404ing? If it's not in a virtual directory you could just write:

<link href="/Content/Site.css" rel="stylesheet" type="text/css" />

(directory traversing is flimsy)

Update - now more info

Nice fiddler use ;) Anyway, since it is 302ing (temporarily redirecting) your css files to require validation too the problem is your forms authentication.

You are probably running into the runAllManagedModuleForAllRequest="true" problem. Read that post for info.

Or set the all access to the Content folder to allow access. You're almost there but it would need to be:

<location path="Content">             
   <system.web>             
     <authorization>             
       <allow users="*" />             
     </authorization>             
   </system.web>             
 </location> 
查看更多
登录 后发表回答