It’s Friday and I should be doing other stuff… However, I’m working on my open source scheduling application again, this time doing some front-end implementation work. While I was building the basic layout of the website I noticed something weird when setting up authorization.
I want users on my site to be authenticated before accessing any pages in my application. I configured this by denying access to anonymous users.
This works as expected, except for the part where it also denies access to the CSS files needed to render a proper login page. In my opinion this is a bit too restrictive. On the other hand it also sounds pretty logical when you think of how the web server should enforce authorization rules. So it’s back to the drawing board for me, to make my rules somewhat less restrictive.
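One way to relax the rule for the stylesheets only, shown as an added example that is not the configuration from the original post. The folder name `Styles` and the login page `Login.aspx` are assumptions.

```xml
<?xml version="1.0"?>
<configuration>
  <system.web>
    <!-- Assumed setup: forms authentication with a hypothetical login page.
         The loginUrl page itself is always reachable by anonymous users. -->
    <authentication mode="Forms">
      <forms loginUrl="~/Login.aspx" />
    </authentication>

    <!-- Site-wide rule described in the post: "?" matches anonymous users,
         so every request handled by ASP.NET requires a login. -->
    <authorization>
      <deny users="?" />
    </authorization>
  </system.web>

  <!-- Narrow exception: only the folder holding the stylesheets
       (hypothetical name "Styles") is opened up. "*" matches all users,
       authenticated or not. Everything outside this path keeps the
       deny rule above. -->
  <location path="Styles">
    <system.web>
      <authorization>
        <allow users="*" />
      </authorization>
    </system.web>
  </location>
</configuration>
```

Anything placed under the excepted folder is served without a login, so it should hold only files that are safe to publish.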
Be aware! This happens on the development server. My experience thus far is that IIS 6 and below have different rules and may still allow access to files that aren’t served through the aspnet_isapi.dll filter. IIS 7 works a bit like the development server in Visual Studio 2008 (which I use for this project) and may enforce the rules in exactly the same way the development server does now. Unfortunately I haven’t got IIS 7 installed on my Vista machine, so I can’t test this behaviour.