0

I'm using forms authentication for my MVC 3 application. I've added this line in my configuration:

<authorization>
<allow roles="Administrator"/>
<deny users="*"/>
</authorization>

When i run the application (on my local box) I get the errors listed below and none of the CSS styles come through. But when I log-in, everything looks fine. So I guess I have a couple of questions:

  1. Is it best practice to add the authorization rules in the web.config or should I add it to the [Authorize] attribute within the controller.
  2. I only get the errors listed below when I add the authorization rules in the web.config. What am i missing?

Help would be appreciated. Thank you.

p.s. I'm using Internet Explorer 8

Webpage error details

User Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; GTB6.5; .NET CLR 2.0.50727; InfoPath.2; .NET4.0C; .NET4.0E; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729) Timestamp: Fri, 13 May 2011 15:48:19 UTC

Message: Syntax error Line: 1 Char: 1 Code: 0 URI: http://localhost:1361/Account/LogOn?ReturnUrl=%2fScripts%2fjquery-1.4.4.min.js

Message: Syntax error Line: 1 Char: 1 Code: 0 URI: http://localhost:1361/Account/LogOn?ReturnUrl=%2fScripts%2fjquery.validate.min.js

Message: Syntax error Line: 1 Char: 1 Code: 0 URI: http://localhost:1361/Account/LogOn?ReturnUrl=%2fScripts%2fjquery.validate.unobtrusive.min.js

Improve this question

2 Answers 2

Reset to default
2

In your web.config, you are restricting access to everyone but administrators in all cases. Check out this link to give you more options on what you can do. (like allowing access to specific folders)

http://weblogs.asp.net/gurusarkar/archive/2008/09/29/setting-authorization-rules-for-a-particular-page-or-folder-in-web-config.aspx

Improve this answer
Sign up to request clarification or add additional context in comments.

1 Comment

Thank you. The link is extremely valuable for forms authentication.
1

The problem is, as you seem to have guessed, that the CSS files are protected by your authorization rules. The reason that this differs between applying the rules in web.config and applying via Authorize attributes, is that since the MVC framework doesn't send requests for files that exist on disc via your controllers, the requests for the CSS files (which exist on disc) never see the attribute. They do, however, see the authorization rules in web.config.

There are a couple of ways you can solve this. Either one will work fine.

  1. Use the <location> tag to allow any users to request your CSS files.
  2. Skip authorization in web.config and use the Authorize attribute instead. If you do this, you can apply the attribute globally in global.asax.cs so you won't have to remember doing it on every controller.
Improve this answer

Comments

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.