Url Authorization with MVC and ASP.NET Identity

Question

I want to secure specific folders and resources in my application that are outside of the routes for my mvc application. I want these resources to only be available to authenticated users (which role is not of concequence as long as they are authenticated).

Initially it seemed that the UrlAuthorizationModule would be the answer. I followed this article, Understanding IIS 7.0 URL Authorization, and I can get the module to work in the sense that it responds to the configuration elements in the web.config.

My current problem is that I think it is enacting the rules based on the anonymous user in IIS and not the authenticated user in asp.net identity.

Test Environment

I use a standard html file for testing instead of trying to load a script as this would also be loaded outside of the MVC pipeline.

• In Visual Studio 2015.
  • New default .net 4.6.2 web project
  • MVC template
  • Authentication = Individual User Accounts
• IIS 8 (for testing outside Visual Studio)
  • Authentication -> Anonymous Authentication (enabled)

Add to web.config

<configuration>
...
<location path="Data">
  <system.webServer>
    <security>
      <authorization>
        <clear/>
        <add accessType="Deny" users="*"/>
        <add accessType="Allow" users="?"/>
      </authorization>
    </security>
  </system.webServer>
</location>
...
</configuration>

Add to folder structure

/Data/Protected.html // this file just has some basic Hello World content to display so you can see if it is loaded or not.

Observed Results

• With this configuration everything in the Data path is always denied, it does not matter if the user is authenticated or not.
• The same is true if I switch the 2 lines for Deny and Allow in the web.config.
• If I completely remove the line with Deny then access is always allowed even when the user is not authenticated.
• If I add a role and use roles with the role name instead of users attribute the role is also completely ignored.

Now What?

What am I missing? How can I get the Url Authorization module to work with MVC/WebAPI and ASP.NET Identity Individual user accounts or is this simply not doable?

I am open to alternative ideas as well, maybe the answer is to write a custom HttpModule or HttpHandler?

---

Side notes

Why & Specifics

These resources are javascript files, in short only a portion of the scripts should be available to unauthenticated users. There are 2 directories in the root, one for the authenticated part of the app and one for the non-authenticated part of the app. The reason for this has nothing to do with user authorization or security in the application, it is to limit the exposed surface area of the application to non-authenticated requests.

Answer 1

[TL;DR;]
Go to "Complete root web.config" section to see the needed web.config setup.

Test this in incognito-mode to prevent browser caching issues! And use Ctrl+F5 because scripts and html files get cached.

First deny access to all anonymous users in the root web.config.

<authorization>
    <deny users="?"/>        
</authorization>

The web.config here allows one folder to be publicly accessible. This folder, in my example here, is called css and sits in the root of the MVC application. For the css folder I add the following authorization to the root web.config:

<location path="css">
    <system.web>
        <authorization>          
            <allow users="*"/>
        </authorization>
    </system.web>
</location>

You can add more of these location paths if you want more public folders.

While all other files will not be accessible until the user logs in, the css folder and its contents will always be accessible.

I have also added a static file handler to the root web.config, This is critical as you want the request to be managed by the asp.net pipeline for the specific file type(s):

<handlers>
    <add name="HtmlScriptHandler" path="*.html" verb="*" preCondition="integratedMode" type="System.Web.StaticFileHandler" />
</handlers> 

Complete root web.config

<system.web>
    <authentication mode="None" />
    <authorization>
        <deny users="?"/>        
    </authorization>
    <compilation debug="true" targetFramework="4.6.2" />
    <httpRuntime targetFramework="4.6.2" />
</system.web>
<location path="css">
    <system.web>
        <authorization>          
            <allow users="*"/>
        </authorization>
    </system.web>
</location>
<system.webServer>
    <modules>
        <remove name="FormsAuthentication" />           
        <remove  name="UrlAuthorization" />
        <add  name="UrlAuthorization" type="System.Web.Security.UrlAuthorizationModule"  />     
    </modules>
    <handlers>
        <add name="HtmlScriptHandler" path="*.html" verb="*" preCondition="integratedMode" type="System.Web.StaticFileHandler" />
    </handlers>      
</system.webServer>

---

ASP.NET by default will only apply the allow and deny rules to files handled by the managed handler. Static files are not managed by the managed handler.

You could also set: (Don't do this, if not really needed!)

 <modules runAllManagedModulesForAllRequests="true">

With runAllManagedModulesForAllRequests="true" all the HTTP modules will run on every request, not just managed requests (e.g. .aspx, ashx). This means modules will run on every .jpg ,.gif ,.css ,.html, .pdf, ... request.

---

One important thing
You don't have to add the UrlAuthorizationModule to the modules section as it is already part of the ASP.NET pipeline. This means, it will run only for managed files, not static!

If you now remove and then re-add the UrlAuthorizationModule to the modules section, it will run under precondition "integratedMode" and not under "managedHandler" anymore! And will therefore have access to static files.

<remove  name="UrlAuthorization" />
<add  name="UrlAuthorization" type="System.Web.Security.UrlAuthorizationModule" />

---

If you set the precondition to managed: <add name="UrlAuthorization" type="System.Web.Security.UrlAuthorizationModule" preCondition="managedHandler" />, then the UrlAuthorizationModule will not restrict access to static files anymore.

You can test this by accessing a script file in the scripts folder successfully while being logged out. Hit Ctrl+F5 to make sure you get a fresh copy of the script file.

---

Difference between ASP.NET UrlAuthorization <--> IIS URL Authorization

It is important to keep in mind that the managedHandler precondition is on the ASP.NET UrlAuthorization module. The precondition tells you that the URL authorization module is invoked only when the code that handles the request is mapped to managed code, typically an .aspx or .asmx page. IIS URL Authorization, on the other hand, applies to all content. You can remove the managedHandler precondition from the ASP.NET Url Authorization module. It is there to prevent a performance penality you have to pay when every request (such as a request to .html or .jpg pages) would have to go through managed code.

P.S.: Some web.config attributes are case sensitive!