Home/ Questions/Q 8093591
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-06-05T20:32:03+00:00

It is easy to restrict access to aspx pages, just use role-checking logic in

  • 0

It is easy to restrict access to aspx pages, just use role-checking logic in the code-behind. But resource files like a photo does not have a code behind to put role-checking logic, so how to restrict access?

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    First, you will need to set up IIS. If you have IIS7+, it’s a snap. Change your app pool from Classic to Integrated Pipeline. This allows managed modules and handlers to be applied to your static resource files. If you are using IIS6, see this article.

    Second, you may need to ensure this setting in your web.config (for IIS7):

      <system.webServer>
    <modules runAllManagedModulesForAllRequests="true"/>
  </system.webServer>

    Things like FormsAuth should now work the same as they would for ASPX, etc., meaning you can restrict paths to authorized users only by using web.config (for example).

    Update

    In response to Aperture’s comment below:

    Outside of using RoleProviders, ASP.NET can figure out the roles for a principal either by reading groups a user belongs to when using Windows auth, or manually changing the roles by replacing the current IPrincipal in your application, preferably during AuthenticateRequest.

    Global.asax.cs

    public void Application_AuthenticateRequest(object sender, EventArgs e)
{
    var application = sender as HttpApplication;
    var context = application.Context;

    if (!context.User.Identity.IsAuthenticated) return; // if the user hasn't been authenticated by another module such as FormsAuth, don't do anything further

    string[] roleNames = FindRolesForUser(context.User.Identity.Name); // this method you will create to figure out what roles the specified user has
    context.User = new GenericPrincipal(new GenericIdentity(context.User.Identity.Name), roleNames); // updates the current principal. 
}

    Now, as far as checking the roles we’ve specified above, there are a number of ways. You could create a custom HttpModule that looks for paths that end in JPG, GIF, JS, etc. and then simply check context.User.IsInRole. You could also simply use location and authorization in your web.config:

       <location path="images">
      <system.web>
         <authorization>
            <allow users="?"/> <!-- or perhaps <allow roles="Admins" /> it's up to you -->
         </authorization>
      </system.web>
   </location>

    The bottom line is, you can’t execute any managed code during the request to static resources until you either configure Integrated Pipeline, or map static resources to the ASP.NET ISAPI module. So, my answer is appropriate.

    • 0