current community

your communities

more stack exchange communities

Stack Exchange
tour help
careers 2.0
Take the 2-minute tour ×
Stack Overflow is a question and answer site for professional and enthusiast programmers. It's 100% free, no registration required.
up vote 0 down vote favorite

I'm using forms authentication for my MVC 3 application. I've added this line in my configuration:

<authorization>
<allow roles="Administrator"/>
<deny users="*"/>
</authorization>

When i run the application (on my local box) I get the errors listed below and none of the CSS styles come through. But when I log-in, everything looks fine. So I guess I have a couple of questions:

  1. Is it best practice to add the authorization rules in the web.config or should I add it to the [Authorize] attribute within the controller.
  2. I only get the errors listed below when I add the authorization rules in the web.config. What am i missing?

Help would be appreciated. Thank you.

p.s. I'm using Internet Explorer 8

Webpage error details

User Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; GTB6.5; .NET CLR 2.0.50727; InfoPath.2; .NET4.0C; .NET4.0E; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729) Timestamp: Fri, 13 May 2011 15:48:19 UTC

Message: Syntax error Line: 1 Char: 1 Code: 0 URI: http://localhost:1361/Account/LogOn?ReturnUrl=%2fScripts%2fjquery-1.4.4.min.js

Message: Syntax error Line: 1 Char: 1 Code: 0 URI: http://localhost:1361/Account/LogOn?ReturnUrl=%2fScripts%2fjquery.validate.min.js

Message: Syntax error Line: 1 Char: 1 Code: 0 URI: http://localhost:1361/Account/LogOn?ReturnUrl=%2fScripts%2fjquery.validate.unobtrusive.min.js

share|improve this question

2 Answers 2

up vote 2 down vote accepted

In your web.config, you are restricting access to everyone but administrators in all cases. Check out this link to give you more options on what you can do. (like allowing access to specific folders)

http://weblogs.asp.net/gurusarkar/archive/2008/09/29/setting-authorization-rules-for-a-particular-page-or-folder-in-web-config.aspx

share|improve this answer
    
Thank you. The link is extremely valuable for forms authentication. –  Shahzad May 13 '11 at 17:04
up vote 1 down vote

The problem is, as you seem to have guessed, that the CSS files are protected by your authorization rules. The reason that this differs between applying the rules in web.config and applying via Authorize attributes, is that since the MVC framework doesn't send requests for files that exist on disc via your controllers, the requests for the CSS files (which exist on disc) never see the attribute. They do, however, see the authorization rules in web.config.

There are a couple of ways you can solve this. Either one will work fine.

  1. Use the <location> tag to allow any users to request your CSS files.
  2. Skip authorization in web.config and use the Authorize attribute instead. If you do this, you can apply the attribute globally in global.asax.cs so you won't have to remember doing it on every controller.
share|improve this answer

Your Answer

 
discard

By posting your answer, you agree to the privacy policy and terms of service.

Not the answer you're looking for? Browse other questions tagged or ask your own question.