Authentication means figuring out who you are and Authorization means figuring out what you can do. Both are fundamental parts of the ASP.NET Security Model.
One thing to notice in ASP.NET authentication mechanism is that ASP.NET authenticates requests for resources such as .aspx, .asmx, .ashx, .axd, .ascx and others that are mapped to the ASP.NET ISAPI DLL (aspnet_isapi.dll). ASP.NET does not authenticate requests for images (GIF, JPEG, etc), CSS or JavaScript files. If you want these resources also to be secured by ASP.NET (Forms Authentication, Windows Authentication or Passport), add them to the list of ASP.NET ISAPI mappings. This can be done from the Internet Information Services Manager (IIS Manager) by following these steps:
- Open IIS Manager (Start/Run, type inetmgr and Enter)
- From the left-side tree view, select the web application you want to change the mappings for
- Right-click on the web application and select Properties
- Swirch to Home Directory Tab and click Configuration
- On the Mappings tab, click Add and enter the extension (one of .js, .css, .jpeg) and ASP.NET ISAPI DLL path for Executable. You can copy/paste the complete path to the ISAPI DLL from any other mapping, .aspx, for example.
- Repeat the above step for other file extensios too, if required
- Click OK thrice
Once done, requests to non-ASP.NET resources will also be subjected to ASP.NET authentication. The downside of this approach however is that it negatively impacts the performance of the web application because ASP.NET has to authenticate additional resource requests.
Be sure to visit the subpages for more information on specific kinds of authorization like Forms, Windows, Passport, Basic, and custom. This is just the start!
