IIS vs. ASP.NET authorization - easiest way to secure static files?

Question

Let's say I have the following in a web.config:

<allow roles="Developers" />
<deny users="*"/>

This locks down access on .aspx, .asmx, and other .NET file types, but it's still allowing unauthorized users to open static files like image.jpg. I understand why the web.config isn't asked for authorization information when someone asks for image.jpg (it's not a .NET type, and IIS can bypass it), but how can I lock down a whole application?

Advice I've found online includes:

• create a <location> entry for the directory in question and IIS / .NET will pick it up. (It doesn't seem to.)
• you need to write your own ISAPI filter and map all sensitive files' extensions to that.
• you don't need to write your own ISAPI filter - just mapping the extensions to aspnet_isapi.dll will do it.
• you don't need to edit IIS at all, just create an httpHandler entry in the web.config for your extensions. (I'd really rather not try to do this for every extension in the application.)

None of this works quite as easily as I remember it being in Apache. What's the simplest thing that might work to ask a visitor for a password and not serve any files (static or not) to any user that doesn't have it?

Answer 1

A nice simple way is to upgrade to IIS 7- it now has an integrated pipeline.

Answer 2

Enable wild card mapping for IIS 6. This will send all files through the ASP.NET pipeline, guarantee form auth happens for all files. It will degrade performance (dunno how much).

For IIS 5, um, upgrade to IIS 6.

You list 4 ideas:

• location only works if you have wild card mapping (or specific extensions mapped).

• Who wants to write an isapi filter? You can't easily do it in managed langauges unless you have IIS7. And who wants to write a c++ isapi filter?

• wild card mapping does work with the above caveat (performance)

• Again, last option wont work without registering those specific extensions with IIS and routing them through aspnet.