views:

251

answers:

5

Hi there,

I have a page that functions correctly, but when I issue a deny user for the whole site it redirects me to the logon page, which seems to work, BUT the css is not working. Hence there is no styling.

Can anyone help? My web.config is like so

<authentication mode="Forms">
  <forms loginUrl="~/Account/LogOn" timeout="2880" />
</authentication>

<authorization>
  <deny users="?" />
  <allow users="*" />
</authorization>

This logon page uses a site.master which has the following style sheet, but it fails to style the document when the above is included:

 <link href="../../Content/Site.css" rel="stylesheet" type="text/css" />

To confirm, if I remove the part above in web.config then it works, hence the css is included and being styled.

I thought it might be something to do with the css being denied, so I included the following, but it makes no difference. I know the site.master is being rendered in the logon page because I see the headers etc.

 <location path="~/Content">
   <system.web>
     <authorization>
       <allow users="*" />
     </authorization>
   </system.web>
 </location>

I have also used Firebug in Firefox to view the css; if the authorization tags are included in web.config then it states there is no CSS. If I remove the tags then I can see the css and the page is rendered correctly.

I must be missing something. Any help really appreciated.

Thanks in advance

EDIT

Fiddler states that the site.css is moved??

HTTP/1.1 302 Found
Cache-Control: private
Content-Type: text/html; charset=utf-8
Location: /InmoCasaWebClient/Account/LogOn?ReturnUrl=%2fInmoCasaWebClient%2fContent%2fSite.css
Server: Microsoft-IIS/7.5
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Date: Tue, 17 Aug 2010 17:19:12 GMT
Content-Length: 201

<html><head><title>Object moved</title></head><body>

Object moved to here.

+1  A: 

Use fiddler to see exactly what is happening to that resource? May shed light on the mystery. It should 403 if it is unauthorized. May be 404ing? If it's not in a virtual directory you could just write:

<link href="/Content/Site.css" rel="stylesheet" type="text/css" />

(directory traversing is flimsy)

Update - now more info

Nice Fiddler use ;) Anyway, since it is 302ing (temporarily redirecting) your css files to require validation too, the problem is your forms authentication.

You are probably running into the runAllManagedModulesForAllRequests="true" problem. Read that post for info.

Or set all access to the Content folder to allow access. You're almost there but it would need to be:

<location path="Content">
  <system.web>
    <authorization>
      <allow users="*" />
    </authorization>
  </system.web>
</location>
BritishDeveloper
I am getting object moved; I have updated my question with the Fiddler stuff... So I think what is happening is it's requesting the site.css but it's being redirected to the logon page as well for the site.css... but I have entered the location info... a little confused
mark smith
Glad that helped. I've updated my answer with the fix (fingers crossed)
BritishDeveloper
+1  A: 

Try removing the tilde (~) in your location's path attribute. If you look at the Fiddler result, it's a callback request for your css. So the unauthenticated request for the page is in turn making unauthenticated requests for resources (the css).

I generally try to place a styles directory at the root of the application, and then use a helper tool like T4MVC or my own helper methods to translate and avoid having to figure out the ../../ directory crawling.

Jonathan Bates
Thanks! That was it... I removed the tilde and the / and all is well. But a helper tool or T4MVC wouldn't help in the web.config though? But I love the idea of T4MVC; I will look at implementing it in my code for using strongly typed views etc.
mark smith
Ermm, one thing: do you know if it's possible to say that ALL directories under "CONTENT" should be allow users=*, or do I need to add a location for each subdirectory in the web.config?
mark smith
@mark, no, the helper tool would be for the master page files and any markup that would need a reference to a directory (images, css, scripts, etc). My experience with subdirectories has been to set it in the web.config or to place an additional web.config in the subdirectory with the authorization node defined with the rules I want. So I am not sure if it cascades down as I have always explicitly set it.
Jonathan Bates
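
The configuration this thread converges on, written out as one web.config (an added example, not taken from any poster's project). A `<location>` rule applies to the named folder and everything beneath it, so the last block shows how to keep one subfolder protected; the `Content/Private` folder name is an assumption made up for the illustration.

```xml
<?xml version="1.0"?>
<configuration>
  <system.web>
    <authentication mode="Forms">
      <forms loginUrl="~/Account/LogOn" timeout="2880" />
    </authentication>

    <!-- Site-wide rule. Rules are read top to bottom and the first match wins:
         "?" is anonymous users, "*" is everyone. Anonymous requests are
         redirected (302) to loginUrl, which is what happened to Site.css. -->
    <authorization>
      <deny users="?" />
      <allow users="*" />
    </authorization>
  </system.web>

  <!-- The question's attempt used path="~/Content" and had no effect.
       The path is written relative to this web.config: no "~/" and no leading "/". -->

  <!-- Static assets the logon page needs before anyone is authenticated.
       Rules for a child path are checked before the site-wide ones, so this
       allow matches first. It covers Content and all of its subdirectories. -->
  <location path="Content">
    <system.web>
      <authorization>
        <allow users="*" />
      </authorization>
    </system.web>
  </location>

  <!-- Hypothetical subfolder (name is an assumption) that must stay behind the
       login even though its parent is public: a more specific rule wins. -->
  <location path="Content/Private">
    <system.web>
      <authorization>
        <deny users="?" />
      </authorization>
    </system.web>
  </location>
</configuration>
```

Anything placed under Content is served without authentication once this is in effect, so keep only public static assets (stylesheets, scripts, images) there.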
+1  A: 

The 302 is from the login framework redirecting you to login when requesting the CSS.

The trick here is your MVC app should not be configuring the security via web.config but rather you should be using the [Authorize] attributes on your controllers which will not interfere with your CSS.

Wyatt Barnett
Hi Wyatt, thanks! This is a great tip, thank you... but considering that my app requires you to authenticate before having access to "ANY" page (only login), I think the web.config is a better approach...? Otherwise I would have to insert the authorize attribute on every single method in every single controller... Maybe I am not seeing the full picture?
mark smith
I think if my app was basically open apart from certain pages then this would be a great idea, hence I could force someone to login if they wanted to use a specific page / controller function... otherwise just let them through... I hope I am on the right lines here?
mark smith
Well, your app is open for certain pages -- such as login. Easy trick is to extend all secured controllers from a base class. Also note that [Authorize] can cover entire controllers as well, no need to cover every method.
Wyatt Barnett
+1  A: 

For starters, avoid hardcoded paths to resources like JS or CSS files in your ASP.NET MVC views. Using /Content/Site.css does no better than ../../..

Use Url.Content helper:

<%=Url.Content("~/public/scripts/jquery-1.4.2.min.js")%>
mare
Agreed, thanks...
mark smith
A: 

I had a similar problem. If it helps, I added permission (IUSR or depending on your OS) to the root web directory, and it worked.

deepak