IIS 7.5 and making anonymous authentication/forms authentication play nicely together

Question

I've got an ASP.NET MVC 4 application that I run under the site level of an IIS web site.

So the dir structure looks like this:

\IIS
    \Site
        \bin
        \Content
        \Views

The MVC 4 app uses Forms Authentication via Username and Password, but I have a requirement to lock down the full site and turn off anonymous authentication at the IIS level.

The goal of this requirement is to allow users only to land on a home page and logon page. The problem is if I turn off anonymous authentication then users can't even get to home or login.

Another thing we want to prevent a user from being able to go to /Content/Scripts/MyScript.js in their browser.

I'm using bundling so those file are there and don't get used by me besides when I bundle things up.

Is this even possible since IIS and MVC 4 auth are at completely different level? If it is possible what options do I have?

Answer 1

Chris Pratts answer is correct. You can successfully turn of anonymous authentication and let MVC4 handle all of that for you.

Make sure in your web.config you have the following

<modules runAllManagedModulesForAllRequests="true"></modules>

In your system.webserver section.

Another thing you can do is make use of the locations tags in IIS to prevent user access to different parts of the site.

For example, you could put this in your web.config

  <location>
    <system.web>
      <authorization>
        <deny users="?" />
      </authorization>
     </system.web>
  </location>

This ensures that only authenticated users can access the site. You can then further refine this.

  <location path="External">
    <system.web>
      <authorization>
        <allow users="*" />
      </authorization>
    </system.web>
   </location>

Basically, now any request to /External will be allowed for all users (regardless of authentication). You will probably want to put all your scripts in here that you need unauthenticated users to access.

If there was a specific directory you didn't want anyone to access, you could do something like

      <location path="/Content/Scripts">
        <system.web>
          <authorization>
            <deny users="*" />
          </authorization>
        </system.web>
       </location>

Now any access to that location will be prevented by default in IIS. Give that a try, it should satisfy your requirement to have the scripts available for bundling, but not accessible if someone browses directly to it.

Answer 2

I only halfway got what I wanted, but here is what I ended up doing. I have anonymous authentication enabled at the site level and used Forms authentication for specific controllers. This was how I originally had it so nothing changed here.

Since I am using bundles the users never really need to look at the .js so I used Request Filtering by file extension so block any .js and even .css I don't want exposed.

This works because the bundling doesn't make http requests to those files and the bundles themselves don't have the normal JavaScript and CSS file extensions.

Answer 3

You don't handle this at the IIS-level. You simply allow Anonymous Auth and then add [Authorize] to every controller. Then only on your home and login actions add the attribute [AllowAnonymous] .

As to the second part of your question, you can't really stop this. MVC bundles on the fly, so it needs the actual files to be there. If they're never referenced, though, they're black holes: the user would have no way of knowing what file to request, so it's kind of security by obscurity.