Has there been a change to the way asp.net authorization / authentication deals with non asp.net files?

Whenever I've worked with asp.net authentication / authorization in the past, I can remember that it never used to secure .htm .js .css files (actually, any file that isn't processed by asp.net isapi dll).

After a while of doing other work I've now come back to doing some web development, this time using VS2010 and now the opposite is true. It appears as if all files are secured because the images and .js files on my login page aren't working.

My question is, was my initial assumption about how non asp.net files are dealt with wrong? If not, when did this change happen? Has there been a change in the VS2010 development server that now means that all files are processed by asp.net?

Many thanks.

Edit to add:

I've just noticed that when I run my project from a local IIS server, non asp.net files (eg images and .js) are NOT secured. However, when run from the VS Development server they are. Clearly this down to configuration differences between IIS and the dev server. This leads me to another question.. Is it possible to co开发者_高级运维nfigure the VS dev server?

I've since found out some more info relating to this issue.

IIS 7 in integrated pipeline mode will indeed process the requests for all files through the same pipe as asp.net content, meaning that the behaviour of Authorizing non asp.net files will change.

However, to maintain backwards compatibility, Authorization has been set up with a precondition that will ignore anything that is not asp.net content. This creates the appearance that the behaviour hasn't changed.

If you would like to change this behaviour and secure non asp.net content, you can override this precondition by adding the following to the web.config.

<system.webServer>
  <modules>
    <remove name="FormsAuthenticationModule" />
    <add name="FormsAuthenticationModule" type="System.Web.Security.FormsAuthenticationModule"  />
    <remove name="UrlAuthorization" />
    <add name="UrlAuthorization" type="System.Web.Security.UrlAuthorizationModule" />
    <remove name="DefaultAuthentication" />
    <add name="DefaultAuthentication" type="System.Web.Security.DefaultAuthenticationModule" />
  </modules>
</system.webServer>

This effectively removes the HttpModules along with their precondition and re-adds them without it.

Cassini is set up to use integrated pipeline mode and it doesn't have the backwards compatibility precondition. This means that if you're using the VS2010 dev server with forms authentication, you have no choice in the matter, non asp.net content will always be secured.

No it wasn't. It is how it works by defualt in IIS 6 (an older) and in IIS7+ with classic pipeline but it can be changed by routing all content through aspnet isapi.

If you use integrated pipeline in IIS7+ or VS Developement Web server (Cassini) all requests are routed through asp.net authentication.