
ASP.NET MVC 3: I cannot navigate to my "Content" directory until authorized

All, I am deploying an MVC 3 Application to a test server for the first time. The app runs just as expected locally out of Cassini. However, on the server through IIS, it will not display CSS until I am authenticated. If I try to navigate to localhost/Content/Site.css, it redirects me to the login page. I checked in IIS and anonymous authentication is enabled.

Any ideas what might be the problem?

Thanks!


I had a similar problem. For me, the answer was to give Read permissions to the folder to IUSR as well as IIS_IUSRS.


Add the following to your web.config. You have to tell asp.net that the following directory can be accessed whether you are authenticated or not. This belongs in the configuration setting in your web.config.

<configuration>
...

<location path="Content">
  <system.web>
    <authorization>
      <allow users="*" />
    </authorization>
  </system.web>
</location>

...

<system.web>
  <authorization>
    <deny users="?" />
  </authorization>
</system.web>
.....

</configuration>
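
To check what a web.config like the one above grants to unauthenticated visitors before deploying it, the rule evaluation can be modelled offline. This is an added example, not code from any of the answers; the function names are hypothetical, and it assumes only the `users` attribute matters (`roles` and `verbs` are ignored) and that the machine-level default is `<allow users="*"/>`.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the web.config from the answer above, elided parts omitted.
SAMPLE_CONFIG = """
<configuration>
  <location path="Content">
    <system.web>
      <authorization><allow users="*" /></authorization>
    </system.web>
  </location>
  <system.web>
    <authorization><deny users="?" /></authorization>
  </system.web>
</configuration>
"""

def _rules(parent):
    """(action, users) pairs from parent/system.web/authorization, in file order."""
    auth = parent.find("system.web/authorization")
    if auth is None:
        return []
    return [(r.tag, [u.strip() for u in r.get("users", "").split(",")])
            for r in auth if r.tag in ("allow", "deny")]

def anonymous_allowed(config_xml, url_path):
    """True if an unauthenticated request for url_path passes URL authorization."""
    root = ET.fromstring(config_xml.strip())
    target = url_path.strip("/").lower()
    matching = []
    for loc in root.findall("location"):
        prefix = loc.get("path", "").strip("/").lower()
        # Match on whole path segments so "Content" does not cover "ContentOld".
        if prefix and (target == prefix or target.startswith(prefix + "/")):
            matching.append((len(prefix), loc))
    # Rules from the most specific <location> are checked before site-wide ones.
    rules = []
    for _, loc in sorted(matching, key=lambda m: -m[0]):
        rules += _rules(loc)
    rules += _rules(root)
    for action, users in rules:
        # "?" is the anonymous user, "*" is everyone; the first matching rule wins.
        if "?" in users or "*" in users:
            return action == "allow"
    return True  # nothing matched: the machine-level default allows all users

if __name__ == "__main__":
    for path in ("/Content/Site.css", "/Home/Index"):
        print(path, "anonymous allowed:", anonymous_allowed(SAMPLE_CONFIG, path))
```

Running the same check over every `<location>` path in a real web.config shows which directories are reachable without logging in, which is worth reviewing so that only static assets are opened up.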


Look at the permissions on the files and make sure they match the files you can match. Secondly, check your web.config to ensure you are not using authorization elements in there such as:

<authorization>
    <allow users="user1, user2"/>
    <deny users="?"/>
</authorization>


You cannot use routing or web.config files to secure your MVC application. The only supported way to secure your MVC application is to apply the [Authorize] attribute to each controller and action method (except for the login/register methods). Making security decisions based on the current area is a Very Bad Thing and will open your application to vulnerabilities.

You can read more here.

You can control your authentication method in your web.config file:

<authentication mode="Forms">
  <forms loginUrl="~/Account/LogOn" defaultUrl="~/Home/Index" timeout="2880" protection="All" slidingExpiration="true" />
</authentication>

Then you have to use the [Authorize] attribute for the controller/action you want to protect.
Generally you don't want to protect the Account controller.

Another useful link.
