ASP.NET MVC 3 error when using forms authentication

I'm using forms authentication for my MVC 3 application. I've added this line in my configuration:

<authorization>
<allow roles="Administrator"/>
<deny users="*"/>
</authorization>

When i run the application (on my local box) I get the errors listed below and none of the CSS styles come through. But when I log-in, everything looks fine. So I guess I have a couple of questions:

1. Is it best practice to add the authorization rules in the web.config or should I add it to the [Authorize] attribute within the controlle开发者_C百科r.
2. I only get the errors listed below when I add the authorization rules in the web.config. What am i missing?

Help would be appreciated. Thank you.

p.s. I'm using Internet Explorer 8

Webpage error details

User Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; GTB6.5; .NET CLR 2.0.50727; InfoPath.2; .NET4.0C; .NET4.0E; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729) Timestamp: Fri, 13 May 2011 15:48:19 UTC

Message: Syntax error Line: 1 Char: 1 Code: 0 URI: http://localhost:1361/Account/LogOn?ReturnUrl=%2fScripts%2fjquery-1.4.4.min.js

Message: Syntax error Line: 1 Char: 1 Code: 0 URI: http://localhost:1361/Account/LogOn?ReturnUrl=%2fScripts%2fjquery.validate.min.js

Message: Syntax error Line: 1 Char: 1 Code: 0 URI: http://localhost:1361/Account/LogOn?ReturnUrl=%2fScripts%2fjquery.validate.unobtrusive.min.js

In your web.config, you are restricting access to everyone but administrators in all cases. Check out this link to give you more options on what you can do. (like allowing access to specific folders)

http://weblogs.asp.net/gurusarkar/archive/2008/09/29/setting-authorization-rules-for-a-particular-page-or-folder-in-web-config.aspx

The problem is, as you seem to have guessed, that the CSS files are protected by your authorization rules. The reason that this differs between applying the rules in web.config and applying via Authorize attributes, is that since the MVC framework doesn't send requests for files that exist on disc via your controllers, the requests for the CSS files (which exist on disc) never see the attribute. They do, however, see the authorization rules in web.config.

There are a couple of ways you can solve this. Either one will work fine.

1. Use the <location> tag to allow any users to request your CSS files.
2. Skip authorization in web.config and use the Authorize attribute instead. If you do this, you can apply the attribute globally in global.asax.cs so you won't have to remember doing it on every controller.