How to do Forms Authentication on purely HTML pages using ASP.NET?

Abe picture Abe · Aug 28, 2010 · Viewed 22.9k times · Source

I am using forms authentication in IIS7 to password-protect a dev site, but the authentication seems to get by-passed when the site contains only static HTML files + login.aspx + web.config.

When I renamed the files to .aspx, I am prompted with the login form I am not doing anything fancy. I have a very simple login script and it should just redirect to index.html afterward.

Any suggestions? To summarize, the entire site is using HTML (for now) and needs to be password protected.

<authentication mode="Forms">
  <forms name="appNameAuth" path="/" loginUrl="~/login.aspx" defaultUrl="index.html" protection="All" timeout="525600">
    <credentials passwordFormat="Clear">
      <user name="[user]" password="[password]" />
    </credentials>
  </forms>
</authentication>
<authorization>
  <deny users="?" />
</authorization>

Answer

Kelsey picture Kelsey · Aug 28, 2010

To make the HTML files locked down by your forms authetication, you need have them served by ASP.NET. You can do this in IIS by associating the extension(s) you need (eg. .html, .htm, etc) with the aspnet_isapi.dll.

Onces ASP.NET is servicing those files you can specify the permissions for them just like any aspx page.

For more information refer to MSDN:

By default, IIS processes static content itself - like HTML pages and CSS and image files - and only hands off requests to the ASP.NET runtime when a page with an extension of .aspx, .asmx, or .ashx is requested.

IIS 7, however, allows for integrated IIS and ASP.NET pipelines. With a few configuration settings you can setup IIS 7 to invoke the FormsAuthenticationModule for all requests. Furthermore, with IIS 7 you can define URL authorization rules for files of any type. For more information, see Changes Between IIS6 and IIS7 Security, Your Web Platform Security, and Understanding IIS7 URL Authorization.

Long story short, in versions prior to IIS 7, you can only use forms authentication to protect resources handled by the ASP.NET runtime. Likewise, URL authorization rules are only applied to resources handled by the ASP.NET runtime. But with IIS 7 it is possible to integrate the FormsAuthenticationModule and UrlAuthorizationModule into IIS's HTTP pipeline, thereby extending this functionality to all requests.