Hello, I have a problem with the security on my website. There is a folder containing documentation (doc and pdf files) which only logged-in users can access.

It's working correctly in development environment (with the virtual server provided by Visual Studio 2005) but when my website is running on IIS, security does not take effect for documentation folder (but yes for the rest). That's to say, when I write the url of a document on the browser, it's opened properly, though i'm not logged-in.

I have read on a develpment site that security just work for aspx pages but not for asp, html or other type of documents, but I'm no sure fo that. Can anybody help me

Here is the security code on my web.config file:

<authentication mode="Forms">
<forms loginUrl="login.aspx">
</forms>
</authentication>

<authorization>
<deny users=" "/>
<allow users="*"/>
</authorization>

IIS works by mapping each file type to an ISAPI handler. In the case of .doc and .pdf files it won't map it to ASP.NET. Therefore the ASP.NET security infrastructure is not available for these file types. Alternatives are to put the documents in a folder that can't be accessed directly through the web or to remap the file types to the ASP.NET handler. The following article gives you more information: http://aspnet.4guysfromrolla.com/articles/020404-1.aspx

Michael Taylor - 12/1/06