So, I recently had to write a small application that would basically prevent anonyomous users from accessing a site...which normally would take all of 5 minutes. The catch, though, was that the site I had to prevent access to was static content...predominantly HTML and Flash movies. Setting up forms authentication at first glance seems to work without issue...until you try to access an HTML file directly. Upon doing so, you'll go to the HTML page without issue for the simple fact that HTML pages aren't pushed through the ASPX pipeline which prevents HTTP requests from being intercepted and redirected to what would be a login page.
The good news is this is very easy to solve, using the following technique you'll be able to prevent access to any file-type, HTML, JPG, etc. For the purposes of my instructions I'll assume we're just adding .HTML, but you'll need to modify the extension as it pertains to your file-type. Please note, I came across the instructions for this here - I decided to put them here for others to leverage...as well as myself when I forget the steps 8 months from now :)
1. Configure forms authentication as you normally would
2. Navigate to the IIS Snap-in and right-click your virtual directory or web-site, and select properties.
3. Navigate to the "Home Directory" tab within the properties window, and click "Configuration" At this point, you'll hopefully see something similar to the following:
4. Not surprisingly, this is where file extensions and handlers are associated. We'll simply need to add the association between the .HTML extension and the ISAPI.
5. First, though, we'll need to grab the path for the ISAPI filter we want to use. I think the path is probably standard depending on what framework you're using, but to stay on the safe side scroll to the .aspx file extension in the "Application Extensions" listing. Once you find it, either double-click it or highlight it and click "Edit". You'll see a window that resembles the following:
6. All we need to do here is copy some information. Go ahead and launch notepad or your preferred text editor. Copy the full path to the aspnet_isapi.dll and copy the verbs in the "Limit to:" text-field. In this case, that'll be GET,HEAD,POST,DEBUG. After you grab that information, cancel out of this window.
7. You should be back at the "Application Configuration" screen. Go ahead and click "Add". The add button will launch a window identical to the window above. You just need to populate it by copying and pasting in the path to the aspnet_isapi.dll and the verbs in the "Limit to:" text-box. Basically, it should look identical to the following:
8. That should do it for the IIS portion. Now, all you need to do to take advantage of this set-up is modify your web.config by adding these lines the following. In the httpHandlers section add:
<httpHandlers>
<!-- other verbs removed to stay concise -->
<add verb="GET, HEAD, POST, DEBUG" path="*.html" type="System.Web.UI.PageHandlerFactory"/>
</httpHandlers>
9. Last step...add the following to the web.config within the compilation section...
<buildProviders>
<add extension=".html" type="System.Web.Compilation.PageBuildProvider" />
</buildProviders>
10. In theory, you're done. You'll need to do the same type of thing with the other extensions you'd like to do this with (that means one for .htm, too). Also, you may want to think about doing this for things like images, CSS, etc.
Enjoy...