I’ve been following the information in https://learn.microsoft.com/en-us/aspnet/core/fundamentals/static-files?view=aspnetcore-9.0 to learn about how to secure a part of a static site I’m writing.
The concept is reasonably clear – anything within wwwroot is not secured and will be served according to the app.UseStaticFiles(); middleware. The secured static content is served from outside the wwwroot folder by the following call.
app.UseStaticFiles(new StaticFileOptions
{
    FileProvider = new PhysicalFileProvider(Path.Combine(builder.Environment.ContentRootPath, "Secured")),
    RequestPath = "/Private",
});
The crucial point is that this happens after the call to app.UseAuthorization with a default fallback implemented as this:
builder.Services.AddAuthorization(options =>
{
    options.FallbackPolicy = new AuthorizationPolicyBuilder()
        .RequireAuthenticatedUser()
        .Build();
});
This appears to be mostly working, in that when I hit anything under /Private/, the authentication scheme is kicking in.
What I can’t figure out is that any resource that doesn’t exist (i.e. a 404) is resulting in the same fallback, including anything in the root path, which I believe shouldn’t require any authorization. For example /favicon.ico, or /notapageyet.html, will cause a redirect to the “login” page as defined by my authentication scheme.
What have I missed?
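For reference, here is a complete Program.cs that wires up the layout the question describes: public files from wwwroot, private files from a "Secured" folder mapped to /Private, and a fallback policy that requires an authenticated user. This is an added example, not the asker's code; the cookie authentication scheme and the /Account/Login path are assumptions standing in for whatever scheme the asker actually uses. The comments mark where each request type is decided, in particular that the fallback policy is evaluated for any request reaching UseAuthorization without endpoint metadata, which covers requests that match no endpoint.

```csharp
// Added example: minimal Program.cs for the public/private static file layout
// described in the question. Not the asker's code.
// Assumptions: cookie authentication with the default scheme and a /Account/Login
// page stand in for the asker's real authentication scheme.
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Authorization;
using Microsoft.Extensions.FileProviders;

var builder = WebApplication.CreateBuilder(args);

builder.Services
    .AddAuthentication(CookieAuthenticationDefaults.AuthenticationScheme)
    .AddCookie(options => options.LoginPath = "/Account/Login"); // assumed path

builder.Services.AddAuthorization(options =>
{
    // Applied to every request that reaches UseAuthorization without its own
    // authorization metadata. A request that matches no endpoint at all carries
    // no metadata, so it is evaluated against this policy too.
    options.FallbackPolicy = new AuthorizationPolicyBuilder()
        .RequireAuthenticatedUser()
        .Build();
});

var app = builder.Build();

// 1. Public static files. This runs before authentication/authorization, so a
//    file that exists in wwwroot is served here and the pipeline short-circuits;
//    the fallback policy is never consulted for it. A request for a file that
//    does not exist in wwwroot falls through to the middleware below.
app.UseStaticFiles();

app.UseRouting();
app.UseAuthentication();
app.UseAuthorization();

// 2. Private static files. Placed after UseAuthorization, so by the time a
//    request for /Private/... arrives here the fallback policy has already
//    challenged anonymous users (redirecting them to LoginPath).
app.UseStaticFiles(new StaticFileOptions
{
    FileProvider = new PhysicalFileProvider(
        Path.Combine(builder.Environment.ContentRootPath, "Secured")),
    RequestPath = "/Private",
});

// An endpoint that explicitly opts out of the fallback policy; endpoints
// without such metadata inherit RequireAuthenticatedUser.
app.MapGet("/health", () => Results.Ok("ok")).AllowAnonymous();

app.Run();
```

To observe the behaviour, request an existing file under wwwroot anonymously (served directly by the first UseStaticFiles), then a path that exists nowhere (reaches UseAuthorization with no endpoint and is challenged by the fallback policy), and compare the responses.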