Whenever I've worked with asp.net authentication / authorization in the past, I can remember that it never used to secure .htm .js .css files (actually, any file that isn't processed by asp.net isapi dll).
After a while of doing other work I've now come back to doing some web development, this time using VS2010 and now the opposite is true. It appears as if all files are secured because the images and .js files on my login page aren't working.
My question is, was my initial assumption about how non asp.net files are dealt with wrong? If not, when did this change happen? Has there been a change in the VS2010 development server that now means that all files are processed by asp.net?
Many thanks.
Edit to add:
I've just noticed that when I run my project from a local IIS server, non asp.net files (eg images and .js) are NOT secured. However, when run from the VS Development server they are. Clearly this down to configuration differences between IIS and the dev server. This leads me to another question.. Is it possible to configure the VS dev server?
No it wasn't. It is how it works by defualt in IIS 6 (an older) and in IIS7+ with classic pipeline but it can be changed by routing all content through aspnet isapi.
If you use integrated pipeline in IIS7+ or VS Developement Web server (Cassini) all requests are routed through asp.net authentication.