Silverlight XAP File Security


I’m using a standard ASP.NET login page to protect a Silverlight XAP file – I don’t want users to be able to download the XAP unless they login in.

To do this I added the following to system.web in the web application’s web.config:

<authentication mode="Forms">
   <forms loginUrl="login.aspx" timeout="30" />
   <deny users="?"/>

If I use the application using the Visual studio development web server then everything works as I expect. However, if I use IIS then you can browse and download the XAP without logging in.

Am I missing something or is this not possible?

You would have to protect your directory in IIS itself in order to deny the user. Here's some information that should help you out: IIS Secure Content