In my ASP.NET Core project, I have the integration with Identity Server. So, users have to login in Identity Server and then they have access to the application.

The design department gave me some static page in HTML5 to publish but only authenticated people or with a specific role can see those pages.

I thought to use the old web.config to protect this folder like

<location path="subdir1">
    <system.web>
        <authorization>
            <allow users ="*" />
        </authorization>
    </system.web>
</location>

but it doesn't work also because I want to use Roles instead of users.

Any idea?

Update

A quick solution is to add some setting in the Startup.cs

public void ConfigureServices(IServiceCollection services)
{
// ...
services.AddAuthorization(options =>
{
options.FallbackPolicy = new AuthorizationPolicyBuilder()
.RequireAuthenticatedUser()
.Build();
});
}

public void Configure(IApplicationBuilder app, IWebHostEnvironment env)
{
if (env.IsDevelopment())
{
app.UseDeveloperExceptionPage();
}
else
{
app.UseExceptionHandler("/Home/Error");
app.UseHsts();
}
app.UseHttpsRedirection();

app.UseRouting();

app.UseCookiePolicy();
app.UseAuthentication();
app.UseAuthorization();
app.UseSession();

const string cacheMaxAge = "604800";
app.UseStaticFiles(new StaticFileOptions
{
OnPrepareResponse = ctx =>
{
ctx.Context.Response.Headers.Append(
"Cache-Control", $"public, max-age={cacheMaxAge}");
},
FileProvider = new PhysicalFileProvider(
Path.Combine(env.ContentRootPath, "html")),
RequestPath = "/infographics"
});

app.UseEndpoints(endpoints =>
{
endpoints.MapControllerRoute(
name: "default",
pattern: "{controller=Home}/{action=Index}/{id?}");
});
}

The directory html is in the project's root. The folder is protected but the rest of the website can't read the wwwroot folder and for example my home page looks like that:

and I can see in the Devtool that all files under wwwroot are not accessible