I have kestrel using anonymous + NTLM (Windows) authentication and it is working just fine through controllers via [authorize]
However, all the site files (i.e. css, javascript etc.) are still accessible to all because of the anonymous authentication to the site.
Is there a way to set directory authorization through kestrel, so, for example, a specific directory content can only be read by NTLM authenticated users?
I know this can be done simply through IIS and directory based web.config roles, but I am trying to avoid using IIS.
Also, I know the alternative of serving static files from a private directory to a public one when the controller method is invoked, but it seems overly complicated to copy files, then erase them after a timeout. And anyone would be able to access them before they were deleted, so I don't believe that this is the best method.