
Why is <deny users="?" /> included in the following example?

Wildcard ? represents non-authenticated users, but * represents all authenticated and non-authenticated users. My book shows the following URL authorization example:

    <authorization>
      <deny users="?" />
      <allow users="dan,matthew" />
      <deny users="*" />
    </authorization>


But does the above code have the same effect as:

    <authorization>
      <allow users="dan,matthew" />
      <deny users="*" />
    </authorization>

or did the author also include the rule <deny users="?" /> for some reason?

+56
authentication authorization forms-authentication asp.net-membership
May 6, '09 at 21:58
4 answers

ASP.NET grants access from the configuration file in order of precedence. In the event of a potential conflict, the first occurring grant takes precedence. So,

 deny users="?"

denies access to the anonymous user. Then

 allow users="dan,matthew"

grants access to those users. Finally, it denies access to everyone. This shakes out as everyone except dan and matthew being denied access.

Edited to add: and, as @Deviant points out, denying access to unauthenticated users is pointless, since the last entry also includes unauthenticated users. A good blog post discussing this topic can be found at: Guru Sarkar's Blog

+73
May 6 '09 at 10:14

"At run time, the authorization module iterates through the allow and deny elements, starting at the most local configuration file, until the authorization module finds the first access rule that fits a particular user account. Then, the authorization module grants or denies access to a URL resource depending on whether the first access rule found is an allow or a deny rule. The default authorization rule. Thus, by default, access is allowed unless configured otherwise."

MSDN Article

 deny = * means deny everyone
 deny = ? means deny unauthenticated users

In your first example, deny * will not affect dan, matthew, since they were already allowed by the previous rule.

According to the docs, there is no difference in your 2 sets of rules.

+32
May 06 '09 at 10:11 p.m.
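The first-match evaluation quoted in the answer above, modelled as an added example (not code from the original answers or from ASP.NET itself): it evaluates both rule sets from the question for an anonymous request and three signed-in users. It assumes a single configuration file, ignores the roles and verbs attributes, and compares names exactly; rule set C and the user "eve" are constructed for contrast.

```python
import xml.etree.ElementTree as ET

# Rule sets A and B are the two from the question; C is constructed for contrast.
RULES_A = '<authorization><deny users="?" /><allow users="dan,matthew" /><deny users="*" /></authorization>'
RULES_B = '<authorization><allow users="dan,matthew" /><deny users="*" /></authorization>'
RULES_C = '<authorization><deny users="?" /></authorization>'

def parse_rules(xml_text):
    """Return [(action, [user tokens])] in document order."""
    root = ET.fromstring(xml_text)
    return [(el.tag, [u.strip() for u in el.get("users", "").split(",")])
            for el in root if el.tag in ("allow", "deny")]

def matches(tokens, user):
    """user is None for an anonymous request, else the authenticated name."""
    for tok in tokens:
        if tok == "*":                      # everyone, signed in or not
            return True
        if tok == "?" and user is None:     # anonymous requests only
            return True
        if user is not None and tok == user:
            return True
    return False

def decide(xml_text, user):
    """First matching rule wins; with no match, the quoted default is allow."""
    for index, (action, tokens) in enumerate(parse_rules(xml_text), start=1):
        if matches(tokens, user):
            return action, index
    return "allow", None

def outcomes(xml_text, users):
    """Map each user to the allow/deny decision for one rule set."""
    return {u: decide(xml_text, u)[0] for u in users}

# Constructed identities: None = anonymous, "eve" = some other signed-in user.
USERS = [None, "dan", "matthew", "eve"]

if __name__ == "__main__":
    for name, rules in (("A", RULES_A), ("B", RULES_B), ("C", RULES_C)):
        for user in USERS:
            action, index = decide(rules, user)
            print(f"set {name}  user={user or '(anonymous)'}: {action} (rule {index})")
```

Sets A and B give identical decisions; the only difference is which rule rejects the anonymous request (rule 1 in A, rule 2 in B). Set C shows where `<deny users="?" />` does change the result: with no later `deny *`, every signed-in user falls through to the default allow.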

Example 1 is for ASP.NET applications using forms authentication. This is a common practice for Internet applications, as the user is unauthenticated until authenticated against some security module.

Example 2 is for an ASP.NET application using Windows authentication. Windows Authentication uses Active Directory to authenticate users. This will prevent access to your application. I use this feature in intranet applications.

+3
May 6 '09 at

See two links:

deny Element for authorization (ASP.NET Settings Schema): http://msdn.microsoft.com/en-us/library/vstudio/8aeskccd%28v=vs.100%29.aspx

allow Element for authorization (ASP.NET Settings Schema): http://msdn.microsoft.com/en-us/library/vstudio/acsd09b0%28v=vs.100%29.aspx

+1
Aug 19 '13 at 20:54