Authorization elements in web.config

Hi.

I would like to confirm a behaviour in the authorization element from
the web.config file. Suppose the following (using Forms authentication) :

<authorization>
<deny users="?" />
<deny users="User1" />
<allow users="User1" />
</authorization>

When I try to logon as the User1, I am not redirected to my default
page. But if I change the elements to:

<authorization>
<deny users="?" />
<allow users="User1" />
<deny users="User1" />
</authorization>

I am redirected. It leads me to imagine that there is not some
precedence between the allow and deny tags, so the user will be allowed
or denied to access based on the configuration that first appears. Is it
right?
If using windows authentication, suppose the User1 is in the Admins role
and the configuration is:
<authorization>
<allow roles="Admins" />
<deny users="User1" />
</authorization>

Will the user be denied or allowed to access the site resources?
Regards,
Chris Leffer
Nov 18 '05 #1
I would assume the user would be denied, as you expressly denied the user.
In the first examples, you have the same user name twice, which means you
have a conflict.

Now, as to the reason the first "wins". It is most likely the way XML config
files are parsed, which, I believe, is in reverse order. As such, the deny,
in the first example, overrides your allow and vice versa in the second.
Someone can correct me on this if I am wrong. I know this is the way many
files were parsed in the not so distant past, so it makes sense, looking at
your example.

I have not tested my assumption, so a good test is in order. If someone has
already tested this, please post. Confirmations are always good things.

--
Gregory A. Beamer
MVP; MCP: +I, SE, SD, DBA

Nov 18 '05 #2
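
ASP.NET's documented URL authorization rule is that `<allow>` and `<deny>` elements are checked from top to bottom and the first one that matches the user decides, with an inherited `<allow users="*" />` as the fallback. The Python model below is an added illustration, not code from the thread or from ASP.NET; `is_authorized`, `_names` and the three constants are hypothetical names, and case-insensitive name matching is a simplifying assumption.

```python
import xml.etree.ElementTree as ET

# Constructed from the three configurations quoted in the thread.
DENY_FIRST = """<authorization>
  <deny users="?" />
  <deny users="User1" />
  <allow users="User1" />
</authorization>"""
ALLOW_FIRST = """<authorization>
  <deny users="?" />
  <allow users="User1" />
  <deny users="User1" />
</authorization>"""
ROLE_THEN_USER = """<authorization>
  <allow roles="Admins" />
  <deny users="User1" />
</authorization>"""


def _names(value):
    """Split a comma-separated users/roles attribute into a lowercase set."""
    return {n.strip().lower() for n in (value or "").split(",") if n.strip()}


def is_authorized(config_xml, user=None, roles=()):
    """Return True if access is granted. user=None means an anonymous request."""
    user_roles = {r.lower() for r in roles}
    for rule in ET.fromstring(config_xml):
        if rule.tag not in ("allow", "deny"):
            continue
        users = _names(rule.get("users"))
        matched = (
            "*" in users                              # every user
            or ("?" in users and user is None)        # anonymous users only
            or (user is not None and user.lower() in users)
            or bool(_names(rule.get("roles")) & user_roles)
        )
        if matched:                                   # first match decides
            return rule.tag == "allow"
    return True  # nothing matched: inherited default is <allow users="*" />


if __name__ == "__main__":
    print("deny first :", is_authorized(DENY_FIRST, "User1"))
    print("allow first:", is_authorized(ALLOW_FIRST, "User1"))
    print("role first :", is_authorized(ROLE_THEN_USER, "User1", ["Admins"]))
    print("other user :", is_authorized(ALLOW_FIRST, "User2"))
```

Under this rule the role-based configuration admits User1 because the role rule comes first. Any authenticated user not named in a rule falls through to the default allow unless the list ends with `<deny users="*" />`.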
