Consider an IIS6 Application under a web site:
This is an ASP.NET MVC application with Areas. The root web.config has the authentication and authorization nodes as follows:
<authentication mode="Windows"></authentication>
<authorization>
<allow users="domain\abc, domain\xyz, domain\foo, domain\bar"/>
</authorization>
My identity is NOT in the list of allowed users. Entering the URL in the browser, I can view and navigate to all the pages within. I know I am being authorized properly, as my Active Directory name is displayed on the site.
Problem: I am given access to the site.
Question: Using the web.config, how can I restrict users based on their Windows credentials to this IIS6 Application?
Try this:
<authorization>
<allow users="domain\abc, domain\xyz, domain\foo, domain\bar"/>
<deny users="*"/>
</authorization>
如何在允许的内容后面添加一个拒绝部分?
<deny users="*" />
The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.