
Web.Config Authorization for folder access

When managing access rules in the login module, is there an explicit deny all at the end?

Let's say I have two roles: Administrator and Member

Administrators are allowed into the folder iPhone and Members are allowed in the folder Blackberry

I manage my rules and get the following code in each web.config:

"iPhone"
<system.web>
  <authorization>
    <allow roles="Administrator" />
  </authorization>
</system.web>

"Blackberry"
<system.web>
  <authorization>
    <allow roles="Member" />
  </authorization>
</system.web>

But can Administrators access the Blackberry folder and Members the iPhone folder? Or do I need to add a rule saying deny roles="Administrator" in the Blackberry folder and deny roles="Member" in the iPhone folder?

Thanks!!

I take it you mean using an ASP.net application...

Add in a:

<deny users="*" />

after your authorized users.

I think you should also be using user rather than role

http://msdn.microsoft.com/en-us/library/wce3kxhd.aspx

When you create a new web application, all web.config settings (global, site and local) are merged together to form the configuration that's really in effect for this application. By default a local web.config does not contain an authorization section but inherits the one defined globally. So you always end up with a entry.

http://www.leastprivilege.com/ASPNETAuthorizationSettings.aspx
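
The merge behaviour described in the answers above, as an added example that is not part of the original posts and is not ASP.NET's own code: a simplified Python model of first-match rule evaluation, where the folder's rules are checked before the inherited default of <allow users="*" /> from the root configuration. The function names, the sample users and the exact-match role comparison are assumptions of this model.

```python
import xml.etree.ElementTree as ET

# Inherited default from the root configuration: everyone is allowed.
INHERITED = '<authorization><allow users="*" /></authorization>'

# Constructed inputs: the iPhone folder rules as posted in the question,
# and the same rules with the suggested <deny users="*" /> appended.
IPHONE_AS_POSTED = '<authorization><allow roles="Administrator" /></authorization>'
IPHONE_WITH_DENY = ('<authorization><allow roles="Administrator" />'
                    '<deny users="*" /></authorization>')


def _names(value):
    """Split a comma-separated users/roles attribute into a set."""
    return {part.strip() for part in value.split(",") if part.strip()}


def parse_rules(xml_text):
    """Return [(action, users, roles)] in document order."""
    return [(el.tag, _names(el.get("users", "")), _names(el.get("roles", "")))
            for el in ET.fromstring(xml_text)]


def matches(rule, user, roles):
    """user is None for an anonymous request; roles is the user's role list."""
    _, rule_users, rule_roles = rule
    if "*" in rule_users:                      # "*" means all users
        return True
    if "?" in rule_users and user is None:     # "?" means anonymous users
        return True
    if user is not None and user in rule_users:
        return True
    return bool(rule_roles & set(roles))


def is_allowed(folder_xml, user, roles):
    """Folder rules come first, inherited rules after; the first match decides."""
    for rule in parse_rules(folder_xml) + parse_rules(INHERITED):
        if matches(rule, user, roles):
            return rule[0] == "allow"
    return False  # model's choice; not reached while INHERITED matches everyone


if __name__ == "__main__":
    for label, xml in (("as posted", IPHONE_AS_POSTED), ("with deny", IPHONE_WITH_DENY)):
        print(label,
              "admin:", is_allowed(xml, "alice", ["Administrator"]),
              "member:", is_allowed(xml, "bob", ["Member"]),
              "anonymous:", is_allowed(xml, None, []))
```

With the rules as posted, a Member (and an anonymous visitor) falls through the Administrator rule and is admitted by the inherited allow; with the deny appended, only Administrators get in.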
