
Aspx authorization in Web.Config

I need to modify the web.config file to ensure that First.aspx can be accessed by only members of the Subscribers group.

What is correct:

A

    <location path="First.aspx">
      <system.web>
        <authorization>
          <allow roles="Subscribers"/>
          <deny users="*"/>
        </authorization>
      </system.web>
    </location>

or

B

    <location path="First.aspx">
      <system.web>
        <authorization>
          <deny users="*"/>
          <allow roles="Subscribers"/>
        </authorization>
      </system.web>
    </location>

and why?

The first is correct, because the second will deny everyone before it even tries to check their roles. deny and allow entries are tested in the order they are entered.

Here I found this ( http://weblogs.asp.net/gurusarkar/archive/2008/09/29/setting-authorization-rules-for-a-particular-page-or-folder-in-web-config.aspx ) so A is correct:

Since the authorization is done from top to bottom, rules are checked until a match is found. Here we have <deny users="*"/> first and so it will not check for allow any more and deny access even if in Admin role.

So PUT all allows BEFORE ANY deny.

NOTE: deny works the same way as allow. You can deny particular roles or users as per your requirement.
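
The first-match evaluation both answers describe, as an added example that is not part of either answer or of ASP.NET itself: a small Python model that evaluates options A and B for a given user and flags rules that sit unreachable behind a users="*" entry. It ignores the verbs attribute and parent-config inheritance, and assumes the inherited default of allowing everyone when no rule matches; the function names and the user "alice" are hypothetical.

```python
import xml.etree.ElementTree as ET

# Constructed copies of options A and B from the question.
OPTION_A = """<location path="First.aspx"><system.web><authorization>
  <allow roles="Subscribers"/>
  <deny users="*"/>
</authorization></system.web></location>"""
OPTION_B = """<location path="First.aspx"><system.web><authorization>
  <deny users="*"/>
  <allow roles="Subscribers"/>
</authorization></system.web></location>"""

def _names(value):
    # Comma-separated attribute -> names; case-insensitive is a simplification.
    return {v.strip().lower() for v in (value or "").split(",") if v.strip()}

def _rules(location_xml):
    auth = ET.fromstring(location_xml).find(".//authorization")
    return [r for r in auth if r.tag in ("allow", "deny")]

def rule_matches(rule, user, roles):
    users = _names(rule.get("users"))
    if "*" in users or ("?" in users and user is None):  # "*" all, "?" anonymous
        return True
    if user is not None and user.lower() in users:
        return True
    return bool(_names(rule.get("roles")) & {r.lower() for r in roles})

def is_allowed(location_xml, user, roles=()):
    """Top-to-bottom evaluation: the first matching rule decides."""
    for rule in _rules(location_xml):
        if rule_matches(rule, user, roles):
            return rule.tag == "allow"
    return True  # assumption: inherited default <allow users="*"/> applies

def shadowed_rules(location_xml):
    """Rules placed after a users="*" rule can never be reached."""
    dead, catch_all_seen = [], False
    for rule in _rules(location_xml):
        if catch_all_seen:
            dead.append((rule.tag, dict(rule.attrib)))
        elif "*" in _names(rule.get("users")):
            catch_all_seen = True
    return dead

if __name__ == "__main__":
    for name, cfg in (("A", OPTION_A), ("B", OPTION_B)):
        print(name, is_allowed(cfg, "alice", ["Subscribers"]), shadowed_rules(cfg))
```

Running shadowed_rules over the authorization sections of a real web.config is a quick review check: any entry it returns is a rule that has no effect.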

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.