Chapter 28A. Authorization in Web Forms
Authorization refers to the process of determining what a user is authorized to do in your web application. In Lessons 26 and 27 you learned how to use various types of authentication to determine who the user is. In this lesson you learn how to control to which pages users have access.
AUTHORIZATION ELEMENT
Authorization works the same way regardless of how the user is authenticated. Authorization is configured by using the authorization element in the web.config file. If you place the following authorization element into the root web.config file, all anonymous users are denied access to your web site:
<configuration>
  ...
  <system.web>
    ...
    <authorization>
      <deny users="?"/>
    </authorization>
  </system.web>
</configuration>
Note
Even if you deny access to all anonymous users, the login page is still accessible to anonymous users.
The authorization element can include multiple deny and allow elements. These elements are used to deny and grant access to resources, respectively. These are the attributes of the deny and allow elements:
users — This attribute is used to identify one or more users. You can identify users by name or you can use the question mark (?) to represent all anonymous users and the asterisk (*) to represent all authenticated users.
roles — This attribute is used to identify one or more roles.
verbs — This attribute is used to identify the HTTP verb. The default is all.
The deny and allow elements must include at least one user or role ...
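The users, roles and verbs attributes combined in one rule set, as an added example that is not from the book: a web.config for a hypothetical Admin subfolder. The role names Administrators and Auditors are assumptions made for illustration.

```xml
<!-- Added example: web.config in a hypothetical Admin subfolder.
     ASP.NET checks the rules from top to bottom and applies the
     first one that matches the request, so order matters. -->
<configuration>
  <system.web>
    <authorization>
      <!-- 1. Reject anonymous users before any allow rule is considered. -->
      <deny users="?" />

      <!-- 2. Members of the Administrators role (assumed name) may use
              every HTTP verb, because no verbs attribute is given. -->
      <allow roles="Administrators" />

      <!-- 3. Members of the Auditors role (assumed name) may only read:
              the rule matches GET and HEAD requests and nothing else,
              so a POST from an auditor falls through to rule 4. -->
      <allow roles="Auditors" verbs="GET,HEAD" />

      <!-- 4. Deny every request that reached this point. Without this
              rule the request would fall through to the rules inherited
              from the parent configuration, and an authenticated user
              in neither role would be let in. -->
      <deny users="*" />
    </authorization>
  </system.web>
</configuration>
```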