Authorization refers to the process of determining what a user is authorized to do in your web application. In Lessons 26 and 27 you learned how to use various types of authentication to determine who the user is. In this lesson you learn how to control to which pages users have access.
Authorization works the same way regardless of how the user is authenticated. Authorization is configured by using the authorization element in the web.config file. If you place the following authorization element into the root web.config file, all anonymous users are denied access to your web site:
    <configuration>
      ...
      <system.web>
        ...
        <authorization>
          <deny users="?"/>
        </authorization>
      </system.web>
    </configuration>
Even if you deny access to all anonymous users, the login page is still accessible to anonymous users.
The authorization element can include multiple deny and allow elements. These elements are used to deny and grant access to resources, respectively. These are the attributes of the deny and allow elements:
users — This attribute is used to identify one or more users. You can identify users by name or you can use the question mark (?) to represent all anonymous users and the asterisk (*) to represent all authenticated users.
roles — This attribute is used to identify one or more roles.
verbs — This attribute is used to identify the HTTP verb. The default is all.
The deny and allow elements must include at least one user or role ...
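An audit of the authorization section described above, as an added Python example that is not code from the original lesson: it reports deny or allow rules that carry neither users nor roles, an anonymous deny that is limited by verbs, and a web.config that never denies users="?". The function names, finding codes and sample configuration are constructed for illustration, and the review warning for an allow placed ahead of the anonymous deny assumes ASP.NET applies the first rule that matches.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the allow rule names no users or roles, and the
# anonymous deny is limited to POST, so it does not cover other verbs.
SAMPLE_WEB_CONFIG = """\
<configuration>
  <system.web>
    <authorization>
      <allow verbs="GET"/>
      <deny users="?" verbs="POST"/>
    </authorization>
  </system.web>
</configuration>
"""

def split_list(value):
    """Split a comma-separated attribute value into trimmed items."""
    return [item.strip() for item in (value or "").split(",") if item.strip()]

def audit_authorization(config_xml):
    """Return (code, detail) findings for system.web/authorization."""
    section = ET.fromstring(config_xml).find("./system.web/authorization")
    if section is None:
        return [("no-authorization-element", "no <authorization> in <system.web>")]
    findings, anonymous_denied = [], False
    for position, rule in enumerate(section, start=1):
        if rule.tag not in ("allow", "deny"):
            continue
        users = split_list(rule.get("users"))
        roles = split_list(rule.get("roles"))
        verbs = split_list(rule.get("verbs"))
        label = f"rule {position} <{rule.tag}>"
        if not users and not roles:
            findings.append(("missing-users-or-roles", label))
        if rule.tag == "deny" and "?" in users:
            if verbs:  # deny applies only to the listed HTTP verbs
                findings.append(("anonymous-deny-limited-to-verbs",
                                 f"{label} verbs={','.join(verbs)}"))
            else:
                anonymous_denied = True
        elif rule.tag == "allow" and users and not anonymous_denied:
            # Assumption: first matching rule wins, so this allow is evaluated first.
            findings.append(("review-allow-users-before-anonymous-deny", label))
    if not anonymous_denied:
        findings.append(("anonymous-not-denied", 'no unrestricted <deny users="?"/>'))
    return findings
```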