Securing your Web Application
Now we have two roles, and two users (admin and cristian), but we still need to
secure the application. You should have restricted access earlier in this chapter
by modifying Web.config like this:
File: Web.config (excerpt)
<authorization>
<deny users="?" />
</authorization>
If you haven't already done so, you can add this code now, or use Visual Web
Developer to add it for you. Open the ASP.NET Web Site Administration Tool,
click the Security tab, and click Create access rules. Create a new access rule for
the Dorknozzle directory, as shown in Figure 13.14, to Deny all Anonymous users.
Figure 13.14. No anonymous users in Dorknozzle
Check the options indicated in Figure 13.14 and click OK. If you look at your
updated Web.config file, you'll see the new authorization element that denies
anonymous access.
Creating Access Rules Using the Administration Tool
Note that, while useful, this tool can be misleading. When you add a new
access rule using the ASP.NET Web Site Administration Tool, the new rule
is added to Web.config, even if it existed before! If you used the tool
multiple times in the previous example, you could end up with repetitions
like this:
<authorization>
<deny users="?" />
<deny users="?" />
<deny users="?" />
</authorization>
Also, keep in mind that the new rules you add using the tool are appended
to the bottom of the list. This is important because these rules are applied
in sequence! For example, adding a new rule that allows anonymous users
doesn't change the line created previously. Instead, it creates a new entry:
<authorization>
<deny users="?" />
<allow users="?" />
</authorization>
As these rules are processed in sequence, all anonymous users would be rejected
even after we added the new rule. The tool isn't smart enough to detect such
logical contradictions, so you must be careful with your rule-setting.
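To make the two pitfalls above concrete (duplicated rules, and a later rule that can never fire because an earlier one already matches the same principals), here is a small evaluator and linter for the authorization element. It is an added example, not code from the book or from ASP.NET itself; it models the first-matching-rule-wins behaviour of ASP.NET URL authorization (with "?" meaning anonymous users and "*" meaning everyone), treats "no rule matched" as allow, which is what the machine-level default produces, and also honours the roles attribute even though the excerpt's own examples only use users. The two XML snippets are constructed copies of the configurations discussed in the text.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the contradictory configuration the text warns about.
CONTRADICTORY = """
<authorization>
  <deny users="?" />
  <allow users="?" />
</authorization>
"""

# Constructed sample: duplicates left behind by running the admin tool repeatedly.
DUPLICATED = """
<authorization>
  <deny users="?" />
  <deny users="?" />
  <deny users="?" />
</authorization>
"""


def parse_rules(xml_text):
    """Return the allow/deny rules as (verb, users, roles) tuples in document order."""
    root = ET.fromstring(xml_text.strip())
    rules = []
    for el in root:
        if el.tag not in ("allow", "deny"):
            continue
        users = [u.strip() for u in el.get("users", "").split(",") if u.strip()]
        roles = [r.strip() for r in el.get("roles", "").split(",") if r.strip()]
        rules.append((el.tag, users, roles))
    return rules


def rule_matches(rule, user, user_roles):
    """True if this rule applies to the given principal (user=None means anonymous)."""
    _verb, users, roles = rule
    anonymous = user is None
    for u in users:
        if u == "*":
            return True
        if u == "?" and anonymous:
            return True
        if not anonymous and u.lower() == user.lower():
            return True
    if not anonymous:
        held = {r.lower() for r in user_roles}
        for r in roles:
            if r == "*" or r.lower() in held:
                return True
    return False


def is_allowed(xml_text, user=None, user_roles=()):
    """Evaluate rules top to bottom; the first match decides.

    Assumption (matches ASP.NET's machine-level default): no matching rule means allow.
    """
    for rule in parse_rules(xml_text):
        if rule_matches(rule, user, user_roles):
            return rule[0] == "allow"
    return True


def lint(xml_text):
    """Report rules that repeat an earlier rule, or that can never fire because an
    earlier rule with the opposite verb already covers exactly the same principals."""
    findings = []
    seen = []  # (verb, principal-set) for every rule processed so far
    for i, (verb, users, roles) in enumerate(parse_rules(xml_text), start=1):
        key = (frozenset(users), frozenset(roles))
        for j, (prev_verb, prev_key) in enumerate(seen, start=1):
            if prev_key == key:
                if prev_verb == verb:
                    findings.append(f"rule {i} duplicates rule {j}")
                else:
                    findings.append(
                        f"rule {i} ({verb}) is unreachable: rule {j} ({prev_verb}) "
                        f"matches the same principals first"
                    )
                break
        seen.append((verb, key))
    return findings


if __name__ == "__main__":
    print("anonymous allowed by CONTRADICTORY?", is_allowed(CONTRADICTORY))
    for finding in lint(CONTRADICTORY) + lint(DUPLICATED):
        print(finding)
```

Running the script shows anonymous users are still rejected by the contradictory configuration, and the linter flags both the unreachable allow rule and the repeated deny rules; the same lint could be run against Web.config after each use of the Administration Tool to catch what the tool does not.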
Before moving on, make sure your authorization element looks like this:
File: Web.config (excerpt)
<authorization>
<deny users="?" />
</authorization>
At this point, no unauthenticated users can access your application. Since this
is an intranet application that is supposed to be accessed only by Dorknozzle's
employees, this security requirement makes sense.
However, we'd like to impose more severe security restrictions on the
AdminTools.aspx file, which is supposed to be accessed only by administrators.
Unfortunately, the ASP.NET Web Site Application Configuration tool can't help you
Chapter 13: Security and User Authentication