requesting client has been authenticated, the server must then
determine whether this user is allowed to access the resources it is
requesting. This process is known as authorization. You have already seen an
example of authorization in Example 19-4 and Example 19-5, in the
<authorization> sections in web.config. The details of authorization will
now be explained. There are two ways of authorizing users: file
authorization and URL authorization.
Any Windows operating system that supports NTFS (this includes Windows NT, Windows 2000, and Windows XP) uses a security system based on Access Control Lists (ACLs). ACLs control access to any specific file or directory based on the requesting user’s membership in a Windows Domain or Active Directory and the group(s) to which that user belongs. You have seen users and groups in Figure 19-4.
You will only be able to use file authorization if the hard drive(s) containing the resources are formatted using NTFS.
If all the legitimate users of a web application are known to have Windows user accounts, then you can use file authorization to authorize a user’s access to a resource. Each user is assigned to an appropriate group and that group is given the necessary permissions, using the Computer Management console, to use the application.
For further information on the minimum file access rights required by a web application, see the Microsoft Knowledge Base Article Q187506, “List of NTFS Permissions ...