Monday, 28 March 2011

ASP.NET Authorization


Authorization determines whether an identity should be granted access to a specific resource.
The authorization section of web.config determines which users are allowed to use the website and which are denied.
The following shows the syntax for the authorization section:

<authorization>
    <[allow|deny] users roles verbs />
</authorization>


Attribute   Description

users       Identifies the targeted identities (user accounts) for this element.
            Anonymous users are identified using a question mark (?). You can specify all authenticated users using an asterisk (*).

roles       Identifies a role for the current request that is allowed or denied access to the resource.

verbs       Defines the HTTP verbs to which the action applies, such as GET, HEAD, and POST. The default is "*", which specifies all verbs.


For example:
The default value <deny users="?" /> means to deny any anonymous (unauthenticated) user trying to access the website.

<deny users="john, smith, Ahmed" />

<allow users="john, smith, Ahmed" />
<deny users="*" />

ASP.NET provides the concept of roles, so that each role can be given a different view of specific pages.

<location path="HRpages">
    <system.web>
        <authorization>
            <allow roles="HR" />
            <deny users="*" />
        </authorization>
    </system.web>
</location>
The location element's path is the name of the folder that holds the .aspx pages for a specific role.
As the example shows, <location path="HRpages"> means that all .aspx files under the HRpages folder are protected. <allow roles="HR" /> followed by <deny users="*" /> means: deny everyone access to the pages under HRpages except users who have the HR role.


The following authorization section shows how to allow access to the John identity and deny access to all other users:

<authorization>
    <allow users="John"/>
    <deny users="*"/>
</authorization>

The following example allows all users to perform an HTTP GET for a resource, but allows only the Kim identity to perform a POST operation:

<authorization>
    <allow verbs="GET" users="*"/>
    <allow verbs="POST" users="Kim"/>
    <deny verbs="POST" users="*"/>
</authorization>

To come back to the earlier examples: <deny users="john, smith, Ahmed" /> means to deny the users john, smith and Ahmed access to this website, while <allow users="john, smith, Ahmed" /> followed by <deny users="*" /> means to deny all users except john, smith and Ahmed. The rules are evaluated in the order they appear and the first matching rule wins, so the allow must come before the deny-all; written the other way round, <deny users="*" /> matches everyone first and the three named users are locked out as well.
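The rule-order point is easy to get wrong in a real web.config, so here is an added example (not ASP.NET code, and not from the original post) that parses an <authorization> fragment and evaluates it with the first-match semantics described above. It assumes Microsoft's documented meanings for the attributes: "?" matches only anonymous requests, "*" matches every request (authenticated or not), an omitted verbs attribute means "*", user and role names compare case-insensitively, and a request that matches no rule falls through to the machine-level default, which allows it. The configs it feeds in are the ones from this post plus a deliberately mis-ordered deny-then-allow variant, so you can see the difference.

```python
"""Added example: simulate ASP.NET <authorization> rule evaluation.

Not ASP.NET's own code. Reproduces the documented first-match behaviour of
UrlAuthorizationModule so the effect of rule order can be checked offline.
Assumptions (labelled): "?" = anonymous only, "*" = everyone, verbs default
to "*", names compare case-insensitively, no match => allowed (machine default).
"""
import xml.etree.ElementTree as ET


def _split(value):
    """Split a comma-separated attribute value into trimmed, non-empty items."""
    return [v.strip() for v in value.split(",") if v.strip()]


def parse_rules(xml_text):
    """Parse an <authorization> fragment into an ordered list of rule dicts."""
    root = ET.fromstring(xml_text)
    rules = []
    for el in root:
        if el.tag not in ("allow", "deny"):
            continue
        rules.append({
            "action": el.tag,
            "users": _split(el.get("users", "")),
            "roles": _split(el.get("roles", "")),
            "verbs": [v.upper() for v in _split(el.get("verbs", "*"))],  # assumed default "*"
        })
    return rules


def _matches(rule, user, roles, verb):
    """Return True if the rule applies to this request (user None = anonymous)."""
    if "*" not in rule["verbs"] and verb.upper() not in rule["verbs"]:
        return False
    anonymous = user is None
    for u in rule["users"]:
        if u == "*":                                   # everyone, including anonymous
            return True
        if u == "?" and anonymous:                     # anonymous only
            return True
        if not anonymous and u.lower() == user.lower():
            return True
    wanted = {r.lower() for r in roles}
    return any(r.lower() in wanted for r in rule["roles"])


def is_allowed(rules, user, roles=(), verb="GET"):
    """First matching rule decides; no match falls through to the inherited allow."""
    for rule in rules:
        if _matches(rule, user, roles, verb):
            return rule["action"] == "allow"
    return True


# Constructed configs: the post's examples and a mis-ordered variant.
HR_PAGES = parse_rules('<authorization><allow roles="HR" /><deny users="*" /></authorization>')
ONLY_JOHN = parse_rules('<authorization><allow users="John"/><deny users="*"/></authorization>')
KIM_POSTS = parse_rules(
    '<authorization><allow verbs="GET" users="*"/>'
    '<allow verbs="POST" users="Kim"/><deny verbs="POST" users="*"/></authorization>'
)
RIGHT_ORDER = parse_rules('<authorization><allow users="john, smith, Ahmed" /><deny users="*" /></authorization>')
WRONG_ORDER = parse_rules('<authorization><deny users="*" /><allow users="john, smith, Ahmed" /></authorization>')

if __name__ == "__main__":
    print("HR user on HRpages:", is_allowed(HR_PAGES, "ahmed", roles=["HR"]))
    print("non-HR user on HRpages:", is_allowed(HR_PAGES, "john"))
    print("anonymous POST (Kim rules):", is_allowed(KIM_POSTS, None, verb="POST"))
    print("john, allow before deny-all:", is_allowed(RIGHT_ORDER, "john"))
    print("john, deny-all before allow:", is_allowed(WRONG_ORDER, "john"))
```

Running it prints that john is allowed under RIGHT_ORDER and denied under WRONG_ORDER, which is exactly why the allow lines in the examples above sit before the deny-all line.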
