Authorizing Users and Roles

ASP.NET URL authorization controls client access to URL resources. It can be configured per HTTP method used to make the request (GET or POST), and it can allow or deny access to individual users or to roles. The following example grants access to a user named someone and a role named Admins; all other users are denied access.

    <authorization>
      <allow users="someone@www.contoso.com" />
      <allow roles="Admins" />
      <deny users="*" />
    </authorization>

The only permissible elements inside an authorization section are allow and deny. Each allow or deny element must carry a users attribute or a roles attribute. Multiple users or roles can be specified in a single element as a comma-separated list:

    <allow users="John,Mary" />

The HTTP method can be indicated using the Verb attribute:

    <allow VERB="POST" users="John,Mary" />
    <deny VERB="POST" users="*" />
    <allow VERB="GET" users="*" />

This example lets Mary and John POST to the protected resources, while everyone else is limited to GET.

There are two special usernames:

  • *: All users
  • ?: Anonymous (unauthenticated) users

These special usernames are commonly used by applications that use forms-based authentication to deny access to unauthenticated users, as in the following example:

    <authorization>
      <deny users="?" />
    </authorization>

URL authorization is computed hierarchically and the rules used to determine access are as follows:

  • Rules relevant to the URL are collected from across the configuration hierarchy and merged into a single list.
  • The most recent rules are placed at the head of the list. Configuration in the current directory therefore comes first, followed by configuration in the immediate parent, and so on, up to the top-level configuration file for the computer.
  • Rules are checked in order until a match is found. If the matching rule is an allow rule, access is granted; if it is a deny rule, access is denied.

Because the first matching rule decides, an application that does not want to inherit its parents' configuration should explicitly configure every case relevant to it, so that a rule further up the hierarchy never gets the chance to match.

The default setting in the machine-wide configuration file (machine.config) is to grant access to all users. Unless an application is configured to the contrary (and assuming that a user is authenticated and passes the file authorization ACL check), access is granted.

When roles are checked, URL authorization effectively marches down the list of configured roles and does something that looks like the following pseudocode:

VB:

    If User.IsInRole("ConfiguredRole") Then
      ApplyRule()
    End If

What this means for your application is that you can supply your own class implementing System.Security.Principal.IPrincipal to provide your own role-mapping semantics, as explained in Windows-based Authentication.
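The following is an added example, not code from the QuickStart, that models the two mechanisms just described: the hierarchical, first-match evaluation of allow/deny rules (including the * and ? users and the VERB attribute) and the role check delegated to an IPrincipal-style callback. The two configuration fragments are the page's own; the parser, the `is_in_role` callback and the case-insensitive attribute handling are assumptions of this model, not ASP.NET's implementation.

```python
import xml.etree.ElementTree as ET

# Constructed web.config fragments, in hierarchy order: the application root
# first, the protected subdirectory last. Both are the page's own examples.
ROOT_AUTH = """<authorization>
  <allow VERB="POST" users="John,Mary" />
  <deny VERB="POST" users="*" />
  <allow VERB="GET" users="*" />
</authorization>"""
SUBDIR_AUTH = """<authorization>
  <allow users="someone@www.contoso.com" />
  <allow roles="Admins" />
  <deny users="*" />
</authorization>"""


def _csv(value):
    """Split a comma-separated attribute value; a missing attribute yields []."""
    return [v.strip() for v in value.split(",")] if value else []


def parse_rules(xml_text):
    """Return (action, users, roles, verbs) tuples in document order."""
    rules = []
    for el in ET.fromstring(xml_text):
        if el.tag not in ("allow", "deny"):
            raise ValueError("only allow/deny elements are permitted, got " + el.tag)
        # The page writes the verb attribute as both Verb and VERB, so this
        # model (an assumption) matches attribute names case-insensitively.
        attrs = {k.lower(): v for k, v in el.attrib.items()}
        users, roles, verbs = (_csv(attrs.get(k)) for k in ("users", "roles", "verb"))
        if not users and not roles:
            raise ValueError("each allow/deny element needs users or roles")
        rules.append((el.tag, users, roles, verbs))
    return rules


def is_authorized(hierarchy, user, verb, is_in_role):
    """hierarchy lists config fragments from the top-level file down to the
    requested directory; user is None for an anonymous request; is_in_role
    stands in for IPrincipal.IsInRole. Deepest rules are checked first, the
    first match decides, and no match grants access (machine.config default)."""
    merged = [r for frag in reversed(hierarchy) for r in parse_rules(frag)]
    anonymous = user is None
    for action, users, roles, verbs in merged:
        if verbs and verb.upper() not in [v.upper() for v in verbs]:
            continue  # rule is scoped to a different HTTP method
        user_hit = "*" in users or ("?" in users and anonymous) or user in users
        role_hit = not anonymous and any(is_in_role(user, r) for r in roles)
        if user_hit or role_hit:
            return action == "allow"
    return True
```

With both fragments in place, John is denied GET even though the root fragment allows GET for everyone, because the subdirectory's deny users="*" is matched first; that shadowing is exactly why the page advises configuring all cases explicitly.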

The following sample uses forms-based authentication services. It explicitly denies access to someone@www.contoso.com and to anonymous users. Try logging into the sample with Username="someone@www.contoso.com" and Password="password": access is denied and you are redirected back to the logon page. Now log on with Username="someone.else@www.contoso.com" and Password="password", and you will see that access is granted.

 
VB Forms-Based/Cookie Authentication with URL Authorization



Copyright 2001-2002 Microsoft Corporation. All rights reserved.