Question regarding Forms authentication

In ASP.NET forms authentication, in order to restrict certain files from anonymous users we should set something like

    <deny users="?"/>

in the web.config file. Though .NET classes are able to detect the difference between anonymous users and authenticated users, why is it not made like

    <allow users="<certain symbol>"/>

Is there any particular reason for restricting with the deny keyword?

I have already posted in many forums, but in vain. I hope Microsoft professionals may know it.

Thanks in advance

Sorry, but I don't quite understand what it is you're asking. Is there some particular authorization scenario you're not sure how to set up, or is your question about the syntax chosen by Microsoft for implementing the denial of permissions to unauthenticated users?

"Naveen" <Nav***@discussions.microsoft.com> wrote in message news:7778630C-1688-4683-A449-0098010F8008@microsoft.com...
> In Asp.net forms authentication. In order to restrict certain files from
> anonymous users we should set like
> <deny users="?"/> in web.config file
> Though .NET classes are able to detect the difference between the
> anonymous
> users and authenticated users then why
> it's not made like
> <allow users="<certain symbol>"/>
> Is there any particular reason by restricting with deny keyword
> ?
> I have already posted in many forums, but results in vain
> hope microsoft professionals may know it
> Thanks in advance

April 6, 2005

Hi!

Denying users that you know cannot access something is always better than specifying only which users are allowed. Don't get me wrong, you have to specify all users that can access it, BUT if you have a widespread blanket group or role such as ? then it is best to deny it. Take a look at this web.config:

    <!-- Windows Authentication -->
    <authorization>
      <deny users="?"/>
      <allow roles="Domain\IT"/>
    </authorization>

You might think that this will block everybody but the IT role, but it in fact allows ALL authenticated users. This is because the Machine.config has <allow users="*"/>. If you add this line to the web.config file:

    <authorization>
      <deny users="?"/>
      <allow roles="Domain\IT"/>
      <allow users="*"/>
    </authorization>

You see that this will allow all users that are authenticated. Therefore you should always specify a <deny users="*"/> at the end if you want to allow only certain roles. This "*" role also covers unauthenticated users, so you can remove the <deny users="?"/>, as these people will be denied as well.

Hope this helps!

Joseph MCAD

"Naveen" wrote:
> In Asp.net forms authentication. In order to restrict certain files from
> anonymous users we should set like
> <deny users="?"/> in web.config file
> Though .NET classes are able to detect the difference between the anonymous
> users and authenticated users then why
> it's not made like
> <allow users="<certain symbol>"/>
> Is there any particular reason by restricting with deny keyword
> ?
> I have already posted in many forums, but results in vain
> hope microsoft professionals may know it
> Thanks in advance