Doubt in Forms authentication configuration settings

Discussion in 'ASP .Net Security' started by Naveen Kumar, Apr 1, 2005.

  1. Naveen Kumar (Guest)


    In Asp.net forms authentication. In order to restrict certain files from
    anonymous users the settings in web.config should be
    <deny users="?"/>
    which will not allow anonymous users.
    My doubt is, Though .NET classes are able to detect the difference between
    the anonymous users and authenticated users then why it's not made like
    <allow users="<certain symbol>"/>
    which will allow the authenticated users only.
    Is there any particular reason for restricting with the deny keyword?
    Please make it clear
    Thanks in advance
    Naveen Kumar, Apr 1, 2005
    #1

  2. Teemu Keiski (Guest)


    Hi,

    Settings between the <authorization> tags (<allow> or <deny>) are evaluated in the
    order they are placed. This is described in the docs:

    "
    At run time, the authorization module iterates through the <allow> and
    <deny> tags until it finds the first access rule that fits a particular
    user. It then grants or denies access to a URL resource depending on whether
    the first access rule found is an <allow> or a <deny> rule. The default
    authorization rule in the Machine.config file is <allow users="*"/> so, by
    default, access is allowed unless configured otherwise.
    "

    And if you check this page where I took this text:
    http://msdn.microsoft.com/library/d...s/cpgenref/html/gngrfauthorizationsection.asp

    There it is told that ? (question mark) means anonymous users and * (asterisk)
    means all users. Therefore, to limit access by default, you need to deny
    access to unauthenticated users, so that they get redirected to the
    logon page and possibly get authenticated.

    But the reason there isn't an "allow all authenticated users" rule is probably
    that it is easier to say who should be able to access a certain restricted
    page, like allowing only admins into a certain section (which denies all other
    users, whether authenticated or not):

    <authorization>
    <allow roles="admins"/>
    <deny users="*"/>
    </authorization>

    I cannot speak for the ASP.NET team, but IMO this way the settings are more
    explicit (semantically, denying all unauthenticated users is the same as
    allowing all authenticated users; however, allowing users case by case is then
    more explicit), as it should be, so that access is denied by default unless there
    is a reason to access that page.

    --
    Teemu Keiski
    ASP.NET MVP, AspInsider
    Finland, EU

    "Naveen Kumar" <Naveen > wrote in message
    news:...
    > In Asp.net forms authentication. In order to restrict certain files from
    > anonymous users the settings in web.config should be
    > <deny users="?"/>
    > which will not allow anonymous users.
    > My doubt is, Though .NET classes are able to detect the difference between
    > the anonymous users and authenticated users then why it's not made like
    > <allow users="<certain symbol>"/>
    > which will allow the authenticated users only.
    > Is there any particular reason by restricting with deny keyword
    > ?
    > Please make it clear
    > Thanks in advance
    Teemu Keiski, Apr 5, 2005
    #2
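The first-match evaluation that Teemu quotes from the docs, and the `<deny users="?"/>` setting from the question, can be checked offline with a small model of the `<authorization>` section. The following is an added example, not code from the thread or from ASP.NET itself: it parses a web.config authorization fragment, appends the Machine.config default `<allow users="*"/>` that the quoted text mentions, and returns the decision together with the rule that produced it. The user names, roles and config fragments are constructed for illustration, and the case-insensitive name comparison is an assumption of this model.

```python
# Added example (not from the thread): a first-match evaluator modelling how
# ASP.NET applies the <authorization> section, so the effect of rule order and of
# the "?" / "*" wildcards can be checked offline. Users, roles and config
# fragments below are constructed for illustration.
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field
from typing import Optional, Set, Tuple

# The Machine.config default quoted in the thread: allow everyone unless a rule
# placed earlier (i.e. in web.config) matches first.
MACHINE_CONFIG_DEFAULT = '<authorization><allow users="*"/></authorization>'


@dataclass
class User:
    name: Optional[str]                  # None models an anonymous (unauthenticated) request
    roles: Set[str] = field(default_factory=set)

    @property
    def authenticated(self) -> bool:
        return self.name is not None


def _rule_matches(rule: ET.Element, user: User) -> bool:
    """True if this <allow>/<deny> element applies to the user.
    '?' = anonymous users, '*' = all users, otherwise a user name or a role name."""
    users = [u.strip() for u in rule.get("users", "").split(",") if u.strip()]
    roles = [r.strip() for r in rule.get("roles", "").split(",") if r.strip()]
    for u in users:
        if u == "*":
            return True
        if u == "?" and not user.authenticated:
            return True
        # Name comparison is modelled as case-insensitive (assumption of this example).
        if user.authenticated and u.lower() == user.name.lower():
            return True
    # A role can only match an authenticated user; anonymous requests carry no roles.
    return user.authenticated and any(r in user.roles for r in roles)


def is_allowed(web_config_authorization: str, user: User) -> Tuple[bool, str]:
    """Evaluate the web.config rules in document order, then the Machine.config
    default. Returns (allowed, text of the first matching rule)."""
    rules = list(ET.fromstring(web_config_authorization)) + list(ET.fromstring(MACHINE_CONFIG_DEFAULT))
    for rule in rules:
        if rule.tag not in ("allow", "deny"):
            continue  # anything that is not an access rule is ignored
        if _rule_matches(rule, user):
            attrs = " ".join(f'{k}="{v}"' for k, v in rule.attrib.items())
            return rule.tag == "allow", f"{rule.tag} {attrs}"
    return True, "no rule matched"  # unreachable: the default <allow users="*"/> always matches


# Constructed config fragments: the one from the question, the admins-only one
# from the answer, and the same admins-only rules in the wrong order.
DENY_ANONYMOUS = '<authorization><deny users="?"/></authorization>'
ADMINS_ONLY = '<authorization><allow roles="admins"/><deny users="*"/></authorization>'
ADMINS_ONLY_MISORDERED = '<authorization><deny users="*"/><allow roles="admins"/></authorization>'

# Constructed requests.
ANONYMOUS = User(None)
ALICE_ADMIN = User("alice", {"admins"})
BOB_MEMBER = User("bob", {"members"})

if __name__ == "__main__":
    configs = [("deny ?", DENY_ANONYMOUS), ("admins only", ADMINS_ONLY),
               ("admins only, misordered", ADMINS_ONLY_MISORDERED)]
    for label, cfg in configs:
        for who in (ANONYMOUS, ALICE_ADMIN, BOB_MEMBER):
            allowed, why = is_allowed(cfg, who)
            print(f"{label:25} {who.name or '(anonymous)':12} -> "
                  f"{'allow' if allowed else 'deny':5} via {why}")
```

Running the block shows why the order matters: with `<deny users="?"/>` alone, anonymous requests hit the deny rule and every authenticated user falls through to the Machine.config `<allow users="*"/>`, which is exactly the "allow authenticated only" behaviour the question asks about. The misordered admins-only fragment is the configuration mistake to watch for in review: `<deny users="*"/>` placed first matches everyone, so the `<allow roles="admins"/>` after it is never reached and even admins are locked out.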
