Doubt in Forms authentication configuration settings

Naveen Kumar

In ASP.NET forms authentication, in order to restrict certain files from
anonymous users, the setting in web.config should be
<deny users="?"/>
which will not allow anonymous users.
My doubt is: though .NET classes are able to detect the difference between
anonymous users and authenticated users, then why isn't it made like
<allow users="<certain symbol>"/>
which will allow only the authenticated users?
Is there any particular reason for restricting with the deny keyword?
Please make it clear.
Thanks in advance

Teemu Keiski

Hi,

Settings between the <authorization> tags (<allow> or <deny>) are evaluated in the
order they are placed. This is described in the docs:

"
At run time, the authorization module iterates through the <allow> and
<deny> tags until it finds the first access rule that fits a particular
user. It then grants or denies access to a URL resource depending on whether
the first access rule found is an <allow> or a <deny> rule. The default
authorization rule in the Machine.config file is <allow users="*"/> so, by
default, access is allowed unless configured otherwise.
"

And if you check the page where I took this text:
http://msdn.microsoft.com/library/d...s/cpgenref/html/gngrfauthorizationsection.asp

There it is told that ? (question mark) means anonymous users and * (asterisk)
means all users. Therefore, to limit the access by default, you need to deny
access to unauthenticated users, so that they get redirected to the
logon page and possibly get authenticated.

But why there isn't an "allow all authenticated users" is probably because
it is easier to say who should be able to access a certain restricted page, like
this to allow admins only to a certain section (and deny all other users,
whether authenticated or not):

<authorization>
<allow roles="admins"/>
<deny users="*"/>
</authorization>

I cannot speak for the ASP.NET team, but IMO this way the settings are more
explicit (semantically, denying all unauthenticated users is the same as
allowing all authenticated, however allowing users case-by-case is then more
explicit), as it should be, so that access is denied by default unless there
is a reason to access that page.
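As an added example (not code from the thread or from ASP.NET itself), the following Python re-implements the first-match evaluation that the quoted docs describe, so the effect of rule order and of the "?" and "*" wildcards can be checked against the two fragments discussed above. It assumes the Machine.config default `<allow users="*"/>` as the fallback, ignores the `verbs` attribute, and compares names case-sensitively; the config fragments are constructed for the demonstration.

```python
import xml.etree.ElementTree as ET

# Constructed web.config fragments (not taken from a real site).
DENY_ANON = '<authorization><deny users="?"/></authorization>'
ADMINS_ONLY = ('<authorization><allow roles="admins"/>'
               '<deny users="*"/></authorization>')
# Same two rules in the wrong order: the catch-all deny now matches first.
ADMINS_REVERSED = ('<authorization><deny users="*"/>'
                   '<allow roles="admins"/></authorization>')


def _split(attr):
    """Split a comma-separated users/roles attribute; None means absent."""
    return [v.strip() for v in attr.split(",") if v.strip()] if attr else []


def rule_matches(rule, user, roles):
    """Does one <allow>/<deny> rule fit this principal?
    '?' = anonymous only, '*' = everyone, anything else = exact name or role."""
    for u in _split(rule.get("users")):
        if u == "*" or (u == "?" and user is None) or (user is not None and u == user):
            return True
    return any(r in roles for r in _split(rule.get("roles")))


def is_allowed(config_xml, user, roles=()):
    """First matching rule wins; user=None models an anonymous request.
    If no rule matches, fall through to Machine.config's <allow users="*"/>."""
    root = ET.fromstring(config_xml)
    for rule in root:
        if rule.tag in ("allow", "deny") and rule_matches(rule, user, set(roles)):
            return rule.tag == "allow"
    return True  # assumed default from Machine.config


if __name__ == "__main__":
    print("anonymous vs deny ?:", is_allowed(DENY_ANON, None))             # False
    print("logged-in vs deny ?:", is_allowed(DENY_ANON, "naveen"))         # True
    print("admin, admins-only:", is_allowed(ADMINS_ONLY, "teemu", ["admins"]))  # True
    print("member, admins-only:", is_allowed(ADMINS_ONLY, "naveen", ["users"]))  # False
    print("admin, reversed order:", is_allowed(ADMINS_REVERSED, "teemu", ["admins"]))  # False
```

The last line shows why order matters: with `<deny users="*"/>` placed first, even an admin is locked out.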