URL Authorization does not override File Authorization?

Discussion in 'ASP .Net Security' started by SeanRW, May 25, 2006.

SeanRW (Guest)

    Hello,

    I have a question as to how URL Authorization and File Authorization
    work together. In particular, how can one supersede the other.

    In our setup, the impersonated user has an ACL on the resource (File
    Authorization would be successful).
    Yet, the URL Authorization rules are written so that they should
    prevent that user from accessing a resource (URL Authorization should
    deny this user access).

    Why can a successful File Authorization bypass the denied URL
    Authorization evaluation?

    Example:

    The user, DOMAIN\doug has full access to Home.aspx.
    The URL Authorization rules prevent anyone but "AuditUsers" from
    </system.web>
    <location path="home.aspx">
        <system.web>
            <authorization>
                <allow roles="DOMAIN\AuditUsers" />
                <deny users="*" />
            </authorization>
        </system.web>
    </location>

    Any thoughts? The documentation isn't clear on precedence rules (if
    any).
    -SeanRW
     
    SeanRW, May 25, 2006
    #1

    hi,

    some facts:

    a) FileAuth runs only when Windows auth is activated
    b) UrlAuth runs before FileAuth
    c) FileAuth uses the IIS authenticated user to do the ACL check - you can
    inspect that identity on Request.LogonUserIdentity

    If UrlAuth determines the user has no access - HttpApplication.CompleteRequest
    is called which bypasses all other events and goes directly to EndRequest.

    are you sure your <authorization> tag is correct - check my ShowContexts.aspx
    diagnostics page - this is very helpful to diagnose such problems.

    http://www.leastprivilege.com/content/binary/ShowContexts21.zip

    ---------------------------------------
    Dominick Baier - DevelopMentor
    http://www.leastprivilege.com

    > Hello,
    >
    > I have a question as to how URL Authorization and File Authorization
    > work together. In particular, how can one supersede the other.
    >
    > In our setup, the impersonated user has an ACL on the resource (File
    > Authorization would be successful).
    > Yet, the URL Authorization rules are written so that they should
    > prevent that user from accessing a resource (URL Authorization should
    > deny this user access).
    > Why can a successful File Authorization bypass the denied URL
    > Authorization evaluation?
    >
    > Example:
    >
    > The user, DOMAIN\doug has full access to Home.aspx.
    > The URL Authorization rules prevent anyone but "AuditUsers" from
    > </system.web>
    > <location path="home.aspx">
    > <system.web>
    > <authorization>
    > <allow roles="DOMAIN\AuditUsers" />
    > <deny users="*" />
    > </authorization>
    > </system.web>
    > </location>
    > Any thoughts? The documentation isn't clear on precedence rules (if
    > any).
    > -SeanRW
     
    Dominick Baier [DevelopMentor], May 25, 2006
    #2
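To see the pipeline ordering the reply describes on your own site, a small diagnostic HttpModule like the one below can be dropped into App_Code. It is an added example, not the ShowContexts page linked above; the module name, the trace category and the role name DOMAIN\AuditUsers are taken from this thread or chosen here. It records the principal ASP.NET sees, the IIS logon identity that FileAuthorization checks, and which stages fire: PostAuthenticateRequest fires before any authorization, PostAuthorizeRequest only fires if no authorization module called CompleteRequest(), and EndRequest always fires.

```csharp
using System;
using System.Security.Principal;
using System.Web;

// Hypothetical diagnostic module (assumed name). Register it in web.config:
//   <system.web><httpModules><add name="AuthzTrace" type="AuthzTraceModule" /></httpModules></system.web>
// and enable page tracing (<trace enabled="true" pageOutput="true" />) so the
// entries appear in the trace output or at /trace.axd.
public class AuthzTraceModule : IHttpModule
{
    public void Init(HttpApplication app)
    {
        // Baseline: identity is known, authorization has not run yet.
        app.PostAuthenticateRequest += (s, e) => Trace(app, "PostAuthenticateRequest");
        // Reached only if neither UrlAuthorizationModule nor
        // FileAuthorizationModule short-circuited the request.
        app.PostAuthorizeRequest += (s, e) => Trace(app, "PostAuthorizeRequest");
        // Always reached; a 401 here with no PostAuthorizeRequest entry means
        // an authorization module denied access via CompleteRequest().
        app.EndRequest += (s, e) => Trace(app, "EndRequest");
    }

    private static void Trace(HttpApplication app, string stage)
    {
        HttpContext ctx = app.Context;
        IIdentity principal = ctx.User != null ? ctx.User.Identity : null;
        // What FileAuthorization evaluates against the file's ACL (Windows auth only).
        WindowsIdentity logon = ctx.Request.LogonUserIdentity;
        // What UrlAuthorization evaluates against <allow>/<deny> rules.
        bool inAuditUsers = ctx.User != null && ctx.User.IsInRole(@"DOMAIN\AuditUsers");

        ctx.Trace.Write("authz", string.Format(
            "{0}: path={1} User={2} authType={3} LogonUserIdentity={4} inAuditUsers={5} status={6}",
            stage,
            ctx.Request.AppRelativeCurrentExecutionFilePath,
            principal == null ? "(null)" : principal.Name,
            principal == null ? "(none)" : principal.AuthenticationType,
            logon == null ? "(null)" : logon.Name,
            inAuditUsers,
            ctx.Response.StatusCode));
    }

    public void Dispose() { }
}
```

If DOMAIN\doug reaches PostAuthorizeRequest with inAuditUsers=false, the <location> rule is not being applied to that path at all (wrong path, wrong config level, or the rule is not where you think it is); if the request ends with a 401 and no PostAuthorizeRequest entry, URL authorization did deny it and the page was served from somewhere else.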
