S
SeanRW
Hello,
I have a question as to how URL Authorization and File Authorization
work together. In particular, how can one supercede the other.
In our setup, the impersonated user has an ACL on the resource (File
Authorization would be successful).
Yet, the URL Authorization rules are written so that they should
prevents that user from accessing a resource (URL Authorization should
deny this user access).
Why can a successful File Authorization bypass the denied URL
Authorization evaluation?
Example:
The user, DOMAIN\doug has a full access to Home.aspx.
The URL Authorization rules prevent anyone but "AuditUsers" from
</system.web>
<location path="home.aspx">
<system.web>
<authorization>
<allow roles="DOMAIN\AuditUsers" />
<deny users="*" />
</authorization>
</system.web>
</location>
Any thoughts? The documentation isn't clear on precedence rules (if
any).
-SeanRW
I have a question as to how URL Authorization and File Authorization
work together. In particular, how can one supercede the other.
In our setup, the impersonated user has an ACL on the resource (File
Authorization would be successful).
Yet, the URL Authorization rules are written so that they should
prevents that user from accessing a resource (URL Authorization should
deny this user access).
Why can a successful File Authorization bypass the denied URL
Authorization evaluation?
Example:
The user, DOMAIN\doug has a full access to Home.aspx.
The URL Authorization rules prevent anyone but "AuditUsers" from
</system.web>
<location path="home.aspx">
<system.web>
<authorization>
<allow roles="DOMAIN\AuditUsers" />
<deny users="*" />
</authorization>
</system.web>
</location>
Any thoughts? The documentation isn't clear on precedence rules (if
any).
-SeanRW