URL Authorization does not override File Authorization?

SeanRW

Hello,

I have a question as to how URL Authorization and File Authorization
work together. In particular, how can one supersede the other?

In our setup, the impersonated user has an ACL on the resource (File
Authorization would be successful).
Yet, the URL Authorization rules are written so that they should
prevent that user from accessing a resource (URL Authorization should
deny this user access).

Why can a successful File Authorization bypass the denied URL
Authorization evaluation?

Example:

The user DOMAIN\doug has full access to Home.aspx.
The URL Authorization rules prevent anyone but "AuditUsers" from

    <!-- end of the application-level <system.web> section in web.config -->
    </system.web>
    <!-- per-file override: only members of DOMAIN\AuditUsers may reach home.aspx -->
    <location path="home.aspx">
        <system.web>
            <authorization>
                <allow roles="DOMAIN\AuditUsers" />
                <deny users="*" />
            </authorization>
        </system.web>
    </location>

Any thoughts? The documentation isn't clear on precedence rules (if
any).
-SeanRW
 
Dominick Baier [DevelopMentor]

hi,

some facts:

a) FileAuth runs only when Windows auth is activated
b) UrlAuth runs before FileAuth
c) FileAuth uses the IIS authenticated user to do the ACL check - you can
inspect that identity on Request.LogonUserIdentity

If UrlAuth determines the user has no access - HttpApplication.CompleteRequest
is called which bypasses all other events and goes directly to EndRequest.

Are you sure your <authorization> tag is correct? Check my ShowContexts.aspx
diagnostics page; it is very helpful for diagnosing such problems.

http://www.leastprivilege.com/content/binary/ShowContexts21.zip
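As an added example (not part of this thread and not the ShowContexts.aspx page linked above), here is the code-behind for a hypothetical diagnostic page `AuthzDiag.aspx` that prints the identity each module evaluates and re-runs the two checks independently, so you can see which one is actually denying or allowing. It assumes a .NET Framework ASP.NET site with Windows authentication enabled in IIS; the class name, page name and the `FileReadAllowed` helper are my own, and the file check is an approximation of FileAuthorizationModule (it opens the physical file for read while impersonating `Request.LogonUserIdentity`).

```csharp
// AuthzDiag.aspx.cs (hypothetical diagnostic page; added example, not the ShowContexts.aspx from the reply)
using System;
using System.IO;
using System.Security.Principal;
using System.Web;
using System.Web.Security;
using System.Web.UI;

public partial class AuthzDiag : Page
{
    protected void Page_Load(object sender, EventArgs e)
    {
        Response.ContentType = "text/plain";

        // The principal UrlAuthorizationModule evaluates against <allow>/<deny> rules.
        IPrincipal principal = Context.User;
        string principalName = (principal != null && principal.Identity != null)
            ? principal.Identity.Name : "(null)";
        Response.Write("HttpContext.User:          " + principalName + "\n");

        // The identity FileAuthorizationModule uses for the ACL check.
        // Only populated when IIS itself performed Windows authentication.
        WindowsIdentity iisUser = Request.LogonUserIdentity;
        Response.Write("Request.LogonUserIdentity: " + (iisUser != null ? iisUser.Name : "(null)") + "\n");

        // The identity the worker thread runs as (process account unless <identity impersonate="true"/>).
        Response.Write("Thread identity:           " + WindowsIdentity.GetCurrent().Name + "\n");

        // Re-run URL authorization for this request's path against the current principal.
        // This consults only the <authorization> rules that apply to the path; the file ACL is ignored,
        // which is why a permissive ACL cannot rescue a request that <deny users="*"/> rejects.
        string virtualPath = Request.AppRelativeCurrentExecutionFilePath;
        bool urlAllowed = UrlAuthorizationModule.CheckUrlAccessForPrincipal(
            virtualPath, principal, Request.HttpMethod);
        Response.Write("UrlAuthorization for " + virtualPath + ": " + (urlAllowed ? "allow" : "deny") + "\n");

        // Approximate FileAuthorization: can the IIS-authenticated user read the physical file?
        Response.Write("FileAuthorization (ACL read as LogonUserIdentity): "
            + FileReadAllowed(iisUser, Request.PhysicalPath) + "\n");
    }

    // Returns "allow" if 'identity' can open 'physicalPath' for reading, "deny" if the ACL refuses,
    // and a short note when there is no Windows-authenticated user to impersonate.
    static string FileReadAllowed(WindowsIdentity identity, string physicalPath)
    {
        if (identity == null)
            return "n/a (no Windows-authenticated user)";

        // Impersonation is undone when the context is disposed at the end of the using block.
        using (WindowsImpersonationContext ctx = identity.Impersonate())
        {
            try
            {
                using (FileStream fs = File.OpenRead(physicalPath)) { }
                return "allow";
            }
            catch (UnauthorizedAccessException)
            {
                return "deny";
            }
        }
    }
}
```

Drop the page into the site, request it as the user in question, and compare the two result lines: in the scenario from the original post you would expect `UrlAuthorization ... deny` together with `FileAuthorization ... allow`, and since UrlAuthorizationModule runs first and ends the request on a deny, the ACL result never gets a chance to matter. If the page instead reports `allow` for the URL check, the `<location>` rules are not being applied to the path you think they are (path casing, a different application root, or the rules living in the wrong web.config are the usual causes).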