wonky <authorization> (order matters?)

Discussion in 'ASP .Net Security' started by SpaceMarine, May 21, 2008.

  1. SpaceMarine

    SpaceMarine Guest

    hello,

    i am using Windows authentication w/ my web app and lock it down via
    roles. in my testing it seems like the *order* of the <authorization>
    elements matters.

    eg, this works:

    <authorization>
    <allow roles="Foo" />
    <deny users="?" />
    <deny users="*" />
    </authorization>

    but this doesnt:

    <authorization>
    <deny users="?" />
    <deny users="*" />
    <allow roles="Foo" />
    </authorization>

    ....for the latter my browser keeps popping a credentials dialog, even
    tho im in the Foo role.


    is this expected behavior? ASP.NET v2.


    thanks!
    sm
     
    SpaceMarine, May 21, 2008
    #1
    1. Advertisements

  2. SpaceMarine

    Joe Kaplan Guest

    Yes, it does matter. It evaluates each rule in order until it matches and
    then it applies the allow or deny based on the match.

    Joe K.

    --
    Joe Kaplan-MS MVP Directory Services Programming
    Co-author of "The .NET Developer's Guide to Directory Services Programming"
    http://www.directoryprogramming.net
    --
    "SpaceMarine" <> wrote in message
    news:...
    > hello,
    >
    > i am using Windows authentication w/ my web app and lock it down via
    > roles. in my testing it seems like the *order* of the <authorization>
    > elements matters.
    >
    > eg, this works:
    >
    > <authorization>
    > <allow roles="Foo" />
    > <deny users="?" />
    > <deny users="*" />
    > </authorization>
    >
    > but this doesnt:
    >
    > <authorization>
    > <deny users="?" />
    > <deny users="*" />
    > <allow roles="Foo" />
    > </authorization>
    >
    > ...for the latter my browser keeps popping a credentials dialog, even
    > tho im in the Foo role.
    >
    >
    > is this expected behavior? ASP.NET v2.
    >
    >
    > thanks!
    > sm
     
    Joe Kaplan, May 21, 2008
    #2
    1. Advertisements

Want to reply to this thread or ask your own question?

It takes just 2 minutes to sign up (and it's free!). Just click the sign up button to choose a username and then you can ask your own questions on the forum.
Similar Threads
  1. Jason Ferguson

    Introducing Dot Net Matters

    Jason Ferguson, Nov 20, 2005, in forum: ASP .Net
    Replies:
    0
    Views:
    436
    Jason Ferguson
    Nov 20, 2005
  2. Leonard Slatkin
    Replies:
    1
    Views:
    4,670
    Ray Tayek
    Nov 30, 2003
  3. Justine
    Replies:
    0
    Views:
    479
    Justine
    Mar 21, 2006
  4. pooh
    Replies:
    5
    Views:
    625
    Karl Heinz Buchegger
    Jan 25, 2005
  5. vegetax
    Replies:
    4
    Views:
    419
    Michael Hoffman
    Apr 20, 2005
  6. Twisted

    Wonky HTTP behavior?

    Twisted, Nov 13, 2006, in forum: Java
    Replies:
    7
    Views:
    643
    Twisted
    Nov 14, 2006
  7. SeanRW
    Replies:
    1
    Views:
    601
    Dominick Baier [DevelopMentor]
    May 25, 2006
  8. mindseeker

    javascript resize in IE/XP wonky

    mindseeker, Jan 24, 2006, in forum: Javascript
    Replies:
    3
    Views:
    210
    Randy Webb
    Jan 27, 2006
Loading...