Menu disappears on <authorization> change

[David Thielen]

Hi;

If I have:
<authorization>
<deny users="?"/>
<allow roles="Windward Users"/>
</authorization>
Then my page shows up fine and it allows any authenticated user (even those
not in the Users role) in.

If I do:
<authorization>
<deny users="*"/>
<allow roles="Windward Users"/>
</authorization>
Then it only allows people in the Users role in - but my menu is gone. My
menu is a <asp:Menu .../> control using a Web.sitemap file for the menu. The
rest of the page is there - it's just the menu I lose.

Any idea why changing the permission like this does this?

 

[Dominick Baier [DevelopMentor]]

do this:

<allow roles="Windward Users"/>
<deny users="*" />

 

[David Thielen]

That fixed it - thank you.

Can you tell me why please?

--
thanks - dave
david_at_windward_dot_net
http://www.windwardreports.com

 

[Dominick Baier [DevelopMentor]]

because that expresses exactly what you want -

only allow access to this role - the rest is denied - read more here:

http://www.leastprivilege.com/ASPNETAuthorizationSettings.aspx

 

[Luke Zhang [MSFT]]

I think this may be related to how ASP.NET authorization module iterates
through the allow and deny elements. from the document, the order of allow
and deny elements should be:

<authorization>
<allow .../>
<deny .../>
</authorization>

So, keep them in right order may help protecting from unexpected results.

Regards,

Luke Zhang
Microsoft Online Community Support

==================================================
When responding to posts, please "Reply to Group" via your newsreader so
that others may learn and benefit from your issue.
==================================================

(This posting is provided "AS IS", with no warranties, and confers no
rights.)