Authorization determines whether an
identity should be granted access to a specific resource. In ASP.NET, there are
two ways to authorize access to a given resource:
· File authorization: performed by the FileAuthorizationModule. It checks the access control list (ACL) of the .aspx or .asmx handler file to determine whether a user should have access to the file. ACL permissions are verified for the user's Windows identity (if Windows authentication is enabled) or for the Windows identity of the ASP.NET process. For more information, see ASP.NET Impersonation.
· URL authorization: performed by the UrlAuthorizationModule, which maps users and roles to URLs in ASP.NET applications. This module can be used to selectively allow or deny access to arbitrary parts of an application (typically directories) for specific users or roles. Keep in mind that URL authorization only sees requests that are handed to ASP.NET: in IIS classic mode, static files such as .html or .jpg are served by IIS itself and are not covered by these rules unless their extensions are mapped to ASP.NET, and in IIS 7 integrated mode the managed module still runs only for managed handlers unless its managedHandler precondition is removed.
Authorization syntax:
<authorization>
  <[allow|deny] users="..." roles="..." verbs="..." />
</authorization>
An allow or deny element is required. You must specify either the users or the roles attribute; both can be included, but both are not required. The verbs attribute is optional. The users attribute takes a comma-separated list of user names, where * means all users (anonymous users included) and ? means anonymous users only; roles takes a comma-separated list of role names; verbs takes a comma-separated list of HTTP verbs (GET, HEAD, POST, DEBUG). A rule without a verbs attribute applies to every verb.
The following authorization section shows how to allow access to the John identity and deny access to all other users:
<authorization>
  <allow users="John"/>
  <deny users="*"/>
</authorization>
Rules are evaluated in order and the first match wins, so the deny must come after the allow; with the two elements reversed, the deny would match John as well.
The following example allows all users to perform an HTTP GET for a resource, but allows only the Kim identity to perform a POST operation:
<authorization>
  <allow verbs="GET" users="*"/>
  <allow verbs="POST" users="Kim"/>
  <deny verbs="POST" users="*"/>
</authorization>
Note that every rule here is scoped to GET or POST. A PUT or DELETE request matches none of them and falls through to the inherited rules, which by default allow everyone, so a section like this restricts only the verbs it names.
Rules for authorization
· Rules contained in application-level configuration files take precedence over inherited rules. The system determines which rule takes precedence by constructing a merged list of all rules for a URL, with the most specific rules (those nearest the requested URL in the configuration hierarchy) at the head of the list.
· Given a set of merged rules for an application, ASP.NET starts at the head of the list and checks rules until the first match is found. The default configuration for ASP.NET contains an <allow users="*"> element, which authorizes all users. (By default, this rule is applied last.) If no other authorization rule matches, the request is allowed. If a match is found and the match is a deny element, the request is returned with the 401 HTTP status code; when forms authentication is enabled, the FormsAuthenticationModule turns that 401 into a redirect to the login page. If an allow element matches, the module allows the request to be processed further.
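The following is an added example, not ASP.NET's own code, that models the syntax and the two configuration examples above together with the merge and first-match rules just described. It parses <authorization> sections from constructed web.config fragments, puts the rules of the nearest configuration first, appends the default <allow users="*"/>, and returns 200 for an allow match or 401 for a deny match. The function names (parse_rules, merge, authorize) and the two fragments ROOT and SUBDIR are assumptions made for this example; the rule semantics (first match wins, * for all users, ? for anonymous users, verb-scoped rules ignoring other verbs) follow the text above.

```python
"""Model of ASP.NET URL authorization rule evaluation (added example).

Parses <authorization> sections from constructed web.config fragments,
merges them most-specific-first as the UrlAuthorizationModule does, appends
the default <allow users="*"/>, and returns the first-match decision.
"""
import xml.etree.ElementTree as ET

# The machine-level default rule that ASP.NET applies last in the merged list.
DEFAULT_ALLOW_ALL = ("allow", {"*"}, set(), set())


def _csv(attr):
    """Split a comma-separated attribute into a set of lowercase tokens."""
    return {s.strip().lower() for s in attr.split(",") if s.strip()} if attr else set()


def parse_rules(config_xml):
    """Return [(action, users, roles, verbs)] in document order for the
    <authorization> element found in a web.config fragment."""
    root = ET.fromstring(config_xml)
    auth = root if root.tag == "authorization" else root.find(".//authorization")
    if auth is None:
        return []
    rules = []
    for el in auth:
        if el.tag not in ("allow", "deny"):
            continue                                  # ignore unrelated elements
        users, roles = _csv(el.get("users")), _csv(el.get("roles"))
        if not users and not roles:
            raise ValueError("<%s> requires a users or roles attribute" % el.tag)
        verbs = {v.upper() for v in _csv(el.get("verbs"))}   # empty set = all verbs
        rules.append((el.tag, users, roles, verbs))
    return rules


def merge(configs):
    """configs is ordered root-first (root web.config ... deepest directory).
    ASP.NET places the nearest rules at the head of the merged list and the
    default allow-all rule at the tail."""
    merged = []
    for xml in reversed(configs):
        merged.extend(parse_rules(xml))
    merged.append(DEFAULT_ALLOW_ALL)
    return merged


def _matches(rule, user, roles, verb):
    _, users, rule_roles, verbs = rule
    if verbs and verb.upper() not in verbs:
        return False                                  # rule scoped to other verbs
    if "*" in users:                                  # * = every user, anonymous included
        return True
    if user is None:                                  # anonymous request: only ? matches
        return "?" in users
    return user.lower() in users or bool(rule_roles & {r.lower() for r in roles})


def authorize(configs, user, roles=(), verb="GET"):
    """Walk the merged list; stop at the first match: 200 for allow, 401 for deny."""
    for rule in merge(configs):
        if _matches(rule, user, roles, verb):
            return 200 if rule[0] == "allow" else 401
    return 200                                        # not reached: DEFAULT_ALLOW_ALL always matches


# Constructed web.config fragments, copied from the two examples on the page.
ROOT = """<configuration><system.web>
  <authorization>
    <allow users="John"/>
    <deny users="*"/>
  </authorization>
</system.web></configuration>"""

SUBDIR = """<authorization>
  <allow verbs="GET" users="*"/>
  <allow verbs="POST" users="Kim"/>
  <deny verbs="POST" users="*"/>
</authorization>"""

if __name__ == "__main__":
    print(authorize([ROOT], "john"))                        # 200: names compare case-insensitively
    print(authorize([ROOT], None))                          # 401: anonymous hits deny *
    print(authorize([SUBDIR], "John", verb="DELETE"))       # 200: no rule covers DELETE, default allows
    print(authorize([ROOT, SUBDIR], "Kim", verb="DELETE"))  # 401: falls through to the inherited deny
```

Passing [ROOT, SUBDIR] models a subdirectory web.config beneath the application root: the subdirectory's GET rule lets anonymous users read even though the root denies them, while a verb the subdirectory never mentions is decided by the root's rules.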