Authorization in ASP.NET (IIS 6.0)
The purpose of authorization is to determine whether an identity should be granted the requested type of access to a given resource. There are two fundamental ways to authorize access to a given resource:
The URLAuthorizationModule is available for use at any time. You only need to place a list of users and/or roles in the <allow> or <deny> elements of the <authorization> section of a configuration file.
To establish the conditions for access to a particular directory, you must place a configuration file that contains an <authorization> section in that directory. The conditions set for that directory also apply to its subdirectories, unless configuration files in a subdirectory override them. The general syntax for this section is as follows.
<[element] [users] [roles] [verbs]/>
An element is required. Either the users or the roles attribute must be included. Both can be included, but both are not required. The verbs attribute is optional.
The permissible elements are <allow> and <deny>, which grant and revoke access, respectively. Each element supports three attributes, which are defined in the following table.
Anonymous users are also denied.
The following example grants access to Kim and members of the Admins role, while denying it to John and all anonymous users:
Both users and roles can refer to multiple entities by using a comma-separated list, as shown in the following example.
<allow users="John, Kim, contoso\Jane"/>
Notice that a domain account, such as contoso\Jane, must be specified with both the domain and the user name.
In addition to identity names, there are two special identities, as shown in the following table.
To allow John and deny everyone else, one might construct the following configuration section.
The following example lets everyone do a GET, but only Kim can use POST.
<allow verbs="GET" users="*"/>
<allow verbs="POST" users="Kim"/>
<deny verbs="POST" users="*"/>
Rules are applied using the following heuristics:
There is also a <location> tag that you can use to specify a particular file or directory to which settings wrapped by that tag (between <location> and </location> tags) should apply.
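As an added illustration (not code from the original page or from ASP.NET itself), this Python sketch models how a list of <allow> and <deny> rules is evaluated, and shows why the order of the rules matters. It assumes rules are checked top to bottom with the first match deciding, that "*" means all users and "?" the anonymous user, and that names compare case-insensitively; the function names and sample strings are constructed for the example.

```python
import xml.etree.ElementTree as ET

# Constructed samples. JOHN_ONLY and MISORDERED hold the same two rules in different order.
GET_POST = ('<authorization><allow verbs="GET" users="*"/>'
            '<allow verbs="POST" users="Kim"/><deny verbs="POST" users="*"/></authorization>')
JOHN_ONLY = '<authorization><allow users="John"/><deny users="*"/></authorization>'
MISORDERED = '<authorization><deny users="*"/><allow users="John"/></authorization>'

def _csv(value):
    """Split a comma-separated attribute into trimmed, lower-cased names."""
    return [v.strip().lower() for v in (value or "").split(",") if v.strip()]

def parse_rules(xml_text):
    """Return [(element, users, roles, verbs)] in document order."""
    rules = []
    for el in ET.fromstring(xml_text):
        if el.tag not in ("allow", "deny"):
            raise ValueError("unexpected element <%s>" % el.tag)
        users, roles = _csv(el.get("users")), _csv(el.get("roles"))
        if not users and not roles:
            raise ValueError("<%s> needs a users or roles attribute" % el.tag)
        rules.append((el.tag, users, roles, _csv(el.get("verbs"))))
    return rules

def _matches(rule, user, user_roles, verb):
    _, users, roles, verbs = rule
    if verbs and verb.lower() not in verbs:
        return False                      # rule is scoped to other HTTP verbs
    if "*" in users:
        return True                       # "*" matches every identity
    if user is None:
        return "?" in users               # "?" matches the anonymous identity
    return user.lower() in users or any(r.lower() in roles for r in user_roles)

def is_allowed(rules, user, user_roles=(), verb="GET"):
    """First matching rule decides. user=None models an anonymous request."""
    for rule in rules:
        if _matches(rule, user, user_roles, verb):
            return rule[0] == "allow"
    # Assumption: no parent configuration file adds rules, so the
    # machine-level default of <allow users="*"/> applies.
    return True
```

With MISORDERED, John is denied because <deny users="*"/> matches before his <allow> rule is reached.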