There are two main authorization types: File Authorization and URL Authorization. Let’s start with the latter:
URL Authorization is specified in web.config files with a declarative syntax. It is only interested in the security status of the user and the URL resource being requested, hence the name. If the page is forbidden for the requesting user and forms authentication is used, the user will be prompted to log in, that is, redirected to the login page. If Windows authentication is active, the user will receive a 401 access denied page. This can be customized in the web.config customErrors tag if needed.
An authorization section looks like the following:
<allow users="X, Y, Z" roles="A, B, C" verbs="M, N, O" />
<deny users="0, 1, 2" roles="D, E, F" verbs="J, K, L" />
In this context, verbs mean HTTP verbs such as POST, GET, PUT, etc. Two wildcards are available in the users attribute: "?" means unauthenticated (anonymous) users, while "*" means all users. ASP.NET processes the rules from top to bottom and stops at the first matching rule, so the following configuration is undesired:
<allow users="*" />
<deny users="Pat, Josh" />
Pat and Josh will both gain access to the protected resource, because the first line allows anybody to enter and the second line never gets evaluated.
The location tag can be used to scope authorization rules to a particular path. It must be outside the default system.web section and nested directly in the base configuration tag, similar to this:
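As an added example (not from the original article), the following Python evaluator mirrors ASP.NET's top-to-bottom, first-match processing of authorization rules over a constructed web.config whose location tags sit directly under configuration; the Reports location repeats the misordered allow/deny pair from above. The config, the Admin and Reports paths, and the user and role names are assumptions constructed for this example.

```python
import xml.etree.ElementTree as ET

# Constructed web.config (sample input for this example, not a real deployment).
# "Reports" repeats the bad rule ordering discussed above.
WEB_CONFIG = """<?xml version="1.0"?>
<configuration>
  <location path="Admin">
    <system.web><authorization>
      <allow roles="Admins" />
      <deny users="*" />
    </authorization></system.web>
  </location>
  <location path="Reports">
    <system.web><authorization>
      <allow users="*" />
      <deny users="Pat, Josh" />
    </authorization></system.web>
  </location>
</configuration>"""

def _split(attr):
    """Comma-separated attribute -> list, or None when the attribute is absent."""
    return [v.strip() for v in attr.split(",")] if attr else None

def load_rules(config_xml, path):
    """Ordered (action, users, roles, verbs) tuples for one <location path>."""
    root = ET.fromstring(config_xml)
    for loc in root.findall("location"):
        if loc.get("path", "").lower() == path.lower():
            auth = loc.find("system.web").find("authorization")
            return [(r.tag, _split(r.get("users")), _split(r.get("roles")),
                     _split(r.get("verbs"))) for r in auth]
    return []

def is_allowed(rules, user, roles, verb):
    """First matching rule wins, top to bottom. '*' matches everyone, '?' only
    unauthenticated users (user is None); a rule without verbs applies to all."""
    user_roles = {r.lower() for r in roles}
    for action, users, rule_roles, verbs in rules:
        if verbs and verb.upper() not in {v.upper() for v in verbs}:
            continue  # rule is restricted to other HTTP verbs
        user_hit = bool(users) and any(
            u == "*" or (u == "?" and user is None)
            or (user is not None and u.lower() == user.lower()) for u in users)
        role_hit = bool(rule_roles) and any(r.lower() in user_roles for r in rule_roles)
        if user_hit or role_hit:
            return action == "allow"
    return True  # no match: the machine-level root config ends with <allow users="*" />
```

Reversing the Reports rules (deny first, then allow all) is the ordering that actually keeps Pat and Josh out.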
File Authorization is only available with Windows Authentication. It is about granting rights on specific folders and files to the default or the impersonated ASP.NET user through Windows file system permissions (ACLs).