ASP.NET Authorization

ASP.NET Authentication/Authorization

ASP.NET Authorization:

There are two main authorization types: File Authorization and URL Authorization. Let’s start with the latter:

URL Authorization:

URL authorization is specified in web.config files with a declarative syntax. It is only interested in the security status of the user and the URL resource being requested, hence the name. If the page is forbidden for the requesting user and forms authentication is used, the user is redirected to the login page and prompted to log in. If Windows authentication is active, the user receives a 401 – access denied page. That page can be customized with the customErrors tag in web.config, if needed.

Authorization rules:

An authorization section looks like the following:

<authorization>
                <allow users="X, Y, Z" roles="A, B, C" verbs="M, N, O"/>

                <deny users="0, 1, 2" roles="D, E, F" verbs="J, K, L" />
</authorization>

In this context, verbs are HTTP verbs such as POST, GET, and PUT. Wildcards can be used in place of strings: “?” means unauthenticated users, while “*” means all users. ASP.NET processes the rules from top to bottom and stops at the first matching rule. So the following ordering is undesired:

<allow users="*"/>

<deny users="Pat, Josh"/>

Pat and Josh will both gain access to the protected resource, because the first line allows anybody to enter, and the second line doesn’t even get evaluated.
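
The first-match rule described above, as an added example (not code from the original post): a small Python model of the evaluation order, plus a check that flags rules made unreachable by an earlier catch-all. The function names, the constructed sample section, the "user name or role" matching, and the allow-by-default fallback when no rule matches are assumptions of this example.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the misordered rules from the text above.
SAMPLE = """<authorization>
  <allow users="*"/>
  <deny users="Pat, Josh"/>
</authorization>"""

def _csv(value):
    """Split a comma-separated attribute into lowercase, trimmed entries."""
    return [v.strip().lower() for v in (value or "").split(",") if v.strip()]

def load_rules(xml_text):
    """Return the rules of the first <authorization> element, in document order."""
    auth = next(ET.fromstring(xml_text).iter("authorization"))
    return [(r.tag, _csv(r.get("users")), _csv(r.get("roles")), _csv(r.get("verbs")))
            for r in auth if r.tag in ("allow", "deny")]

def matches(rule, user, roles, verb):
    """Simplified model: the verb must match, then the user name or any role."""
    _, users, rule_roles, verbs = rule
    if verbs and verb.lower() not in verbs:
        return False
    if "*" in users or (user is None and "?" in users):
        return True
    name_hit = user is not None and user.lower() in users
    return name_hit or any(r.lower() in rule_roles for r in roles)

def is_allowed(rules, user, roles=(), verb="GET"):
    """First matching rule wins; user=None models an unauthenticated request."""
    for rule in rules:
        if matches(rule, user, roles, verb):
            return rule[0] == "allow"
    return True  # assumption: nothing matched, so the inherited default allows

def shadowed(rules):
    """Indexes of rules that can never fire because an earlier rule matches everyone."""
    for i, (_, users, _, verbs) in enumerate(rules):
        if "*" in users and not verbs:
            return list(range(i + 1, len(rules)))
    return []

if __name__ == "__main__":
    rules = load_rules(SAMPLE)
    print("Pat allowed:", is_allowed(rules, "Pat"), "| unreachable rules:", shadowed(rules))
```

Running `shadowed` over the authorization sections of a site's web.config files is a quick review step for this ordering mistake.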

The location tag can be used to specify authorization rules for a particular path. It must be outside the default system.web section, and it should be nested directly in the base configuration tag, like this:

<configuration>
    <location path="SomeSite.aspx">
        <system.web>
            <authorization />
        </system.web>
    </location>
</configuration>


File Authorization:

File authorization is only enabled with Windows authentication. It consists of granting rights on specific folders and files, through the Windows file system, to the default or the impersonated ASP.NET user.
