authorization Element (ASP.NET Settings Schema)

Configures the authorization for a Web application, controlling client access to URL resources.

configuration Element (General Settings Schema)
  system.web Element (ASP.NET Settings Schema)
    authorization Element (ASP.NET Settings Schema)

<authorization> 
   <allow .../>
   <deny .../>
</authorization>

Attributes and Elements

The following sections describe attributes, child elements, and parent elements.

Attributes

None.

Child Elements

Subtag	Description
allow	Adds to the mapping of authorization rules an authorization rule that allows access to a resource.
deny	Adds to the mapping of authorization rules an authorization rule that denies access to a resource.

Parent Elements

Element	Description
configuration	Specifies the required root element in every configuration file that is used by the common language runtime and the .NET Framework applications.
system.web	Specifies the root element for the ASP.NET configuration settings in a configuration file and contains configuration elements that configure ASP.NET Web applications and control how the applications behave.

Remarks

The authorization element configures the authorization for a Web application, controlling client access to URL resources.

At run time, the authorization module iterates through the allow and deny elements, starting at the most local configuration file, until the authorization module finds the first access rule that fits a particular user account. Then, the authorization module grants or denies access to a URL resource depending on whether the first access rule found is an allow or a deny rule. The default authorization rule is <allow users="*"/>. Thus, by default, access is allowed unless configured otherwise.

In order to facilitate deployment, the period (.) shortcut notation for the current computer is supported. This allows you to prefix each user or role with a period-backslash sequence (.\), as follows:

<allow roles=".\roleName"/>
<allow users=".\userName"/>

At run time, the period-backslash sequences are substituted with "localmachinename\" sequences. The substitution is done only if a Microsoft Windows identity is used with the request. This is to avoid conflicts in case the period-backslash sequence sequences are used in arbitrary roles with custom principals.

Because the authorization element does not represent a collection, there are no clear or remove child elements. To programmatically clear the mappings of authorization rules, use the Clear() or Remove(AuthorizationRule) method.

Default Configuration

The following default authorization element is configured in the root Web.config file in the .NET Framework version 2.0, and configured in the Machine.config file in the .NET Framework versions 1.1 and 1.0.

<authorization>
   <allow users="*" />
</authorization>

Example

The following code example demonstrates how to allow access to all Admins role members and deny access to all users role members.

<configuration>
   <system.web>
      <authorization>
         <allow roles="Admins"/>
         <deny users="*"/>
      </authorization>
   </system.web>
</configuration>

Element Information

Configuration section handler	AuthorizationSection
Configuration member	Authorization AuthorizationRuleCollection
Configurable locations	Machine.config Root-level Web.config Application-level Web.config Virtual or physical directory–level Web.config
Requirements	Microsoft Internet Information Services (IIS) version 5.0, 5.1, or 6.0 The .NET Framework version 1.0, 1.1, or 2.0 Microsoft Visual Studio 2003 or Visual Studio 2005

See Also

Tasks

How to: Configure Specific Directories Using Location Settings

How to: Lock ASP.NET Configuration Settings

Reference

system.web Element (ASP.NET Settings Schema)

allow Element for authorization (ASP.NET Settings Schema)

deny Element for authorization (ASP.NET Settings Schema)

configuration Element (General Settings Schema)

Concepts

ASP.NET Authorization

ASP.NET Configuration File Hierarchy and Inheritance

Securing ASP.NET Configuration

ASP.NET Configuration Scenarios

Other Resources

Managing Authorization Using Roles

General Configuration Settings (ASP.NET)

ASP.NET Configuration Settings

ASP.NET Web Site Administration

ASP.NET Configuration API

roles, not role

$0@Budsy Just use one allow node: <allow roles="Admin, SuperAdmin, Merchant" /> By explicitly allowing those roles, you're implicitly denying all other roles, so <deny roles="Friend, DVDuser" /> would be pointless.$0

Confusing discussion

The example shows the <deny users="*" /> after the allow for a particular role in order to negate any higher level  setting that allows all users access by default. There are more ways of specifying the roles too, such as comma separated lists in one allow or deny element. But why does this schema crash?:

<authorization>
      <deny roles="Friend" users="" />
      <deny roles="DVDUser" users="" />
      <allow roles="Admin"  users="" />
      <allow roles="SuperAdmin"  users="" />
      <allow roles="Merchant"  users="" />
      <deny users="?" />
    </authorization>

It is hard to understand the logics behind these rules.

The following excerpts from the text more adds to the confusion than clarifies:

'The following code example demonstrates how to allow access to all Admins role members and deny access to all users role members.

<configuration>
   <system.web>
      <authorization>
         <allow roles="Admins"/>
         <deny users="*"/>
      </authorization>
   </system.web>
</configuration>'

Now, if only Admins are allowed in, why is it necessary to deny users? They are no allowed in anyway. And, besides, the text states that the example demonstrates how the members of the users role are denied access, but the code does not deny any role at all. It denies all users. Denying all roles is not even allowed py the parser.