<authorization> Element

Switch View

<authorization> Element

Collapse All

Language Filter

Web Services Enhancements 3.0

<authorization> Element

Specifies the users or roles that are authorized and denied access to a Web service.

<policies> Element
<policy> Element (Policy)

<authorization roleProviderName>
  <allow user role />
  <deny user role />
</authorization>

Microsoft.Web.Services3.Design.AuthorizationAssertion

Attributes and Elements

Attributes

Attribute	Description
roleProviderName	Optional attribute. Specifies a role provider. The role provider can be one that is included with ASP.NET or a custom provider registered in the Web.config file.

Child Elements

Element	Description
<allow> Element (Policy)	Allows access to a Web service.
<deny> Element (Policy)	Denies access to a Web service.

Parent Elements

Element	Description
<policy> Element	Specifies a SOAP message requirement.

Remarks

An <authorization> element can have zero or more <allow> Element (Policy) and <deny> Element (Policy) child elements. Each of these child elements is an ordered list of authorization rules from top to bottom. The sender is authorized based on the first rule that applies to the sender. If an <authorization> element exists and no rules apply to a sender, access is denied.

The SOAP message sender is authorized based on the security token's Principal property. When the security token does not have a Principal property, such as the X509SecurityToken, the Identity property is used to authorize the sender. The Identity property is set by the role provider specified in the roleProviderName attribute.

Example

The following code example defines a policy assertion named kerberosAuthenticationKerberosProtection that specifies that the user COHOWINERY\Enologist and the users in the WineMaker role are authorized access to the Web services to which this policy is applied. All other users are denied access to the Web service.

<policies>
  <extensions>
    <extension name="kerberosSecurity"
               type="Microsoft.Web.Services3.Design.KerberosAssertion, Microsoft.Web.Services3, Version=3.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" />
    <extension name="kerberos"
               type="Microsoft.Web.Services3.Design.KerberosTokenProvider, Microsoft.Web.Services3, Version=3.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" />
    <extension name="authorization"
               type="Microsoft.Web.Services3.Design.AuthorizationAssertion, Microsoft.Web.Services3, Version=3.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" />
    <extension name="requireActionHeader"
               type="Microsoft.Web.Services3.Design.RequireActionHeaderAssertion, Microsoft.Web.Services3, Version=3.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" />
  </extensions>
  <policy name="kerberosAuthenticationKerberosProtection">
    <authorization>
      <allow user="COHOWINERY\Enologist" />
      <allow role="WineMaker" />
      <deny user="*" />
    </authorization>
    <kerberosSecurity establishSecurityContext="false" signatureConfirmation="false" protectionOrder="SignBeforeEncrypting" deriveKeys="true">
      <token>
        <kerberos targetPrincipal="host/grapes@cohowinery.com" impersonationLevel="Identification" />
      </token>
      <protection>
        <request signatureOptions="IncludeAddressing, IncludeTimestamp, IncludeSoapBody" encryptBody="true" />
        <response signatureOptions="IncludeAddressing, IncludeTimestamp, IncludeSoapBody" encryptBody="true" />
        <fault signatureOptions="IncludeAddressing, IncludeTimestamp, IncludeSoapBody" encryptBody="false" />
      </protection>
    </kerberosSecurity>
    <requireActionHeader />
  </policy>
</policies>

Reference

<allow> Element (Policy)
<deny> Element (Policy)