This page is specific to
Microsoft Visual Studio 2008/.NET Framework 3.5

.NET Framework Class Library
UrlAuthorizationModule Class

Verifies that the user has permission to access the URL requested. This class cannot be inherited.

Namespace:  System.Web.Security
Assembly:  System.Web (in System.Web.dll)
Visual Basic (Declaration)
<AspNetHostingPermissionAttribute(SecurityAction.LinkDemand, Level := AspNetHostingPermissionLevel.Minimal)> _
Public NotInheritable Class UrlAuthorizationModule _
    Implements IHttpModule
Visual Basic (Usage)
Dim instance As UrlAuthorizationModule
C#
[AspNetHostingPermissionAttribute(SecurityAction.LinkDemand, Level = AspNetHostingPermissionLevel.Minimal)]
public sealed class UrlAuthorizationModule : IHttpModule
Visual C++
[AspNetHostingPermissionAttribute(SecurityAction::LinkDemand, Level = AspNetHostingPermissionLevel::Minimal)]
public ref class UrlAuthorizationModule sealed : IHttpModule
JScript
public final class UrlAuthorizationModule implements IHttpModule

The UrlAuthorizationModule determines whether the current user is permitted access to the requested URL, based on the user name or the list of roles that the user is a member of. For information about how the user name is determined, see ASP.NET Authentication. For information about how to manage user roles, see Managing Authorization Using Roles.

Authorization for a user or a role is managed using the authorization configuration element. You can allow or deny a user or a role using the allow or deny subelements, respectively. The allow and deny subelements are interpreted in the order they appear in the configuration. Once an element specifies that access is allowed or denied, the UrlAuthorizationModule completes its authorization check. For example, the following authorization section from a Web.config file requires users to log on (by denying anonymous users), and then allows only users in the Administrators role to have access. Users not in the Administrators role are denied.

<authorization>
  <deny users="?" />
  <allow roles="Administrators" />
  <deny users="*" />
</authorization>

A user or role must be specifically denied to refuse the user or role permission to a URL. That is, if the previous example had not specified the <deny users="*" /> element, then all authenticated users would have been allowed access to the requested URL, regardless of what role they were a member of.

The following code example grants access to Kim and members of the Admins role, while denying it to John and all anonymous users.

<authorization>
  <allow users="Kim"/>
  <allow roles="Admins"/>
  <deny users="John"/>
  <deny users="?"/>
</authorization>
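
The first-match evaluation described above can be modelled in a short script. This is an added example, not Microsoft's code and not part of the original page: `is_allowed`, `rule_matches` and the sample constants are hypothetical names, and only the `users` and `roles` attributes are handled. It assumes names compare case-insensitively and that a request matching no rule is allowed, as the note on omitting `<deny users="*" />` implies.

```python
import xml.etree.ElementTree as ET

# Constructed copies of the two <authorization> sections on this page.
ADMIN_ONLY = """<authorization>
  <deny users="?" />
  <allow roles="Administrators" />
  <deny users="*" />
</authorization>"""

KIM_ADMINS = """<authorization>
  <allow users="Kim"/>
  <allow roles="Admins"/>
  <deny users="John"/>
  <deny users="?"/>
</authorization>"""


def _names(value):
    """Split a comma-separated attribute into lowercase names (assumption)."""
    return {n.strip().lower() for n in (value or "").split(",") if n.strip()}


def rule_matches(rule, user, roles):
    """True if an <allow>/<deny> element applies; user=None means anonymous."""
    users = _names(rule.get("users"))
    if "*" in users or ("?" in users and user is None):
        return True
    if user is not None and user.lower() in users:
        return True
    return bool(_names(rule.get("roles")) & {r.lower() for r in roles})


def is_allowed(section_xml, user=None, roles=()):
    """Return (allowed, deciding rule or None); the first matching rule wins."""
    for rule in ET.fromstring(section_xml):
        if rule.tag in ("allow", "deny") and rule_matches(rule, user, roles):
            return rule.tag == "allow", (rule.tag, dict(rule.attrib))
    # Assumption: no matching rule means allowed, as the page's note about
    # omitting <deny users="*" /> implies.
    return True, None


if __name__ == "__main__":
    for who, roles in [(None, []), ("Kim", []), ("John", []),
                       ("John", ["Admins"]), ("Dave", [])]:
        print(who, roles, is_allowed(KIM_ADMINS, who, roles))
```

Run against the second section, the model allows John when he is in the Admins role, because the allow rule is reached before his deny rule. It also allows an authenticated user who matches no rule, which is why a section meant to be restrictive should end with `<deny users="*" />`.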
System.Object
  System.Web.Security.UrlAuthorizationModule
Any public static (Shared in Visual Basic) members of this type are thread safe. Any instance members are not guaranteed to be thread safe.

Windows 7, Windows Vista, Windows XP SP2, Windows XP Media Center Edition, Windows XP Professional x64 Edition, Windows XP Starter Edition, Windows Server 2008 R2, Windows Server 2008, Windows Server 2003, Windows Server 2000 SP4, Windows Millennium Edition, Windows 98

The .NET Framework and .NET Compact Framework do not support all versions of every platform. For a list of the supported versions, see .NET Framework System Requirements.

.NET Framework

Supported in: 3.5, 3.0, 2.0, 1.1, 1.0