Authorization
Authorization is the next stage after Authentication.
Once you have confirmed the identity of the user, you need to find out what
they are permitted to see. Like authentication, there are web.config sections
dealing with authorization, or you could use custom code to authorize users.
Authorization in Web.Config
Authorization is controlled in an <authorization> tag, via
<allow> and <deny> elements. For example, the following
authorization configuration allows Steve and Administrators to access the web
application, but denies everyone else.
<authorization>
<allow users="Steve" />
<allow roles="Administrators" />
<deny users="*" />
</authorization>
The asterisk (*) wildcard is used to denote all users. The question mark (?) is
used to denote all non-authenticated users. The users attribute allows you to
list users who should be allowed or denied access. Likewise, the roles
attribute is used for role-based authorization and can be used to allow or deny
users in those roles.
Location tag
Using a <location> tag, you can specify authorization settings for
subdirectories in your web application. For example, your site may be public,
but you use forms authentication to authenticate members and allow them access
to a MembersOnly directory. The following web.config file (note that location
is not inside the system.web tag) shows how to specify authorization settings
for the MembersOnly directory.
<?xml version="1.0" encoding="utf-8" ?>
<configuration>
  <system.web>
    <authentication mode="Forms">
      <forms loginUrl="Registration/login.aspx" name="SomwbaInternet" timeout="30" path="/"></forms>
    </authentication>
    <authorization>
      <allow users="?" />
    </authorization>
  </system.web>
  <location path="MembersOnly">
    <system.web>
      <authorization>
        <deny users="?"></deny>
      </authorization>
    </system.web>
  </location>
</configuration>
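To audit which requests a set of rules actually admits, the following added example (not part of the original page or of ASP.NET) evaluates the authorization rules of the MembersOnly configuration above. It goes beyond the text by modelling evaluation order: the first matching rule wins, rules in a matching location come before the site-level rules, and the inherited machine-level default is allow-all. The function names are hypothetical, and the verbs attribute and domain-qualified names are not modelled.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the authorization parts of the MembersOnly web.config above.
SAMPLE = """<configuration>
  <system.web>
    <authorization><allow users="?" /></authorization>
  </system.web>
  <location path="MembersOnly">
    <system.web>
      <authorization><deny users="?" /></authorization>
    </system.web>
  </location>
</configuration>"""

def _names(rule, attr):
    """Split a comma-separated users/roles attribute into a lower-cased set."""
    return {v.strip().lower() for v in rule.get(attr, "").split(",") if v.strip()}

def _rules(node):
    """(action, users, roles) for each <allow>/<deny> directly under node."""
    return [(r.tag, _names(r, "users"), _names(r, "roles"))
            for r in node.findall("system.web/authorization/*")
            if r.tag in ("allow", "deny")]

def effective_rules(config_xml, path):
    """Rules for a request path: matching <location> blocks (most specific
    first), then the site-level rules, then the inherited default allow-all."""
    root = ET.fromstring(config_xml)
    path = path.strip("/").lower()
    matches = []
    for loc in root.findall("location"):
        prefix = loc.get("path", "").strip("/").lower()
        if not prefix or path == prefix or path.startswith(prefix + "/"):
            matches.append((len(prefix), loc))
    rules = []
    for _, loc in sorted(matches, key=lambda m: -m[0]):
        rules += _rules(loc)
    return rules + _rules(root) + [("allow", {"*"}, set())]

def is_allowed(config_xml, path, user=None, roles=()):
    """First matching rule wins. user=None models an unauthenticated request."""
    name = user.lower() if user else None
    held = {r.lower() for r in roles}
    for action, users, rule_roles in effective_rules(config_xml, path):
        if ("*" in users or (name is None and "?" in users)
                or name in users or held & rule_roles):
            return action == "allow"
    return False
```

Because evaluation stops at the first match, moving a deny users="*" rule above the allow rules locks out every user, including those the later rules name.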
Impersonation
Impersonation allows you to run an ASP.NET application as a specified user.
Normally, the ASP.NET worker process runs as IUSR_[MACHINENAME]. Using an
<identity> tag with the impersonate attribute in the web.config file, you can
configure impersonation as follows:
<identity impersonate="true" userName="CompanyDomain\Steve"
password="password" />