tags:

views:

25

answers:

1
+1  Q: 

Controlling access with web.config

Hello,

I am trying to control access to my website with windows integrated.

<?xml version="1.0"?>
<configuration>
 <system.web>
  <authentication mode="Windows"/>
   <authorization>
     <deny users="?"/>
     <allow roles="DOMAIN\The_group_that_can_access_it"/>
   </authorization>
   ...
 </system.web>
</configuration>

Except that, this code isn't working. I can access it if im a member of that group or not. What is wrong?

I looked through some code, and thought maybe I needed to switch the ? for a *, but then that seems to just deny everything.

Thanks,

+3  A: 

You do not have an explicit deny statement, you should add the following entry to the end of the declarations:

<deny users="*" />

And you can remove the <deny users="?"/> which is denying unauthenticated users. The final <deny users="*" /> will deny them anyway. Then only your group should have access. The final outcome should be:

<authorization>
    <allow roles="DOMAIN\The_group_that_can_access_it"/>
    <deny users="*"/>
</authorization>

As a rule of thumb, always close out your access control lists with an explicit deny all, or deny any any.

Dustin Laine  2010-07-26 07:07:23
well, I did try (as mentioned) using the `*` instead, but this still did not work... does the actual order of the statements matter? (allow roles first, deny second?)
baron  2010-07-26 07:10:48
Yes, allow the roles first then deny everyone else.
Dustin Laine  2010-07-26 07:15:18
Random, your exactly right. I would not have thought it mattered. Thanks
baron  2010-07-26 07:29:05

related questions

Displaying Flash content in a C# WinForms application
How to get the value of built, encoded ViewState?
Unhandled Exception Handler in .NET 1.1
How do I connect to a database and loop over a recordset in C#?
How do I most elegantly express left join with aggregate SQL as LINQ query
Get a new object instance from a Type in C#
.NET Testing Framework Advice
Automatically update version number
What is the difference between an int and an Integer in Java/C#?
How to write to Web.Config in Medium Trust ?
WinForms ComboBox data binding gotcha
How do you sort a C# dictionary by value?
Adding Scripting functionality to .NET applications
Floating Point Number parsing: Is there a Catch All algorithm?
How do I print an HTML document from a web service?
Decoding T-SQL CAST in C#/VB.net
Anatomy of a "Memory Leak"
How do I get a distinct, ordered list of names from a DataTable using Linq
Reliable Timer in a Console Application
How do I fill a DataSet or a DataTable from a LINQ query resultset ?
What's the difference between Math.Floor() and Math.Truncate() in .NET?
How do I calculate relative time?
How do I calculate someone's age in C#?
Are there any conversion tools for porting Visual J# code to C#?
When setting a form's opacity should I use a decimal or double?