
ASP.NET WebConfig : Location and Authorization Tags


This article explains how to use the <location> and <authorization> tags in web.config to restrict individual folders of a site to particular roles.

As described in the MSDN documentation, the rules inside an <authorization> element are evaluated from top to bottom, and the first rule that matches the current request (by user name, role or HTTP verb) decides the outcome; every rule after it is ignored. Rules in a <location> block for a folder are evaluated before the rules in the root web.config, and if no rule matches at all, the machine-level default of <allow users="*" /> applies. In other words, a folder without its own <deny> is open to everyone who gets past the root rules. Consider a site that needs separate roles for three folders under the application root:

 

Application Root >> Members (Premium Paid) --- for users who are registered with the site and have paid for premium services; it contains the pages and files for those services.

Application Root >> Admin --- for the site administrators.

Application Root >> Members (Non-paid Members) --- for users who have not paid for any premium service but are registered with the site for free services such as the newsletter or blogging.

 

For this layout, do the following:

 

1.       Configure Forms Authentication once, in the root web.config (for example with the ASP.NET Login control), so that every request carries the user name and roles that the authorization rules below are matched against.

2.       Add a <location> tag for Members (Premium Paid). Inside a <location> element the <authorization> section must sit inside <system.web>:

<location path="Members(Premium Paid)">
    <system.web>
        <authorization>
            <!-- allow the desired role first -->
            <allow roles="Premium_Paid_Members" />
            <!-- then deny everyone else; users="*" matches every request,
                 so no rule placed after this line is ever evaluated -->
            <deny users="*" />
        </authorization>
    </system.web>
</location>

A further <deny roles="*" /> after <deny users="*" /> adds nothing: the user wildcard already matches every request, authenticated or not, so the module never reaches a later rule.

 

3.       Add a <location> tag for Admin:

<location path="Admin">
    <system.web>
        <authorization>
            <!-- verbs can be added if required, e.g. verbs="POST";
                 note that an allow limited to POST leaves GET requests
                 by Admin to fall through to the deny below -->
            <allow roles="Admin" />
            <deny users="*" />
        </authorization>
    </system.web>
</location>

 

4.       Add a <location> tag for Members (Non-paid Members):

<location path="Members (Non-paid Members)">
    <system.web>
        <authorization>
            <allow roles="Members" />
            <deny users="*" />
        </authorization>
    </system.web>
</location>

 

Conclusion : because the first matching rule wins, the desired roles or users must be allowed before everyone is denied on the folder; written the other way round, <deny users="*" /> matches first and the <allow> is dead, locking even the intended role out. With the order above, each folder admits only its own role while the root rules (for example <deny users="?" /> to force a login) still apply to everything else. One caveat: these rules are enforced by ASP.NET's UrlAuthorizationModule, so on older IIS configurations where static files such as PDFs are served without passing through ASP.NET, files in these folders are not protected by them.
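To make the top-to-bottom evaluation concrete, here is an added example (not code from the original article or from ASP.NET) that parses a constructed web.config with Python's standard library and applies the documented rule semantics: the most specific <location> rules first, then the root rules, then the machine default <allow users="*" />, with the first matching rule deciding. The folder names are shortened to Premium, Admin and Members for readability, and the user names and roles are made up for the demonstration. The second config, BAD_CONFIG, is the same file with the Premium rules reversed, which shows the lockout the conclusion describes.

```python
import xml.etree.ElementTree as ET

# Constructed web.config; folder names are shortened from the article's
# "Members (Premium Paid)", "Admin" and "Members (Non-paid Members)".
GOOD_CONFIG = """<configuration>
  <system.web>
    <authentication mode="Forms"><forms loginUrl="Login.aspx" /></authentication>
    <authorization>
      <deny users="?" />
    </authorization>
  </system.web>
  <location path="Premium"><system.web><authorization>
    <allow roles="Premium_Paid_Members" />
    <deny users="*" />
  </authorization></system.web></location>
  <location path="Admin"><system.web><authorization>
    <allow roles="Admin" />
    <deny users="*" />
  </authorization></system.web></location>
  <location path="Members"><system.web><authorization>
    <allow roles="Members" />
    <deny users="*" />
  </authorization></system.web></location>
</configuration>"""

# The same config with the Premium rules in the wrong order: deny first.
BAD_CONFIG = GOOD_CONFIG.replace(
    '<allow roles="Premium_Paid_Members" />\n    <deny users="*" />',
    '<deny users="*" />\n    <allow roles="Premium_Paid_Members" />')
assert BAD_CONFIG != GOOD_CONFIG, "swap of the Premium rules did not apply"

# machine.config ends the chain with allow-everyone
MACHINE_DEFAULT = {"action": "allow", "users": ["*"], "roles": [], "verbs": []}


def _split(value):
    return [v.strip() for v in value.split(",") if v.strip()]


def _find(elem, *tags):
    """Walk down direct children by tag name (system.web contains a dot)."""
    for tag in tags:
        elem = next((c for c in elem if c.tag == tag), None)
        if elem is None:
            return None
    return elem


def _rules(auth):
    """Read the <allow>/<deny> children of <authorization>, keeping their order."""
    return [{"action": n.tag, "users": _split(n.get("users", "")),
             "roles": _split(n.get("roles", "")),
             "verbs": [v.upper() for v in _split(n.get("verbs", ""))]}
            for n in auth if n.tag in ("allow", "deny")]


def load_rules(xml_text):
    """Return (root_rules, {location_path: rules}) from a web.config string."""
    root = ET.fromstring(xml_text)
    auth = _find(root, "system.web", "authorization")
    root_rules = _rules(auth) if auth is not None else []
    locations = {}
    for loc in (c for c in root if c.tag == "location"):
        auth = _find(loc, "system.web", "authorization")
        if auth is not None:
            locations[loc.get("path", "").strip("/").lower()] = _rules(auth)
    return root_rules, locations


def _matches(rule, user, roles, verb):
    """users="*" is everyone, "?" is anonymous; roles match on membership."""
    if rule["verbs"] and verb.upper() not in rule["verbs"]:
        return False
    for u in rule["users"]:
        if u == "*" or (u == "?" and user is None) or \
                (user is not None and u.lower() == user.lower()):
            return True
    held = {r.lower() for r in roles}
    return any(r.lower() in held for r in rule["roles"])


def is_authorized(xml_text, path, user=None, roles=(), verb="GET"):
    """Decide access to `path` for `user` (None = anonymous) holding `roles`.

    Most specific <location> first, then root rules, then the machine
    default; the first matching rule wins, exactly like UrlAuthorizationModule.
    """
    root_rules, locations = load_rules(xml_text)
    segments = path.strip("/").lower().split("/")
    ordered = []
    for loc_path, rules in sorted(locations.items(), key=lambda kv: -len(kv[0])):
        loc_segments = loc_path.split("/")
        if segments[:len(loc_segments)] == loc_segments:
            ordered.extend(rules)
    ordered.extend(root_rules)
    ordered.append(MACHINE_DEFAULT)
    for rule in ordered:
        if _matches(rule, user, roles, verb):
            return rule["action"] == "allow"
    return True  # not reached: the machine default matches everyone


if __name__ == "__main__":
    premium = ("Premium_Paid_Members",)
    print(is_authorized(GOOD_CONFIG, "/Premium/Report.aspx", "alice", premium))
    print(is_authorized(GOOD_CONFIG, "/Premium/Report.aspx", "bob", ("Members",)))
    print(is_authorized(GOOD_CONFIG, "/Default.aspx", None))
    print(is_authorized(BAD_CONFIG, "/Premium/Report.aspx", "alice", premium))
```

Running the block prints True, False, False, False: a premium member reaches the Premium folder, an ordinary member is stopped by <deny users="*" />, an anonymous request to the root is stopped by <deny users="?" />, and with the rules reversed even the premium member is denied because the allow rule is never reached.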

Revision number 1, Thursday, February 05, 2009 2:09:21 PM by alok.arora

Comments

Why must the web.config be in the root directory and not the application directory when using ReportViewer?

You'll get more hits if you spell Authroization correctly.
