6:[["$","$Le",null,{}],["$","div",null,{"className":"min-h-screen bg-gray-100 p-6","children":[["$","$Lf",null,{}],["$","script",null,{"type":"application/ld+json","dangerouslySetInnerHTML":{"__html":"$10"}}],["$","div",null,{"className":"bg-white shadow-md rounded-lg p-6 mb-6 relative","children":[["$","div",null,{"className":"absolute top-4 right-4 flex flex-wrap space-x-2","children":[["$","span","asp.net",{"className":"bg-blue-600 text-white text-sm px-3 py-1 rounded-full","children":["$","$L11",null,{"href":"/discussion/tag/asp.net/1","children":"asp.net"}]}],["$","span","web-config",{"className":"bg-blue-600 text-white text-sm px-3 py-1 rounded-full","children":["$","$L11",null,{"href":"/discussion/tag/web-config/1","children":"web-config"}]}],["$","span","security",{"className":"bg-blue-600 text-white text-sm px-3 py-1 rounded-full","children":["$","$L11",null,{"href":"/discussion/tag/security/1","children":"security"}]}]]}],["$","div",null,{"className":"flex items-center mb-4","children":[["$","img",null,{"src":"https://www.gravatar.com/avatar/e8cd95a6cc3ca9ab067c0d9912a515ae?s=256&d=identicon&r=PG","alt":"Markweb","className":"w-16 h-16 rounded-full border"}],["$","div",null,{"className":"ml-4","children":[["$","a",null,{"href":"https://stackoverflow.com/users/1675801/markweb","target":"_blank","rel":"noopener noreferrer","className":"text-lg font-semibold text-blue-600 hover:underline","children":"Markweb"}],["$","p",null,{"className":"text-sm text-gray-500","children":["Reputation: ",303]}]]}]]}],["$","h1",null,{"className":"text-2xl font-bold text-gray-800 mb-4","children":"Aspx authorization in Web.Config"}],["$","p",null,{"className":"text-gray-700 mt-4","dangerouslySetInnerHTML":{"__html":"

I need to modify the web.config file to ensure that First.aspx can be accessed by only members of \nthe Subscribers group.

\n\n

What is correct:

\n\n

<location path=\"First.aspx\"> \n<system.web> \n<authorization> \n<allow roles=\"Subscribers\"/> \n<deny users=\"*\"/> \n</authorization> \n</system.web> \n</location> \n

\n\n

<location path=\"First.aspx\"> \n<system.web> \n<authorization> \n<deny users=\"*\"/> \n<allow roles=\"Subscribers\"/> \n</authorization> \n</system.web> \n</location> \n

\n\n

and why?

\n"}}],["$","div",null,{"className":"text-gray-600 text-sm mt-4","children":[["$","p",null,{"children":["Upvotes: ",0]}],["$","p",null,{"children":["Views: ",273]}]]}]]}],["$","div",null,{"className":"container mx-auto","children":[["$","h2",null,{"className":"text-2xl font-semibold text-gray-800 mb-6","children":["Answers (",2,")"]}],[["$","div","13138226",{"className":"bg-white shadow-md rounded-lg p-6 mb-6","children":[["$","div",null,{"className":"flex items-center mb-4","children":[["$","img",null,{"src":"https://www.gravatar.com/avatar/e8cd95a6cc3ca9ab067c0d9912a515ae?s=256&d=identicon&r=PG","alt":"Markweb","className":"w-12 h-12 rounded-full border"}],["$","div",null,{"className":"ml-4","children":[["$","a",null,{"href":"https://stackoverflow.com/users/1675801/markweb","target":"_blank","rel":"noopener noreferrer","className":"text-lg font-semibold text-blue-600 hover:underline","children":"Markweb"}],["$","p",null,{"className":"text-sm text-gray-500","children":["Reputation: ",303]}]]}]]}],["$","p",null,{"className":"text-gray-700 mb-4","dangerouslySetInnerHTML":{"__html":"

Here I found this ( http://weblogs.asp.net/gurusarkar/archive/2008/09/29/setting-authorization-rules-for-a-particular-page-or-folder-in-web-config.aspx ) so A is correct:

\n\n

Since the authorization is done from top to bottom, rules are checked until a match is found. Here we have first and so it will not check for allow any more and deny access even if in Admin role.

\n\n

So PUT all allows BEFORE ANY deny.

\n\n

NOTE: deny works the same way as allow. You can deny particular roles or users as per your requirement.

\n"}}],["$","div",null,{"className":"text-gray-600 text-sm","children":["$","p",null,{"children":["Upvotes: ",0]}]}]]}],["$","div","13137846",{"className":"bg-white shadow-md rounded-lg p-6 mb-6","children":[["$","div",null,{"className":"flex items-center mb-4","children":[["$","img",null,{"src":"https://www.gravatar.com/avatar/42923efa8294fa67466d94418b6c3f12?s=256&d=identicon&r=PG&f=y&so-version=2","alt":"Andrew Barber","className":"w-12 h-12 rounded-full border"}],["$","div",null,{"className":"ml-4","children":[["$","a",null,{"href":"https://stackoverflow.com/users/237838/andrew-barber","target":"_blank","rel":"noopener noreferrer","className":"text-lg font-semibold text-blue-600 hover:underline","children":"Andrew Barber"}],["$","p",null,{"className":"text-sm text-gray-500","children":["Reputation: ",40160]}]]}]]}],["$","p",null,{"className":"text-gray-700 mb-4","dangerouslySetInnerHTML":{"__html":"

The first is correct, because the second will deny everyone before it even tries to check their roles. deny and allow entries are tested in the order they are entered.

\n"}}],["$","div",null,{"className":"text-gray-600 text-sm","children":["$","p",null,{"children":["Upvotes: ",3]}]}]]}]]]}],["$","div",null,{"className":"bg-white shadow-md rounded-lg p-6 mt-6","children":[["$","h2",null,{"className":"text-2xl font-semibold text-gray-800 mb-4","children":"Related Questions"}],["$","ul",null,{"className":"list-disc list-inside","children":[["$","li","5398630",{"className":"mb-2","children":["$","$L11",null,{"href":"/discussion/solution/5398630","className":"text-blue-600 hover:underline","children":"ASP.Net Authentication using <credentials> in web.config"}]}],["$","li","642515",{"className":"mb-2","children":["$","$L11",null,{"href":"/discussion/solution/642515","className":"text-blue-600 hover:underline","children":"Authorization Asp.net web.config"}]}],["$","li","55260560",{"className":"mb-2","children":["$","$L11",null,{"href":"/discussion/solution/55260560","className":"text-blue-600 hover:underline","children":"Aspnet Core - web.config Authorization"}]}],["$","li","30614790",{"className":"mb-2","children":["$","$L11",null,{"href":"/discussion/solution/30614790","className":"text-blue-600 hover:underline","children":"asp.net web config security"}]}],["$","li","1989136",{"className":"mb-2","children":["$","$L11",null,{"href":"/discussion/solution/1989136","className":"text-blue-600 hover:underline","children":"authorization web.config"}]}],["$","li","19379924",{"className":"mb-2","children":["$","$L11",null,{"href":"/discussion/solution/19379924","className":"text-blue-600 hover:underline","children":"Asp.net and security"}]}],["$","li","8638414",{"className":"mb-2","children":["$","$L11",null,{"href":"/discussion/solution/8638414","className":"text-blue-600 hover:underline","children":"authentication in web.config"}]}],["$","li","8324675",{"className":"mb-2","children":["$","$L11",null,{"href":"/discussion/solution/8324675","className":"text-blue-600 hover:underline","children":"Impersonation in web.config"}]}],["$","li","3332820",{"className":"mb-2","children":["$","$L11",null,{"href":"/discussion/solution/3332820","className":"text-blue-600 hover:underline","children":"Controlling access with web.config"}]}],["$","li","2074207",{"className":"mb-2","children":["$","$L11",null,{"href":"/discussion/solution/2074207","className":"text-blue-600 hover:underline","children":"web.config authorization and direct method calling"}]}]]}]]}]]}],["$","$L12",null,{}],["$","$L13",null,{}],["$","$L14",null,{}],["$","$L15",null,{}],["$","$L16",null,{}]]

Aspx authorization in Web.Config

Answers (2)

Related Questions