6:[["$","$Le",null,{}],["$","div",null,{"className":"min-h-screen bg-gray-100 p-6","children":[["$","$Lf",null,{}],["$","script",null,{"type":"application/ld+json","dangerouslySetInnerHTML":{"__html":"{\"@context\":\"https://schema.org\",\"@type\":\"QAPage\",\"mainEntity\":{\"@type\":\"Question\",\"name\":\"ASP.NET authorisation allow "*" vs "?"\",\"text\":\"

If I set an all-users authorization rule e.g. <allow users=\\\"*\\\"/> does this also allow anonymous users (ie. ones that haven't logged in) to see the resource?

\\n\\n

How about vice-versa - if I allow anonymous users with \\\"?\\\" can all logged in users also see it?

\\n\",\"author\":{\"@type\":\"Person\",\"name\":\"steve cook\"},\"upvoteCount\":1,\"answerCount\":1,\"acceptedAnswer\":{\"@type\":\"Answer\",\"text\":\"

Yes - * means absolutely anybody.
Yes - ? means anonymous users from which all users "inherit".

\\n

Difference is mentioned in ASP.NET Authorization article.

\\n\",\"author\":{\"@type\":\"Person\",\"name\":\"juhan_h\"},\"upvoteCount\":2}}}"}}],["$","div",null,{"className":"bg-white shadow-md rounded-lg p-6 mb-6 relative","children":[["$","div",null,{"className":"absolute top-4 right-4 flex flex-wrap space-x-2","children":[["$","span","asp.net",{"className":"bg-blue-600 text-white text-sm px-3 py-1 rounded-full","children":["$","$L10",null,{"href":"/discussion/tag/asp.net/1","children":"asp.net"}]}],["$","span","authorization",{"className":"bg-blue-600 text-white text-sm px-3 py-1 rounded-full","children":["$","$L10",null,{"href":"/discussion/tag/authorization/1","children":"authorization"}]}]]}],["$","div",null,{"className":"flex items-center mb-4","children":[["$","img",null,{"src":"https://www.gravatar.com/avatar/b6562c20a9a7e9140a6064c5fbc2fdeb?s=256&d=identicon&r=PG","alt":"steve cook","className":"w-16 h-16 rounded-full border"}],["$","div",null,{"className":"ml-4","children":[["$","a",null,{"href":"https://stackoverflow.com/users/1890833/steve-cook","target":"_blank","rel":"noopener noreferrer","className":"text-lg font-semibold text-blue-600 hover:underline","children":"steve cook"}],["$","p",null,{"className":"text-sm text-gray-500","children":["Reputation: ",3224]}]]}]]}],["$","h1",null,{"className":"text-2xl font-bold text-gray-800 mb-4","children":"ASP.NET authorisation allow "*" vs "?""}],["$","p",null,{"className":"text-gray-700 mt-4","dangerouslySetInnerHTML":{"__html":"

If I set an all-users authorization rule e.g. <allow users=\"*\"/> does this also allow anonymous users (ie. ones that haven't logged in) to see the resource?

\n\n

How about vice-versa - if I allow anonymous users with \"?\" can all logged in users also see it?

\n"}}],["$","div",null,{"className":"text-gray-600 text-sm mt-4","children":[["$","p",null,{"children":["Upvotes: ",1]}],["$","p",null,{"children":["Views: ",212]}]]}]]}],["$","div",null,{"className":"container mx-auto","children":[["$","h2",null,{"className":"text-2xl font-semibold text-gray-800 mb-6","children":["Answers (",1,")"]}],[["$","div","17906797",{"className":"bg-white shadow-md rounded-lg p-6 mb-6","children":[["$","div",null,{"className":"flex items-center mb-4","children":[["$","img",null,{"src":"https://www.gravatar.com/avatar/62cc44f1f1c0bdcb82cf69c22be21671?s=256&d=identicon&r=PG","alt":"juhan_h","className":"w-12 h-12 rounded-full border"}],["$","div",null,{"className":"ml-4","children":[["$","a",null,{"href":"https://stackoverflow.com/users/98497/juhan-h","target":"_blank","rel":"noopener noreferrer","className":"text-lg font-semibold text-blue-600 hover:underline","children":"juhan_h"}],["$","p",null,{"className":"text-sm text-gray-500","children":["Reputation: ",4021]}]]}]]}],["$","p",null,{"className":"text-gray-700 mb-4","dangerouslySetInnerHTML":{"__html":"

Yes - * means absolutely anybody.
Yes - ? means anonymous users from which all users "inherit".

Difference is mentioned in ASP.NET Authorization article.

\n"}}],["$","div",null,{"className":"text-gray-600 text-sm","children":["$","p",null,{"children":["Upvotes: ",2]}]}]]}]]]}],["$","div",null,{"className":"bg-white shadow-md rounded-lg p-6 mt-6","children":[["$","h2",null,{"className":"text-2xl font-semibold text-gray-800 mb-4","children":"Related Questions"}],["$","ul",null,{"className":"list-disc list-inside","children":[["$","li","68266411",{"className":"mb-2","children":["$","$L10",null,{"href":"/discussion/solution/68266411","className":"text-blue-600 hover:underline","children":"How to use authorization by default without [Authorize] in ASP.NET Core 5"}]}],["$","li","61598652",{"className":"mb-2","children":["$","$L10",null,{"href":"/discussion/solution/61598652","className":"text-blue-600 hover:underline","children":"What is the default policy for AuthorizeFilter?"}]}],["$","li","831994",{"className":"mb-2","children":["$","$L10",null,{"href":"/discussion/solution/831994","className":"text-blue-600 hover:underline","children":"Why is <deny users="?" /> included in the following example?"}]}],["$","li","39264993",{"className":"mb-2","children":["$","$L10",null,{"href":"/discussion/solution/39264993","className":"text-blue-600 hover:underline","children":"Difference between authentication and authorization filters in aspnet-mvc5"}]}],["$","li","10836444",{"className":"mb-2","children":["$","$L10",null,{"href":"/discussion/solution/10836444","className":"text-blue-600 hover:underline","children":".NET Authorization. Does the order or allow and deny elements matter?"}]}],["$","li","7114356",{"className":"mb-2","children":["$","$L10",null,{"href":"/discussion/solution/7114356","className":"text-blue-600 hover:underline","children":"What does Authorize(Users="*") mean?"}]}],["$","li","11298179",{"className":"mb-2","children":["$","$L10",null,{"href":"/discussion/solution/11298179","className":"text-blue-600 hover:underline","children":"<authorization> tag in ASP.net"}]}],["$","li","8082754",{"className":"mb-2","children":["$","$L10",null,{"href":"/discussion/solution/8082754","className":"text-blue-600 hover:underline","children":"What does [Authorize(Users = "*")] mean in asp.net mvc"}]}],["$","li","1219214",{"className":"mb-2","children":["$","$L10",null,{"href":"/discussion/solution/1219214","className":"text-blue-600 hover:underline","children":"ASP.NET Authorization what does the * and ? mean?"}]}],["$","li","1035225",{"className":"mb-2","children":["$","$L10",null,{"href":"/discussion/solution/1035225","className":"text-blue-600 hover:underline","children":"Using ASP.NET login controls wih deny="?""}]}]]}]]}]]}],["$","$L11",null,{}],["$","$L12",null,{}],["$","$L13",null,{}],["$","$L14",null,{}],["$","$L15",null,{}]]

ASP.NET authorisation allow &quot;*&quot; vs &quot;?&quot;

Answers (1)

Related Questions

ASP.NET authorisation allow "*" vs "?"