Royi Namir

Reputation: 148694

web.config's authorization list order?

I'm trying to understand the difference between:

<authorization>
   <allow users="*" />
   <deny users="?" />
</authorization>

vs (changed order):

<authorization>
   <deny users="?" />
   <allow users="*" />
</authorization>

I've read that:

When evaluating rules, ASP.NET scans through the list from top to bottom. As soon as it finds an applicable rule, it stops its search.

So, in the first example, it will determine that the rule <allow users="*"> applies to the current request and will not evaluate the second line.

But I've also read that:

Reversing the order of these two lines, however, will deny anonymous users (by matching the first rule) and allow all other users (by matching the second rule).

Question :

Why does the rule "As soon as it finds an applicable rule, it stops its search" not apply in the second example?

I was expecting that it would deny all anonymous users and stop (without getting into <allow users="*" />).

Upvotes: 2

Views: 553

Answers (1)

nemesv

Reputation: 139788

There is no real contradiction here, so this statement is still true:

When evaluating rules, ASP.NET scans through the list from top to bottom. As soon as it finds an applicable rule, it stops its search.

However, you need to understand what * and ? mean.

From MSDN:

Identity    Description  
*           Refers to all identities  
?           Refers to the anonymous identity

So this means that * matches all users, both anonymous and authenticated, whereas ? only matches anonymous users.

So let's walk through the two configurations:

<authorization>
   <allow users="*" />
   <deny users="?" />
</authorization>

  • A "regular" user comes in -> users="*" matches -> the access is allowed and the second rule is not checked.

  • An anonymous user comes in -> users="*" matches because it also matches anonymous users -> the access is allowed and the second rule is not checked.

But in the second case:

<authorization>
   <deny users="?" />
   <allow users="*" />
</authorization>

  • A "regular" user comes in -> users="?" does not match because it only matches anonymous users -> checking the second rule: users="*", which matches -> the access is allowed.

  • An anonymous user comes in -> users="?" matches -> the access is denied and the second rule is not checked.

Upvotes: 1
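The first-match walk-through above can be checked mechanically. The following is an added example, not code from the question, the answer or Microsoft: a small Python evaluator that parses an <authorization> element with the standard library and applies the rules top to bottom, stopping at the first one that matches, exactly as the quoted MSDN text describes. It goes slightly beyond the question by also honouring the roles= attribute and named users, and it assumes (as the real root web.config does with its trailing <allow users="*" />) that a request matched by no rule is allowed. The two configurations are the ones from the question; the third, role-based one and the user names are constructed for illustration.

```python
"""Simulate ASP.NET URL authorization: top-to-bottom, first matching rule wins."""
import xml.etree.ElementTree as ET

ANONYMOUS = None  # sentinel for an unauthenticated request (constructed)

# The two orderings from the question.
ALLOW_THEN_DENY = """<authorization>
   <allow users="*" />
   <deny users="?" />
</authorization>"""

DENY_THEN_ALLOW = """<authorization>
   <deny users="?" />
   <allow users="*" />
</authorization>"""

# Constructed third configuration: only members of "admin" get in.
ADMIN_ONLY = """<authorization>
   <allow roles="admin" />
   <deny users="*" />
</authorization>"""


def _split(attr_value):
    """web.config lists are comma separated; ignore empty tokens."""
    return [t.strip() for t in attr_value.split(",") if t.strip()]


def _rule_matches(rule, user, roles):
    """Does one <allow>/<deny> element apply to this request?

    users="*"  -> every identity, anonymous or authenticated
    users="?"  -> only the anonymous identity
    any other users token -> compared case-insensitively to the user name
    roles="a,b" -> matches if the (authenticated) user holds any listed role
    """
    for token in _split(rule.get("users", "")):
        if token == "*":
            return True
        if token == "?" and user is ANONYMOUS:
            return True
        if user is not ANONYMOUS and token.lower() == user.lower():
            return True
    if user is not ANONYMOUS:
        held = {r.lower() for r in roles}
        if any(r.lower() in held for r in _split(rule.get("roles", ""))):
            return True
    return False


def evaluate(config_xml, user=ANONYMOUS, roles=()):
    """Return (allowed, index_of_deciding_rule).

    The index shows where the scan stopped; None means no rule matched and
    the assumed root-config default (<allow users="*" />) applied.
    """
    root = ET.fromstring(config_xml)
    rules = [r for r in root if r.tag in ("allow", "deny")]
    for index, rule in enumerate(rules):
        if _rule_matches(rule, user, roles):
            return rule.tag == "allow", index  # stop at the first match
    return True, None


def is_authorized(config_xml, user=ANONYMOUS, roles=()):
    return evaluate(config_xml, user, roles)[0]


if __name__ == "__main__":
    for name, cfg in [("allow-then-deny", ALLOW_THEN_DENY),
                      ("deny-then-allow", DENY_THEN_ALLOW),
                      ("admin-only", ADMIN_ONLY)]:
        for who, roles in [("anonymous", ()), ("alice", ()), ("bob", ("admin",))]:
            user = ANONYMOUS if who == "anonymous" else who
            allowed, idx = evaluate(cfg, user, roles)
            print(f"{name:16} {who:10} -> {'allow' if allowed else 'deny '} (rule {idx})")
```

Running it shows the point of the answer: in the allow-then-deny ordering the anonymous request is decided by rule 0 (allowed), so the deny line is dead configuration; in the deny-then-allow ordering the anonymous request stops at rule 0 (denied) while an authenticated user falls through to rule 1. When reviewing a web.config, a broad <allow> placed before a <deny> is the pattern to look for, since everything after it is never consulted.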
