CustomX

Reputation: 10113

Web.Config Authorization for folder access

When managing access rules in the login module, is there an explicit deny all at the end?

Let's say I have two roles: Administrator and Member

Administrators are allowed into the folder iPhone and Members are allowed in the folder Blackberry

I manage my rules and get the following code in each web.config:

"iPhone"
<system.web>
  <authorization>
    <allow roles="Administrator" />
  </authorization>
</system.web>

"Blackberry"
<system.web>
  <authorization>
    <allow roles="Member" />
  </authorization>
</system.web>

But can Administrators access the Blackberry folder and Members the iPhone folder? Or do I need to add a rule saying deny roles="Administrator" in the Blackberry folder and deny roles="Member" in the iPhone folder?

Thanks!!

Upvotes: 0

Views: 1281

Answers (1)

Darbio

Reputation: 11418

I take it you mean using an ASP.net application...

Add in a:

<deny users="*" />

after your authorized users.

I think you should also be using user rather than role

http://msdn.microsoft.com/en-us/library/wce3kxhd.aspx

When you create a new web application, all web.config settings (global, site and local) are merged together to form the configuration that's really in effect for this application. By default a local web.config does not contain an authorization section but inherits the one defined globally. So you always end up with an entry.

http://www.leastprivilege.com/ASPNETAuthorizationSettings.aspx

Upvotes: 1
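The two folder configs from the question with the explicit deny from the answer added, as an added example that is not part of the original post. It assumes the folder names and role names from the question and the standard ASP.NET rule evaluation order (local rules first, then inherited ones, first match wins).

```xml
<!-- iPhone/web.config -->
<!-- Without the deny line, an authenticated Member would fall through this
     section and hit the inherited root-level <allow users="*" />, so the
     answer is yes: Members could reach iPhone. Rules are matched in order,
     and the first match wins, so the allow must come before the deny. -->
<configuration>
  <system.web>
    <authorization>
      <allow roles="Administrator" />
      <deny users="*" />   <!-- everyone not matched above, anonymous included -->
    </authorization>
  </system.web>
</configuration>

<!-- Blackberry/web.config -->
<configuration>
  <system.web>
    <authorization>
      <allow roles="Member" />
      <deny users="*" />   <!-- Administrators are denied here unless also a Member -->
    </authorization>
  </system.web>
</configuration>
```

An Administrator who should also see Blackberry needs an extra `<allow roles="Administrator" />` placed above the deny in that folder; the deny does not have to name roles individually.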
