ASP.NET Syntax ASP.NET Configuration Sections
Configures the authorization for a Web application, controlling client access to URL resources.
<authorization>
<allow users = "comma-separated list of users"
roles = "comma-separated list of roles"
verbs = "comma-separated list of verbs" />
<deny users = "comma-separated list of users"
roles = "comma-separated list of roles"
verbs = "comma-separated list of verbs" />
</authorization>
The following sections describe attributes, child elements, and parent elements.
None.
| Subtag |
Description |
| allow |
Adds to the mapping of authorization rules an authorization rule that allows access to a resource. |
| deny |
Adds to the mapping of authorization rules an authorization rule that denies access to a resource. |
| Element |
Description |
| configuration |
Specifies the required root element in every configuration file that is used by the common language runtime and the .NET Framework applications. |
| system.web |
Specifies the root element for the ASP.NET configuration settings in a configuration file and contains configuration elements that configure ASP.NET Web applications and control how the applications behave. |
The authorization element configures the authorization for a Web application, controlling client access to URL resources.
At run time, the authorization module iterates through the allow and deny elements, starting at the most local configuration file, until the authorization module finds the first access rule that fits a particular user account. Then, the authorization module grants or denies access to a URL resource depending on whether the first access rule found is an allow or a deny rule. The default authorization rule is <allow users = "*" />. Thus, by default, access is allowed unless configured otherwise.
In order to facilitate deployment, the period ( . ) shortcut notation for the current computer is supported. This allows you to prefix each user or role with a period-backslash sequence ( .\ ), as follows:
<allow roles = ".\roleName" />
<allow users = ".\userName" />
At run time, the period-backslash sequences are substituted with "localmachinename\" sequences. The substitution is done only if a Microsoft Windows identity is used with the request. This is to avoid conflicts in case the period-backslash sequence sequences are used in arbitrary roles with custom principals.
Because the authorization element does not represent a collection, there are no clear or remove child elements. To programmatically clear the mappings of authorization rules, use the Clear or Remove method that is defined by the AuthorizationRuleCollection Class.
The following default authorization element is configured in the root Web.config file in the .NET Framework version 2.0, and configured in the Machine.config file in the .NET Framework versions 1.1 and 1.0.
<authorization>
<allow users = "*" />
</authorization>
The following code example demonstrates how to allow access to all Admins role members and deny access to all users role members.
<configuration>
<system.web>
<authorization>
<allow roles = "Admins" />
<deny users = "*" />
</authorization>
</system.web>
</configuration>
AuthorizationSection Class AuthorizationRuleAction Enumeration ASP.NET Authorization