I saw a question today on the ASP.NET forum about the <authentication> element and decided to write something about it. Most of you already know this, but I still think there are some who don't know what I'm going to write about.

If you are not familiar with the <authorization> element, read the following section:

The <authorization> element is located in the web.config file and can be used to give users or roles authorization to enter the site. With the authorization section you can both deny and allow users or roles to visit your site. By default, all users have authorization to visit the site.

Take a look at the following two examples:

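Example 1:

    <authorization>
      <!-- Checked first: xxx and yyy match here and are allowed. -->
      <allow users="xxx,yyy"/>
      <!-- Checked second: everyone who did not match above is denied. -->
      <deny users="*"/>
    </authorization>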

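Example 2:

    <authorization>
      <!-- Checked first: "*" matches every user, so everyone is denied. -->
      <deny users="*"/>
      <!-- Never reached: the rule above already matched. -->
      <allow users="xxx,yyy"/>
    </authorization>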

At first glance the two examples above do the same thing: they allow users xxx and yyy to enter the site and deny everyone else. But is there any difference between the two examples? Yes, there is. The important thing to know is that ASP.NET starts at the head of the list and checks the rules until the first match is found. If the first rule denies all users, every user is denied access, even if some users are allowed by an allow rule added as the second rule (see Example 2). But if the allow rule is added first and the authenticated user is one of the specified users, that user is granted access even though all users are denied by the second rule in the list (see Example 1). So keep this in mind when you use the <authorization> element.
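
The first-match behaviour described above can be checked mechanically before a web.config is deployed. The following is an added example, not code from the original post or from ASP.NET: a simplified model that only looks at the `users` attribute (roles and verbs are ignored, names are compared exactly), and the function names are made up for this sketch.

```python
import xml.etree.ElementTree as ET

# The post's two examples, embedded inline so the script runs offline.
EXAMPLE_1 = '<authorization><allow users="xxx,yyy"/><deny users="*"/></authorization>'
EXAMPLE_2 = '<authorization><deny users="*"/><allow users="xxx,yyy"/></authorization>'


def parse_rules(xml_text):
    """Return the rules in document order as (action, set_of_user_names)."""
    rules = []
    for element in ET.fromstring(xml_text):
        if element.tag not in ("allow", "deny"):
            raise ValueError("unexpected element: " + element.tag)
        names = element.get("users", "")
        users = {name.strip() for name in names.split(",") if name.strip()}
        rules.append((element.tag, users))
    return rules


def is_allowed(rules, user):
    """Walk the list top-down; the first matching rule decides.

    When no rule matches, the default from the post applies: allow.
    """
    for action, users in rules:
        if "*" in users or user in users:
            return action == "allow"
    return True


def shadowed_rules(rules):
    """Indexes of rules that can never match because an earlier rule names '*'."""
    for index, (_, users) in enumerate(rules):
        if "*" in users:
            return list(range(index + 1, len(rules)))
    return []


if __name__ == "__main__":
    for label, xml_text in (("Example 1", EXAMPLE_1), ("Example 2", EXAMPLE_2)):
        rules = parse_rules(xml_text)
        print(label, "| xxx allowed:", is_allowed(rules, "xxx"),
              "| zzz allowed:", is_allowed(rules, "zzz"),
              "| unreachable rules:", shadowed_rules(rules))
```

A non-empty result from `shadowed_rules` is the warning sign: in Example 2 the allow rule at index 1 is dead configuration.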

http://fredrik.nsquared2.com/viewpost.aspx?PostID=352

posted on 2005-12-11 09:51  维生素C.NET