There is a user directory containing a set of .aspx files. All of them are open, except A.aspx and B.aspx, which only users in the VIP role may access.
The web.config file in the user directory is configured as follows:
Note that the allow element should be written before the deny element.
In <deny users="?"/>, the "?" denotes anonymous (unauthenticated) users, so the rule denies anonymous users.
<deny users="*"/> denies all users.
Compare the following two configurations:
<location path="A.aspx">
  <system.web>
    <authorization>
      <allow roles="VIP,system"/>
      <deny roles="system"/>
    </authorization>
  </system.web>
</location>
And
<location path="A.aspx">
  <system.web>
    <authorization>
      <deny roles="system"/>
      <allow roles="VIP,system"/>
    </authorization>
  </system.web>
</location>
A user logged on in the system role is allowed to access A.aspx under the first configuration and denied under the second. When a role appears in both an allow rule and a deny rule, the outcome depends on which rule comes first: ASP.NET evaluates the rules in order and stops at the first one that matches, so a deny placed first takes effect before the allow is ever considered.
In practice, <allow roles="XXX,yyy"/> followed by <deny users="*"/> is the usual combination for role-based access control: put the deny rule last.
-----------------------------------
The following content is excerpted from the book ASP.NET 2.0 Unleashed.
2.2 Configuring Authorization
Authorization is the process of determining whether a user may access a particular resource. You control authorization by adding an authorization node to a web configuration file.
Authorization is configured the same way no matter which type of authentication the application uses: the same method works with Forms, Windows, and .NET Passport authentication.
Typically, all pages that require password protection are placed in a separate folder. If you add a web configuration file to that folder, its settings apply to the folder and to every page in its subfolders.
For example, if the web configuration file in Listing 2-10 is added to the folder, every unauthenticated user is denied access to every page in the folder.
Listing 2-10 web.config
<?xml version="1.0"?>
<configuration>
  <system.web>
    <authorization>
      <deny users="?"/>
    </authorization>
  </system.web>
</configuration>
Once the file in Listing 2-10 is in the folder, unauthenticated users cannot access any page in it. When Forms authentication is enabled, an unauthenticated user who requests one of the pages is automatically redirected to the login page.
The web configuration file in Listing 2-10 contains an authorization node with a single rule: anonymous users are denied access. The ? symbol stands for an anonymous (unauthenticated) user.
Two special symbols can be used in the users attribute:
? -- an unauthenticated user;
* -- all users (unauthenticated and authenticated).
The users attribute of an allow or deny rule can also be set to a particular user name or a comma-separated list of user names. For example, the authorization node in Listing 2-11 allows access by a user named Jane and denies access to everyone else (even authenticated users).
Listing 2-11 secretfiles\web.config
<?xml version="1.0"?>
<configuration>
  <system.web>
    <authorization>
      <allow users="Jane"/>
      <deny users="*"/>
    </authorization>
  </system.web>
</configuration>
The order of the authorization rules matters. The ASP.NET Framework uses a first-match (short-circuit) algorithm: it walks the rules in order and applies the first one that matches the current user. If the allow and deny rules in Listing 2-11 were swapped, nobody could access a page in the folder, not even Jane.
Note: to keep anonymous users from accessing any page in the application, add an authorization node to the web configuration file in the application root. In that case, however, anonymous users must still be allowed to reach the login page (otherwise, with Forms authentication, no one could ever log on).
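To make the first-match rule concrete (the system-role comparison at the top of the page, the swapped rules of Listing 2-11, and the login-page exception in the note above), here is an added example that is not from the page or the book: a small Python model of how ASP.NET walks the rules in an authorization node. It assumes first-match evaluation, that rules from a location node or a subfolder's web.config come before the enclosing folder's rules, and that the machine-level default is <allow users="*"/>. The three web.config strings are constructed for the example (the page name login.aspx is an assumption), and only the users and roles attributes are modeled, not verbs.

```python
"""Model of how ASP.NET walks <authorization> rules (added example, not the book's code).
Assumed: first-match evaluation; rules from a <location> node or a subfolder's web.config
precede the enclosing folder's; machine-level default <allow users="*"/>; only the
users/roles attributes are modeled, not verbs."""
import xml.etree.ElementTree as ET

# Constructed web.config texts for the example (login.aspx is an assumed page name).
ROOT_CONFIG = """<?xml version="1.0"?>
<configuration>
  <system.web>
    <authentication mode="Forms"/>
    <authorization>
      <deny users="?"/>
    </authorization>
  </system.web>
  <location path="login.aspx">
    <system.web>
      <authorization>
        <allow users="*"/>
      </authorization>
    </system.web>
  </location>
</configuration>"""

ALLOW_THEN_DENY = """<?xml version="1.0"?>
<configuration>
  <location path="A.aspx">
    <system.web>
      <authorization>
        <allow roles="VIP,system"/>
        <deny roles="system"/>
      </authorization>
    </system.web>
  </location>
</configuration>"""

DENY_THEN_ALLOW = """<?xml version="1.0"?>
<configuration>
  <location path="A.aspx">
    <system.web>
      <authorization>
        <deny roles="system"/>
        <allow roles="VIP,system"/>
      </authorization>
    </system.web>
  </location>
</configuration>"""

MACHINE_DEFAULT = [("allow", {"users": "*"})]  # the root default that applies when nothing else matched


def parse_rules(xml_text):
    """Map scope -> ordered (action, attrs) rules. Scope '' is the folder itself;
    other scopes are the lower-cased path of a <location> node."""
    root = ET.fromstring(xml_text.strip())
    scoped = {}
    nodes = [("", root)] + [(loc.get("path", "").lower(), loc) for loc in root.findall("location")]
    for scope, node in nodes:
        auth = node.find("system.web/authorization")
        for rule in (auth if auth is not None else []):
            scoped.setdefault(scope, []).append((rule.tag, dict(rule.attrib)))
    return scoped


def rule_matches(attrs, user, roles):
    """True if an allow/deny rule applies to this user ('?' = anonymous, '*' = everyone)."""
    def names(attr):
        return [x.strip().lower() for x in attrs.get(attr, "").split(",") if x.strip()]
    for u in names("users"):
        if u == "*" or (u == "?" and user is None) or (user is not None and u == user.lower()):
            return True
    held = {r.lower() for r in roles}
    return any(r in held for r in names("roles"))


def is_authorized(configs, request_path, user, roles=()):
    """configs: web.config texts from the requested file's folder outward to the app root
    (child first, the order ASP.NET merges them). user=None means anonymous."""
    path = request_path.lower()
    ordered = []
    for cfg in configs:
        scoped = parse_rules(cfg)
        for scope, rules in scoped.items():  # <location> rules are more specific: they go first
            if scope and (path == scope or path.startswith(scope + "/")):
                ordered.extend(rules)
        ordered.extend(scoped.get("", []))
    ordered.extend(MACHINE_DEFAULT)
    for action, attrs in ordered:
        if rule_matches(attrs, user, roles):
            return action == "allow"
    return True  # unreachable: the machine default matches everyone


if __name__ == "__main__":
    print("anonymous -> login.aspx:", is_authorized([ROOT_CONFIG], "login.aspx", None))
    print("anonymous -> default.aspx:", is_authorized([ROOT_CONFIG], "default.aspx", None))
    print("system role, allow first:", is_authorized([ALLOW_THEN_DENY], "A.aspx", "bob", ["system"]))
    print("system role, deny first:", is_authorized([DENY_THEN_ALLOW], "A.aspx", "bob", ["system"]))
```

Run it as a script to see the four cases. The point to take away is that the first matching rule ends the search: an allow for a role that a later deny also names is effective, while a root-level deny of "?" without the location exception would block the login page itself.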
If you prefer a visual tool, you can also configure authorization rules with the Web Site Administration Tool, which lets you set authorization for individual folders through a form-based interface. To open it, choose Website → ASP.NET Configuration from the menu.
2.2.1 Authorizing by Role
You can also write authorization rules in terms of user roles. For example, the web configuration file in Listing 2-12 prevents everyone except members of the Administrator role from accessing any page in the folder.
Listing 2-12 web.config
<?xml version="1.0"?>
<configuration>
  <system.web>
    <authorization>
      <allow roles="Administrator"/>
      <deny users="*"/>
    </authorization>
  </system.web>
</configuration>
When Forms authentication is enabled, the roles attribute refers to a custom role; Section 2.4 explains how to configure and create custom roles. When Windows authentication is enabled, the roles attribute refers to a Microsoft Windows group.
2.2.2 Authorizing Files by Location
By default, authorization rules apply to the folder that contains the configuration file and to every page in its subfolders. You can, however, place the authorization node inside a location node to apply the rules only to a folder or page at a specific path.
For example, you may want to password-protect just one page in a folder. In that case, use a location node that names the path of that single file. The web configuration file in Listing 2-13 password-protects a page named secret.aspx.
Listing 2-13 web.config
<?xml version="1.0"?>
<configuration>
  <system.web>
    <authentication mode="Forms"/>
  </system.web>
  <location path="secret.aspx">
    <system.web>
      <authorization>
        <deny users="?"/>
      </authorization>
    </system.web>
  </location>
</configuration>
The location node can also apply configuration settings to a specific subfolder. For example, the web configuration file in Listing 2-14 password-protects the folder named secretfiles.
Listing 2-14 web.config
<?xml version="1.0"?>
<configuration>
  <system.web>
    <authentication mode="Forms"/>
  </system.web>
  <location path="secretfiles">
    <system.web>
      <authorization>
        <deny users="?"/>
      </authorization>
    </system.web>
  </location>
</configuration>
2.2.3 Using Authorization with Images and Other File Types
The authorization rules discussed so far apply only to file types that are mapped to the ASP.NET Framework. The Visual Web Developer web server maps every file type to the ASP.NET Framework; IIS, on the other hand, maps only specific file types to it.
If the application runs under IIS and you add an image file to a password-protected folder, requests for that image are not blocked. By default, the authorization rules cover only ASP.NET file types such as ASP.NET pages; images, Microsoft Word documents, and classic ASP pages never reach the ASP.NET Framework. A quick way to confirm this is to request a static file in the protected folder from a browser that is not logged on: if the file is served instead of redirecting to the login page, the rules are not being applied to that file type.
If you need to password-protect static files of a particular type, such as image files or Microsoft Word documents, you must map those file extensions to the ASP.NET ISAPI extension.
For example, to bring .gif image files under ASP.NET authorization, follow these steps:
(1) Click Start → Control Panel → Administrative Tools → Internet Information Services to open the IIS manager.
(2) Open the Properties window of the web site or virtual directory.
(3) On the Directory tab, click the Configuration button to open the Application Configuration dialog box.
Figure 2-3 The Mappings tab in IIS (Windows XP) [image: http://book.csdn.net/BookFiles/488/img/image023.gif]
(4) Select the Mappings tab (see Figure 2-3).
(5) Click Add to open the Add/Edit Application Extension Mapping dialog box.
(6) In the Executable box, enter the path to the ASP.NET ISAPI dynamic-link library (you can copy and paste it from the existing .aspx extension mapping).
(7) Enter .gif in the Extension box.
After you complete these steps, requests for .gif image files are passed to the ASP.NET Framework, so the same authentication and authorization rules now apply to .gif files.
Following the same steps, you can password-protect other types of static files, such as Microsoft Word documents, Excel workbooks, and video files. (On IIS 7 and later running in the Integrated pipeline, the managed authorization module already runs for every request, so this mapping step is not needed there.)
2.2.4 Using Authorization with Classic ASP Pages
ASP.NET pages and classic ASP pages can be used together in the same application, but they are processed by separate runtimes, so ASP.NET authentication and authorization do not apply to classic ASP pages.
If you use IIS 6 (the version that ships with Windows Server 2003), you can map classic ASP pages to the ASP.NET Framework; ASP.NET authorization rules then apply to them as well.
IIS 6 supports a feature called wildcard application mapping, which lets you intercept requests for classic ASP pages and hand them to the ASP.NET Framework first. After authentication and authorization, the ASP.NET Framework forwards the request to the classic ASP handler for processing.
Figure 2-4 Enabling wildcard mapping in IIS (Windows Server 2003) [image: http://book.csdn.net/BookFiles/488/img/image024.gif]
To enable wildcard mapping for ASP.NET, follow these steps:
(1) Click Start → Control Panel → Administrative Tools → Internet Information Services to open the IIS manager.
(2) Open the Properties window of the web site or virtual directory.
(3) On the Directory tab, click the Configuration button to open the Application Configuration dialog box.
(4) Select the Mappings tab.
(5) Click the Insert button at the bottom of the Mappings tab to open the Add/Edit Application Extension Mapping dialog box (see Figure 2-4).
(6) Enter the path to the ASP.NET ISAPI dynamic-link library (you can copy it from the .aspx extension mapping and paste it into the box).
After you complete these steps, requests for all files (not just classic ASP files) are mapped to the ASP.NET Framework. Classic ASP pages can then be protected with ASP.NET authorization rules in exactly the same way as ASP.NET pages, and the application's authorization rules also apply to image files, Microsoft Word documents, and other file types.