18.4 Authorization

Authorization controls whether an authenticated identity can access the resource it requested. There are two authorization mechanisms provided by ASP.NET: File authorization and URL authorization.

18.4.1 File Authorization

File authorization is enforced automatically when you enable ASP.NET Windows authentication, and cannot be disabled or configured. After IIS authenticates the user, but before ASP.NET hands the request to your application for processing, ASP.NET checks to see whether the authenticated user has the necessary NTFS permissions to access the requested resource. If she has permission, ASP.NET will hand the request to your application for processing; otherwise, it will refuse the request.

Understand that the NTFS checks performed during File authorization are in addition to the normal enforcement of NTFS file permissions performed during application execution. If your ASP.NET application accesses files during execution, they are accessed in the context of the ASP.NET worker process identity, or the identity of the authenticated Windows user if you have enabled impersonation. If the active identity does not have the necessary NTFS permissions to access the file, an error will occur, which your application must handle. See Section 18.5 later in this chapter for details of how to enable impersonation.

18.4.2 URL Authorization

URL authorization is a convenient mechanism for controlling access to resources when you are not using Windows authentication, although it can also be used to good effect at all times. While File authorization is based on the NTFS permissions of an authenticated Windows account, URL authorization is based on the principal (and identity) assigned to the application by the ASP.NET authentication process. See Chapter 10 for details about identities and principals.

The URL authorization settings are contained in the configuration files of your ASP.NET application. You can configure URL authorization at any level including individual files, by using the <location> configuration element. URL authorization allows you to grant or deny access to resources based on the identity and roles of the current principal. You can also restrict access based on the type of HTTP action attempted, such as Get or Post.

To configure URL authorization, include an <authorization> element in your configuration file. The <authorization> element can contain two types of child elements: <allow> grants access to resources and <deny> denies access. Both the <allow> and <deny> elements require you to specify one or both of the users and roles, and optionally the HTTP command (or verb) to which the element applies. The following excerpt from a Web.config file provides examples of the <authorization> element's use:

      <deny users="?"/>
      <allow users="Alice,Bob"/>
      <deny users="Eve"/>
      <allow roles="Administrators, Managers, Developers"/>
      <deny verbs="POST" roles="Users"/>
      <allow verbs="GET" roles="Users"/>
      <deny users="*"/>

When authorizing access to a resource, ASP.NET will only search until it finds the first <allow> or <deny> element that applies to the current identity, and so the order of the elements is important. In addition, authorization restrictions created lower down in the application hierarchy take precedence over those defined higher up.

In the example, we use two special characters. The "?" character represents all unauthenticated users, and so the first thing our example does is refuse access to anyone that has not been authenticated. The second special character is "*", which represents all users; the last thing we do is deny access to all users that have not been granted specific or denied permission by one of the other settings.

By default, the machine.config file contains the following configuration, meaning that all users have access to all files:

  <allow users="*"/>

    Part V: API Quick Reference