How do I use URL Authorization in ASP.NET 2.0?

From Guidance Share


J.D. Meier, Prashant Bansode, Alex Mackman


To configure URL authorization, use an <authorization> element in Web.config and specify which user and/or role names are allowed access to the current directory or to a nominated directory or file. URL authorization lets you restrict access to specific files and folders within your application's Uniform Resource Identifier (URI) namespace, based on the authenticated user's name or role membership held in the HttpContext.User object. ASP.NET version 2.0 on Windows Server 2003 protects all files in a given directory, even those not mapped to ASP.NET, such as .html, .gif, and .jpg files.

Note that authorization settings in Web.config apply to all of the files in the current directory and all subdirectories, unless a subdirectory contains its own Web.config with an <authorization> element. In that case, the settings in the subdirectory override the parent directory settings. Configure the <authorization> element in the Web.config file as follows:

          <authorization>
            <!-- Rules are evaluated in order; the first match wins -->
            <allow users="userName1, userName2" />
            <allow roles="roleName1, roleName2" />
            <deny users="*" />
          </authorization>

Important. When using roles in URL authorization, the role manager should be enabled and configured to use the correct role store.

Note. URL authorization can be used with both forms authentication and Windows authentication. In the case of Windows authentication, user names take the form "DomainName\WindowsUserName" and role names take the form "DomainName\WindowsGroupName". The local administrators group is referred to as "BUILTIN\Administrators". The local users group is referred to as "BUILTIN\Users".
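
The following complete Web.config is an added example, not part of the original guidance. It shows rules for the application root, a nominated directory and a nominated file, with the role manager enabled; the paths Admin and Reports/Summary.aspx are hypothetical, and forms authentication is assumed. Rules are checked from the most local configuration outward and the first match wins, which is why each block ends with its own deny.

```xml
<?xml version="1.0"?>
<!-- Added example. Admin and Reports/Summary.aspx are hypothetical paths. -->
<configuration>
  <system.web>
    <authentication mode="Forms" />
    <!-- Needed so that roles="..." is resolved against the role store -->
    <roleManager enabled="true" />

    <!-- Application root and every subdirectory without its own rules -->
    <authorization>
      <allow users="userName1, userName2" />
      <allow roles="roleName1" />
      <deny users="*" />
    </authorization>
  </system.web>

  <!-- WEAK form of the Admin block below (do not use). Without the closing
       deny, a user outside roleName2 falls through to the root rules, so
       userName1 and userName2 would still reach Admin:
         <allow roles="roleName2" />
  -->

  <!-- Nominated directory: only roleName2, everyone else stops here -->
  <location path="Admin">
    <system.web>
      <authorization>
        <allow roles="roleName2" />
        <deny users="*" />
      </authorization>
    </system.web>
  </location>

  <!-- Nominated file: a single named user -->
  <location path="Reports/Summary.aspx">
    <system.web>
      <authorization>
        <allow users="userName1" />
        <deny users="*" />
      </authorization>
    </system.web>
  </location>
</configuration>
```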
