Authorization determines whether an identity should be granted access to a specific resource. In ASP.NET, there are two ways to authorize access to a given resource:
- File authorization: File authorization is performed by the FileAuthorizationModule. It checks the access control list (ACL) of the .aspx or .asmx handler file to determine whether a user should have access to the file. ACL permissions are verified for the user's Windows identity (if Windows authentication is enabled) or for the Windows identity of the ASP.NET process. For more information, see ASP.NET Impersonation.
- URL authorization: URL authorization is performed by the UrlAuthorizationModule, which maps users and roles to URLs in ASP.NET applications. This module can be used to selectively allow or deny access to arbitrary parts of an application (typically directories) for specific users or roles.
The following example grants access to the Kim identity and members of the Admins role, and denies access to the John identity (unless the John identity is included in the Admins role) and to all anonymous users:

    <authorization>
      <allow users="Kim"/>
      <allow roles="Admins"/>
      <deny users="John"/>
      <deny users="?"/>
    </authorization>

The following authorization section shows how to allow access to the John identity and deny access to all other users:

    <authorization>
      <allow users="John"/>
      <deny users="*"/>
    </authorization>

The following example allows all users to perform an HTTP GET for a resource, but allows only the Kim identity to perform a POST operation:

    <authorization>
      <allow verbs="GET" users="*"/>
      <allow verbs="POST" users="Kim"/>
      <deny verbs="POST" users="*"/>
    </authorization>
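
The following is an added example, not code from ASP.NET or from the original page: a simplified Python model of how the three sections above are evaluated, with rules checked top to bottom and the first match deciding (which is why John is allowed when he is in the Admins role). The names `EXAMPLES` and `is_allowed`, the case-insensitive matching, and the fallback to the inherited root-level `<allow users="*"/>` default are assumptions of this model.

```python
import xml.etree.ElementTree as ET

# Constructed copies of the three <authorization> sections shown above.
EXAMPLES = {
    "kim_admins": '<authorization><allow users="Kim"/><allow roles="Admins"/>'
                  '<deny users="John"/><deny users="?"/></authorization>',
    "john_only": '<authorization><allow users="John"/><deny users="*"/></authorization>',
    "verbs": '<authorization><allow verbs="GET" users="*"/>'
             '<allow verbs="POST" users="Kim"/><deny verbs="POST" users="*"/></authorization>',
}


def _csv(rule, attr):
    """Split a comma-separated attribute into lower-cased tokens."""
    return {t.strip().lower() for t in rule.get(attr, "").split(",") if t.strip()}


def _matches(rule, user, roles, verb):
    verbs = _csv(rule, "verbs")
    if verbs and verb.lower() not in verbs:   # no verbs attribute = every verb
        return False
    users = _csv(rule, "users")
    if "*" in users:                          # "*" = all users, anonymous included
        return True
    if user is None:                          # "?" = anonymous (unauthenticated)
        return "?" in users
    if user.lower() in users:
        return True
    return bool(_csv(rule, "roles") & {r.lower() for r in roles})


def is_allowed(section_xml, user, roles=(), verb="GET"):
    """First matching rule decides; user=None models an anonymous request."""
    for rule in ET.fromstring(section_xml):
        if rule.tag in ("allow", "deny") and _matches(rule, user, roles, verb):
            return rule.tag == "allow"
    # Assumption: nothing above matched, so the inherited root-level
    # <allow users="*"/> default applies and the request is allowed.
    return True
```

In this model, a request that matches none of the listed rules (an authenticated user other than Kim or John in the first section, or a PUT in the third) falls through to the inherited allow; a trailing `<deny users="*"/>`, as in the second section, closes that gap.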