RE: Question regarding in Forms authentication

From: Joseph MCAD (JosephMCAD_at_discussions.microsoft.com)
Date: 04/06/05


Date: Wed, 6 Apr 2005 08:17:07 -0700


  April 6, 2005

    Hi! Denying users that you know cannot access something is always better
than specifying only which users are allowed. Don't get me wrong, you have to
specify all users that can access it, BUT if you have a widespread blanket
group or role such as "?" then it is best to deny it. Take a look at this
web.config:

'Windows Authentication

<authorization>
  <!-- anonymous users are denied, Domain\IT is allowed; nothing is said about other authenticated users -->
  <deny users="?"/>
  <allow roles="Domain\IT"/>
</authorization>

   You might think that this will block everybody but the IT role, but it in
fact allows ALL authenticated users. This is because the Machine.config has
<allow users="*"/>. If you add this line to the web.config file:

<authorization>
  <deny users="?"/>
  <allow roles="Domain\IT"/>
  <!-- inherited from Machine.config: every authenticated user falls through to this -->
  <allow users="*"/>
</authorization>

  You see that this will allow all users that are authenticated. Therefore
you should always specify a <deny users="*"/> at the end if you want to allow
only certain roles. This "*" role also covers unauthenticated users, so you
can remove the <deny users="?"/>, as these people will be denied as well.
Hope this helps!

                                                                             
   Joseph MCAD

"Naveen" wrote:

> In ASP.NET forms authentication, in order to restrict certain files from
> anonymous users we should set something like
> <deny users="?"/> in the web.config file.
> Though .NET classes are able to detect the difference between anonymous
> users and authenticated users, then why
> is it not made like
> <allow users="<certain symbol>"/>
> Is there any particular reason for restricting with the deny keyword?
> I have already posted in many forums, but all in vain.
> Hope Microsoft professionals may know it.
> Thanks in advance
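The behaviour Joseph describes follows from how ASP.NET's URL authorization evaluates rules: top to bottom, first matching rule wins, and the rule list from a web.config is followed by the rules inherited from Machine.config, which end with <allow users="*"/>. The Python below is an added example, not code from the thread or from ASP.NET itself; it is a small model of that first-match evaluation, parsing the posted <authorization> block and a corrected one with <deny users="*"/> at the end. The principal is represented as a user name (None for anonymous) plus a list of roles, the verbs attribute is ignored, and the function and constant names are assumptions for illustration.

```python
"""Model of ASP.NET URL-authorization rule evaluation (added example).

Rules are checked top to bottom; the first rule that matches the caller
decides. Machine.config appends <allow users="*"/> after the site's own
rules, so any list that never denies "*" allows every authenticated user.
"""
import xml.etree.ElementTree as ET

# Implicit trailing rule inherited from Machine.config (assumed to be the
# only inherited rule for this model).
MACHINE_CONFIG_TAIL = '<authorization><allow users="*"/></authorization>'

# The configuration as posted: denies anonymous callers, allows Domain\IT,
# and says nothing about other authenticated users.
POSTED_CONFIG = r"""<authorization>
  <deny users="?"/>
  <allow roles="Domain\IT"/>
</authorization>"""

# The corrected configuration: allow the role, then deny everyone else.
# <deny users="*"/> also covers anonymous callers, so <deny users="?"/>
# is no longer needed.
FIXED_CONFIG = r"""<authorization>
  <allow roles="Domain\IT"/>
  <deny users="*"/>
</authorization>"""


def parse_rules(xml_text):
    """Return [(action, [users], [roles])] in document order."""
    root = ET.fromstring(xml_text)
    rules = []
    for el in root:
        users = [u.strip() for u in el.get("users", "").split(",") if u.strip()]
        roles = [r.strip() for r in el.get("roles", "").split(",") if r.strip()]
        rules.append((el.tag, users, roles))
    return rules


def rule_matches(rule, name, roles):
    """True if the rule applies to a caller; name is None for anonymous."""
    _, users, rule_roles = rule
    is_auth = name is not None
    for u in users:
        if u == "*":
            return True                      # everyone, authenticated or not
        if u == "?" and not is_auth:
            return True                      # anonymous only
        if is_auth and u.lower() == name.lower():
            return True                      # named user (case-insensitive)
    caller_roles = {r.lower() for r in roles}
    return is_auth and any(r.lower() in caller_roles for r in rule_roles)


def is_allowed(web_config_xml, name, roles=()):
    """First-match evaluation of the site rules followed by the inherited tail."""
    rules = parse_rules(web_config_xml) + parse_rules(MACHINE_CONFIG_TAIL)
    for rule in rules:
        if rule_matches(rule, name, roles):
            return rule[0] == "allow"
    return False  # unreachable with the allow-all tail; kept as a safe default


def evaluate(web_config_xml):
    """Outcome for three constructed callers: anonymous, IT member, other user."""
    return {
        "anonymous": is_allowed(web_config_xml, None),
        "it_member": is_allowed(web_config_xml, "alice", [r"Domain\IT"]),
        "other_user": is_allowed(web_config_xml, "bob", [r"Domain\Sales"]),
    }


if __name__ == "__main__":
    print("posted:", evaluate(POSTED_CONFIG))   # other_user is allowed
    print("fixed: ", evaluate(FIXED_CONFIG))    # only it_member is allowed
```

Running it shows the trap in the posted configuration: the authenticated user outside Domain\IT matches nothing in the site's rules and falls through to the inherited allow-all. With <deny users="*"/> closing the list, the fall-through never happens and the anonymous case is covered as well.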


