2
votes

I want to understand how the system.web authorization tag on the web.config works, and what exactly each attribute and property does.

For instance, what does

  <system.web>
    <authorization>
      <deny users="?"/>
      <allow users="*"/>
    </authorization>
  </system.web>

Specifically what I want to do is to disallow access to most of the site for unauthenticated users, allow access to some of the site for authenticated users who belong to a certain role, and allow full access to users from a second role.


2 Answers

6
votes
<system.web>
    <authorization>
      <deny users="?"/>
      <allow users="*"/>
    </authorization>
</system.web>

This will allow access to anyone who is logged in.

<deny users="?"/> denies access to anonymous users (users who have not logged in), and then <allow users="*"/> allows access to all other users, which in this case means all authenticated users.

If this is in your main web.config file this will apply site wide. If you want to have different levels of access you can use the <location> tag:

<!-- path is relative to the directory containing this web.config -->
<location path="Admin">
  <system.web>
    <authorization>
      <!-- rules are evaluated top to bottom; the first match wins -->
      <allow roles="Admin"/>
      <deny users="*"/>
    </authorization>
  </system.web>
</location>

This will restrict access to any files/folders in the admin folder to users in the "Admin" role.
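Added example (not part of the answer above, and not ASP.NET's own code): a small Python model of the first-match rule evaluation that UrlAuthorizationModule applies, used to check the three-tier layout from the question (site-wide deny for anonymous users, a members area for two roles, an admin area for one). Rule sets, role names and user names are constructed for the illustration; the model also shows why the trailing <deny users="*"/> in a location block is needed, since the inherited <allow users="*"/> would otherwise admit any authenticated user.

```python
from dataclasses import dataclass, field
from typing import Optional, Set, List


@dataclass
class Principal:
    name: Optional[str]                      # None = anonymous, matched by "?"
    roles: Set[str] = field(default_factory=set)


@dataclass
class Rule:
    action: str                              # "allow" or "deny"
    users: Set[str] = field(default_factory=set)
    roles: Set[str] = field(default_factory=set)

    def matches(self, p: Principal) -> bool:
        if "*" in self.users:                # everyone, anonymous included
            return True
        if "?" in self.users and p.name is None:
            return True
        if p.name is not None and p.name in self.users:
            return True
        return bool(self.roles & p.roles)


def authorize(rules: List[Rule], p: Principal) -> bool:
    """First matching rule wins. If nothing matches, access is allowed,
    because the machine-level default is <allow users="*"/>."""
    for rule in rules:
        if rule.matches(p):
            return rule.action == "allow"
    return True


# Constructed rule sets. A <location> block's rules are evaluated before the
# rules inherited from the parent web.config, so child rules come first.
ROOT = [Rule("deny", users={"?"}), Rule("allow", users={"*"})]
MEMBERS = [Rule("allow", roles={"Member", "Admin"}), Rule("deny", users={"*"})] + ROOT
ADMIN = [Rule("allow", roles={"Admin"}), Rule("deny", users={"*"})] + ROOT
# Pitfall: omitting <deny users="*"/> leaves the area open to all logged-in users.
ADMIN_MISSING_DENY = [Rule("allow", roles={"Admin"})] + ROOT

ANON = Principal(None)
MEMBER = Principal("alice", {"Member"})
ADMIN_USER = Principal("bob", {"Admin"})
PLAIN_USER = Principal("carol")              # authenticated, but in no role
```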