Name
<authorization>
Synopsis
Provides two
child elements, <allow>
and
<deny>
, that allow you to configure the
users, roles, or HTTP verbs that can be used to access application
resources.
Scope
Any
Attributes
None
Child Elements
<allow>
, <deny>
Example
The example allows users Mary and John to access application resources using any HTTP verb, while denying POST access to nonauthenticated users:
<configuration> <system.web> <authorization> <allow users="Mary, John" /> <deny users="?" verbs="POST" /> </authorization> </system.web> </configuration>
Notes
The type of authorization implemented by the
<authorization>
element is referred to as
URL authorization
. You can read more about URL
authorization in Chapter 9.
You can specify authorization settings for a specific file or
directory in your application that differs from the defaults
configured in the root web.config
file for the application in either of two ways:
By adding an
<authorization>
element to theweb.config
file of the desired child directory, as shown in the example.By using a
<location>
tag in the rootweb.config
file and setting itspath
attribute to the desired path, as follows:<configuration> <location path="files"> <system.web> <authorization> <deny users="?" /> </authorization> </system.web> </location> <system.web> <!--other configuration settings --> </system.web> </configuration>
Get ASP.NET in a Nutshell now with the O’Reilly learning platform.
O’Reilly members experience books, live events, courses curated by job role, and more from O’Reilly and nearly 200 top publishers.