Velocity Reviews

Velocity Reviews (http://www.velocityreviews.com/forums/index.php)
-   ASP .Net Security (http://www.velocityreviews.com/forums/f62-asp-net-security.html)
-   -   wonky <authorization> (order matters?) (http://www.velocityreviews.com/forums/t769854-wonky-authorization-order-matters.html)

SpaceMarine 05-20-2008 11:37 PM

wonky <authorization> (order matters?)
 
hello,

i am using Windows authentication w/ my web app and lock it down via
roles. in my testing it seems like the *order* of the <authorization>
elements matters.

eg, this works:

<authorization>
<allow roles="Foo" />
<deny users="?" />
<deny users="*" />
</authorization>

but this doesnt:

<authorization>
<deny users="?" />
<deny users="*" />
<allow roles="Foo" />
</authorization>

....for the latter my browser keeps popping a credentials dialog, even
tho im in the Foo role.


is this expected behavior? ASP.NET v2.


thanks!
sm

Joe Kaplan 05-21-2008 05:15 AM

Re: wonky <authorization> (order matters?)
 
Yes, it does matter. It evaluates each rule in order until it matches and
then it applies the allow or deny based on the match.

Joe K.

--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
--
"SpaceMarine" <spacemarine@mailinator.com> wrote in message
news:1a2a6639-2b07-44cd-9451-79f20a085cdf@8g2000hse.googlegroups.com...
> hello,
>
> i am using Windows authentication w/ my web app and lock it down via
> roles. in my testing it seems like the *order* of the <authorization>
> elements matters.
>
> eg, this works:
>
> <authorization>
> <allow roles="Foo" />
> <deny users="?" />
> <deny users="*" />
> </authorization>
>
> but this doesnt:
>
> <authorization>
> <deny users="?" />
> <deny users="*" />
> <allow roles="Foo" />
> </authorization>
>
> ...for the latter my browser keeps popping a credentials dialog, even
> tho im in the Foo role.
>
>
> is this expected behavior? ASP.NET v2.
>
>
> thanks!
> sm





All times are GMT. The time now is 01:11 PM.

Powered by vBulletin®. Copyright ©2000 - 2014, vBulletin Solutions, Inc.
SEO by vBSEO ©2010, Crawlability, Inc.