web forms authorization

vbboyd · May 7th, 2012, 02:31 PM

I am having trouble with the following xml code in the web.config file when I am doing some additional exercises contained in your book:

Code:

<authorization>
<deny users = "*" />
<allow users = "Supervisors">
</authorization>
<location path = "/accounting/payables">

For whatever strange reason this code is not acting like its intended design. I can't quite figure it out. I can't seem to weed out anybody but the supervisors to the accounting path file locations. Am I doing something wrong here? It has got me confused.

Imar · May 7th, 2012, 02:43 PM

Hi there,

Take a look at page 611, in the How It Works section to see why this doesn't work as expected....

Cheers,

Imar

vbboyd · May 7th, 2012, 03:51 PM

I just looked at page 611. Everything looks fine to me just as how you have it in the book. I know I did everything right on this as explained in your book of that I am certain. I just don't see any discrepancies whatsoever.

Imar · May 7th, 2012, 05:07 PM

Take another look at this quote from the book:

Quote:

It starts scanning the various rules (allow and deny elements with roles or users attributes to specify the users or roles that are affected by the rule) and as soon as it finds a rule, it stops the scanning process and applies that rule.

Then take a look at this:

Code:

 
<authorization>
  <deny users = "*" />
  <allow users = "Supervisors">
</authorization>

The first rule blocks access to *all* users, including those in the Supervisors role. That rule with match, and thus access is blocked for everyone. Swap these two rules and it should work.

Cheers,

Imar

vbboyd · May 7th, 2012, 05:16 PM

You know what? I just noticed this before I got your email for the response I am giving you here. You are right, the two lines of xml code were accidentally transposed when I typed them into the web.config file. The allow users line of XML code in the web.config file has to come first before the deny statement. Is that correct? I think I got it working just fine now. It was just such a simple, little accidental mistype that you wouldn't normally think to look that small. It was just a dumb typing mistake on my part. Oh geeze. I feel so stupid because I made such a small little mistake like that. This kind of simple mistake can be quite common I would wager. Has anything like that ever happened to you sometimes maybe in the past?

Imar · May 7th, 2012, 05:33 PM

Quote:

The allow users line of XML code in the web.config file has to come first before the deny statement. Is that correct?

Not necessarily. It depends on the rules you want to apply. You could block unauthenticated users first, for example. It's a matter of setting up the right flow.

Quote:

Has anything like that ever happened to you sometimes maybe in the past?

Millions of times..... :-)

Imar