ASP.NET Authorization Settings

by Dominick Baier

Related link: http://www.leastprivilege.com/ASPNETAuthorizationSettings.aspx



A lot of people have asked me in the past why they need an explicit <deny users="*" /> at the end of ASP.NET authorization control lists.


Let's demystify that.


ASP.NET has a hierarchical configuration system. The root web.config is stored in the .NET Framework directory. This web.config has the following global authorization settings:


<authorization>
  <allow users="*" />
</authorization>


When you create a new web application, all web.config settings (global, site and local) are merged together to form the configuration that's really in effect for this application. By default a local web.config does not contain an authorization section but inherits the one defined globally. So you always end up with an <allow users="*" /> entry.


If you now configure the following authorization list in your local config:


<authorization>
  <allow roles="HR" />
</authorization>


You really get this at runtime:


<authorization>
  <allow roles="HR" />
  <allow users="*" />
</authorization>


And this means everybody is authorized. If you add a <deny users="*" /> at the end of your list you get:


<authorization>
  <allow roles="HR" />
  <deny users="*" />
  <allow users="*" />
</authorization>


This does exactly what we want: ASP.NET evaluates the list top to bottom and applies the first rule that matches the current user, so the <deny users="*" /> is reached before the inherited <allow users="*" /> and only members of HR get through.
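To make the first-match rule tangible, here is a small model of how the merged list is evaluated. This is an added example, not code from the original post or from ASP.NET itself; the AuthRule and Authorization types, the Evaluate/IsAuthorized names and the sample principals are this example's own, and the fallback of denying when no rule matches is a choice of this model (in practice the inherited <allow users="*" /> guarantees there is always a match).

```csharp
// Added example (not from the original post): models how ASP.NET walks a merged
// <authorization> list top to bottom and applies the first rule that matches.
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Principal;

enum Verb { Allow, Deny }

// One <allow .../> or <deny .../> element. In the real attributes, user and
// role names are comma-separated and "*" means everyone.
sealed class AuthRule
{
    public Verb Verb { get; }
    public string[] Users { get; }
    public string[] Roles { get; }

    public AuthRule(Verb verb, string users = "", string roles = "")
    {
        Verb = verb;
        Users = Split(users);
        Roles = Split(roles);
    }

    static string[] Split(string s) =>
        s.Split(new[] { ',' }, StringSplitOptions.RemoveEmptyEntries)
         .Select(x => x.Trim()).ToArray();

    public bool Matches(IPrincipal p)
    {
        // "*" matches everyone; "?" is ASP.NET's wildcard for anonymous users.
        foreach (var u in Users)
        {
            if (u == "*") return true;
            if (u == "?" && !p.Identity.IsAuthenticated) return true;
            if (string.Equals(u, p.Identity.Name, StringComparison.OrdinalIgnoreCase)) return true;
        }
        foreach (var r in Roles)
        {
            if (r == "*" || p.IsInRole(r)) return true;
        }
        return false;
    }
}

static class Authorization
{
    // First matching rule wins. Denying when nothing matches is this model's
    // assumption; the inherited <allow users="*"/> normally ensures a match.
    public static bool IsAuthorized(IEnumerable<AuthRule> rules, IPrincipal p)
    {
        foreach (var rule in rules)
            if (rule.Matches(p)) return rule.Verb == Verb.Allow;
        return false;
    }

    static void Main()
    {
        // Local list as in the post, followed by the <allow users="*"/>
        // inherited from the root web.config (local rules are merged first).
        var withoutDeny = new[]
        {
            new AuthRule(Verb.Allow, roles: "HR"),
            new AuthRule(Verb.Allow, users: "*"),   // inherited from the root config
        };
        var withDeny = new[]
        {
            new AuthRule(Verb.Allow, roles: "HR"),
            new AuthRule(Verb.Deny, users: "*"),
            new AuthRule(Verb.Allow, users: "*"),   // inherited, but never reached
        };

        // Constructed sample principals: one HR member, one non-member.
        IPrincipal hr = new GenericPrincipal(new GenericIdentity("alice"), new[] { "HR" });
        IPrincipal sales = new GenericPrincipal(new GenericIdentity("bob"), new[] { "Sales" });

        foreach (var (name, rules) in new[] { ("without deny", withoutDeny), ("with deny", withDeny) })
        {
            Console.WriteLine($"{name}: alice(HR)={IsAuthorized(rules, hr)}, bob(Sales)={IsAuthorized(rules, sales)}");
        }
    }
}
```

Running it shows the effect described above: without the explicit deny, both alice and bob are authorized because bob falls through to the inherited <allow users="*" />; with the deny in place, alice still matches the HR rule first while bob hits <deny users="*" /> before the inherited allow is ever considered.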


You can have a look at the aggregated configuration that is currently in effect for your application with this piece of code:


using System;
using System.Configuration;
using System.Web.Configuration;

// Button handler in a page code-behind: writes the merged configuration
// (global, site and local settings combined) that is in effect for this
// application to the file path entered in the _txtConfig text box.
protected void _btnSaveConfig_Click(object sender, EventArgs e)
{
  Configuration config = WebConfigurationManager.OpenWebConfiguration("~");
  config.SaveAs(_txtConfig.Text, ConfigurationSaveMode.Full, true);
}