Authorization process of ASP.NET

June 27, 2007
By Computer security

Authorization is the process of determining whether a previously authenticated user may access a given resource. Note that authorization can only work on authenticated users, hence ensuring that no unauthenticated user can access the application. The syntax for specifying authorization in ASP.NET is as follows.

<authorization>
  <[allow | deny] [users="..."] [roles="..."] [verbs="..."] />
</authorization>

In ASP.NET, there are the following types of authorizations.

  • URL Authorization
  • File Authorization
  • Authorization based on ACLs

File authorization is performed by the FileAuthorizationModule and is active when the application is configured to use Windows authentication. It checks the access control list (ACL) of the requested file to determine whether the user should have access to it. ACL permissions are verified for the Windows identity or, if impersonation is enabled, for the Windows identity of the ASP.NET process.

URL authorization is performed by the UrlAuthorizationModule, which maps users and roles to URLs in ASP.NET applications. This module can be used to selectively allow or deny access to arbitrary parts of an application (typically directories) for specific users or roles.

Authorization, like authentication, is specified in the web.config file of the application. The following is an example of how authorization rules are written in the application's configuration file.

<authorization>
  <allow users="Joydip" />
  <deny users="Jude" />
  <deny users="?" />
</authorization>

It is also possible to scope authorization settings to a particular location (a single page or a directory) by placing them inside a <location> element, so that the rules apply only to that path. The following code snippet illustrates this.

<configuration>
  <location path="Test.aspx">
    <system.web>
      <authorization>
        <allow users="?" />
      </authorization>
    </system.web>
  </location>
</configuration>

You can also restrict or grant a GET or POST to one or more users of the ASP.NET application. The following code snippet illustrates how we can allow the user "Jude" to do a POST while all other users can only do a GET.

<authorization>
  <allow verbs="GET" users="*" />
  <allow verbs="POST" users="Jude" />
  <deny verbs="POST" users="*" />
</authorization>
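As an added example (not code from the original post), the following Python script evaluates the rule semantics that the user-based and verb-based snippets above depend on: rules are checked in document order, the first match wins, "*" means everyone, "?" means anonymous, and a request matched by no application rule falls through to the allow users="*" rule that the machine-level root web.config contributes to the merged list. The fragments and the user names Alice and Bob are constructed for the test cases.

```python
import xml.etree.ElementTree as ET

# Constructed <authorization> fragments in the form shown in this post
# (attribute names as ASP.NET expects: users, roles, verbs).
VERB_RULES = """
<authorization>
  <allow verbs="GET" users="*" />
  <allow verbs="POST" users="Jude" />
  <deny verbs="POST" users="*" />
</authorization>
"""
USER_RULES = """
<authorization>
  <allow users="Joydip" />
  <deny users="Jude" />
  <deny users="?" />
</authorization>
"""
# The machine-level root web.config ends the merged rule list with this rule,
# so an application that never matches a request allows it by default.
ROOT_DEFAULT = '<authorization><allow users="*" /></authorization>'


def _split(value):
    return [v.strip().lower() for v in value.split(",") if v.strip()]


def parse_rules(xml_text):
    """Rules of one <authorization> element, in document order (order matters)."""
    rules = []
    for el in ET.fromstring(xml_text):
        if el.tag in ("allow", "deny"):
            rules.append((el.tag, _split(el.get("users", "")),
                          _split(el.get("roles", "")), _split(el.get("verbs", ""))))
    return rules


def _matches(rule, user, roles, verb):
    _, users, rule_roles, verbs = rule
    if verbs and verb.lower() not in verbs:  # no verbs attribute = every verb
        return False
    for u in users:
        if u == "*" or (u == "?" and user is None) or (user and u == user.lower()):
            return True
    return any(r.lower() in rule_roles for r in roles)


def is_allowed(xml_text, user, roles=(), verb="GET"):
    """First matching rule decides; user=None means an anonymous request."""
    for rule in parse_rules(xml_text) + parse_rules(ROOT_DEFAULT):
        if _matches(rule, user, roles, verb):
            return rule[0] == "allow"
    return True  # not reached: ROOT_DEFAULT always matches
```

Note that in the user-based snippet an authenticated user other than Joydip or Jude is still allowed, because only anonymous requests are denied before the root default applies; add a trailing deny users="*" if the intent is a closed allow-list.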
