<location path="Test.aspx">
  <system.web>
    <authorization>
      <allow roles="Users"/>
      <deny users="?"/>
    </authorization>
  </system.web>
</location>

What exactly does ASP.NET do when I define that the test.aspx page can only be accessed by the roles "Users"... where does it check whether this is the case?
Thanks!
I believe IIS is doing the check.
The check actually occurs within ASP.NET, and happens before the page is ever executed. Note that your rules above allow any logged-in user access to the page, since all you deny is anonymous users (that is what the <deny users="?"/> does). If you want to deny everyone but those within the "Users" role you should add a <deny users="*"/> immediately after the <allow roles="Users"/> statement.
Hope this helps,
Scott
Hi, thanks...
And what do you mean exactly by "occurs within ASP.NET"? I mean... if I set that only the role Users has access, I assume that ASP.NET checks against some sort of principal object, or cookie or...
Thanks again
If you have a role check, then ASP.NET will use the principal object of the request to do an "IsInRole" lookup to verify whether the user is in that role.
How the principal object is generated depends on whether you are using FormsAuthentication or WindowsAuthentication (and how you are populating the roles for the request). ASP.NET V2.0 has the built-in role-manager service, which by default populates the roles from a database and can optionally cache the encrypted set of roles in a cookie if you want.
Hope this helps,
Scott
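
Added example, not part of the thread and not ASP.NET's own code: a small C# model of the evaluation described in the two replies above, showing why the posted rules admit any logged-in user and what the extra <deny users="*"/> changes. Rule and IsAllowed are hypothetical names; GenericPrincipal, GenericIdentity and IsInRole are the real .NET types. It assumes rules are read top to bottom with the first match deciding, and that the inherited machine-level default is <allow users="*"/>.

```csharp
using System;
using System.Linq;
using System.Security.Principal;

// Simplified model of one <allow>/<deny> element (hypothetical type, not an ASP.NET class).
// Only users="*", users="?" and roles="..." are modelled; named users and verbs are left out.
class Rule
{
    public bool Allow; public string Users; public string Roles;

    public bool Matches(IPrincipal p)
    {
        if (Users == "*") return true;                         // everyone
        if (Users == "?") return !p.Identity.IsAuthenticated;  // anonymous only
        // Role rules are answered by the request principal's IsInRole lookup.
        return Roles != null && Roles.Split(',').Any(r => p.IsInRole(r.Trim()));
    }
}

static class Demo
{
    // Assumption stated in the lead-in: first matching rule decides.
    static bool IsAllowed(IPrincipal p, params Rule[] rules)
    {
        var hit = rules.FirstOrDefault(r => r.Matches(p));
        return hit != null && hit.Allow;
    }

    static void Main()
    {
        var allowUsersRole = new Rule { Allow = true,  Roles = "Users" };
        var denyAnonymous  = new Rule { Allow = false, Users = "?" };
        var denyAll        = new Rule { Allow = false, Users = "*" };
        var inheritedAllow = new Rule { Allow = true,  Users = "*" };  // inherited default

        // Constructed sample principals; an empty identity name means "not authenticated".
        IPrincipal anon  = new GenericPrincipal(new GenericIdentity(""), new string[0]);
        IPrincipal bob   = new GenericPrincipal(new GenericIdentity("bob"), new[] { "Guests" });
        IPrincipal alice = new GenericPrincipal(new GenericIdentity("alice"), new[] { "Users" });

        foreach (var p in new[] { anon, bob, alice })
        {
            bool asPosted  = IsAllowed(p, allowUsersRole, denyAnonymous, inheritedAllow);
            bool corrected = IsAllowed(p, allowUsersRole, denyAll, denyAnonymous, inheritedAllow);
            string name = p.Identity.Name == "" ? "(anon)" : p.Identity.Name;
            Console.WriteLine("{0,-7} as posted: {1,-5}  with deny *: {2}", name, asPosted, corrected);
        }
    }
}
```

In this model "bob" is authenticated but not in "Users": with the posted rules he falls through to the inherited allow, and with the added deny rule he is stopped.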