Naveen Kumar #1
Doubt in Forms authentication configuration settings
In ASP.NET forms authentication, in order to restrict certain files from
anonymous users, the setting in web.config should be
<deny users="?"/>
which will not allow anonymous users.
My doubt is: though the .NET classes are able to detect the difference between
anonymous users and authenticated users, why isn't it made like
<allow users="<certain symbol>"/>
which would allow the authenticated users only?
Is there any particular reason for restricting with the deny keyword?
Please make it clear.
Thanks in advance.
Naveen Kumar Guest
Teemu Keiski #2
Re: Doubt in Forms authentication configuration settings
Hi,
Settings inside the <authorization> tag (<allow> or <deny>) are evaluated in the
order they are placed. This is described in the docs:
"
At run time, the authorization module iterates through the <allow> and
<deny> tags until it finds the first access rule that fits a particular
user. It then grants or denies access to a URL resource depending on whether
the first access rule found is an <allow> or a <deny> rule. The default
authorization rule in the Machine.config file is <allow users="*"/> so, by
default, access is allowed unless configured otherwise.
"
And if you check this page, where I took this text from:
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/cpgenref/html/gngrfauthorizationsection.asp
it says there that ? (question mark) means anonymous users and * (asterisk)
means all users. Therefore, to limit the access by default, you need to deny
access to unauthenticated users, so that they get redirected to the
logon page and possibly get authenticated.
But the reason there isn't an "allow all authenticated users" is probably that
it is easier to say who should be able to access a certain restricted page, like
this, to allow admins only into a certain section (and deny all other users,
whether authenticated or not):
<authorization>
<allow roles="admins"/>
<deny users="*"/>
</authorization>
I cannot speak for the ASP.NET team, but IMO this way the settings are more
explicit (semantically, denying all unauthenticated users is the same as
allowing all authenticated users, but allowing users case-by-case is then more
explicit), as it should be, so that access is denied by default unless there
is a reason to access that page.
--
Teemu Keiski
ASP.NET MVP, AspInsider
Finland, EU
"Naveen Kumar" <Naveen Kumar@discussions.microsoft.com> wrote in message
news:A4FBB9C0-B52A-405B-BC04-79BF05CFD45A@microsoft.com...
> In Asp.net forms authentication. In order to restrict certain files from
> anonymous users the settings in web.config should be
> <deny users="?"/>
> which will not allow anonymous users.
> My doubt is, Though .NET classes are able to detect the difference between
> the anonymous users and authenticated users then why it's not made like
> <allow users="<certain symbol>"/>
> which will allow the authenticated users only.
> Is there any particular reason by restricting with deny keyword
> ?
> Please make it clear
> Thanks in advance
Teemu Keiski Guest
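To make the first-match behaviour quoted from the docs concrete, here is a small simulator of the <authorization> rule evaluation, written for this thread as an added example (it is not the ASP.NET authorization module and not code from either poster). It assumes an anonymous request is represented as user=None, models only the users and roles attributes of <allow> and <deny> (the verbs attribute and rule inheritance from parent web.config files are ignored), and includes a small lint that flags rules shadowed by an earlier catch-all, which is the usual way a misordered <allow users="*"/> silently opens a section. The three web.config fragments are constructed for the example.

```python
import xml.etree.ElementTree as ET

# Constructed <authorization> fragments (written for this example,
# not taken from the original poster's web.config).
DENY_ANONYMOUS = """<authorization>
  <deny users="?"/>
</authorization>"""

ADMINS_ONLY = """<authorization>
  <allow roles="admins"/>
  <deny users="*"/>
</authorization>"""

# Misordered: the catch-all allow is matched first, so the deny never fires.
MISORDERED = """<authorization>
  <allow users="*"/>
  <deny users="?"/>
</authorization>"""


def _split(attr_value):
    """Split a comma-separated users/roles attribute into its entries."""
    return [v.strip() for v in attr_value.split(",") if v.strip()]


def _rule_matches(rule, user, roles):
    """True if an <allow>/<deny> rule applies to this request.

    user is None for an anonymous (unauthenticated) request. As the quoted
    docs state, "?" means anonymous users and "*" means all users.
    Assumption of this simulator: the verbs attribute and nested
    <location> inheritance are not modelled.
    """
    user_roles = {r.lower() for r in roles}
    for entry in _split(rule.get("users", "")):
        if entry == "*":
            return True
        if entry == "?" and user is None:
            return True
        if user is not None and entry.lower() == user.lower():
            return True
    for entry in _split(rule.get("roles", "")):
        if user is not None and entry.lower() in user_roles:
            return True
    return False


def authorize(config_xml, user, roles=()):
    """First-match evaluation of <authorization> rules, as the docs describe.

    Returns True when access is granted. When no rule matches, the
    Machine.config default <allow users="*"/> applies, so access is allowed.
    """
    root = ET.fromstring(config_xml)
    if root.tag != "authorization":
        raise ValueError("expected an <authorization> element")
    for rule in root:
        if rule.tag not in ("allow", "deny"):
            continue
        if _rule_matches(rule, user, roles):
            return rule.tag == "allow"
    return True


def unreachable_rules(config_xml):
    """Indices of rules that can never match because an earlier rule with
    users="*" (and no verbs restriction) already matches every request.
    A quick lint for misordered configs."""
    root = ET.fromstring(config_xml)
    rules = [r for r in root if r.tag in ("allow", "deny")]
    shadowed = []
    catch_all_seen = False
    for index, rule in enumerate(rules):
        if catch_all_seen:
            shadowed.append(index)
        elif "*" in _split(rule.get("users", "")) and not rule.get("verbs"):
            catch_all_seen = True
    return shadowed


if __name__ == "__main__":
    print("anonymous, deny ?      ->", authorize(DENY_ANONYMOUS, None))
    print("alice, deny ?          ->", authorize(DENY_ANONYMOUS, "alice"))
    print("alice in admins        ->", authorize(ADMINS_ONLY, "alice", ("admins",)))
    print("bob, authenticated     ->", authorize(ADMINS_ONLY, "bob", ("users",)))
    print("anonymous, misordered  ->", authorize(MISORDERED, None))
    print("shadowed rule indices  ->", unreachable_rules(MISORDERED))
```

Running the block shows the two points made in the reply: <deny users="?"/> on its own rejects the anonymous request and lets any authenticated user through, while the admins-only pair rejects every request that is not in the admins role, authenticated or not. The MISORDERED fragment shows why the lint is worth running over a real web.config: with the catch-all <allow users="*"/> first, the later <deny users="?"/> is never evaluated and anonymous users get in.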