Manage Authorization using config file


This article explains how to restrict user access to a particular page or directory.

In real projects you often need to restrict some pages or a specific directory. The sections below show how to add a location tag inside the web.config file and use it to restrict access.

<configuration>
<!-- Inside the configuration tag you can add a location tag as shown below.
The location tag has two attributes, "path" and "allowOverride" -->

The path attribute gives the path of the specific page or physical directory. Using the location element with the allowOverride="false" attribute locks the entire configuration; similarly, you can lock individual elements and attributes (refer to Image 2).
   
[Image 1: 1.gif]

The allow tag has eight attributes, as shown below.

[Image 2: 2.gif]

Of these, three attributes are used most often.

users: A comma-separated list of user names that are allowed access to the resource. A question mark (?) indicates that anonymous users are granted access to the resource. An asterisk (*) indicates that all users are granted access to the resource.

roles: A comma-separated list of roles that are granted access to the resource.

verbs:  A comma-separated list of HTTP transmission methods that are granted access to the resource. Verbs that are registered to ASP.NET are GET, HEAD, POST, and DEBUG.

Example 1:

I want to restrict a particular page so that it is available only to specific users, such as user1 and user2.

For this scenario, use the following snippet in the web.config:

<configuration>
  <!-- The path can be either a directory or a specific page name -->
  <location path="_layouts/abc/testpage.aspx">
    <system.web>
      <authorization>
        <!-- Add the users you want to give access to -->
        <allow users="user1,user2"/>
        <!-- Deny everyone else. Rules are evaluated top to bottom and the first
             match wins, so user1 and user2 are allowed before this rule is reached.
             deny users="?" would block only anonymous users here. -->
        <deny users="*"/>
      </authorization>
    </system.web>
  </location>
</configuration>

Result: testpage.aspx can be accessed only by user1 and user2.

You can restrict access based on roles; now we will see how to allow access based on roles.

Example 2:

The following code example demonstrates how to deny access to all user accounts and allow access to all members of the role Administrator.

<configuration>
  <location path="_layouts/abc/testpage.aspx">
    <system.web>
      <authorization>
        <!-- Add the roles to give access to; more than one role can be listed, separated by commas -->
        <allow roles="Administrator"/>
        <!-- Deny all users except those whose role is "Administrator".
             The allow rule above is matched first for members of that role. -->
        <deny users="*"/>
      </authorization>
    </system.web>
  </location>
</configuration>

Result: testpage.aspx can be accessed only by users whose role is "Administrator".

You need to know the following before using the authorization tag:

allow users="*" means access is granted to everyone; this is the default.
allow users="?" means access is granted to unauthenticated (anonymous) users.

Similarly,

deny users="*" means access is denied to everyone.
deny users="?" means access is denied only to unauthenticated (anonymous) users.
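
The difference between deny users="?" and deny users="*" after an allow rule can be checked with a small model of the rule evaluation. This Python sketch is an added example, not part of the original article and not ASP.NET's own code. It assumes rules are evaluated top to bottom with the first match winning and that the inherited default allow users="*" applies when nothing matches; it ignores verbs, and the function names are hypothetical.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the location block from Example 1, with the final
# deny rule left as a placeholder so both variants can be compared.
CONFIG = """<configuration>
  <location path="_layouts/abc/testpage.aspx">
    <system.web>
      <authorization>
        <allow users="user1,user2"/>
        <deny users="{deny}"/>
      </authorization>
    </system.web>
  </location>
</configuration>"""

def _names(value):
    """Split a comma-separated attribute into a lowercase set."""
    return {n.strip().lower() for n in (value or "").split(",") if n.strip()}

def rule_matches(rule, user, roles):
    """True if an allow/deny element applies to this user (None = anonymous)."""
    users = _names(rule.get("users"))
    if "*" in users:                      # everyone
        return True
    if "?" in users and user is None:     # anonymous only
        return True
    if user is not None and user.lower() in users:
        return True
    return bool(_names(rule.get("roles")) & {r.lower() for r in roles})

def is_allowed(config_xml, path, user=None, roles=()):
    """Simplified model: first matching rule under the location decides."""
    root = ET.fromstring(config_xml)
    for loc in root.findall("location"):
        if loc.get("path", "").lower() != path.lower():
            continue
        for authz in loc.iter("authorization"):
            for rule in authz:
                if rule.tag in ("allow", "deny") and rule_matches(rule, user, roles):
                    return rule.tag == "allow"
    return True  # nothing matched: assumed inherited default allow users="*"

if __name__ == "__main__":
    page = "_layouts/abc/testpage.aspx"
    for deny in ("?", "*"):
        cfg = CONFIG.format(deny=deny)
        for who in ("user1", "user3", None):
            print(f'deny users="{deny}"', who or "(anonymous)", is_allowed(cfg, page, who))
```

With deny users="?" an authenticated account that is not on the allow list (user3 in the sample) still gets through, which is why a page meant for named users or roles only needs deny users="*" as its last rule.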

Enjoy!!!

