Jun 30

To secure a website you can set authorization rules on individual web pages, web services and sub directories. ASP.NET supports this with declarative authorization rules defined in the web.config file. These rules are enforced by the UrlAuthorizationModule, an HTTP module that checks every request against the rules and refuses access to resources the current user is not allowed to reach. Keep in mind that the module only sees requests that IIS hands to ASP.NET: in classic mode that means ASP.NET resources such as .aspx and .asmx files, so static files (.html, .pdf, images) are served by IIS without these checks unless they are mapped to ASP.NET or the site runs in the IIS integrated pipeline.

The following diagram describes the workflow of the FormsAuthenticationModule and the UrlAuthorizationModule when an unauthorized request arrives. In particular, the diagram shows a request by an anonymous visitor for ProtectedPage.aspx, a page that denies access to anonymous users. Since the visitor is anonymous, the UrlAuthorizationModule aborts the request and returns an HTTP 401 Unauthorized status. The FormsAuthenticationModule then converts the 401 into a 302 redirect to the login page. After the user authenticates via the login page, he is redirected back to ProtectedPage.aspx. This time the FormsAuthenticationModule identifies the user from the forms authentication ticket carried by the request (normally in a cookie), and since the visitor is now authenticated, the UrlAuthorizationModule permits access to the page.

Authorization Rules:
Authorization determines whether an identity should be granted access to a specific resource. Authorization rules are defined in the <authorization> element of the <system.web> section of the web.config file and apply to all of the ASP.NET resources in that directory and its sub directories (until overridden by another web.config file). There are two types of rules: allow and deny. Each rule can name users, roles (groups of users), or both. You can add a verbs attribute to create a rule that applies only to specific types of HTTP request (GET, POST, HEAD and DEBUG); a rule without a verbs attribute applies to every verb.
The basic structure of the authorization section is as follows:

You can add as many allow and deny rules as you want.
To deny access to all anonymous users, you can use a deny rule like this:

To allow access to all users you can use:

The question mark (?) is a wildcard that represents anonymous users, i.e. users with unknown identities. The asterisk (*) represents all users, authenticated and anonymous alike. You can add more than one rule in the authorization section.
Consider the following rule:

This rule set allows all users to access the resources, anonymous ones included. ASP.NET evaluates the rules from top to bottom and stops at the first rule that matches the current user: the first rule (allow all users) matches everyone, so the second rule (deny anonymous users) is never evaluated. Reversing the order fixes this: with the deny rule first, anonymous users are denied and all other (authenticated) users are allowed. Rule order is therefore a frequent cause of accidentally exposed pages; always place a deny rule before the broad allow rule it is meant to restrict.
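The basic structure, the ? and * wildcards, the verbs attribute and the ordering pitfall, brought together in one application-root web.config. This is an added example and not the post's own listing (which did not survive); Login.aspx and the Public directory are illustrative assumptions. The misordered variant is shown in a comment so the two orderings can be compared side by side:

```xml
<?xml version="1.0"?>
<!-- Added example: application-root Web.config (not the original post's listing).
     Login.aspx and the "Public" location are illustrative assumptions. -->
<configuration>
  <system.web>
    <!-- Forms authentication is assumed; it is what turns the 401 from the
         UrlAuthorizationModule into a 302 redirect to the login page. -->
    <authentication mode="Forms">
      <forms loginUrl="Login.aspx" />
    </authentication>

    <!-- Rules are evaluated top to bottom and the first matching <allow> or
         <deny> wins. Anything not matched falls through to the machine-level
         default, which is <allow users="*" />. -->
    <authorization>
      <!-- ? = anonymous (unauthenticated) users. -->
      <deny users="?" />
      <!-- Everyone who reaches this line is authenticated. -->
      <allow users="*" />
    </authorization>

    <!-- WRONG ORDER, do not use: the first rule matches everybody, including
         anonymous users, so the deny is never evaluated and the site is open.

      <authorization>
        <allow users="*" />
        <deny users="?" />
      </authorization>
    -->
  </system.web>

  <!-- A verbs restriction: anonymous visitors may read the Public directory
       (GET, HEAD) but may not submit forms (POST) to it. The verbs attribute
       limits the rule to the listed HTTP methods; a rule without it applies
       to every method (GET, POST, HEAD and DEBUG). -->
  <location path="Public">
    <system.web>
      <authorization>
        <deny users="?" verbs="POST" />
        <allow users="*" />
      </authorization>
    </system.web>
  </location>
</configuration>
```

Because the machine-level root web.config ends with allow users="*", a rule set that never reaches a matching deny grants access; that default is why the misordered variant opens the site rather than closing it.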

Controlling access to specific users:
You can grant access on the basis of individual user accounts.
Let us consider the following authorization rule.

This rule set allows access only to the listed users, i.e. amit, amitkumar and sandeep, and restricts all other users, even if they are authenticated. The restriction works because the allow rule is followed by a rule that denies all users (*); without that final deny, unlisted users would fall through to the default rule in the machine-level root web.config, which allows everyone.
Here is another example:

In this rule the listed users, i.e. amit, amitkumar and sandeep, are explicitly denied access. Let us take another example.

In the above example users amit and amitkumar are denied. The rule does not affect the user sandeep, because ASP.NET matches him against the rule that allows all users and does not read any further. Note that the deny rule must come before the allow-all rule; if the allow-all rule came first it would match amit and amitkumar too, and the deny rule would never be reached.
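The three user-based rule sets discussed above, as an added example that is not the post's own listing. The Admin, Blocked and Shared directory names are assumptions, and <location> is used only to keep the variants in one application-root web.config; each rule set could equally live in its own sub directory web.config:

```xml
<?xml version="1.0"?>
<!-- Added example (not the original post's listing). Directory names are
     assumptions; forms authentication is assumed to be configured. -->
<configuration>
  <!-- 1. Only the listed users may enter Admin. The trailing deny for "*"
        is what restricts everyone else (authenticated or not). Without it,
        unlisted users fall through to the machine-level <allow users="*" />. -->
  <location path="Admin">
    <system.web>
      <authorization>
        <allow users="amit,amitkumar,sandeep" />
        <deny users="*" />
      </authorization>
    </system.web>
  </location>

  <!-- 2. The listed users are explicitly denied; everyone else is allowed. -->
  <location path="Blocked">
    <system.web>
      <authorization>
        <deny users="amit,amitkumar,sandeep" />
        <allow users="*" />
      </authorization>
    </system.web>
  </location>

  <!-- 3. amit and amitkumar are denied; sandeep is not affected because he
        matches <allow users="*" /> and evaluation stops there. The deny must
        come first: if <allow users="*" /> were first it would match amit and
        amitkumar as well, and the deny would never be reached. -->
  <location path="Shared">
    <system.web>
      <authorization>
        <deny users="amit,amitkumar" />
        <allow users="*" />
      </authorization>
    </system.web>
  </location>
</configuration>
```

The names in users="..." are matched against User.Identity.Name, i.e. the name stored in the forms authentication ticket, so a user who logs in under an alias must be listed under the exact stored name. Maintaining such lists is the reason the page later recommends roles for larger user bases.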

Controlling access to specific sub directories:
You can set authorization rules for specific directories. You just need to add a web.config file to the sub directory containing the authorization rules you require.
Remember that a web.config file placed in a sub directory must not contain application-level settings such as <authentication>, <sessionState> or <httpModules>; those sections are only valid at the application root and cause a configuration error anywhere else. In fact it should contain only the authorization information, as shown below:

When you use authorization rules in specific directories, ASP.NET still reads the authorization rules from the parent directories, but it applies the sub directory rules first: the effective rule list for a request is the sub directory's rules, followed by the parent's, followed by the application root's, and finally the machine-level defaults (which end with allow users="*").
Let us clear this point using an example.
Suppose you have defined a rule in the root virtual directory as below:

And the sub directory contains the rule:

In this case user amitkumar will be able to access any resource in the root directory but no resource in the sub directory, because the sub directory's deny rule is evaluated before the root's allow rule.

If you reverse these rules, user amitkumar will be able to access the resources of the sub directory but not those of the root directory.

ASP.NET allows an unlimited hierarchy of sub directories, each with its own authorization rules, which makes real-world access requirements easy to express.
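The two-file arrangement described above, written out as an added example (not the post's listing). The sub directory name Reports and the page names Summary.aspx and Default.aspx are assumptions. The comments spell out the merged order that the UrlAuthorizationModule actually evaluates:

```xml
<!-- Added example (not the original post's listing). "Reports" is an assumed
     sub directory name. Two files are shown; each is its own Web.config. -->

<!-- File 1: Web.config in the application root -->
<configuration>
  <system.web>
    <authentication mode="Forms">
      <forms loginUrl="Login.aspx" />
    </authentication>
    <authorization>
      <allow users="amitkumar" />
      <deny users="*" />
    </authorization>
  </system.web>
</configuration>

<!-- File 2: Reports\Web.config (sub directory). Only authorization settings
     belong here; <authentication> and other application-level sections would
     raise a configuration error in a sub directory. -->
<configuration>
  <system.web>
    <authorization>
      <deny users="amitkumar" />
    </authorization>
  </system.web>
</configuration>

<!-- Effective rule list for a request to /Reports/Summary.aspx: sub directory
     rules first, then the parent, then the machine-level default.

        <deny users="amitkumar" />    from Reports\Web.config  (matches: denied)
        <allow users="amitkumar" />   from root Web.config
        <deny users="*" />            from root Web.config
        <allow users="*" />           machine-level root web.config

     For a request to /Default.aspx the first line is absent, so amitkumar hits
     the root allow and is admitted. Swapping the two rule sets (deny in the
     root, allow in Reports) reverses both outcomes, as described above. -->
```

Because the sub directory's rules are consulted first, a sub directory web.config can either tighten or loosen what the parent allows; review every nested web.config when auditing access, not just the root one.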

Controlling access to specified files:
Setting access permissions by directory is the cleanest and easiest approach. However, you can also restrict specific files by adding <location> tags to the web.config file. The path attribute of <location> is relative to the directory that holds the web.config file and may name a file or a sub directory.
Consider the following:

In the above setting all users, authenticated ones included, are denied access to the restrictedPage.aspx page.
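The <location> approach as an added example (not the original listing). restrictedPage.aspx is the page's own name; the Admin directory is an assumption. The example also shows allowOverride, the security-relevant companion of <location>: it prevents a web.config placed in a sub directory from loosening the rule set declared here:

```xml
<?xml version="1.0"?>
<!-- Added example (not the original post's listing). Application-root Web.config;
     the Admin directory is an assumed name. -->
<configuration>
  <system.web>
    <authentication mode="Forms">
      <forms loginUrl="Login.aspx" />
    </authentication>
    <!-- Site-wide default: any authenticated user. -->
    <authorization>
      <deny users="?" />
      <allow users="*" />
    </authorization>
  </system.web>

  <!-- One file: nobody may request it (deny "*"), not even authenticated users.
       path is relative to this Web.config's directory and may not contain "..". -->
  <location path="restrictedPage.aspx">
    <system.web>
      <authorization>
        <deny users="*" />
      </authorization>
    </system.web>
  </location>

  <!-- A directory restricted to the admin role. allowOverride="false" locks the
       settings for this path: an Admin\Web.config that declares its own
       <authorization> raises a configuration error instead of silently widening
       access. Role rules need <roleManager enabled="true" /> (see below). -->
  <location path="Admin" allowOverride="false">
    <system.web>
      <authorization>
        <allow roles="admin" />
        <deny users="*" />
      </authorization>
    </system.web>
  </location>
</configuration>
```

Without allowOverride="false", anyone who can write a web.config into the Admin directory (a deployment script, a file upload flaw, a careless developer) can replace the rule set, because sub directory rules are evaluated before the parent's.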

Controlling access for specific roles:
To make website security easier to manage, users are grouped into categories called roles. Suppose you need to manage an enterprise application that supports thousands of users; it would be impractical to apply restrictions to thousands of users individually. So users are grouped into roles, and a rule applied to a role applies to every user in that role. You can create as many roles as you want.
When you use role based authorization, you must enable the roleManager in the <system.web> section of the web.config file. Without it, a forms-authenticated user's principal carries no role information, so role-based rules silently never match.

For example, the following authorization rules allow access to two users, amit and amitkumar, and to two roles, admin and management; all other users are denied.
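The role manager setting together with that rule set, as an added example that is not the post's own listing. The connection string (pointing the default SQL role provider at a local membership database) is an assumption and must be adjusted to the actual environment:

```xml
<?xml version="1.0"?>
<!-- Added example (not the original post's listing). Application-root Web.config. -->
<configuration>
  <connectionStrings>
    <!-- Assumed: the default SqlRoleProvider reads the "LocalSqlServer"
         connection string from machine.config; override it here to point at
         the application's ASP.NET membership database. -->
    <remove name="LocalSqlServer" />
    <add name="LocalSqlServer"
         connectionString="Data Source=.\SQLEXPRESS;Initial Catalog=aspnetdb;Integrated Security=True"
         providerName="System.Data.SqlClient" />
  </connectionStrings>

  <system.web>
    <authentication mode="Forms">
      <forms loginUrl="Login.aspx" />
    </authentication>

    <!-- Required for the roles attribute to mean anything under forms
         authentication: the RoleManagerModule attaches the user's roles to
         the principal on every request. Leave it disabled and every
         <allow roles="..."> below fails to match. -->
    <roleManager enabled="true" defaultProvider="AspNetSqlRoleProvider" />

    <authorization>
      <!-- Named users first, then roles, then deny everyone else. Each
           attribute is a comma-separated list; users and roles may also be
           combined on a single rule, which then matches on either. -->
      <allow users="amit,amitkumar" />
      <allow roles="admin,management" />
      <deny users="*" />
    </authorization>
  </system.web>
</configuration>
```

The trailing deny users="*" is again what makes the rule set a whitelist; a user who is neither listed nor in one of the two roles reaches it and is refused rather than falling through to the machine-level allow.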

ASP.NET makes it easy to define user- and role-based authorization rules. With just a bit of markup in web.config, specific web pages or entire directories can be locked down so that they are accessible only to a specified subset of users. Page-level functionality can also be turned on or off based on the currently logged in user, through both programmatic and declarative means.
