Using URL Authorization to Allow or Limit Access


URL Authorization is a feature that is enabled through modifications to the config file of an application or site. Using URL Authorization is rather simple; it requires the addition of at least one of two elements, allow and/or deny, to the authorization section of the web.config file. This section is typically found right under the authentication mode element. Listing 15.1 shows the configuration entry necessary to allow the user "Administrator" access and deny access to everyone else.

Listing 15.1 Partial web.config File
<authentication mode="Windows" />
<authorization>
    <allow users="Administrator" />
    <deny users="*" />
</authorization>

Notice in Listing 15.1 that even though we are allowing a single user, the attribute is users. Within the allow and deny elements, there are three optional attributes. Table 15.1 shows the possible values and how they will impact the application.

NOTE

Elements and attributes are case-sensitive. .NET will throw unknown element or attribute errors if this rule is broken.


Table 15.1. Attributes and Values for allow/deny Elements

Attribute   Possible Values
---------   ---------------
roles       Identifies a specific role for execution. This is done through an implicit creation of the IPrincipal class. The instance created is accessible via WindowsPrincipal or GenericPrincipal.
users       Specifies the identities that have access to this resource. If it is an NT/2000 account, make sure to include the domain name in the SAM format (i.e., domain\username).
verbs       Defines which HTTP actions are allowed. Examples of HTTP actions are GET, POST, HEAD, and PUT.

In addition to the information in Table 15.1, the users attribute has two wildcard values. The asterisk (*) represents all users who attempt to access the site. The question mark (?) represents anonymous users. In Listing 15.2, all users are allowed; in Listing 15.3, all users except anonymous are allowed. By default, anonymous users are part of all users, but they can be blocked very easily.

Listing 15.2 All Users Allowed Configuration
<authentication mode="Windows" />
<authorization>
    <allow users="*" />
</authorization>

Listing 15.3 All Users Except Anonymous Allowed Configuration
<authentication mode="Windows" />
<authorization>
    <allow users="*" />
    <deny users="?" />
</authorization>

It is worth noting that during this process, .NET creates an instance of the UrlAuthorizationModule class. This class inherits most of its members from object, but, like several objects derived from System.Web.Security, it also exposes a Dispose method that allows you to forcibly dump the object in the event of an error or perceived security breach. It does this by setting the response's StatusCode to 401 (Unauthorized) and calling HttpApplication.CompleteRequest.

Another element that can be used together with the authorization element is location. The location element names a file or directory; the authorization settings wrapped by the location tags apply to that file or directory only.

NOTE

One important difference between authorization and authentication is that authorization is URI-scoped, whereas authentication is application scoped. You can only have one authentication mode for an application, but you can have separate authorization settings for every URL in it if you want.


Perhaps one of the more interesting attributes is that of verbs. For example, some attacks are made on web servers by sending a GET request filled with bogus information and/or attempts to fill the memory of a machine with virus code. To prevent this, the web.config file can support denying GET requests to certain directories. Listing 15.4 illustrates denying GET and allowing POST. From there, it is not difficult to begin blending the users and the verbs. Listing 15.5 then shows how to allow a specific user and deny everyone else. Keep in mind that when using config files, rules are evaluated in the order listed within the web.config file, meaning that the first rule that matches the situation wins.

Listing 15.4 Deny GET and Allow POST to a Site
<authentication mode="Windows" />
<authorization>
    <allow verbs="POST" users="*" />
    <!-- an allow or deny element must carry a users or roles attribute -->
    <deny verbs="GET" users="*" />
</authorization>

Listing 15.5 Allowing Certain Users to GET , All Users to POST
<authentication mode="Windows" />
<authorization>
    <allow verbs="GET" users="Administrator" />
    <deny verbs="GET" users="*" />
    <allow verbs="POST" users="*" />
</authorization>

In Listings 15.4 and 15.5, it is important to notice that once an allow condition is met, no further checking is done.
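To see the two points made in this section together, the first-match ordering of allow/deny rules and the scoping of rules to a file or directory with the location element, the following added example (not code from the book or from ASP.NET itself) walks a web.config authorization section the way the chapter describes. It embeds a constructed web.config that carries Listing 15.5 at the application root plus a hypothetical location block for an "Admin" directory that denies anonymous users. The path matching, the case-insensitive comparison of names and verbs, and the "allow when no rule matches" default are simplifications assumed here, not taken from the page.

```python
"""First-match evaluator for ASP.NET <authorization> rules.

Added example, not the book's or ASP.NET's own code: it mimics how
UrlAuthorizationModule walks allow/deny rules (the first matching rule
wins, and rules inside a matching <location> block are consulted before
the inherited root rules) so that the effect of rule ordering, the * and ?
wildcards and the verbs attribute can be checked offline.
"""
import xml.etree.ElementTree as ET
from typing import Iterator, List, Optional

# Constructed web.config: Listing 15.5 at the root, plus a hypothetical
# <location> block that keeps anonymous users out of the Admin directory.
SAMPLE_WEB_CONFIG = """<?xml version="1.0"?>
<configuration>
  <system.web>
    <authentication mode="Windows" />
    <authorization>
      <allow verbs="GET" users="Administrator" />
      <deny verbs="GET" users="*" />
      <allow verbs="POST" users="*" />
    </authorization>
  </system.web>
  <location path="Admin">
    <system.web>
      <authorization>
        <deny users="?" />
      </authorization>
    </system.web>
  </location>
</configuration>
"""

ANONYMOUS = None  # an unauthenticated request carries no user name


def _split(attr: Optional[str]) -> List[str]:
    """Comma-separated attribute value -> lower-cased list (missing -> [])."""
    return [v.strip().lower() for v in (attr or "").split(",") if v.strip()]


def _auth_sections(parent: ET.Element) -> Iterator[ET.Element]:
    """Yield every <authorization> found under a <system.web> child."""
    for sw in parent:
        if sw.tag == "system.web":
            for child in sw:
                if child.tag == "authorization":
                    yield child


def parse_rules(auth_elem: ET.Element) -> List[tuple]:
    """<allow>/<deny> children as (action, users, roles, verbs) tuples,
    kept in document order because that order decides the outcome."""
    return [(child.tag, _split(child.get("users")),
             _split(child.get("roles")), _split(child.get("verbs")))
            for child in auth_elem if child.tag in ("allow", "deny")]


def effective_rules(config_xml: str, path: str) -> List[tuple]:
    """Rules that apply to `path`: matching <location> blocks first (the more
    specific configuration is consulted first), then the root rules."""
    root = ET.fromstring(config_xml)
    rules: List[tuple] = []
    wanted = path.strip("/").lower()
    for loc in root:
        loc_path = (loc.get("path") or "").strip("/").lower()
        if loc.tag == "location" and loc_path and wanted.startswith(loc_path):
            for auth in _auth_sections(loc):
                rules.extend(parse_rules(auth))
    for auth in _auth_sections(root):
        rules.extend(parse_rules(auth))
    return rules


def rule_matches(rule: tuple, user: Optional[str], roles: List[str], verb: str) -> bool:
    """Does this rule apply to the request? No verbs attribute = every verb;
    * = everyone (anonymous included), ? = anonymous only, else exact name."""
    _, users, rule_roles, verbs = rule
    if verbs and verb.lower() not in verbs:
        return False
    if "*" in users:
        return True
    if "?" in users and user is ANONYMOUS:
        return True
    if user is not ANONYMOUS and user.lower() in users:
        return True
    return any(r.lower() in rule_roles for r in roles)


def is_authorized(config_xml: str, path: str, user: Optional[str],
                  verb: str, roles: List[str] = ()) -> bool:
    """The first rule that matches decides; with no match the request is
    allowed, mirroring the machine-level default of <allow users="*" />."""
    for rule in effective_rules(config_xml, path):
        if rule_matches(rule, user, list(roles), verb):
            return rule[0] == "allow"
    return True


if __name__ == "__main__":
    for path, user, verb in [("Default.aspx", "Administrator", "GET"),
                             ("Default.aspx", "bob", "GET"),
                             ("Default.aspx", ANONYMOUS, "POST"),
                             ("Admin/Users.aspx", ANONYMOUS, "POST"),
                             ("Admin/Users.aspx", "bob", "POST")]:
        verdict = "allowed" if is_authorized(SAMPLE_WEB_CONFIG, path, user, verb) else "denied"
        print(f"{verb} {path} as {user or '<anonymous>'}: {verdict}")
```

Swapping the first two root rules (deny GET for * listed before allow GET for Administrator) makes the evaluator deny Administrator as well, which is the ordering trap the text warns about: the deny matches first, so the allow is never reached.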



.NET Framework Security
ISBN: 067232184X
Year: 2000
Pages: 235
