Authorization refers to the process of identifying the resources that you are allowed to access. You control authorization by adding an authorization element to a web configuration file. Authorization works the same way regardless of the type of authentication that is enabled. In other words, you configure authorization in the same way when using Forms, Windows, and .NET Passport authentication. Typically, you place all the pages that you want to password-protect in a separate folder. If you add a web configuration file to the folder, then the settings in the web configuration file apply to all pages in the folder and all subfolders. For example, if you add the web configuration file in Listing 21.10 to a folder, then unauthenticated users are blocked from accessing pages in the folder.

Listing 21.10. SecretFiles\Web.Config
If you add the file in Listing 21.10 to a folder, then unauthenticated users cannot access any pages in the folder. When Forms authentication is enabled, unauthenticated users are automatically redirected to the Login page. The web configuration file in Listing 21.9 contains an authorization element that contains a single authorization rule. The configuration file denies access to anonymous users. The ? symbol represents anonymous (unauthenticated) users. You can use the following two special symbols with the users attribute:
You also can assign a particular username, or a comma-delimited list of usernames, to the deny element. For example, the authorization element in Listing 21.11 allows access for a user named Jane, but denies access to anyone else (even authenticated users).

Listing 21.11. SecretFiles\Web.Config
The order of the authorization rules is important. The ASP.NET Framework uses a first-match algorithm. If you switched the allow and deny rules in Listing 21.11, then no one, not even Jane, would be allowed to access the pages in the folder.

Note: You can prevent anonymous users from accessing any page in an application by adding an authorization element to the application root web configuration file. In that case, anonymous users are still allowed to access the Login page. (Otherwise, no one would ever be able to log in when using Forms authentication.)

Visual Web Developer Note: If you prefer, you can configure authorization rules by using the Web Site Administration Tool. This tool provides you with a form interface for configuring authorization rules for different folders. You can open the Web Site Administration Tool by selecting the menu option Website, ASP.NET Configuration.

Authorizing by Role

When creating authorization rules, you can authorize by user role. For example, the web configuration file in Listing 21.12 prevents access to any pages in a folder by anyone except members of the Administrators role.

Listing 21.12. SecretFiles\Web.Config
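To make the first-match rule concrete, here is an added Python model (not the book's listings and not the framework's own implementation) that parses an authorization element and evaluates it as the text describes: first matching allow or deny wins, ? matches anonymous requests, * matches everyone, and roles are checked through the roles attribute. The web.config snippets are constructed from the descriptions of Listings 21.10 to 21.12, and the fall-through allow for a request that matches no rule is assumed to be the default inherited from the root configuration.

```python
import xml.etree.ElementTree as ET


def web_config(*rules):
    """Wrap <allow>/<deny> rules in a minimal web.config skeleton (constructed input)."""
    body = "\n      ".join(rules)
    return ("<configuration>\n  <system.web>\n    <authorization>\n      "
            f"{body}\n    </authorization>\n  </system.web>\n</configuration>")


# Listing 21.10 as the text describes it: anonymous users (?) are denied.
DENY_ANONYMOUS = web_config('<deny users="?" />')
# Listing 21.11 as the text describes it: Jane is allowed, everyone else (*) is denied.
JANE_ONLY = web_config('<allow users="Jane" />', '<deny users="*" />')
# The same two rules with the order swapped: deny-everyone now matches first.
JANE_ONLY_SWAPPED = web_config('<deny users="*" />', '<allow users="Jane" />')
# Listing 21.12 as the text describes it: only members of the Administrators role get in.
ADMINS_ONLY = web_config('<allow roles="Administrators" />', '<deny users="*" />')


def _split(attr):
    """Turn a comma-delimited attribute value into a list of trimmed names."""
    return [v.strip() for v in attr.split(",") if v.strip()]


def load_rules(config_xml):
    """Return the <allow>/<deny> rules in document order as (verb, users, roles) tuples."""
    auth = next(ET.fromstring(config_xml).iter("authorization"))
    return [(rule.tag, _split(rule.get("users", "")), _split(rule.get("roles", "")))
            for rule in auth]


def rule_matches(users, roles, name, user_roles):
    """'*' matches everyone, '?' only anonymous requests; otherwise match by name or role."""
    anonymous = not name
    for user in users:
        if user == "*" or (user == "?" and anonymous):
            return True
        if not anonymous and user.lower() == name.lower():
            return True
    held = {r.lower() for r in user_roles}
    return not anonymous and any(r.lower() in held for r in roles)


def is_authorized(config_xml, name, user_roles=()):
    """First matching rule decides; no match falls through to the assumed default allow."""
    for verb, users, roles in load_rules(config_xml):
        if rule_matches(users, roles, name, user_roles):
            return verb == "allow"
    return True


if __name__ == "__main__":
    for label, cfg in (("Jane first", JANE_ONLY), ("deny first", JANE_ONLY_SWAPPED)):
        print(f"{label}: Jane -> {is_authorized(cfg, 'Jane')}, Bob -> {is_authorized(cfg, 'Bob')}")
```

Running the script shows the ordering trap from the text: with the deny rule first, Jane is locked out along with everyone else.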
When Forms authentication is enabled, the role refers to a custom role. In the final section of this chapter, "Using the Role Manager," you learn how to configure and create custom roles. When Windows authentication is enabled, the role refers to a Microsoft Windows group.

Authorizing Files by Location

By default, authorization rules are applied to all pages in a folder and all subfolders. However, you also have the option of using the location element with the authorization element. The location element enables you to apply a set of authorization rules to a folder or page at a particular path. For example, imagine that you want to password-protect one, and only one, page in a folder. In that case, you can use the location element to specify the path of the single page. The web configuration file in Listing 21.13 password-protects a page named Secret.aspx.

Listing 21.13. Web.Config
You also can use the location element to apply configuration settings to a particular subfolder. For example, the web configuration file in Listing 21.14 password-protects a folder named SecretFiles.

Listing 21.14. WEB.CONFIG
Using Authorization with Images and Other File Types

Authorization rules are applied only to files mapped into the ASP.NET Framework. The Visual Web Developer web server maps all file types to the ASP.NET Framework. Internet Information Server, on the other hand, maps only particular file types to the ASP.NET Framework. If you are using Internet Information Server, and you add an image to a password-protected folder, then users aren't blocked from requesting the image. By default, authorization rules apply only to ASP.NET file types such as ASP.NET pages. Files such as images, Microsoft Word documents, and classic ASP pages are ignored by the ASP.NET Framework. If you need to password-protect a particular type of static file, such as an image or Microsoft Word document, then you need to map the file's extension to the ASP.NET ISAPI extension. For example, follow these steps to enable authorization for .gif image files:
Figure 21.3. The Mappings tab in Internet Information Services (Windows XP).

After you complete these steps, requests for .gif images are passed to the ASP.NET Framework. You can then use authentication and authorization rules with .gif images. You can complete the same sequence of steps to password-protect other static file types, such as Microsoft Word documents, Excel spreadsheets, or video files.

Using Authorization with ASP Classic Pages

You can mix ASP.NET pages and ASP classic pages in the same application. However, normally ASP.NET pages and ASP classic pages live in parallel but separate universes. In particular, ASP.NET authentication and authorization are not applied to ASP classic pages. If you are using Internet Information Server 6 (available with Windows Server 2003), then you can map ASP classic pages into the ASP.NET Framework. In that case, you can apply ASP.NET authorization rules to ASP classic pages. Internet Information Server 6 supports a feature named wildcard application mappings. You can use a wildcard mapping to intercept requests for ASP classic pages and process the requests with the ASP.NET Framework. The ASP.NET Framework can then pass the request back to be executed by ASP classic. To enable wildcard mapping for ASP.NET, follow these steps:
Figure 21.4. Enabling wildcard mappings in Internet Information Services (Windows Server 2003).

After you complete these steps, all files, not only ASP classic files, are mapped to the ASP.NET Framework. You can use ASP.NET authorization rules to password-protect ASP classic pages in the same way that you can use these rules to password-protect ASP.NET pages. The authorization rules also work with image files, Microsoft Word documents, and any other type of file.