Web.Config Authorization for folder access
When managing access rules in the login module, is there an explicit deny all at the end?
Let's say I have two roles: Administrator and Member.
Administrators are allowed into the folder iPhone, and Members are allowed in the folder Blackberry.
I manage my rules and get the following code in each web.config:
"iPhone"
<system.web>
<authorization>
<allow roles="Administrator" />
</authorization>
</system.web>
"Blackberry"
<system.web>
<authorization>
<allow roles="Member" />
</authorization>
</system.web>
But can Administrators access the Blackberry folder and Members the iPhone folder? Or do I need to add a rule saying deny roles="Administrator" in the Blackberry folder and deny roles="Member" in the iPhone folder?
Thanks!!
I take it you mean using an ASP.net application...
Add in a:
<deny users="*" />
after your authorized users.
I think you should also be using user rather than role.
http://msdn.microsoft.com/en-us/library/wce3kxhd.aspx
When you create a new web application, all web.config settings (global, site and local) are merged together to form the configuration that's really in effect for this application. By default a local web.config does not contain an authorization section but inherits the one defined globally. So you always end up with an entry.
http://www.leastprivilege.com/ASPNETAuthorizationSettings.aspx
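The two answers above make the same point from different sides: the folder's own rules are evaluated first, then the inherited ones, and the first matching rule wins, so a folder web.config with only an allow entry still falls through to the global allow users="*". The script below is an added example, not code from either answer; it is a small model of that ASP.NET URL-authorization evaluation order (child rules before parent rules, first match wins, allow when nothing matches) run over constructed web.config fragments for the iPhone folder with and without the explicit deny. The config strings and the user names are made up for the demonstration.

```python
import xml.etree.ElementTree as ET

# Constructed config fragments (not the poster's files). GLOBAL_CONFIG stands in
# for the inherited machine/site-level authorization section.
GLOBAL_CONFIG = """<configuration><system.web><authorization>
  <allow users="*" />
</authorization></system.web></configuration>"""

# The poster's original iPhone folder config: allow only, no deny.
WEAK_IPHONE = """<configuration><system.web><authorization>
  <allow roles="Administrator" />
</authorization></system.web></configuration>"""

# The hardened folder config: allow, then deny everyone else.
FIXED_IPHONE = """<configuration><system.web><authorization>
  <allow roles="Administrator" />
  <deny users="*" />
</authorization></system.web></configuration>"""


def parse_rules(config_xml):
    """Return the (verb, users, roles) rules of a config's <authorization> section, in order."""
    root = ET.fromstring(config_xml)
    auth = next(root.iter("authorization"))
    rules = []
    for el in auth:
        if el.tag not in ("allow", "deny"):
            continue
        users = [u.strip() for u in el.get("users", "").split(",") if u.strip()]
        roles = [r.strip() for r in el.get("roles", "").split(",") if r.strip()]
        rules.append((el.tag, users, roles))
    return rules


def effective_rules(*configs):
    """Merge configs most-specific first, which is the order ASP.NET evaluates them."""
    rules = []
    for config in configs:
        rules.extend(parse_rules(config))
    return rules


def rule_matches(rule, user, user_roles, authenticated):
    """'*' is everyone, '?' is anonymous; names and roles only match authenticated users."""
    _, users, roles = rule
    for u in users:
        if u == "*":
            return True
        if u == "?" and not authenticated:
            return True
        if authenticated and u.lower() == user.lower():
            return True
    return authenticated and any(r in user_roles for r in roles)


def is_authorized(rules, user, user_roles, authenticated=True):
    """First matching rule decides; with no match, ASP.NET allows the request."""
    for rule in rules:
        if rule_matches(rule, user, user_roles, authenticated):
            return rule[0] == "allow"
    return True


def demo():
    weak = effective_rules(WEAK_IPHONE, GLOBAL_CONFIG)
    fixed = effective_rules(FIXED_IPHONE, GLOBAL_CONFIG)
    return {
        # A Member reaches the iPhone folder through the inherited allow users="*".
        "member_weak": is_authorized(weak, "bob", {"Member"}),
        # With the explicit deny, the Member is stopped before the inherited rule.
        "member_fixed": is_authorized(fixed, "bob", {"Member"}),
        "admin_fixed": is_authorized(fixed, "alice", {"Administrator"}),
        "anon_fixed": is_authorized(fixed, "", set(), authenticated=False),
    }


if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{name}: {'allowed' if allowed else 'denied'}")
```

The same pattern applies to the Blackberry folder with roles="Member" in the allow entry; the deny users="*" line is what keeps the other role out, so no per-role deny is needed in either folder.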