
Controlling access with web.config

I am trying to control access to my website with Windows integrated.

<?xml version="1.0"?>
<configuration>
  <system.web>
    <authentication mode="Windows"/>
    <authorization>
      <deny users="?"/>
      <allow roles="DOMAIN\The_group_that_can_access_it"/>
    </authorization>
    ...
  </system.web>
</configuration>

Except that this code isn't working. I can access it whether I'm a member of that group or not. What is wrong?

I looked through some code, and thought maybe I needed to switch the ? for a *, but then that seems to just deny everything.

Thanks,


You do not have an explicit deny statement; you should add the following entry to the end of the declarations:

<deny users="*" />

And you can remove the <deny users="?"/> which is denying unauthenticated users. The final <deny users="*" /> will deny them anyway. Then only your group should have access. The final outcome should be:

<authorization>
    <allow roles="DOMAIN\The_group_that_can_access_it"/>
    <deny users="*"/>
</authorization>

As a rule of thumb, always close out your access control lists with an explicit deny all, or deny any any.
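
To make the rule ordering concrete, here is an added Python sketch (not code from the original post) that models ASP.NET URL authorization as first-match-wins over the three rule sets discussed above. It assumes the inherited machine-level default `<allow users="*"/>` is evaluated after the site's own rules; the accounts `DOMAIN\alice` and `DOMAIN\bob` are constructed sample values.

```python
import xml.etree.ElementTree as ET

GROUP = r"DOMAIN\The_group_that_can_access_it"
# Assumption: the machine-level default rule that the site config inherits.
INHERITED = ET.fromstring('<allow users="*"/>')

# The question's rules, the "? swapped for *" attempt, and the answer's fix.
ORIGINAL = rf'<authorization><deny users="?"/><allow roles="{GROUP}"/></authorization>'
SWAPPED = rf'<authorization><deny users="*"/><allow roles="{GROUP}"/></authorization>'
FIXED = rf'<authorization><allow roles="{GROUP}"/><deny users="*"/></authorization>'

def _split(value):
    """Split a comma-separated attribute into lower-cased entries."""
    return [v.strip().lower() for v in value.split(",") if v.strip()]

def _matches(rule, user, roles):
    """True if the rule names this user (or * / ?) or one of the user's roles."""
    for u in _split(rule.get("users", "")):
        if u == "*" or (u == "?" and user is None):
            return True
        if user is not None and u == user.lower():
            return True
    if user is not None:
        held = {r.lower() for r in roles}
        return any(r in held for r in _split(rule.get("roles", "")))
    return False

def is_allowed(authorization_xml, user, roles=()):
    """First matching rule decides; user=None models an anonymous request.
    Simplified model: the 'verbs' attribute is ignored."""
    rules = list(ET.fromstring(authorization_xml)) + [INHERITED]
    for rule in rules:
        if _matches(rule, user, roles):
            return rule.tag == "allow"
    return False

def outcomes(authorization_xml):
    """(group member, authenticated non-member, anonymous) access results."""
    return (
        is_allowed(authorization_xml, r"DOMAIN\alice", [GROUP]),  # constructed
        is_allowed(authorization_xml, r"DOMAIN\bob", []),         # constructed
        is_allowed(authorization_xml, None),
    )

if __name__ == "__main__":
    for name, cfg in (("original", ORIGINAL), ("swapped", SWAPPED), ("fixed", FIXED)):
        print(name, outcomes(cfg))
```

In the original rule set the authenticated non-member matches neither site rule and falls through to the inherited allow, which is why the closing `<deny users="*"/>` is needed.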
