Controlling access with web.config

I am trying to control access to my website with windows integrated.

<?xml version="1.0"?>
<configuration>
 <system.web>
  <authentication mode="Windows"/>
   <authorization>
     <deny users="?"/>
     <allow roles="DOMAIN\The_group_that_can_access_it"/>
   </authorization>
   ...
 </system.web>
</configuration>

Except that, this code isn't working. I can access it if im a member of that group or not. What is wrong?

I looked th开发者_如何学运维rough some code, and thought maybe I needed to switch the ? for a *, but then that seems to just deny everything.

Thanks,

You do not have an explicit deny statement, you should add the following entry to the end of the declarations:

<deny users="*" />

And you can remove the <deny users="?"/> which is denying unauthenticated users. The final <deny users="*" /> will deny them anyway. Then only your group should have access. The final outcome should be:

<authorization>
    <allow roles="DOMAIN\The_group_that_can_access_it"/>
    <deny users="*"/>
</authorization>

As a rule of thumb, always close out your access control lists with an explicit deny all, or deny any any.