Controlling access with web.config
I am trying to control access to my website with Windows integrated.
<?xml version="1.0"?>
<configuration>
  <system.web>
    <authentication mode="Windows"/>
    <authorization>
      <deny users="?"/>
      <allow roles="DOMAIN\The_group_that_can_access_it"/>
    </authorization>
    ...
  </system.web>
</configuration>
Except that this code isn't working. I can access it if I'm a member of that group or not. What is wrong?
I looked through some code, and thought maybe I needed to switch the ? for a *, but then that seems to just deny everything.
Thanks,
You do not have an explicit deny statement; you should add the following entry to the end of the declarations:
<deny users="*" />
And you can remove the <deny users="?"/> which is denying unauthenticated users. The final <deny users="*" /> will deny them anyway. Then only your group should have access. The final outcome should be:
<authorization>
  <allow roles="DOMAIN\The_group_that_can_access_it"/>
  <deny users="*"/>
</authorization>
As a rule of thumb, always close out your access control lists with an explicit deny all, or deny any any.
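Why the original rules let everyone in, as an added example that is not part of the original answer: ASP.NET URL authorization checks rules top-down and stops at the first match, and a site's own rules are followed by the inherited default <allow users="*"/>. The Python sketch below is a simplified model of that evaluation, not ASP.NET's own code; the user names, the helper names and the SWAPPED variant (the asker's ? to * change) are constructed for illustration.

```python
import xml.etree.ElementTree as ET

GROUP = r"DOMAIN\The_group_that_can_access_it"
# Inherited root-level default: everyone is allowed unless an earlier rule matches.
INHERITED_DEFAULT = [("allow", {"users": "*"})]

ORIGINAL = rf'<authorization><deny users="?"/><allow roles="{GROUP}"/></authorization>'
SWAPPED = rf'<authorization><deny users="*"/><allow roles="{GROUP}"/></authorization>'
FIXED = rf'<authorization><allow roles="{GROUP}"/><deny users="*"/></authorization>'

def parse_rules(xml_text):
    """Site rules in document order, followed by the inherited default."""
    root = ET.fromstring(xml_text)
    return [(el.tag, dict(el.attrib)) for el in root] + INHERITED_DEFAULT

def _split(value):
    return [v.strip().lower() for v in value.split(",") if v.strip()]

def rule_matches(attrs, user, roles):
    """user is None for an anonymous request; roles is the caller's group list."""
    for entry in _split(attrs.get("users", "")):
        if entry == "*" or (entry == "?" and user is None):
            return True
        if user is not None and entry == user.lower():
            return True
    held = {r.lower() for r in roles}
    return any(r in held for r in _split(attrs.get("roles", "")))

def is_allowed(xml_text, user, roles=()):
    """The first matching rule decides; later rules are never consulted."""
    for action, attrs in parse_rules(xml_text):
        if rule_matches(attrs, user, roles):
            return action == "allow"
    return False  # only reached if the inherited allow-all were removed

if __name__ == "__main__":
    callers = [  # constructed sample callers
        ("anonymous", None, []),
        ("group member", r"DOMAIN\alice", [GROUP]),
        ("non-member", r"DOMAIN\bob", [r"DOMAIN\Other_group"]),
    ]
    for label, cfg in (("original", ORIGINAL), ("swapped", SWAPPED), ("fixed", FIXED)):
        for who, user, roles in callers:
            verdict = "allow" if is_allowed(cfg, user, roles) else "deny"
            print(f"{label:9} {who:13} {verdict}")
```

In the original configuration the authenticated non-member matches neither site rule and is admitted by the inherited allow-all, which is the behaviour described in the question.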