SyntaxFix

[asp.net] Why is <deny users="?" /> included in the following example?

The ? wildcard represents unauthenticated users while * represents all users, authenticated and unauthenticated. My book shows the following example of URL authorization:

<authorization>
  <deny users="?" />
  <allow users="dan,matthew" />
  <deny users="*" />
</authorization>


But doesn’t the above code have the same effect as :

<authorization>
  <allow users="dan,matthew" />
  <deny users="*" />
</authorization>

or did the author also include <deny users="?" /> rule for a reason?

This question is related to asp.net authentication asp.net-membership forms-authentication authorization

The answer is

ASP.NET grants access from the configuration file as a matter of precedence. In case of a potential conflict, the first occurring grant takes precedence. So, 

deny user="?"

denies access to the anonymous user. Then 

allow users="dan,matthew"

grants access to that user. Finally, it denies access to everyone. This shakes out as everyone except dan,matthew is denied access.

Edited to add: and as @Deviant points out, denying access to unauthenticated is pointless, since the last entry includes unauthenticated as well. A good blog entry discussing this topic can be found at: Guru Sarkar's Blog

"At run time, the authorization module iterates through the allow and deny elements, starting at the most local configuration file, until the authorization module finds the first access rule that fits a particular user account. Then, the authorization module grants or denies access to a URL resource depending on whether the first access rule found is an allow or a deny rule. The default authorization rule is . Thus, by default, access is allowed unless configured otherwise."

Article at MSDN

deny = * means deny everyone
deny = ? means deny unauthenticated users

In your 1st example deny * will not affect dan, matthew since they were already allowed by the preceding rule.

According to the docs, here is no difference in your 2 rule sets.

Example 1 is for asp.net applications using forms authenication. This is common practice for internet applications because user is unauthenticated until it is authentcation against some security module.

Example 2 is for asp.net application using windows authenication. Windows Authentication uses Active Directory to authenticate users. The will prevent access to your application. I use this feature on intranet applications.

See this two links:

deny Element for authorization (ASP.NET Settings Schema) http://msdn.microsoft.com/en-us/library/vstudio/8aeskccd%28v=vs.100%29.aspx

allow Element for authorization (ASP.NET Settings Schema): http://msdn.microsoft.com/en-us/library/vstudio/acsd09b0%28v=vs.100%29.aspx

Source: Stackoverflow.com

Examples related to asp.net

RegisterStartupScript from code behind not working when Update Panel is used You must add a reference to assembly 'netstandard, Version=2.0.0.0 No authenticationScheme was specified, and there was no DefaultChallengeScheme found with default authentification and custom authorization How to use log4net in Asp.net core 2.0 Visual Studio 2017 error: Unable to start program, An operation is not legal in the current state How to create roles in ASP.NET Core and assign them to users? How to handle Uncaught (in promise) DOMException: The play() request was interrupted by a call to pause() ASP.NET Core Web API Authentication Could not load file or assembly 'CrystalDecisions.ReportAppServer.CommLayer, Version=13.0.2000.0 WebForms UnobtrusiveValidationMode requires a ScriptResourceMapping for jquery

Examples related to authentication

Set cookies for cross origin requests How Spring Security Filter Chain works What are the main differences between JWT and OAuth authentication? http post - how to send Authorization header? ASP.NET Core Web API Authentication Token based authentication in Web API without any user interface Custom Authentication in ASP.Net-Core Basic Authentication Using JavaScript Adding ASP.NET MVC5 Identity Authentication to an existing project LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 52e, v1db1

Examples related to asp.net-membership

The required anti-forgery form field "__RequestVerificationToken" is not present Error in user Registration SQL Network Interfaces, error: 26 - Error Locating Server/Instance Specified Operand type clash: uniqueidentifier is incompatible with int Why is <deny users="?" /> included in the following example?

Examples related to forms-authentication

How to get the cookie value in asp.net website How to check user is "logged in"? ASP.NET Forms Authentication failed for the request. Reason: The ticket supplied has expired ASP.NET MVC - Set custom IIdentity or IPrincipal Why is <deny users="?" /> included in the following example? FormsAuthentication.SignOut() does not log the user out How to get the current user in ASP.NET MVC

Examples related to authorization

How to send custom headers with requests in Swagger UI? How do you create a custom AuthorizeAttribute in ASP.NET Core? ASP.NET Web API : Correct way to return a 401/unauthorised response How to get http headers in flask? How to define the basic HTTP authentication using cURL correctly? basic authorization command for curl MongoDB "root" user How to use basic authorization in PHP curl How to get user name using Windows authentication in asp.net? Python requests library how to pass Authorization header with single token

Tags

Line-by-line Busybox Variance Client-applications Struts1 Zsi Active-window Vertical-alignment Win32exception Tmail Inspections Cassini Integrated-pipeline-mode Edges Windows-scripting Capitalize Tcmalloc Invalid-url Axiom Allegro Storable Binding-expressions Lua-lanes Openxml Logout Boo Subsonic Transcoding Bcompiler Connection-timeout Mouse-coordinates Webhttp Entityset Autoboxing Cs4 Wysiwym Flartoolkit Radial Plesk Out-of-source Checkboxpreference Rowcommand Dllregistration Non-greedy Spell-checking Bwidget Raytracing Alternate-access-mappings Getdrivetype Qtip Boost-foreach Usenet Progress-db Gambit Parser-generator Request.servervariables Dropdownbox Open-atrium Jquery-blockui Mergefield Deserialization Elapsed Javascript-engine Npruntime Heredoc Text-align Entity-groups Generator Uinavigationcontroller Ssmtp Apple-push-notifications Junction-table Visual-assist Hosting Cobra Visual-sourcesafe-2005 Sgen Xmlcatalog Gnu-screen Contextmanager Factor-analysis Fuser Rd Cydia Typo3-tca Jlink Git-cvs Differential-equations Websphere-7 Gio Coclass Dynamic-resizing Marray Highcharts Nswindowcontroller Fieldmanager Transactional Jet-sql Bootp Galleria