Why is <deny users="?" /> included in the following example?
The ? wildcard represents unauthenticated users while * represents all users, authenticated and unauthenticated. My book shows the following example of URL authorization:
<authorization>
<deny users="?" />
<allow users="dan,matthew" />
<deny users="*" />
</authorization>
But doesn't the above code have the same effect as:
<authorization>
<allow users="dan,matthew" />
<deny users="*" />
</authorization>
or did the author also include the <deny users="?" /> rule for a reason?
ASP.NET grants access from the configuration file as a matter of precedence. In case of a potential conflict, the first occurring grant takes precedence. So, <deny users="?" /> denies access to the anonymous user. Then <allow users="dan,matthew" /> grants access to those users. Finally, it denies access to everyone. This shakes out as everyone except dan and matthew being denied access.
Edited to add: and as @Deviant points out, denying access to unauthenticated users is pointless, since the last entry includes unauthenticated users as well. A good blog entry discussing this topic can be found at: Guru Sarkar's Blog
"At run time, the authorization module iterates through the allow and deny elements, starting at the most local configuration file, until the authorization module finds the first access rule that fits a particular user account. Then, the authorization module grants or denies access to a URL resource depending on whether the first access rule found is an allow or a deny rule. The default authorization rule is <allow users="*" />. Thus, by default, access is allowed unless configured otherwise."
Article at MSDN
In your 1st example, deny * will not affect dan and matthew since they were already allowed by the preceding rule.
According to the docs, there is no difference between your 2 rule sets.
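A small simulation of the first-match evaluation that both answers above describe, added here as an example; it is not code from the question, the answers, or ASP.NET itself. It assumes a single <authorization> section (no merging with parent web.config files), the documented meaning of ?, *, and comma-separated users, roles and verbs attributes, and case-insensitive name matching (an assumption). The user names and the third and fourth rule sets are constructed for the demonstration; the first two are the question's own.

```python
"""Simulate ASP.NET URL authorization: the first <allow>/<deny> rule that
matches the request decides, and no match falls back to the implicit default
<allow users="*" />.  Example code, not ASP.NET's own implementation."""
import xml.etree.ElementTree as ET
from typing import Iterable, Optional

ANONYMOUS = None  # an unauthenticated request has no user name


def _names(attr: Optional[str]) -> set:
    """Split a comma-separated attribute value into a set of lower-cased names."""
    if not attr:
        return set()
    return {n.strip().lower() for n in attr.split(",") if n.strip()}


def _rule_matches(rule: ET.Element, user: Optional[str], roles: set, verb: str) -> bool:
    """Does this <allow>/<deny> element apply to the request?"""
    users = _names(rule.get("users"))
    rule_roles = _names(rule.get("roles"))
    verbs = _names(rule.get("verbs"))
    if verbs and verb.lower() not in verbs:      # no verbs attribute = every HTTP method
        return False
    if "*" in users:                             # everyone, authenticated or not
        return True
    if "?" in users and user is ANONYMOUS:       # only unauthenticated requests
        return True
    if user is not ANONYMOUS:
        if user.lower() in users:                # assumption: names compare case-insensitively
            return True
        if rule_roles & {r.lower() for r in roles}:
            return True
    return False


def is_allowed(config_xml: str, user: Optional[str],
               roles: Iterable[str] = (), verb: str = "GET") -> bool:
    """Evaluate one <authorization> section for one request; first match wins."""
    root = ET.fromstring(config_xml)
    section = root if root.tag == "authorization" else root.find(".//authorization")
    if section is None:
        return True
    for rule in section:
        if rule.tag in ("allow", "deny") and _rule_matches(rule, user, set(roles), verb):
            return rule.tag == "allow"
    return True  # nothing matched: the implicit default <allow users="*" /> applies


# The two rule sets from the question.
BOOK_RULES = """<authorization>
  <deny users="?" />
  <allow users="dan,matthew" />
  <deny users="*" />
</authorization>"""

SHORT_RULES = """<authorization>
  <allow users="dan,matthew" />
  <deny users="*" />
</authorization>"""

# Constructed: the case where <deny users="?" /> is the rule doing the work.
AUTHENTICATED_ONLY = """<authorization>
  <deny users="?" />
  <allow users="*" />
</authorization>"""

# Constructed: the same two rules in the wrong order.
WRONG_ORDER = """<authorization>
  <allow users="*" />
  <deny users="?" />
</authorization>"""

# Constructed request principals: anonymous, the two listed users, one stranger.
SUBJECTS = [ANONYMOUS, "dan", "Matthew", "alice"]


def decisions(config_xml: str) -> dict:
    """Map each constructed subject to the allow/deny decision for a GET."""
    return {(s or "<anonymous>"): is_allowed(config_xml, s) for s in SUBJECTS}


if __name__ == "__main__":
    for name, cfg in [("book", BOOK_RULES), ("short", SHORT_RULES),
                      ("authenticated-only", AUTHENTICATED_ONLY), ("wrong-order", WRONG_ORDER)]:
        print(name, decisions(cfg))
```

The book's rule set and the shorter one produce identical decisions for every subject, which is the point of the answers above. The third set shows where <deny users="?" /> does earn its keep: when the rule after it is an allow that would otherwise match anonymous requests, such as <allow users="*" />. The fourth set shows the failure mode worth checking for in a real web.config: the same two rules with the allow first let anonymous requests through, because the first matching rule wins and <deny users="?" /> is never reached.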
Example 1 is for ASP.NET applications using forms authentication. This is common practice for internet applications because the user is unauthenticated until they are authenticated against some security module.
Example 2 is for ASP.NET applications using Windows authentication. Windows Authentication uses Active Directory to authenticate users. This will prevent access to your application. I use this feature on intranet applications.
See these two links:
deny Element for authorization (ASP.NET Settings Schema)
http://msdn.microsoft.com/en-us/library/vstudio/8aeskccd%28v=vs.100%29.aspx
allow Element for authorization (ASP.NET Settings Schema):
http://msdn.microsoft.com/en-us/library/vstudio/acsd09b0%28v=vs.100%29.aspx