NGWS SDK Documentation  

This is preliminary documentation and subject to change.
To comment on this topic, please send us email at ngwssdk@microsoft.com. Thanks!

ASP+ Authorization

The purpose of authorization is to determine whether an identity should be granted the requested type of access to a given resource. Besides impersonation, ASP+ offers one other authorization method: URL authorization.

The URLAuthorizationModule maps users and roles to pieces of the URI namespace. This module implements both positive and negative authorization assertions. That is, the module can be used to selectively allow or deny particular sets of users or roles access to arbitrary parts of the URI namespace.

The URLAuthorizationModule is available for use at any time. You only need to place a list of users and/or roles in the <allow> or <deny> elements of the <authorization> section of a configuration file.

To establish the conditions for access to a particular directory, a configuration file that contains an <authorization> section must be placed in that directory. The conditions set for that directory also apply to its descendants, unless they are overridden by configuration files in the descendant directories. The general syntax for this section is as follows:

<[element] [users] [roles] [verbs] />

The element is required. At least one of the users or roles attributes must be included; both may be. The verbs attribute is optional.

The permissible elements are <allow> and <deny>, which grant and revoke access respectively. Each element supports three attributes, which are defined in the following table:

Attribute   Description
---------   -----------
users       Identifies the targeted identities for this element.
roles       Identifies the targeted roles for this element. The IPrincipal object associated with the request determines role membership. Arbitrary IPrincipal objects can be attached to the context for a given request, and they can determine role membership in whatever fashion they like. For example, the default WindowsPrincipal class uses Windows NT groups to determine role membership.
verbs       Defines the HTTP verbs to which the action applies (such as GET, HEAD, POST).

The following example grants access to Mary while denying it to John; anonymous users are also denied:

<security>
     <authorization>
          <allow users="Mary" />
          <deny users="John" />
          <deny users="?" />
     </authorization>
</security>

Both users and roles may refer to multiple entities using a comma-separated list:

<allow users="John, Mary, redmond\bar" />

In addition to identity names, there are two special identities: "*", which refers to all identities and "?", which refers to the anonymous identity. So, to allow John and deny everyone else, one might construct the following configuration section:

<security>
     <authorization>
          <allow users="John" />
          <deny users="*" />
     </authorization>
</security>

The following example lets everyone do a GET, but only Mary can use POST:

<security>
     <authorization>
          <allow verbs="GET" users="*" />
          <allow verbs="POST" users="Mary" />
          <deny verbs="POST" users="*" />
     </authorization>
</security>
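To make the behaviour of these sections concrete, the following added example (not code from the NGWS SDK or ASP+ itself) parses an <authorization> section and decides a request against it. It assumes what the examples above imply but the page does not spell out: rules are checked in document order, the first rule whose users/roles and verbs match the request decides the outcome, a request that matches no rule is allowed, and name, role and verb comparison is case-insensitive. The Principal and Rule types, the evaluate helper and the sample configurations are all constructed for this example.

```python
# Added example, not code from the NGWS SDK: a small evaluator for the
# <allow>/<deny> rules described above. Assumptions (the page's own
# heuristics are not shown): rules are checked in document order and the
# first rule whose users/roles and verbs match decides the outcome; a
# request that matches no rule is allowed; name, role and verb comparison
# is case-insensitive.
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import FrozenSet, List, Optional

EVERYONE = "*"   # special identity: all identities, anonymous included
ANONYMOUS = "?"  # special identity: the anonymous identity only


@dataclass
class Principal:
    """The identity attached to a request; name None models an anonymous request."""
    name: Optional[str]
    roles: FrozenSet[str] = frozenset()


@dataclass
class Rule:
    action: str        # "allow" or "deny"
    users: List[str]
    roles: List[str]
    verbs: List[str]   # empty list means the rule applies to every verb


def _split(value: Optional[str]) -> List[str]:
    """Parse a comma-separated attribute value such as "John, Mary, redmond\\bar"."""
    if not value:
        return []
    return [item.strip() for item in value.split(",") if item.strip()]


def parse_rules(config_xml: str) -> List[Rule]:
    """Collect <allow>/<deny> elements from an <authorization> section, in document order."""
    root = ET.fromstring(config_xml)
    rules = []
    for element in root.iter():
        if element.tag not in ("allow", "deny"):
            continue
        users = _split(element.get("users"))
        roles = _split(element.get("roles"))
        if not users and not roles:
            raise ValueError("<%s> needs a users or roles attribute" % element.tag)
        verbs = [v.upper() for v in _split(element.get("verbs"))]
        rules.append(Rule(element.tag, users, roles, verbs))
    return rules


def _identity_matches(rule: Rule, principal: Principal) -> bool:
    """True if the rule names this principal by identity ("*", "?" or a name) or by role."""
    for user in rule.users:
        if user == EVERYONE:
            return True
        if user == ANONYMOUS and principal.name is None:
            return True
        if principal.name is not None and user.lower() == principal.name.lower():
            return True
    principal_roles = {r.lower() for r in principal.roles}
    return any(role.lower() in principal_roles for role in rule.roles)


def is_allowed(rules: List[Rule], principal: Principal, verb: str) -> bool:
    """First matching rule wins; a request matching no rule is allowed (assumption)."""
    verb = verb.upper()
    for rule in rules:
        if rule.verbs and verb not in rule.verbs:
            continue  # rule is restricted to other HTTP verbs
        if _identity_matches(rule, principal):
            return rule.action == "allow"
    return True


# Constructed sample configurations: the Mary/John example above, and the
# verb example above extended with one roles rule.
CONFIG_MARY_JOHN = """
<security>
  <authorization>
    <allow users="Mary" />
    <deny users="John" />
    <deny users="?" />
  </authorization>
</security>
"""

CONFIG_VERBS = """
<security>
  <authorization>
    <allow roles="Administrators" />
    <allow verbs="GET" users="*" />
    <allow verbs="POST" users="Mary" />
    <deny verbs="POST" users="*" />
  </authorization>
</security>
"""


def evaluate(config_xml: str, name: Optional[str], verb: str, roles=()) -> bool:
    """Convenience wrapper: parse the section and decide a single request."""
    return is_allowed(parse_rules(config_xml), Principal(name, frozenset(roles)), verb)


if __name__ == "__main__":
    for who in ("Mary", "John", None, "Alice"):
        print(who, "GET ->", evaluate(CONFIG_MARY_JOHN, who, "GET"))
```

Running the block shows the point worth remembering about the first example: Mary is allowed and John and the anonymous identity are denied, but an authenticated user the section never mentions (Alice here) matches no rule and is therefore allowed under the default-allow assumption. A section that is meant to admit only named users needs a trailing <deny users="*" /> like the second example, which is why the "*" identity matters.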

Rules are applied using the following heuristics: