问题
If I put something like this in my ASP.NET web application's web.config:
<authorization>
<allow roles="MyUsers" />
<deny users="*" />
</authorization>
and then have an ActiveDirectory group SpecialGroup that is inside MyUsers, will a member of SpecialGroup be allowed to access my application?
回答1:
Yes, it will. When you log on, a security token is constructed containing details of all¹ of the groups you're a member of, and that includes all nested groups. That token is what's used to determine access. This is why you have to log off and on when you're added to a group.
But just to be sure, I tested it on on of my sites and it worked as described.
¹ actually, it's possible to be in so many groups that they won't all fit in the token (which has a limited size) in which case, your token contains the first 'n' groups (which depends on the order returned by the domain controller, so you can see some odd behaviour).
来源:https://stackoverflow.com/questions/1129008/does-authorization-in-web-config-check-sub-groups-as-well