Question
The ? wildcard represents unauthenticated users while * represents all users, authenticated and unauthenticated. My book shows the following example of URL authorization:
<authorization>
<deny users="?" />
<allow users="dan,matthew" />
<deny users="*" />
</authorization>
But doesn’t the above code have the same effect as:
<authorization>
<allow users="dan,matthew" />
<deny users="*" />
</authorization>
or did the author also include <deny users="?" /> rule for a reason?
Answer 1:
ASP.NET grants access from the configuration file as a matter of precedence. In case of a potential conflict, the first occurring grant takes precedence. So,
deny users="?"
denies access to the anonymous user. Then
allow users="dan,matthew"
grants access to that user. Finally, it denies access to everyone. This shakes out as everyone except dan,matthew is denied access.
Edited to add: and as @Deviant points out, denying access to unauthenticated is pointless, since the last entry includes unauthenticated as well. A good blog entry discussing this topic can be found at: Guru Sarkar's Blog
Answer 2:
"At run time, the authorization module iterates through the allow and deny elements, starting at the most local configuration file, until the authorization module finds the first access rule that fits a particular user account. Then, the authorization module grants or denies access to a URL resource depending on whether the first access rule found is an allow or a deny rule. The default authorization rule is . Thus, by default, access is allowed unless configured otherwise."
Article at MSDN
deny = * means deny everyone
deny = ? means deny unauthenticated users
In your 1st example deny * will not affect dan, matthew since they were already allowed by the preceding rule.
According to the docs, there is no difference in your 2 rule sets.
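The first-match evaluation described in the quoted documentation, as an added example that is not part of the original answers or of ASP.NET itself. It models only the `users` attribute (no roles, verbs or configuration-file hierarchy) and compares names exactly; the user `alice` and the helper names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# The two rule sets from the question.
RULES_WITH_ANON_DENY = """
<authorization>
  <deny users="?" />
  <allow users="dan,matthew" />
  <deny users="*" />
</authorization>"""

RULES_WITHOUT_ANON_DENY = """
<authorization>
  <allow users="dan,matthew" />
  <deny users="*" />
</authorization>"""


def rule_matches(users_attr, user):
    """Does a users="..." list fit this user? user is None when anonymous."""
    for entry in (e.strip() for e in users_attr.split(",")):
        if entry == "*":
            return True              # everyone, authenticated or not
        if entry == "?":
            if user is None:
                return True          # unauthenticated users only
        elif user is not None and entry == user:
            return True              # explicitly named user
    return False


def is_allowed(config_xml, user):
    """Apply the first allow/deny rule that fits the user, top to bottom."""
    for rule in ET.fromstring(config_xml.strip()):
        if rule.tag in ("allow", "deny") and rule_matches(rule.get("users", ""), user):
            return rule.tag == "allow"
    return True  # no rule fits: access is allowed by default, per the quoted docs


def decisions(config_xml, users=(None, "dan", "matthew", "alice")):
    """Map each sample user (None = anonymous) to the allow/deny outcome."""
    return {u: is_allowed(config_xml, u) for u in users}


if __name__ == "__main__":
    for name, cfg in (("with deny ?", RULES_WITH_ANON_DENY),
                      ("without deny ?", RULES_WITHOUT_ANON_DENY)):
        print(name, decisions(cfg))
```

Both rule sets yield the same decision for every sample user: the anonymous request is denied either by `deny users="?"` or, when that rule is absent, by the final `deny users="*"`.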
Answer 3:
Example 1 is for ASP.NET applications using forms authentication. This is common practice for internet applications because the user is unauthenticated until it is authenticated against some security module.
Example 2 is for ASP.NET applications using Windows authentication. Windows Authentication uses Active Directory to authenticate users. The will prevent access to your application. I use this feature on intranet applications.
Answer 4:
See these two links:
deny Element for authorization (ASP.NET Settings Schema) http://msdn.microsoft.com/en-us/library/vstudio/8aeskccd%28v=vs.100%29.aspx
allow Element for authorization (ASP.NET Settings Schema): http://msdn.microsoft.com/en-us/library/vstudio/acsd09b0%28v=vs.100%29.aspx
Source: https://stackoverflow.com/questions/831994/why-is-deny-users-included-in-the-following-example