Authorisation rule precedence in web.config

What will happen if the <authorization /> elements in a web.config conflict?

<?xml version="1.0"?>
<configuration>
  <system.web>
    <authentication mode="Windows"/>
    <authorization>
      <allow users="*" />
      <deny users="*" />
    </authorization>
  </system.web>
</configuration>

Most people that know anything about ASP.NET will realise that the authorisation rules are evaluated in order (from MSDN: "the authorization module finds the first access rule that fits a particular user account"), so in this case the <allow /> will be evaluated first and all users will get access. Unfortunately, I am not one of these gifted people, and have been blissfully ignorant of this fact despite working with ASP.NET since its release in 2002*.

Feel free to express your ridicule in the comments :)

In other news related to both web.config and my ignorance, I discovered when reading up on this at MSDN that you can use <allow users="./SomeLocalAccount" /> to reference the current computer if you are using local machine accounts, which has come in handy for the stuff I am working on today.

* By way of excuse for the inexcusable, a lot of my ASP.NET work has relied on old-style NTFS permissions (long story), or very basic rules like deny ? and allow *, so I’ve never ended up thinking much about this. When pressed on the topic I thought the strongest condition might take precedence :-\
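
The first-match evaluation described above can be checked offline before a config is deployed. The following is an added example, not code from the original post or from ASP.NET: it models only the `users` attribute of a single file (roles, verbs, `<location>` elements and inherited parent configs are not modelled), and the function names and sample user names are made up for illustration.

```python
import xml.etree.ElementTree as ET

def config(rules):
    """Wrap a rule fragment in a minimal web.config (constructed sample input)."""
    return ("<configuration><system.web><authorization>" + rules +
            "</authorization></system.web></configuration>")

CONFLICTING = config('<allow users="*" /><deny users="*" />')  # rules from the post
DENY_FIRST = config('<deny users="?" /><allow users="alice" /><deny users="*" />')

def load_rules(xml_text):
    """Return the allow/deny rules as (action, users) pairs in document order."""
    section = ET.fromstring(xml_text).find("system.web/authorization")
    if section is None:
        return []
    return [(el.tag, [u.strip().lower() for u in el.get("users", "").split(",") if u.strip()])
            for el in section if el.tag in ("allow", "deny")]

def decide(rules, user=None):
    """First matching rule wins. user=None models an anonymous request.
    Returns 'allow', 'deny', or None when no rule in this file matches
    (the real runtime would then fall through to inherited rules)."""
    for action, users in rules:
        if "*" in users:                       # matches everyone
            return action
        if user is None and "?" in users:      # matches anonymous requests only
            return action
        if user is not None and user.lower() in users:
            return action
    return None

def shadowed(rules):
    """Rules that can never be reached because an earlier rule has users="*".
    Assumes no rule is narrowed by a verbs attribute (not modelled here)."""
    for i, (_, users) in enumerate(rules):
        if "*" in users:
            return rules[i + 1:]
    return []

if __name__ == "__main__":
    for name, text in (("conflicting", CONFLICTING), ("deny-first", DENY_FIRST)):
        rules = load_rules(text)
        print(name, "anonymous:", decide(rules), "bob:", decide(rules, "bob"),
              "unreachable:", shadowed(rules))
```

Any rule reported by `shadowed` is dead configuration; when it is a `deny`, the file grants more access than its author probably intended.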
