What will happen if the <authorization /> elements in a
<?xml version="1.0"?>
<configuration>
  <system.web>
    <authentication mode="Windows"/>
    <authorization>
      <allow users="*" />
      <deny users="*" />
    </authorization>
  </system.web>
</configuration>
Most people that know anything about ASP.NET will realise that the authorisation rules are evaluated in order (from MSDN: "the authorization module finds the first access rule that fits a particular user account"), so in this case the <allow /> will be evaluated first and all users will get access. Unfortunately, I am not one of these gifted people, and have been blissfully ignorant of this fact despite working with ASP.NET since its release in 2002*.
Feel free to express your ridicule in the comments :)
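The first-match behaviour quoted from MSDN above can be checked mechanically. The following is an added example, not code from the original post or from ASP.NET: a small audit sketch that walks the `<authorization>` rules in document order, reports the decision for a given user, and flags rules that sit behind a `users="*"` rule and so can never fire. It models only the `users` attribute; the function names, and the assumption that a request matching no rule falls through to an inherited allow-all default, are mine.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the rule order shown in the post.
WEB_CONFIG = """<?xml version="1.0"?>
<configuration>
  <system.web>
    <authentication mode="Windows"/>
    <authorization>
      <allow users="*" />
      <deny users="*" />
    </authorization>
  </system.web>
</configuration>"""

def load_rules(config_xml):
    """Return [(action, [user patterns])] in document order."""
    auth = ET.fromstring(config_xml).find("system.web/authorization")
    rules = []
    for el in (auth if auth is not None else []):
        if el.tag not in ("allow", "deny"):
            continue
        if el.get("roles") or el.get("verbs"):
            raise ValueError("roles/verbs are outside this sketch")
        users = [u.strip().lower() for u in el.get("users", "").split(",")]
        rules.append((el.tag, [u for u in users if u]))
    return rules

def matches(patterns, user):
    """user is an account name, or None for an anonymous request."""
    if user is None:
        return "*" in patterns or "?" in patterns
    return "*" in patterns or user.lower() in patterns

def decide(rules, user):
    """First matching rule wins; later rules are never consulted."""
    for action, patterns in rules:
        if matches(patterns, user):
            return action
    return "allow"  # assumption: inherited machine-level default allows all

def shadowed(rules):
    """Indexes of rules that follow a users="*" rule and so can never fire."""
    for i, (_, patterns) in enumerate(rules):
        if "*" in patterns:
            return list(range(i + 1, len(rules)))
    return []

if __name__ == "__main__":
    print(decide(load_rules(WEB_CONFIG), None), shadowed(load_rules(WEB_CONFIG)))
```

For the configuration in the post, every user (anonymous included) is allowed and the `<deny users="*" />` rule at index 1 is reported as unreachable.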
In other news related to both web.config and my ignorance, I discovered when reading up on this at MSDN that you can use <allow users="./SomeLocalAccount" /> to reference the current computer if you are using local machine accounts, which has come in handy for the stuff I am working on today.
* By way of excuse for the inexcusable, a lot of my ASP.NET work has relied on old-style NTFS permissions (long story), or very basic rules like deny ? and allow *, so I’ve never ended up thinking much about this. When pressed on the topic I thought the strongest condition might take precedence :-\