What will happen if the <authorization /> elements in a web.config conflict?
<?xml version="1.0"?>
<configuration>
  <system.web>
    <authentication mode="Windows"/>
    <authorization>
      <allow users="*" />
      <deny users="*" />
    </authorization>
  </system.web>
</configuration>
Most people that know anything about ASP.NET will realise that the authorisation rules are evaluated in order (from MSDN: "the authorization module finds the first access rule that fits a particular user account"), so in this case the <allow /> will be evaluated first and all users will get access. Unfortunately, I am not one of these gifted people, and have been blissfully ignorant of this fact despite working with ASP.NET since its release in 2002*.
Feel free to express your ridicule in the comments :)
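The first-match behaviour quoted from MSDN above, modelled as an added example (not code from the original post or from ASP.NET). The function names are hypothetical, and the model is simplified: it reads only the users attribute (no roles or verbs) and assumes that a request matching no rule is allowed by the inherited default <allow users="*" />.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the conflicting rules from the post.
WEB_CONFIG = """<?xml version="1.0"?>
<configuration>
  <system.web>
    <authentication mode="Windows"/>
    <authorization>
      <allow users="*" />
      <deny users="*" />
    </authorization>
  </system.web>
</configuration>"""

def load_rules(config_xml):
    """Return [(action, [user patterns])] in document order."""
    authz = ET.fromstring(config_xml).find("system.web/authorization")
    if authz is None:
        return []
    # Assumption: user names are compared case-insensitively.
    return [(r.tag, [u.strip().lower() for u in r.get("users", "").split(",") if u.strip()])
            for r in authz if r.tag in ("allow", "deny")]

def rule_matches(patterns, user):
    """user is None for an anonymous request; '?' matches only anonymous."""
    if "*" in patterns:
        return True
    if user is None:
        return "?" in patterns
    return user.lower() in patterns

def is_allowed(rules, user):
    """The first matching rule decides; later rules are never consulted."""
    for action, patterns in rules:
        if rule_matches(patterns, user):
            return action == "allow"
    return True  # assumption: inherited default <allow users="*" />

def shadowed_rules(rules):
    """Indexes of rules that can never fire because an earlier rule matches '*'."""
    for i, (_, patterns) in enumerate(rules):
        if "*" in patterns:
            return list(range(i + 1, len(rules)))
    return []
```

Running shadowed_rules over a parsed config is a quick review check: any index it returns is a rule that reads as a restriction but is never evaluated.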
In other news related to both web.config and my ignorance, I discovered when reading up on this at MSDN that you can use <allow users="./SomeLocalAccount" /> to reference the current computer if you are using local machine accounts, which has come in handy for the stuff I am working on today.
* By way of excuse for the inexcusable, a lot of my ASP.NET work has relied on old-style NTFS permissions (long story), or very basic rules like deny ? and allow *, so I’ve never ended up thinking much about this. When pressed on the topic I thought the strongest condition might take precedence :-\