A lot of people have asked me in the past why they need an explicit <deny users="*" /> at the end of ASP.NET authorization control lists.
Let's demystify that.
ASP.NET has a hierarchical configuration system. The root web.config is stored in the .NET Framework directory. This web.config has the following global authorization settings:
<authorization>
  <allow users="*" />
</authorization>
When you create a new web application, all web.config settings (global, site and local) are merged together to form the configuration that's really in effect for this application. By default a local web.config does not contain an authorization section but inherits the one defined globally. So you always end up with an <allow users="*" /> entry.
If you now configure the following authorization list in your local config:
<authorization>
  <allow roles="HR" />
</authorization>
You really get this at runtime:
<authorization>
  <allow roles="HR" />
  <allow users="*" />
</authorization>
And this means everybody is authorized. If you add a <deny users="*" /> at the end of your list you get:
<authorization>
  <allow roles="HR" />
  <deny users="*" />
  <allow users="*" />
</authorization>
Which does exactly what we want (ASP.NET parses the list top to bottom and the first match found is used).
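To make the first-match rule concrete, here is an added example (not from the original post) that models how ASP.NET walks a merged <authorization> list. The two rule lists are constructed copies of the merged configurations shown above, and the matching logic for users, roles, "*" and "?" is my own reading of the ASP.NET semantics, written for illustration; it does not model the verbs attribute, and it falls through to deny when nothing matches, which never happens in practice because the inherited root rule always matches.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the effective (merged) configuration as described above.
# Local rules come first, the rule inherited from the root web.config comes last.
WITHOUT_DENY = """
<authorization>
  <allow roles="HR" />
  <allow users="*" />
</authorization>
"""

WITH_DENY = """
<authorization>
  <allow roles="HR" />
  <deny users="*" />
  <allow users="*" />
</authorization>
"""


def _matches(rule, user, roles, authenticated):
    """Return True if one <allow>/<deny> element applies to this caller.

    Models the users/roles attributes: "*" is everyone, "?" is the anonymous
    user, and both attributes are comma-separated lists. (Assumption: the
    verbs attribute is not modeled here.)
    """
    users = [u.strip() for u in rule.get("users", "").split(",") if u.strip()]
    rule_roles = [r.strip() for r in rule.get("roles", "").split(",") if r.strip()]
    caller_roles = {r.lower() for r in roles}
    for u in users:
        if u == "*":
            return True
        if u == "?" and not authenticated:
            return True
        if authenticated and u.lower() == user.lower():
            return True
    for r in rule_roles:
        if authenticated and r.lower() in caller_roles:
            return True
    return False


def is_authorized(config_xml, user, roles=(), authenticated=True):
    """Walk the merged rule list top to bottom; the first matching rule wins.

    This model denies if no rule matches at all; with the inherited
    <allow users="*" /> at the end of the list, the walk never falls through.
    """
    root = ET.fromstring(config_xml)
    for rule in root:
        if rule.tag not in ("allow", "deny"):
            continue
        if _matches(rule, user, roles, authenticated):
            return rule.tag == "allow"
    return False


if __name__ == "__main__":
    # Constructed callers: an HR member, a non-HR user and an anonymous request.
    for label, cfg in (("without deny", WITHOUT_DENY), ("with deny", WITH_DENY)):
        print(label)
        print("  alice (HR):    ", is_authorized(cfg, "alice", roles=("HR",)))
        print("  bob (Sales):   ", is_authorized(cfg, "bob", roles=("Sales",)))
        print("  anonymous:     ", is_authorized(cfg, "", authenticated=False))
```

Running it shows that without the explicit deny, bob and the anonymous caller are let through by the inherited rule, while with <deny users="*" /> in place only the HR member passes.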
You can have a look at the aggregated configuration that is currently in effect for your application with this piece of code:
using System;
using System.Configuration;
using System.Web.Configuration;

// Debugging aid: writes the fully merged configuration (root, site and local
// settings combined) to the path entered in _txtConfig. Note that the full
// configuration can include connection strings and other secrets, so keep
// the output file out of the web root.
protected void _btnSaveConfig_Click(object sender, EventArgs e)
{
    // "~" opens the configuration in effect for the application root
    Configuration config = WebConfigurationManager.OpenWebConfiguration("~");
    // ConfigurationSaveMode.Full with forceSaveAll = true writes every
    // setting, including the inherited ones, not just local overrides
    config.SaveAs(_txtConfig.Text, ConfigurationSaveMode.Full, true);
}