为什么为＆lt;拒绝用户=＆QUOT;＆QUOT; /＆GT;包括在下面的例子中？ [英] Why is <deny users="?" /> included in the following example?

问题描述

的？通配符重新presents未经身份验证的用户，而 * 重新presents所有用户，认证未经验证的和。我的书显示URL授权的下面的例子：

The ? wildcard represents unauthenticated users while * represents all users, authenticated and unauthenticated. My book shows the following example of URL authorization:

<authorization>
  <deny users="?" />
  <allow users="dan,matthew" />
  <deny users="*" />
</authorization>

结果
但没有上述code具有同样的效果：

But doesn’t the above code have the same effect as :

<authorization>
  <allow users="dan,matthew" />
  <deny users="*" />
</authorization>

还是没笔者还包括＆LT;？拒绝用户= /＆GT;的一个原因规则

推荐答案

从配置文件为precedence的问题ASP.NET授予访问权限。在一个潜在的冲突的情况下，第一次出现的许可取precedence。因此，

ASP.NET grants access from the configuration file as a matter of precedence. In case of a potential conflict, the first occurring grant takes precedence. So,

deny user="?" 

拒绝访问匿名用户。然后

denies access to the anonymous user. Then

allow users="dan,matthew" 

允许访问该用户。最后，它拒绝访问给大家。这动摇了，每个人都只是丹，马修将被拒绝访问。

grants access to that user. Finally, it denies access to everyone. This shakes out as everyone except dan,matthew is denied access.

编辑补充：和@Deviant指出，拒绝对未经验证的访问是没有意义的，因为最后一项包括未经验证的为好。一个好的博客文章讨论这个话题可以发现：<一href=\"http://weblogs.asp.net/gurusarkar/archive/2008/09/29/setting-authorization-rules-for-a-particular-page-or-folder-in-web-config.aspx\">Guru萨卡的博客

Edited to add: and as @Deviant points out, denying access to unauthenticated is pointless, since the last entry includes unauthenticated as well. A good blog entry discussing this topic can be found at: Guru Sarkar's Blog

这篇关于为什么为＆lt;拒绝用户=＆QUOT;＆QUOT; /＆GT;包括在下面的例子中？的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！