Why is <deny users="?" /> included in the following example?


Question

The ? wildcard represents unauthenticated users while * represents all users, authenticated and unauthenticated. My book shows the following example of URL authorization:

<authorization>
  <deny users="?" />
  <allow users="dan,matthew" />
  <deny users="*" />
</authorization>

But doesn't the above code have the same effect as:

<authorization>
  <allow users="dan,matthew" />
  <deny users="*" />
</authorization>

Or did the author also include the <deny users="?" /> rule for a reason?

Recommended answer

ASP.NET grants access from the configuration file as a matter of precedence. In case of a potential conflict, the first occurring grant takes precedence. So,

deny users="?"

denies access to the anonymous user. Then

allow users="dan,matthew" 

grants access to that user. Finally, it denies access to everyone. This shakes out as everyone except dan,matthew is denied access.

Edited to add: and as @Deviant points out, denying access to unauthenticated is pointless, since the last entry includes unauthenticated as well. A good blog entry discussing this topic can be found at: Guru Sarkar's Blog
