Why is <deny users="?" /> included in the following example?
Problem description
The ? wildcard represents unauthenticated users while * represents all users, authenticated and unauthenticated. My book shows the following example of URL authorization:
<authorization>
<deny users="?" />
<allow users="dan,matthew" />
<deny users="*" />
</authorization>
But doesn't the above code have the same effect as:
<authorization>
<allow users="dan,matthew" />
<deny users="*" />
</authorization>
Or did the author also include the <deny users="?" /> rule for a reason?
Recommended answer
ASP.NET grants access from the configuration file as a matter of precedence. In case of a potential conflict, the first occurring grant takes precedence. So, deny users="?" denies access to the anonymous user. Then allow users="dan,matthew" grants access to that user. Finally, it denies access to everyone. This shakes out as everyone except dan,matthew is denied access.
Edited to add: and as @Deviant points out, denying access to unauthenticated is pointless, since the last entry includes unauthenticated as well. A good blog entry discussing this topic can be found at: Guru Sarkar's Blog
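The first-match evaluation described in the answer, as an added example that is not part of the original post or of ASP.NET itself: a small Python model that runs both <authorization> sections from the question against the same set of users. The function names, the user "alice", the case-insensitive name comparison and the inherited_default parameter (standing in for the <allow users="*" /> that ASP.NET's root configuration supplies when no rule matches) are assumptions of this sketch.

```python
import xml.etree.ElementTree as ET

# The two <authorization> sections from the question, copied as-is.
BOOK = """<authorization>
<deny users="?" />
<allow users="dan,matthew" />
<deny users="*" />
</authorization>"""
SHORT = """<authorization>
<allow users="dan,matthew" />
<deny users="*" />
</authorization>"""


def rule_matches(pattern, user):
    """user is None for an anonymous request, else the authenticated name."""
    for entry in (p.strip() for p in pattern.split(",")):
        if entry == "*":                      # everyone, signed in or not
            return True
        if entry == "?":                      # anonymous requests only
            if user is None:
                return True
        elif user is not None and entry.lower() == user.lower():
            return True                       # assumed case-insensitive match
    return False


def decide(config_xml, user, inherited_default="allow"):
    """Walk the rules top to bottom; the first rule that matches decides.
    inherited_default is used only when no rule in this section matches."""
    for rule in ET.fromstring(config_xml):
        if rule.tag in ("allow", "deny") and rule_matches(rule.get("users", ""), user):
            return rule.tag
    return inherited_default


def compare(users):
    """Return {user: (decision under BOOK, decision under SHORT)}."""
    return {u: (decide(BOOK, u), decide(SHORT, u)) for u in users}


if __name__ == "__main__":
    # Constructed sample users: anonymous, the two named users, one other.
    for user, (book, short) in compare([None, "dan", "matthew", "alice"]).items():
        name = user or "(anonymous)"
        print(f"{name:12} book={book:5} short={short}")
```

Both sections produce the same decision for every user because the final deny users="*" already catches anonymous requests; in this model the deny users="?" rule only changes the outcome when that catch-all is absent and unmatched requests fall through to the inherited allow.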