Managing URL Authorization Rules
Authorization is a method by which systems administrators can determine which resources and content are available to specific users. Authorization relies on authentication to validate the identity of a user. Once the identity has been proven, authorization rules determine which actions a user or computer can perform. IIS provides methods of securing different types of content using URL-based authorization. Because Web content is generally requested using a URL that includes a full path to the content being requested, you can configure authorization settings easily, using IIS Manager.
Creating URL Authorization Rules
To enable URL authorization, the UrlAuthorizationModule must be enabled. Authorization rules can be configured at the level of the Web server, for specific Web sites, for specific Web applications, and for specific files (based on a complete URL path). URL authorization rules use inheritance so that lower-level objects inherit authorization settings from their parent objects (unless they are specifically overridden).
To configure authorization settings, select the appropriate object in the left pane of IIS Manager, and then select Authorization Rules in Features View. Figure 6 shows an example of multiple rules configured for a Web site.
There are two types of rules: Allow and Deny. You can create new rules by using the Add Allow Rule and Add Deny Rule commands in the Actions pane. The available options for both types of rules are the same. (See Figure 7.) When creating a new rule, the main setting is to determine to which users the rule applies. The options are:
When you choose to specify users or groups to which the rule applies, you can type the appropriate names in a comma-separated list. The specific users and groups are defined using .NET role providers. This is a standard feature that is available to ASP.NET Web developers. Developers can create their own roles and user accounts and can define permissions within their applications. Generally, information about users and roles is stored in a relational database or relies on a directory service such as Active Directory.
In addition to user and role selections, you can further configure an authorization rule based on specific HTTP verbs. For example, if you want to apply a rule only for POST commands (which are typically used to send information from a Web browser to a Web server), add only the POST verb to the rule.
Managing Rule Inheritance
As mentioned earlier in this section, authorization rules are inherited automatically by lower-level objects. This is useful when your Web site and Web content are organized hierarchically based on intended users or groups. The Entry Type column shows whether a rule has been inherited from a higher level or whether it has been defined locally. IIS Manager will automatically prevent you from creating duplicate rules. You can remove rules at any level, including both Inherited and Local entry types.
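The Allow and Deny rules, verb restrictions, and inheritance override described in the two sections above, written as the web.config that IIS Manager produces for a site root. This is an added example, not a file from the original text; the role names ContentEditors and Administrators and the Admin folder path are assumptions, and the roles must exist in whatever role provider the site uses.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example (names assumed): URL authorization rules for a site root. -->
<configuration>
  <system.webServer>
    <security>
      <authorization>
        <!-- Remove the server-level default rule (Allow all users) inherited from
             applicationHost.config, so only the rules declared here apply.
             With no matching Allow rule, a request is denied. -->
        <remove users="*" roles="" verbs="" />
        <!-- "?" is the anonymous user: deny anonymous access for every verb. -->
        <add accessType="Deny" users="?" />
        <!-- "*" is all users: anyone who authenticated may read, but only via GET. -->
        <add accessType="Allow" users="*" verbs="GET" />
        <!-- Only members of the ContentEditors role may POST (submit forms). -->
        <add accessType="Allow" roles="ContentEditors" verbs="POST" />
      </authorization>
    </security>
  </system.webServer>

  <!-- Lower-level override: the Admin folder discards the inherited rules
       (these would show as Entry Type "Local" in IIS Manager). -->
  <location path="Admin">
    <system.webServer>
      <security>
        <authorization>
          <clear />
          <!-- All verbs, but only for the Administrators role. -->
          <add accessType="Allow" roles="Administrators" />
        </authorization>
      </security>
    </system.webServer>
  </location>
</configuration>
```

Every rule here depends on authentication having already identified the caller; if only anonymous authentication is enabled on the site, the Deny for "?" blocks all requests to the root, which is the expected failure mode rather than an unintended grant.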