Friday, February 22, 2013

Windows Server 2008 : Controlling Access to Web Services (p5) - Managing URL Authorization Rules


Managing URL Authorization Rules

Authorization is a method by which systems administrators can determine which resources and content are available to specific users. Authorization relies on authentication to validate the identity of a user. Once the identity has been proven, authorization rules determine which actions a user or computer can perform. IIS provides methods of securing different types of content using URL-based authorization. Because Web content is generally requested using a URL that includes a full path to the content being requested, you can configure authorization settings easily, using IIS Manager.

Creating URL Authorization Rules
To enable URL authorization, the URL Authorization module (UrlAuthorizationModule) must be installed and enabled. Authorization rules can be configured at the Web server level, for specific Web sites, for specific Web applications, and for specific files (based on a complete URL path). URL authorization rules use inheritance, so lower-level objects inherit the authorization settings of their parent objects unless those settings are specifically overridden.
To configure authorization settings, select the appropriate object in the left pane of IIS Manager, and then select Authorization Rules in Features View. Figure 6 shows an example of multiple rules configured for a Web site.

Figure 6. Viewing authorization rules for a Web site


There are two types of rules: Allow and Deny. You can create new rules by using the Add Allow Rule and Add Deny Rule commands in the Actions pane. The available options for both types of rules are the same. (See Figure 7.) When creating a new rule, the main setting determines which users the rule applies to. The options are:
  • All Users
  • All Anonymous Users
  • Specific Roles Or User Groups
  • Specific Users

Figure 7. Creating a new Allow Rule for a Web application

When you choose to specify users or groups to which the rule applies, you can type the appropriate names in a comma-separated list. The specific users and groups are defined using .NET role providers. This is a standard feature that is available to ASP.NET Web developers. Developers can create their own roles and user accounts and can define permissions within their applications. Generally, information about users and roles is stored in a relational database or relies on a directory service such as Active Directory.
In addition to user and role selections, you can further configure an authorization rule based on specific HTTP verbs. For example, if you want to apply a rule only for POST commands (which are typically used to send information from a Web browser to a Web server), add only the POST verb to the rule.
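The rules that IIS Manager creates through the dialogs above are stored in the application's web.config under system.webServer/security/authorization. The fragment below is a constructed example added here, not configuration from the article: it shows the four rule ingredients discussed so far (all users, anonymous users, roles, named users) together with a verb restriction. The application name "Orders", the role names OrderClerks and Managers, and the user accounts are assumptions; "*" and "?" are the IIS tokens for all users and anonymous users.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- Constructed example web.config for a hypothetical "Orders" Web application.
     Role names, user names and the application itself are assumptions. -->
<configuration>
  <system.webServer>
    <security>
      <authorization>
        <!-- The server-level default is "Allow all users" (users="*").
             Removing it here means only the rules below grant access to
             this application; a request matched by no Allow rule is refused.
             The users/roles/verbs attributes must match the inherited entry. -->
        <remove users="*" roles="" verbs="" />

        <!-- Allow rule restricted to the GET verb: clerks may read order
             pages but cannot submit forms to the application. -->
        <add accessType="Allow" roles="OrderClerks" verbs="GET" />

        <!-- Allow rule for a role with no verb restriction: managers may
             both read (GET) and submit data (POST). -->
        <add accessType="Allow" roles="Managers" />

        <!-- Allow rule for specific users, given as a comma-separated list. -->
        <add accessType="Allow" users="CONTOSO\jdoe, CONTOSO\auditor" />

        <!-- Deny rule for anonymous users ("?"): unauthenticated requests
             are refused regardless of path. -->
        <add accessType="Deny" users="?" />
      </authorization>
    </security>
  </system.webServer>
</configuration>
```

When auditing a site, compare the rules shown in IIS Manager with this section of web.config: a rule with an empty roles and users attribute set, or a surviving inherited "Allow all users" entry, is usually the reason content that was meant to be restricted remains reachable.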

Managing Rule Inheritance
As mentioned earlier in this section, authorization rules are inherited automatically by lower-level objects. This is useful when your Web site and Web content are organized hierarchically based on intended users or groups. The Entry Type column shows whether a rule has been inherited from a higher level or whether it has been defined locally. IIS Manager will automatically prevent you from creating duplicate rules. You can remove rules at any level, including both Inherited and Local entry types.
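Removing an inherited rule at a lower level is recorded in that level's own web.config, not by editing the parent. The constructed example below, added here and not taken from the article, is a web.config placed in a hypothetical "Admin" subfolder of an application: it clears every rule inherited from the parent and replaces them with Local entries, which is what IIS Manager writes when you delete the Inherited entries and add new ones. The folder and role names are assumptions.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- Constructed example: web.config inside the hypothetical "Admin" subfolder.
     Without this file the folder would simply inherit its parent's rules
     (Entry Type = Inherited in IIS Manager). -->
<configuration>
  <system.webServer>
    <security>
      <authorization>
        <!-- <clear /> discards all inherited rules for this folder and below.
             To drop a single inherited rule instead, use <remove> with the
             same users/roles/verbs attributes as the inherited entry, e.g.
             <remove users="" roles="OrderClerks" verbs="GET" />.
             Re-adding a rule identical to an inherited one is rejected as a
             duplicate, which is why the inherited set is cleared first. -->
        <clear />

        <!-- Local rules (Entry Type = Local): only the Managers role reaches
             anything under /Admin; anonymous users are refused explicitly. -->
        <add accessType="Allow" roles="Managers" />
        <add accessType="Deny" users="?" />
      </authorization>
    </security>
  </system.webServer>
</configuration>
```

Because the override lives in the subfolder's web.config, anyone who can write to that folder can loosen the rules its parent set; file-system permissions on web.config therefore matter as much as the rules themselves.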
