Deny by default in AuthorizationConfigurationSection

Topics: Web Client Software Factory
Dec 29, 2008 at 3:37 PM

I've noticed that unless you specifically add a rule in web.config for a page, any authenticated user can view the page. For example, I have sensitivepage1.aspx and sensitivepage2.aspx. I add the following to web.config in the AuthorizationConfigurationSection:

            <rule Url="~/sensitivepage1.aspx" Rule="AllowMaintenanceAccess" />

But I forget to add the same for sensitivepage2.aspx. Best practice for security is to default to the most secure scenario possible, so I would have thought there is a way to tell the composite web's security implementation to deny access to any page that is not specifically allowed. I'm sure I've probably missed something here but can't seem to find any info on how to do this.

Thanks in advance
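
An audit for the gap described in the post, as an added example that is not part of the original post or of the Web Client Software Factory: it lists every .aspx page that has no `<rule Url=... Rule=... />` entry in web.config. The function names, the sample config with its wrapper elements and the `AllowAdminAccess` rule name are constructed, and it assumes rules are matched per page by app-relative `~/` URL, case-insensitively.

```python
import os
import xml.etree.ElementTree as ET

def _norm(url):
    """Normalize an app-relative URL: '~/Admin\\Users.ASPX' -> 'admin/users.aspx'."""
    url = url.strip().replace("\\", "/")
    if url.startswith("~/"):
        url = url[2:]
    return url.lstrip("/").lower()

def ruled_urls(config_xml):
    """Normalized Url of every <rule> element that carries both Url and Rule."""
    urls = set()
    for el in ET.fromstring(config_xml).iter():
        tag = el.tag.rsplit("}", 1)[-1]  # ignore an XML namespace, if present
        if tag == "rule" and el.get("Url") and el.get("Rule"):
            urls.add(_norm(el.get("Url")))
    return urls

def site_pages(site_root):
    """Walk the site directory; return app-relative paths of all .aspx files."""
    pages = []
    for dirpath, _dirs, files in os.walk(site_root):
        for name in files:
            if name.lower().endswith(".aspx"):
                rel = os.path.relpath(os.path.join(dirpath, name), site_root)
                pages.append("~/" + rel.replace(os.sep, "/"))
    return sorted(pages)

def pages_without_rule(config_xml, pages):
    """Pages that no rule mentions, i.e. the ones left to the default behaviour."""
    covered = ruled_urls(config_xml)
    return sorted(p for p in pages if _norm(p) not in covered)

# Constructed sample: wrapper element names are an assumption, only <rule> is from the post.
SAMPLE_CONFIG = """<configuration><compositeWeb><authorization>
  <rule Url="~/sensitivepage1.aspx" Rule="AllowMaintenanceAccess" />
  <rule Url="~/Admin/Users.aspx" Rule="AllowAdminAccess" />
</authorization></compositeWeb></configuration>"""
SAMPLE_PAGES = ["~/sensitivepage1.aspx", "~/sensitivepage2.aspx", "~/admin/users.aspx"]

if __name__ == "__main__":
    # For a real site: pages_without_rule(open("web.config").read(), site_pages("."))
    for page in pages_without_rule(SAMPLE_CONFIG, SAMPLE_PAGES):
        print("no authorization rule:", page)
```

Run as a build or check-in step, a non-empty result fails the build until the new page gets a rule; pages that are meant to be open to every authenticated user need an explicit exclusion list.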