<authorization> Element
Specifies the users or roles that are authorized and denied access to a Web service.
Element hierarchy:

<policies> Element
  <policy> Element (Policy)
    <authorization> Element

Syntax:

```xml
<authorization roleProviderName>
  <allow user role />
  <deny user role />
</authorization>
```

Assertion class: Microsoft.Web.Services3.Design.AuthorizationAssertion
Attributes and Elements
Attributes
Attribute | Description |
---|---|
roleProviderName | Optional attribute. Specifies a role provider. The role provider can be one that is included with ASP.NET or a custom provider registered in the Web.config file. |
Child Elements
Element | Description |
---|---|
<allow> Element (Policy) | Allows access to a Web service. |
<deny> Element (Policy) | Denies access to a Web service. |
Parent Elements
Element | Description |
---|---|
<policy> Element (Policy) | Specifies a SOAP message requirement. |
Remarks
An <authorization> element can have zero or more <allow> Element (Policy) and <deny> Element (Policy) child elements. Together, these child elements form an ordered list of authorization rules that is evaluated from top to bottom. The sender is authorized or denied according to the first rule that applies to it; later rules are not consulted. If an <authorization> element exists and no rule applies to the sender, access is denied. Because the first match wins, the order of the rules matters: a <deny user="*" /> placed above the <allow> elements denies every sender, including the users and roles the <allow> elements were meant to admit, so place the catch-all deny last.
The SOAP message sender is authorized based on the security token's Principal property. When the security token does not have a Principal property, such as an X509SecurityToken, the Identity property is used to authorize the sender instead. The Identity property is set by the role provider specified in the roleProviderName attribute.
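The following Python script is an added example that models the rule-evaluation semantics described above; it is not part of WSE 3.0 or of this page's original content. It parses the <authorization> element out of a constructed policy document, walks the <allow> and <deny> rules top to bottom, and reports which rule decided the outcome. The policy names other than kerberosAuthenticationKerberosProtection, the sender names, the treatment of "*" as a wildcard for both users and roles, and the exact (case-sensitive) comparison of user names are assumptions made for the example; WSE's own comparison rules are not stated on this page.

```python
import xml.etree.ElementTree as ET

# Constructed policy document for this example (not from a live deployment).
# The first policy is the <authorization> block from the page's example; the
# others exist only to show the ordering pitfall, the no-applicable-rule case,
# and a policy that carries no <authorization> assertion at all.
POLICIES_XML = r"""
<policies>
  <policy name="kerberosAuthenticationKerberosProtection">
    <authorization>
      <allow user="COHOWINERY\Enologist" />
      <allow role="WineMaker" />
      <deny user="*" />
    </authorization>
  </policy>
  <policy name="denyFirst">
    <authorization>
      <deny user="*" />
      <allow role="WineMaker" />
    </authorization>
  </policy>
  <policy name="noRules">
    <authorization />
  </policy>
  <policy name="noAuthorization">
    <requireActionHeader />
  </policy>
</policies>
"""


def load_rules(policies_xml, policy_name):
    """Return the ordered rules of one policy's <authorization> element as
    (verb, kind, value) tuples, e.g. ("allow", "role", "WineMaker").
    Returns None when the named policy has no <authorization> element."""
    root = ET.fromstring(policies_xml)
    for policy in root.findall("policy"):
        if policy.get("name") != policy_name:
            continue
        auth = policy.find("authorization")
        if auth is None:  # must be 'is None': an element with no children is falsy
            return None
        rules = []
        for child in auth:
            if child.tag not in ("allow", "deny"):
                raise ValueError("unexpected child <%s> of <authorization>" % child.tag)
            if "user" in child.attrib:
                rules.append((child.tag, "user", child.attrib["user"]))
            elif "role" in child.attrib:
                rules.append((child.tag, "role", child.attrib["role"]))
            else:
                raise ValueError("<%s> needs a user or role attribute" % child.tag)
        return rules
    raise KeyError("no policy named %r" % policy_name)


def rule_applies(rule, user, roles):
    """A rule applies when its user matches the sender's name or its role is one
    the sender holds. "*" is treated as a wildcard for either kind (assumption
    generalising the user="*" form shown in the page's example)."""
    _verb, kind, value = rule
    if value == "*":
        return True
    if kind == "user":
        return value == user  # assumption: exact, case-sensitive comparison
    return value in roles


def decide(rules, user, roles):
    """Walk the rules top to bottom and return (allowed, matched_rule).
    The first applicable rule decides; if none applies the sender is denied,
    which is the documented outcome whenever an <authorization> element exists."""
    for rule in rules:
        if rule_applies(rule, user, roles):
            return rule[0] == "allow", rule
    return False, None


def is_authorized(policies_xml, policy_name, user, roles=()):
    rules = load_rules(policies_xml, policy_name)
    if rules is None:
        # Inference from the remarks, which deny only when an <authorization>
        # element exists: with no such element there is nothing to enforce here
        # (other assertions in the policy may still reject the message).
        return True
    allowed, _rule = decide(rules, user, set(roles))
    return allowed


if __name__ == "__main__":
    senders = ((r"COHOWINERY\Enologist", set()),
               (r"COHOWINERY\Intern", {"WineMaker"}),
               (r"COHOWINERY\Intern", {"Sommelier"}))
    for name in ("kerberosAuthenticationKerberosProtection", "denyFirst", "noRules"):
        rules = load_rules(POLICIES_XML, name)
        for user, roles in senders:
            allowed, rule = decide(rules, user, roles)
            print("%s: %s %s -> %s via %s" % (name, user, sorted(roles),
                                               "ALLOW" if allowed else "DENY", rule))
```

Running the script shows the Enologist account and a WineMaker-role member admitted by the page's policy while a Sommelier falls through to the trailing deny; in the denyFirst policy the same WineMaker member is refused because the wildcard deny is reached first, and in the noRules policy everyone is refused without any rule matching.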
Example
The following code example defines a policy named kerberosAuthenticationKerberosProtection that specifies that the user COHOWINERY\Enologist and the users in the WineMaker role are authorized to access the Web services to which this policy is applied. All other users are denied access to the Web service. The final <deny user="*" /> rule makes that default explicit; because rules are evaluated in order, it is reached only when neither <allow> rule matches the sender.
```xml
<policies>
  <extensions>
    <extension name="kerberosSecurity"
               type="Microsoft.Web.Services3.Design.KerberosAssertion, Microsoft.Web.Services3, Version=3.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" />
    <extension name="kerberos"
               type="Microsoft.Web.Services3.Design.KerberosTokenProvider, Microsoft.Web.Services3, Version=3.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" />
    <extension name="authorization"
               type="Microsoft.Web.Services3.Design.AuthorizationAssertion, Microsoft.Web.Services3, Version=3.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" />
    <extension name="requireActionHeader"
               type="Microsoft.Web.Services3.Design.RequireActionHeaderAssertion, Microsoft.Web.Services3, Version=3.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" />
  </extensions>
  <policy name="kerberosAuthenticationKerberosProtection">
    <authorization>
      <allow user="COHOWINERY\Enologist" />
      <allow role="WineMaker" />
      <deny user="*" />
    </authorization>
    <kerberosSecurity establishSecurityContext="false" signatureConfirmation="false" protectionOrder="SignBeforeEncrypting" deriveKeys="true">
      <token>
        <kerberos targetPrincipal="host/grapes@cohowinery.com" impersonationLevel="Identification" />
      </token>
      <protection>
        <request signatureOptions="IncludeAddressing, IncludeTimestamp, IncludeSoapBody" encryptBody="true" />
        <response signatureOptions="IncludeAddressing, IncludeTimestamp, IncludeSoapBody" encryptBody="true" />
        <fault signatureOptions="IncludeAddressing, IncludeTimestamp, IncludeSoapBody" encryptBody="false" />
      </protection>
    </kerberosSecurity>
    <requireActionHeader />
  </policy>
</policies>
```