How does File Authorization work in ASP.NET

ASP.NET supports a type of authorization called file-based authorization, which is implemented by the FileAuthorizationModule. This authorization takes effect only if you’re using Windows authentication. If you’re using custom authentication or forms authentication, it is not used.

You can understand file authorization if you know how the Windows operating system enforces file system security. When your file system uses the NTFS format, you can set ACLs that specifically identify the users and roles that are allowed or denied access to individual files. In this case the FileAuthorizationModule simply checks the Windows permissions for the file you’re requesting. For example, if you request a web page, the FileAuthorizationModule checks that the currently authenticated IIS user has the permissions required to access the underlying .aspx file. If the user doesn’t, the page code is not executed, and the user receives an “access denied” message.

The FileAuthorizationModule is required because ASP.NET executes code under a fixed user account, such as ASPNET. The Windows operating system checks that the ASPNET account has the permissions it needs to access the .aspx file, but it does not perform the same check for the user authenticated by IIS. The FileAuthorizationModule fills that gap: it performs the authorization check using the security context of the current user. As a result, the system administrator can set permissions on files or folders and thereby control access to portions of an ASP.NET application. Generally, it’s clearer to use authorization rules in the web.config file. However, if you want to take advantage of existing Windows permissions in a local network or intranet scenario, you can.
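The following is an added illustration, not the module’s own code, of the check described above: resolve the requested page to its physical .aspx file and evaluate the NTFS ACL under the IIS-authenticated user’s token rather than the worker-process account. It assumes a classic ASP.NET (System.Web) application with Windows authentication enabled in web.config; the class and method names are invented for this example, and the real module inspects the ACL directly instead of opening the file.

```csharp
using System;
using System.IO;
using System.Security.Principal;
using System.Web;

// Assumes <authentication mode="Windows" /> in web.config; with forms or custom
// authentication context.User is not a WindowsIdentity and the check cannot run.
public static class FileAuthorizationCheck
{
    // Returns true if the authenticated Windows user may read the requested file,
    // false if the NTFS ACL denies it (the point at which the page code must not run).
    public static bool UserCanReadRequestedFile(HttpContext context)
    {
        var identity = context.User?.Identity as WindowsIdentity;
        if (identity == null || !identity.IsAuthenticated)
            return false;

        // Physical path of the .aspx behind the URL being requested.
        string physicalPath = context.Request.PhysicalPath;

        // Impersonate the caller so Windows evaluates the ACL against *their* token,
        // not against the fixed account (for example ASPNET) the worker runs as.
        using (WindowsImpersonationContext impersonation = identity.Impersonate())
        {
            try
            {
                using (File.Open(physicalPath, FileMode.Open, FileAccess.Read, FileShare.Read))
                {
                    return true;
                }
            }
            catch (UnauthorizedAccessException)
            {
                return false; // ACL denies this user: equivalent to the module's "access denied"
            }
        }
    }
}

// Global.asax.cs: hook the same pipeline stage FileAuthorizationModule uses and
// reject the request before any page code executes.
public class Global : HttpApplication
{
    protected void Application_AuthorizeRequest(object sender, EventArgs e)
    {
        var app = (HttpApplication)sender;
        if (!FileAuthorizationCheck.UserCanReadRequestedFile(app.Context))
        {
            app.Context.Response.StatusCode = 401;
            app.CompleteRequest();
        }
    }
}
```

Because the check runs under impersonation, an administrator can grant or deny a Windows group on a folder of .aspx files and see the effect on the next request without touching web.config.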

You can find more information about this approach in the following articles:

How to use IsInRole method to check authorization in ASP.NET in C#
How to use IsInRole method to check authorization in ASP.NET in VB.NET
How to use the PrincipalPermission Class to check authorization in ASP.NET in C#
How to use the PrincipalPermission Class to check authorization in ASP.NET in VB.NET
How to use PrincipalPermission objects to evaluate authorization roles in ASP.NET in C#
How to use PrincipalPermission objects to evaluate authorization roles in ASP.NET in VB.NET
How to use PrincipalPermission attribute to validate the credentials of the current user in ASP.NET in C#
How to use PrincipalPermission attribute to validate the credentials of the current user in ASP.NET in VB.NET