ASP.NET supports resource-specific authorization without requiring you to change code and recompile the application with declarative authorization rules, which you can define in the web.config file. These rules defined by you are acted by a specific HTTP module named UrlAuthorizationModule. This module examines these rules and checks each request to make sure users can’t access resources you’ve specifically restricted. This type of authorization is called URL authorization because it considers only two details:

C# 8.0 and .NET Core 3.0 – Modern Cross-Platform Development: Build applications with C#, .NET Core, Entity Framework Core, ASP.NET Core, and ML.NET using Visual Studio Code, 4th Edition
ASP.NET Core 3 and Angular 9: Full stack web development with .NET Core 3.1 and Angular 9, 3rd Edition
C# in Depth, 4th Edition

– the security context of the user

– the user and the URL of the resource that the user is attempting to access.

If the page is forbidden and you’re using forms authentication, the user will be redirected to the login page. If the page is forbidden and you’re using Windows authentication, the user will receive an “access denied” (HTTP 401) error page, or a more generic error message or custom error page, depending on the <customErrors> element.