URL Authorization

Applies To: Windows Server 2003, Windows Server 2003 with SP1

A new authorization framework is available with Windows Server 2003. Implemented through the Windows Server 2003 Authorization Manager, role-based access control is designed to make it easier to manage access control for Web-based or line-of-business applications in enterprise environments.

For example, for an expense-reporting or Web-based shopping application, the authorization decisions often do not involve determining access to persistent objects. Instead, the applications might need to verify a workflow, or they might involve multiple distinct operations, such as querying a database and sending mail. Access decisions often are made based not only on token group membership but also on business logic, such as the amount that is submitted in an expense application or verification of workflow completion. For applications such as these, which do not have well-defined persistent objects, object-oriented ACLs are not effective.

IIS extends the use of role-based authentication by providing gatekeeper authorization to specific URLs. IIS URL authorization allows you to authorize user access to the URLs that make up a Web application. When a user requests access to a URL, URL authorization validates the user's access based on the roles of that user, which can be defined in Lightweight Directory Access Protocol (LDAP) queries, custom user roles, and the Authorization Manager rules (scripts that are written in VBScript or JScript, which you can include in role definitions and task definitions). This allows you to control all user access to URLs instead of controlling access per ACL, on each resource.

Additionally, Web applications can use URL authorization together with Authorization Manager to control — from within the same policy store — access to the URLs that make up a Web application and the application-specific tasks and operations. Maintaining the policy in the same policy store allows you to manage access to the URLs and application features from a single point of administration while leveraging the store-level application groups and user-programmable business rules.

URL authorization is task-based, allowing you to create flexible authorization schemes that selectively allow or deny access to parts of the URL namespace for certain sets, users, or roles. The URLAuthorizationModule class maps users and roles to pieces of the URL namespace. This module implements both positive and negative authorization assertions and is available for use at any time. You need only list users or roles in the <allow> or <deny> elements of the <authorization> section of a configuration file.

URL authorization is implemented as an ISAPI interceptor. When an application, virtual directory, or URL is configured to use URL authorization, each request to a URL is routed to the URL authorization ISAPI interceptor. The URL authorization wildcard script map uses Authorization Manager to authorize access to the requested URL. The URL must be associated with an Authorization Manager policy store that contains the authorization policy for the URL. After the client has been authorized to access the URL, the Execute URL feature of the URL authorization ISAPI passes the request to the appropriate handler for the URL, such as ASP.dll, another ISAPI, or the static file handler. Figure 5.5 shows this process. In this figure, the wildcard script map is named URL Authz ISAPI, Authorization Manager is named .NET Authz Framework, and the Execute URL feature is named ExecURL.


By using URL authorization, you can control access based on information that is available only at run time. For example, if you have a Web page that should be available only to employees in a given cost center or to employees of a certain age, you can assign roles to the correct users based on LDAP queries that check the cost center or age attributes on a user object. If employees can access only certain pages on certain days of the week or during a certain time of day, you can create a BizRule that grants access to the URL based on these values or any value that can be asserted at run time, including IIS server variables.
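A BizRule of the kind described above, written in JScript, as an added example that is not part of the original documentation. The access windows are constructed values chosen for illustration; `AzBizRuleContext.BusinessRuleResult` is the Authorization Manager property a rule sets to report its decision, and the rule denies unless a window matches.

```javascript
// Constructed policy (assumption): days use Date.getDay() numbering, 0 = Sunday.
var ACCESS_WINDOWS = [
  { days: [1, 2, 3, 4, 5], start: "08:00", end: "18:00" }, // weekday office hours
  { days: [6], start: "22:00", end: "02:00" }              // Saturday shift, wraps past midnight
];

// Convert "HH:MM" to minutes since midnight; reject anything malformed.
function toMinutes(hhmm) {
  var m = /^([01]\d|2[0-3]):([0-5]\d)$/.exec(hhmm);
  if (!m) { throw new Error("bad time value: " + hhmm); }
  return parseInt(m[1], 10) * 60 + parseInt(m[2], 10);
}

function contains(list, value) {
  for (var i = 0; i < list.length; i++) {
    if (list[i] === value) { return true; }
  }
  return false;
}

// True only when `now` falls inside a window; the end time is exclusive.
function isAccessAllowed(now, windows) {
  try {
    var day = now.getDay();
    var minute = now.getHours() * 60 + now.getMinutes();
    for (var i = 0; i < windows.length; i++) {
      var w = windows[i], start = toMinutes(w.start), end = toMinutes(w.end);
      if (start <= end) {
        if (contains(w.days, day) && minute >= start && minute < end) { return true; }
      } else {
        // Window wraps midnight: the late part falls on a listed day,
        // the early part on the day after a listed day.
        if (contains(w.days, day) && minute >= start) { return true; }
        if (contains(w.days, (day + 6) % 7) && minute < end) { return true; }
      }
    }
    return false;
  } catch (e) {
    return false; // fail closed: a malformed policy or clock value never grants access
  }
}

// Inside Authorization Manager the host supplies AzBizRuleContext; elsewhere this is skipped.
if (typeof AzBizRuleContext !== "undefined") {
  AzBizRuleContext.BusinessRuleResult = false; // deny unless the check below succeeds
  AzBizRuleContext.BusinessRuleResult = isAccessAllowed(new Date(), ACCESS_WINDOWS);
}
```

The rule reads the clock of the server that evaluates it, so the windows are expressed in that server's local time.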

For more information about Authorization Manager, see "Authorization Manager" in Help and Support Center for Windows Server 2003.