I am studying for a Microsoft exam and am going through some sample questions. I have this question:
“You are developing an ASP.NET Web Application which is configured to use the membership and role providers.
You need to allow all users to perform a HTTP GET but must allow only the user named Moderator to perform a POST operation. Which configuration should you add to the web.config file?”
<authorization>
  <deny verbs="POST" users="*" />
  <allow verbs="POST" users="Moderator" />
  <allow verbs="GET" users="*" />
</authorization>

<authorization>
  <allow verbs="GET" users="*" />
  <allow verbs="POST" users="Moderator" />
  <deny verbs="POST" users="*" />
</authorization>
There were two other answers but they were obviously wrong so I haven’t replicated them here.
The only difference I can spot between the two sets of rules is the order in which the rules are placed.
The correct answer is the second set of rules. Here the rules first allow POST access for “Moderator” and then remove it for everyone else. This seems counter-intuitive to me – to give 1 person a privilege, then remove that privilege from everyone and yet the 1 person still has the privilege afterwards.
If anything the first set of rules makes more sense – first deny everyone then selectively give access to individuals. Apparently this is wrong though!
Can anyone explain why this is the case so I can understand this better?
This is just a case of first come first served. ASP.NET processes the rules in order until it hits one that matches, therefore in the first scenario it will hit the deny rule for POST before it reaches the allow.

That’s not quite how it works. The rules are checked per request, therefore, what the first rules are basically saying is:

Deny POST requests from everyone.
Allow POST requests for Moderator.
Allow GET requests for everyone.

All in that order. The problem here is when Moderator sends in a POST request, it will match the first rule (as it’s for everyone) and be denied. However, the second scenario is saying:

Allow GET requests for everyone.
Allow POST requests for Moderator.
Deny POST requests for everyone.

So when Moderator sends a POST request, it will match the 2nd rule and allow the request to continue. If anyone else sends in a POST request, they will hit the 3rd rule and be denied.
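The first-match evaluation described in the answers, written out as a small simulator over the two web.config fragments from the question. This is an added example, not code from the question, the answers or ASP.NET itself; it assumes only the `users` and `verbs` attributes (no `roles`), represents an anonymous caller as `None`, and models user and verb comparison as case-insensitive.

```python
import xml.etree.ElementTree as ET

# The two <authorization> fragments from the question (option 1 denies first,
# option 2 allows first), embedded here as constructed sample input.
OPTION_1 = """<authorization>
  <deny verbs="POST" users="*" />
  <allow verbs="POST" users="Moderator" />
  <allow verbs="GET" users="*" />
</authorization>"""

OPTION_2 = """<authorization>
  <allow verbs="GET" users="*" />
  <allow verbs="POST" users="Moderator" />
  <deny verbs="POST" users="*" />
</authorization>"""


def _rule_matches(rule, user, verb):
    """Does one <allow>/<deny> element apply to this user and HTTP verb?
    '*' matches everyone (anonymous included), '?' matches only anonymous,
    a missing verbs attribute matches every verb (assumed semantics)."""
    verbs = [v.strip().upper() for v in rule.get("verbs", "").split(",") if v.strip()]
    if verbs and verb.upper() not in verbs:
        return False
    for pattern in (u.strip() for u in rule.get("users", "").split(",")):
        if pattern == "*":
            return True
        if pattern == "?" and user is None:
            return True
        if user is not None and pattern.lower() == user.lower():
            return True
    return False


def is_authorized(config_xml, user, verb):
    """Walk the rules top to bottom; the first matching rule decides.
    If no rule matches, the request falls through to the implicit
    machine-level <allow users="*"/> and is permitted (assumed default)."""
    root = ET.fromstring(config_xml)
    for rule in root:
        if rule.tag in ("allow", "deny") and _rule_matches(rule, user, verb):
            return rule.tag == "allow"
    return True


def decision_table(config_xml):
    """Outcome for each (user, verb) pair the question cares about."""
    return {(u, v): is_authorized(config_xml, u, v)
            for u in ("Moderator", "Alice", None) for v in ("GET", "POST")}
```

With option 1 the Moderator's POST is caught by the leading `deny users="*"` and refused; with option 2 the same request matches the `allow users="Moderator"` rule before the catch-all deny is reached.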