ASP.NET supports resource-specific authorization through declarative authorization rules that you define in the web.config file, so you can change access rules without changing code or recompiling the application. These rules are enforced by a specific HTTP module named UrlAuthorizationModule. This module examines the rules and checks each request to make sure users can’t access resources you’ve specifically restricted. This type of authorization is called URL authorization because it considers only two details:
– the security context of the user
– the URL of the resource that the user is attempting to access.
If the page is forbidden and you’re using forms authentication, the user will be redirected to the login page. If the page is forbidden and you’re using Windows authentication, the user will receive an “access denied” (HTTP 401) error page, or a more generic error message or custom error page, depending on the <customErrors> element.
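The following web.config is an added example, not taken from the original text, showing how such declarative rules look when forms authentication is used. The login page `~/Login.aspx`, the `Admin` folder, the `Help.aspx` page and the `Administrators` role are assumed names, and the role rule assumes the application assigns roles to authenticated users.

```xml
<?xml version="1.0"?>
<configuration>
  <system.web>
    <!-- Forms authentication: a request denied by the rules below is
         redirected to loginUrl (assumed page name). -->
    <authentication mode="Forms">
      <forms loginUrl="~/Login.aspx" />
    </authentication>

    <!-- Site-wide rule: "?" stands for anonymous users, so every resource
         requires an authenticated user. -->
    <authorization>
      <deny users="?" />
    </authorization>
  </system.web>

  <!-- Rules for one folder (assumed name). UrlAuthorizationModule reads the
       rules top to bottom and applies the first one that matches, so the
       allow must come before the deny. "*" stands for all users. -->
  <location path="Admin">
    <system.web>
      <authorization>
        <allow roles="Administrators" />
        <deny users="*" />
      </authorization>
    </system.web>
  </location>

  <!-- Rules for a single page (assumed name): open it to everyone,
       overriding the site-wide deny for this URL only. -->
  <location path="Help.aspx">
    <system.web>
      <authorization>
        <allow users="*" />
      </authorization>
    </system.web>
  </location>
</configuration>
```

If the two rules for `Admin` were written in the opposite order, `<deny users="*" />` would match first and administrators would be locked out as well.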