URL authorization and non-ASP.NET file types
URL authorization only applies to Asp.Net related file types? But why couldn’t it also be applied to non-Asp.Net file types?
Thanx
This is because of the script maps for ASP.NET. Only certain extensions are mapped into ASP.NET. The rest are handled directly by IIS. This is by design, for performance reasons.
There are two ways to handle this.
Duplicate your authorization rules in the web.config files in NTFS File ACLs (that is, set permissions on folders and files directly). Make sure that the user's authentication scheme matches the accounts and groups used for controlling access... in other words, if you're using SQL to store username tokens, this won't work, because those tokens won't necessarily map back to domain users and groups/roles.
Create an IHttpHandler to serve up your non-ASP.NET files. From the ProcessRequest method, call the Server.MapPath(url) method on the incoming URL, then stream out the file using Response.WriteFile(filename). You will probably need to set the ContentType property first. And, (here's the bad news), you may still need to perform a declarative or imperative access check -- just having the entries in the web.config files may not work. See Custom ASP.NET Processing with HTTP for more information on writing your own handler. It's probably a good idea to make separate handlers for each content type. Once you've written one, you'll see how easy they are to make.
You could try (haven't tried this myself) to add <httpHandlers> elements to web.config files where you have additional <authorization> elements -- use the <remove> element to remove the inherited HttpHandler and add another one at the subfolder level (perhaps pointing back to the same class?). I'm not sure this will work, but it's worth a try.
Finally, if you really don't want to go through and do all this work, you could simply add more extension mappings in IIS. For example, take a look at How to: Register HTTP Handlers, you can add a mapping for .jpg files to the aspnet_isapi.dll (take a look at the existing mappings for .aspx and so on). You do not need to add an HttpHandler element to your web.config, because the machine level web.config already contains this entry:
Please note that this may have very serious performance issues on your site.
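The handler approach from the answer above, sketched as an added example that is not part of the original answer: it performs the imperative access check with UrlAuthorizationModule.CheckUrlAccessForPrincipal before mapping the URL, then sets ContentType and streams the file. The class name ProtectedFileHandler and the extension allow-list are assumptions made for illustration.

```csharp
using System;
using System.Collections.Generic;
using System.IO;
using System.Web;
using System.Web.Security;

// Hypothetical handler; the class name and the extension allow-list are assumptions.
public class ProtectedFileHandler : IHttpHandler
{
    private static readonly Dictionary<string, string> ContentTypes =
        new Dictionary<string, string>(StringComparer.OrdinalIgnoreCase)
        {
            { ".jpg", "image/jpeg" },
            { ".png", "image/png" },
            { ".pdf", "application/pdf" }
        };

    public bool IsReusable { get { return true; } }

    public void ProcessRequest(HttpContext context)
    {
        HttpRequest request = context.Request;

        // Imperative access check: evaluates the <authorization> rules that
        // apply to this URL. Done first so denied users learn nothing about the file.
        if (context.User == null || !UrlAuthorizationModule.CheckUrlAccessForPrincipal(
                request.Path, context.User, request.HttpMethod))
        {
            // 401 lets the authentication module challenge anonymous users; 403 otherwise.
            context.Response.StatusCode = request.IsAuthenticated ? 403 : 401;
            return;
        }

        // Map the URL to disk, then confirm the result stays under the application
        // root and has an allowed extension before touching the file system.
        string physicalPath = Path.GetFullPath(context.Server.MapPath(request.Path));
        string root = Path.GetFullPath(request.PhysicalApplicationPath);
        string contentType;
        if (!physicalPath.StartsWith(root, StringComparison.OrdinalIgnoreCase)
            || !ContentTypes.TryGetValue(Path.GetExtension(physicalPath), out contentType)
            || !File.Exists(physicalPath))
        {
            context.Response.StatusCode = 404;
            return;
        }

        context.Response.ContentType = contentType;
        context.Response.WriteFile(physicalPath);
    }
}
```

The handler only runs for extensions that are registered under <httpHandlers> and mapped to ASP.NET in IIS as the answer describes; requests for unmapped extensions are still served by IIS without this check.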