web.config 授权 拒绝未经授权
我正在开发一个 .NET for ASP.NET Web 应用程序,并试图拒绝所有未经授权的用户访问我的应用程序,但只允许他们访问登录页面。
下面是我的 system.web 部分中的代码片段:
<authentication mode="Forms">
<forms loginUrl="Login.aspx" timeout="60" name="APPNAME" slidingExpiration="true" />
</authentication>
<authorization>
<deny users="?" />
</authorization>
我在外部也有这个代码片段,以允许访问登录页面:
<location path="Login.aspx">
<system.web>
<authorization>
<allow users="*"/>
</authorization>
</system.web>
</location>
但是,当我未登录时,我仍然可以访问页面,我怎样才能阻止它发生?
我什至在主文件夹中添加了一个 Web.Config 文件,该文件夹存储了大部分网站文件,其内容为:
<?xml version="1.0"?>
<configuration>
<appSettings/>
<connectionStrings/>
<system.web>
<authorization>
<deny users="?" />
</authorization>
</system.web>
</configuration>
但这仍然没有任何效果。
解决方案
我遵循了 asp.net 的一些优化技巧 (http: //www.codeproject.com/KB/aspnet/10ASPNetPerformance.aspx)并删除了我实际需要的AnonymousIdentification httpModule。
I am developing a .NET for ASP.NET Web Application and am trying to deny all users who are unauthorised from accessing my application but allowing them only to the login page.
Below is a snippet of the code which is inside my system.web section:
<authentication mode="Forms">
<forms loginUrl="Login.aspx" timeout="60" name="APPNAME" slidingExpiration="true" />
</authentication>
<authorization>
<deny users="?" />
</authorization>
I also have this outside to allow access to the login page:
<location path="Login.aspx">
<system.web>
<authorization>
<allow users="*"/>
</authorization>
</system.web>
</location>
However I am still able to access pages when I am not logged in, how could I stop this from happening?
I have even added a Web.Config file to the Main folder which stores most of the website files which the contents of is:
<?xml version="1.0"?>
<configuration>
<appSettings/>
<connectionStrings/>
<system.web>
<authorization>
<deny users="?" />
</authorization>
</system.web>
</configuration>
But this is still not having any effect.
Solution
I had followed some optimisation tips for asp.net (http://www.codeproject.com/KB/aspnet/10ASPNetPerformance.aspx) and removed the AnonymousIdentification httpModule which I actually needed.
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(3)
我想您会发现,如果您将具有不同预期角色的不同网页放在不同的文件夹中,处理 ASP.NET 授权会容易得多。这不是一个要求。只是更容易管理。
如果您使用的是 VS 2010(我不确定这是 Express 版本),请尝试使用“项目”菜单底部的 ASP.NET 配置工具。
我发现通过首先使用该工具,对安全性进行一些更改,然后查看它的作用,可以轻松了解 web.config 文件的工作原理。
如果您刚刚在 VS 2010 中使用空白 ASP.NET 应用程序,则可以通过进行以下两项更改来锁定除登录和注册页面之外的所有内容:
在根 web.config
中 在 Account 子文件夹中的 web.config 中
您将执行以下操作:看到的是用户立即被定向到登录页面,但他们仍然可以注册。
I think what you will find is that it is far easier to deal with ASP.NET authorization if you put different web pages with different intended roles in different folders. That's not a requirement. It's just easier to manage.
If you are in VS 2010 (I'm not sure this is in the express edition) try using the ASP.NET Configuration tool at the bottom of the Project menu.
I found that it was easy to learn how the web.config files worked by using that tool at first, making some changes to security, and then going and looking at what it did.
If you just start with a blank ASP.NET application in VS 2010, you can lock out everything but the login and register page by making two changes:
In the root web.config
In the web.config in the Account subfolder
What you'll see is that the user is immediately directed to the login page, but they can still register.
尝试将 LoginStatus 控件添加到您的页面检查您的登录状态。
您之前可能已经检查过“保存的密码”选项。使用 control userpassword2 命令检查并清除缓存的密码。
Try adding LoginStatus control to your page to check your login status.
You might have checked 'Saved password' option previously. Check and clear your cached password using control userpassword2 command.
您可以将新的 Web.config 放入需要应用权限的文件夹中。在里面做类似这样的事情
或者您可能需要用
You can put a new Web.config in the folder that needs the permissions applied. Inside it do something like this
Or you might need to wrap the
<authorization>tag with a<security>tag.