ASP.NET Forms Auth 允许访问子目录中的特定文件,而所有其他文件都应被拒绝
我在允许特定角色访问子目录中的特定页面时遇到问题。
我的 ASP.NET 应用程序有一个目录 ~/Forms/Administration,其访问权限受到限制。我想向一个特定的文件 ~/Forms/Administration/Default.aspx 授予 1 个额外的用户角色访问权限以及管理员角色。
在〜/ Forms / Administration中,我有一个web.config文件,如下所示:
<?xml version="1.0" encoding="utf-8"?>
<configuration>
<system.web>
<authorization>
<allow roles="Administrator, User" />
<deny users="*"/>
</authorization>
</system.web>
<location path="Forms/Administration/Default.aspx">
<system.web>
<authorization>
<allow roles="Administrator, User, AdditionalUser" />
</authorization>
</system.web>
</location>
</configuration>
Admin用户工作正常,但AdditionalUser总是失败。我已经尝试了很多事情 - 将位置列出为
<location path="Forms/Administration/Default.aspx">
并且
<location path="~/Forms/Administration/Default.aspx">
第一个通用规则中的拒绝=“*”是否具有先例?我尝试更改
<deny users="*"/>
为
<deny users="?"/>
,但最终使AdditionalUser 能够访问所有内容。建议?
编辑:我尝试将特定于位置的允许放在通用拒绝规则之前,以防顺序重要。同样的问题。
更新:我显然在这里遗漏了一些东西:我删除了拒绝 * 配置,并仅留下了位置特定部分。然后,我将其设置为拒绝所有角色,而不是允许某些角色 (*)。然而,当我登录时,它根本没有拒绝我。我什至将规则减少为不特定于文件,而是适用于整个目录,并且它并没有拒绝我任何东西。但是,原始的非位置特定规则确实有效,所以我知道正在读取此配置文件。
<?xml version="1.0" encoding="utf-8"?>
<configuration>
<location path="Forms/Administration">
<system.web>
<authorization>
<deny users="*" />
</authorization>
</system.web>
</location>
</configuration>
I am having problems allowing a specific Role access to a specific page in a subdirectory.
My ASP.NET application has a directory, ~/Forms/Administration that has limited access. There is a specific file, ~/Forms/Administration/Default.aspx that I want to give 1 additional user role access to, as well as the Admin role.
In ~/Forms/Administration, I have a web.config file that looks like this:
<?xml version="1.0" encoding="utf-8"?>
<configuration>
<system.web>
<authorization>
<allow roles="Administrator, User" />
<deny users="*"/>
</authorization>
</system.web>
<location path="Forms/Administration/Default.aspx">
<system.web>
<authorization>
<allow roles="Administrator, User, AdditionalUser" />
</authorization>
</system.web>
</location>
</configuration>
The Admin user works just fine, but AdditionalUser always fails. I've tried a number of things - listing the location as
<location path="Forms/Administration/Default.aspx">
And as
<location path="~/Forms/Administration/Default.aspx">
Is the deny="*" from the first generic rule taking precedent? I tried changing
<deny users="*"/>
To
<deny users="?"/>
But that ends up giving AdditionalUser access to everything. Suggestions?
EDIT: I tried putting the location specific allow before the generic deny rule, in case order mattered. Same problem.
UPDATE: I am clearly missing something here: I removed the deny * config, and left only the location specific section. Then, instead of allowing on certain roles, I set that one to deny all (*). However, it is not denying me at all when I login. I even reduced the rule to not be file specific, but apply to the whole directory, and it's not denying me anything. However, the original non-location specific rules do work, so I know this config file is being read.
<?xml version="1.0" encoding="utf-8"?>
<configuration>
<location path="Forms/Administration">
<system.web>
<authorization>
<deny users="*" />
</authorization>
</system.web>
</location>
</configuration>
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(1)
有两件事:
该位置是相对于 web.config 文件的,因此如果您的 web.config 已位于 /Forms/Administration 中,则应将其更正为:
澄清允许和的顺序拒绝,授权将根据它找到的第一个匹配来申请,因此顺序非常重要。例如:
管理员将被拒绝,因为它与拒绝的第一个条目匹配...即使您在下一行指定允许管理员用户。因此,为了只允许管理员,正确的语法是:
总结
如果我正确地阅读了您想要的内容,这可能是您想要的最终产品:
Two things:
The location is relative to the web.config file, so if your web.config is already in /Forms/Administration it should be corrected to be:
To clarify about the order of Allow and Deny, authorization is going to apply based on the first match it finds, so order is very important. For instance:
Administrator will be denied since it matched the first entry of deny... even though you specified to allow the Administrator user on the next line. So to only allow the Administrator, the correct syntax would be:
In Summary
If I am reading what you want correctly, this is probably the final product you want: