当前位置: 文江博客话题详情

用于保护使用表单身份验证的站点的 IIS7 基本身份验证

发布于 2024-09-28 00:36:30 字数 707 浏览 2 评论 0原文

这应该比事实证明的要简单得多!

我有一个 ASP.Net Web 应用程序,它使用 FORMS 身份验证来保护网站的部分内容(即会员登录区域)。

现在我只想在整个网站上放置一个传统/简单的浏览器密码弹出窗口(目录安全性),因为我们正在测试它,并且不希望任何人偶然发现该网站并看到未完成的版本等!

在较旧的 IIS 版本中,这曾经非常简单。

我已经“安装了基本身份验证”(因为 IIS7 现在还没有开箱即用)。但是当我启用它时,它告诉我不能与任何基于重定向的身份验证(这是我的 FORMS 身份验证使用的身份验证)同时启用它。

所以这太愚蠢了。

必须有一种超级简单的方法来简单地在整个站点上放置一个廉价的弹出密码,而不影响您在 web.config 中为实际应用程序设置的其他身份验证方法。

非常感谢..

更新 IP 访问限制并不好,原因如下: - 我的 IP 是动态的,因此不断变化。 - 我不想通过要求他们在机器上打开控制台并计算出他们的 IP 地址或检查他们的路由器等来打扰任何需要查看该网站的人。他们中的许多人都是非技术业务用户,这会他们花了一个小时计算出他们的 IP 地址。 - 基本身份验证和 Windows 身份验证都不允许底层表单身份验证保留在下面。

我们在这里看到的似乎是微软试图过度设计事物的大规模案例,结果是超级简单的古老要求不再可能或容易实现。这必须以某种方式成为可能......任何人???

原文

This should be much simpler than it has proven to be!

I have an ASP.Net web app which uses FORMS authentication to secure part of the site (i.e. the member login area).

Now I simply want to put a traditional/simple browser password popup (directory security) across the whole site because we are testing it and don't want anyone to stumble across the site and see the unfinished version etc!

This used to be super simple in older IIS versions.

I have "installed basic authentication" (as IIS7 doesn't come out of the box with this now). But when I enable it, it tells me that I can't have that enabled at the same time as any redirect based authentication (which is what my FORMS authentication uses).

So that's just stupid.

There has to be a super simple way to simply put a cheap popup password across the whole site without impacting on the other authentication method that you have setup inside web.config for the actual application.

Many thanks..

UPDATES
IP access restrictions are no good for a couple of reasons:
- My IP is dynamic and therefore constantly changing.
- I don't want to bother anyone that needs to see the site by asking them to bring up a console on their machine and work out their IP address or check their router etc. Many of them are non-technical business users and it will take them an hour to work out their IP address.
- Both basic auth and windows auth don't allow the underlying forms authentication to remain in place underneath.

What we seem to have here is a massive case of Microsoft trying to over-engineer things and as a result a super simple age-old requirements is no longer possible or easily achieveable. This has to be possible somehow... ANYONE???

如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。

扫码二维码加入Web技术交流群

发布评论

需要 登录 才能够评论, 你可以免费 注册 一个本站的账号。

评论(3

困倦 2024-10-05 00:36:30

我遇到了同样的问题。我将建立一个仅限预览组的测试版网站。该网站使用表单身份验证,但预览组中的一些人将拥有网站帐户,而其他人则没有。无论如何,每个人都需要进行 root 身份验证才能访问预览版。

到目前为止,我唯一完全按照我想要的方式工作的是 Helicon Ape。我正在进行试验,到目前为止一切顺利。

根目录中的标准 .htaccess 文件。

AuthUserFile c:\fakepath\.htpasswd
AuthType Basic
AuthName "SITE SECURITY"
Require valid-user

用户 .htpasswd 添加用户名和密码:用户名:加密密码

I am running into the same issue. I will be putting up a beta site limited to a preview group. The website uses forms authentication but some people from the preview group will have website accounts and others will not. Irrespective everyone will need to authenticate at root to gain access to the preview.

So far the only thing I have working exactly the way I want it is Helicon Ape. I am running the trial and so far so good.

Standard .htaccess file in root.

AuthUserFile c:\fakepath\.htpasswd
AuthType Basic
AuthName "SITE SECURITY"
Require valid-user

User .htpasswd to add a username and password: username:encryptedpassword.

回复 原文
雨夜星沙 2024-10-05 00:36:30

您所描述的是默认 ASP.NET 的限制,它只能一次运行一个身份验证模块。解决方案是构建您自己的 IHttpModule 执行您的自定义身份验证,如果成功,则将请求传递给继续使用表单的 ASP.NET。

以下是该模块的基本实现。它将返回 401 Unauthorized 并要求用户登录领域 WOPR。然后它将接受密码Joshua,忽略指定的用户名。

将其编译为单独的程序集并将其添加到 web.config 的 system.web/httpModulessystem.webServer/modules 部分中。无需对您的 Web 应用程序进行其他修改。

using System;
using System.Text;
using System.Web;

namespace Research {
    public class AuthenticationModule : IHttpModule {
        public void Init(HttpApplication app) {
            app.BeginRequest += (sender, e) => {
                if (!Authenticate(app.Context)) {
                    app.Context.Response.Status = "401 Unauthorized";
                    app.Context.Response.StatusCode = 401;
                    app.Context.Response.AddHeader("WWW-Authenticate", "Basic realm=WOPR");

                    app.Response.ClearContent();
                    app.Context.Response.End();
                }
            };
        }

        public void Dispose() {
        }

        public static Boolean Authenticate(HttpContext context) {
            var authHeader = context.Request.Headers.Get("Authorization");
            if (String.IsNullOrEmpty(authHeader))
                return false;

            if (!authHeader.StartsWith("Basic "))
                return false;

            var base64Credentials = authHeader.Substring(6);
            var binaryCredentials = Convert.FromBase64String(base64Credentials);
            var asciiCredentials = Encoding.ASCII.GetString(binaryCredentials);
            if (!asciiCredentials.Contains(":"))
                return false;

            var credentials = asciiCredentials.Split(new[] { ':' }, 2);
            return credentials[1] == "Joshua";
        }
    }
}

What you describe is a limitation of default ASP.NET, it is only built to run one authentication module at a time. The solution is to build your own IHttpModule that does your custom authentication, and if successful, pass the request to ASP.NET which continue to use Forms.

The following is a basic implementation of such module. It will return a 401 Unauthorized and ask the user to login to the realm WOPR. It will then accept the password Joshua, ignoring the username specified.

Compile this as a separate assembly and add it to your web.config, in the system.web/httpModules and system.webServer/modules sections. No other modification of your web application is required.

using System;
using System.Text;
using System.Web;

namespace Research {
    public class AuthenticationModule : IHttpModule {
        public void Init(HttpApplication app) {
            app.BeginRequest += (sender, e) => {
                if (!Authenticate(app.Context)) {
                    app.Context.Response.Status = "401 Unauthorized";
                    app.Context.Response.StatusCode = 401;
                    app.Context.Response.AddHeader("WWW-Authenticate", "Basic realm=WOPR");

                    app.Response.ClearContent();
                    app.Context.Response.End();
                }
            };
        }

        public void Dispose() {
        }

        public static Boolean Authenticate(HttpContext context) {
            var authHeader = context.Request.Headers.Get("Authorization");
            if (String.IsNullOrEmpty(authHeader))
                return false;

            if (!authHeader.StartsWith("Basic "))
                return false;

            var base64Credentials = authHeader.Substring(6);
            var binaryCredentials = Convert.FromBase64String(base64Credentials);
            var asciiCredentials = Encoding.ASCII.GetString(binaryCredentials);
            if (!asciiCredentials.Contains(":"))
                return false;

            var credentials = asciiCredentials.Split(new[] { ':' }, 2);
            return credentials[1] == "Joshua";
        }
    }
}
回复 原文
终弃我 2024-10-05 00:36:30

因为您想要使用 FORMS 身份验证,所以有一个简单的解决方案...

  1. 将此部分添加到主标题下的 web.config 中。不要合并它——只需将其复制粘贴为一个块即可。位置标记会将这些规则与 web.config 的其余部分隔离,并允许稍后轻松删除。

     <位置allowOverride="false">
             <系统.web>
                 <身份验证模式=“表单”>
                     <表单loginUrl =“frontdoor.aspx”名称=“.ASPXFORMSAUTH”>
                     
                 
                 <授权>
                     <拒绝用户=“?” >>

  2. 创建一个名为“frontdoor.aspx”的页面。从以下链接获取该 aspx 页面的内容:http://msdn.microsoft。 com/en-us/library/xdt4thhy.aspx(向下滚动到显示“创建登录页面”的位置)

  3. 全部完成!这将锁定您的整个网站,并允许您独立于网站的其余部分指定前门的用户名和密码(我将此过程称为“锁定前门”)。前门凭据在前门文件本身中指定(不是很安全,但足以满足您(我们)的需要)在此条件中:

    [第 6 行:]

    If ((UserEmail.Text = "TheSharedFrontDoorLogonName") And (UserPass.Text = "AndItsPassword")) 然后

修改条件以满足您的需求,然后向您的客户发送电子邮件/business-键入前门的凭据。

There is a simple solution for you since you want to use FORMS authentication...

  1. Add this section to your web.config under the main header. Do not merge it -- just copy paste it as one block. The location tag will isolate these rules from the rest of the web.config and allow its easy removal later.

     <location allowOverride="false">
             <system.web>
                 <authentication mode="Forms">
                     <forms loginUrl="frontdoor.aspx" name=".ASPXFORMSAUTH">
                     </forms>
                 </authentication>
                 <authorization>
                     <deny users="?" />
                 </authorization>
             </system.web>
         </location>

  2. Create a page called "frontdoor.aspx". Get the contents of that aspx page from this link: http://msdn.microsoft.com/en-us/library/xdt4thhy.aspx (scroll down to where it says: "To create the logon page")

  3. ALL DONE! This will lock your entire site and allow you to specify the username and password (I call this process "locking the front door") for the front door independently from the rest of the site. The front door credentials are specified in the front door file itself (not very secure but good enough for what you (we) need) in this conditional:

    [Line 6:]

    If ((UserEmail.Text = "TheSharedFrontDoorLogonName") And (UserPass.Text = "AndItsPassword")) Then

Modify the conditional to suit your needs and then e-mail your clients/business-types the credentials to the front door.

回复 原文
~没有更多了~

关于作者

清风夜微凉

暂无简介

0 文章
0 评论
654 人气
发私信

相关话题

更多

热门标签

操作系统 程序设计 IT运维 Linux系统管理 JavaScript 服务器应用 solaris C/C++ PHP Shell BSD Vue.js aix Oracle Python HTML 系统管理 HTML5 CSS 前端
更多

推荐作者

lorenzathorton8

文章 0 评论 0

Zero

文章 0 评论 0

萧瑟寒风

文章 0 评论 0

mylayout

文章 0 评论 0

tkewei

文章 0 评论 0

17818769742

文章 0 评论 0

更多

友情链接

文江博客
    我们使用 Cookies 和其他技术来定制您的体验包括您的登录状态等。通过阅读我们的 隐私政策 了解更多相关信息。 单击 接受 或继续使用网站,即表示您同意使用 Cookies 和您的相关数据。
    原文