浏览器和网络客户端在安全性方面有什么区别?
我有一个 ASP.Net 页面,可以执行一些文件 IO 工作。当我从 Web 浏览器(即 chrome)请求它时,它会成功,但是当我从应用程序中的 WebClient 实例请求它时,它会给我一个“System.Security.SecurityException”。这两个请求有显着差异吗?为了让此页面在我的 Web 客户端中正常工作,我需要了解有关代码访问安全性的哪些信息?
以下是原始的 fiddler 请求和响应:
浏览器请求:
GET http://192.168.1.89/QuickCutConsoleDataProvider/UpdateItemFiles.aspx HTTP/1.1
Host: 192.168.1.89
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
浏览器响应:
HTTP/1.1 200 OK
Via: 1.1 PHOBOS
Connection: Keep-Alive
Proxy-Connection: Keep-Alive
Content-Length: 35189
Date: Tue, 14 Dec 2010 14:08:46 GMT
Content-Type: application/zip
Server: Microsoft-IIS/7.5
Cache-Control: private
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET
... Binary Content ...
Web 客户端请求:
POST http://192.168.1.89/QuickCutConsoleDataProvider/UpdateItemFiles.aspx?Guid=e30e1826-3d96-4769-a540-acd911cccf02 HTTP/1.1
Content-Type: multipart/form-data; boundary=---------------------8cd697dcbf75ed4
Host: 192.168.1.89
Content-Length: 303
Expect: 100-continue
-----------------------8cd697dcbf75ed4
Content-Disposition: form-data; name="file"; filename="Catalog.xml"
Content-Type: application/octet-stream
<?xml version="1.0" encoding="utf-8" standalone="yes"?>
<catalog version="1.0">
<items />
</catalog>
-----------------------8cd697dcbf75ed4--
Web 客户端响应(例外):
HTTP/1.1 200 OK
Via: 1.1 PHOBOS
Connection: Keep-Alive
Proxy-Connection: Keep-Alive
Content-Length: 1244
Date: Tue, 14 Dec 2010 14:12:34 GMT
Content-Type: text/xml; charset=utf-8
Server: Microsoft-IIS/7.5
Cache-Control: private
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET
<error type="System.Security.SecurityException">
<message>Request for the permission of type 'System.Security.Permissions.FileIOPermission, mscorlib, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089' failed.</message>
<stack-trace><![CDATA[ at System.Security.CodeAccessSecurityEngine.Check(Object demand, StackCrawlMark& stackMark, Boolean isPermSet)
at System.Security.CodeAccessPermission.Demand()
at System.IO.File.GetLastWriteTimeUtc(String path)
at Ionic.Zip.ZipEntry.Create(String nameInArchive, ZipEntrySource source, Object arg1, Object arg2)
at Ionic.Zip.ZipEntry.CreateFromFile(String filename, String nameInArchive)
at Ionic.Zip.ZipFile.AddFile(String fileName, String directoryPathInArchive)
at Ionic.Zip.ZipFile.AddFile(String fileName)
at MyApplication.UpdateItemFiles.GetUpdateContent(XDocument a_xManifest, Stream[] a_arrExtraContent) in C:\Software\MyApplication\Alpha\Web Interface\UpdateItemFiles.aspx.cs:line 282
at MyApplication.UpdateItemFiles.Page_Load(Object sender, EventArgs e) in C:\Software\MyApplication\Alpha\Web Interface\UpdateItemFiles.aspx.cs:line 31]]></stack-trace>
<inner-exception>null</inner-exception>
</error>
I have an ASP.Net page that does some file IO work. When I request it from a web browser, namely chrome, it succeeds, but when I request it from a WebClient instance in my application it gives me a 'System.Security.SecurityException'. Are there significant differences in the two requests? What do I need to do know about code-access-security in order to get this page to work from within my Web Client?
Here is the raw fiddler requests and responses:
Browser Request:
GET http://192.168.1.89/QuickCutConsoleDataProvider/UpdateItemFiles.aspx HTTP/1.1
Host: 192.168.1.89
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Browser Response:
HTTP/1.1 200 OK
Via: 1.1 PHOBOS
Connection: Keep-Alive
Proxy-Connection: Keep-Alive
Content-Length: 35189
Date: Tue, 14 Dec 2010 14:08:46 GMT
Content-Type: application/zip
Server: Microsoft-IIS/7.5
Cache-Control: private
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET
... Binary Content ...
Web Client Request:
POST http://192.168.1.89/QuickCutConsoleDataProvider/UpdateItemFiles.aspx?Guid=e30e1826-3d96-4769-a540-acd911cccf02 HTTP/1.1
Content-Type: multipart/form-data; boundary=---------------------8cd697dcbf75ed4
Host: 192.168.1.89
Content-Length: 303
Expect: 100-continue
-----------------------8cd697dcbf75ed4
Content-Disposition: form-data; name="file"; filename="Catalog.xml"
Content-Type: application/octet-stream
<?xml version="1.0" encoding="utf-8" standalone="yes"?>
<catalog version="1.0">
<items />
</catalog>
-----------------------8cd697dcbf75ed4--
Web Client Response (exception):
HTTP/1.1 200 OK
Via: 1.1 PHOBOS
Connection: Keep-Alive
Proxy-Connection: Keep-Alive
Content-Length: 1244
Date: Tue, 14 Dec 2010 14:12:34 GMT
Content-Type: text/xml; charset=utf-8
Server: Microsoft-IIS/7.5
Cache-Control: private
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET
<error type="System.Security.SecurityException">
<message>Request for the permission of type 'System.Security.Permissions.FileIOPermission, mscorlib, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089' failed.</message>
<stack-trace><![CDATA[ at System.Security.CodeAccessSecurityEngine.Check(Object demand, StackCrawlMark& stackMark, Boolean isPermSet)
at System.Security.CodeAccessPermission.Demand()
at System.IO.File.GetLastWriteTimeUtc(String path)
at Ionic.Zip.ZipEntry.Create(String nameInArchive, ZipEntrySource source, Object arg1, Object arg2)
at Ionic.Zip.ZipEntry.CreateFromFile(String filename, String nameInArchive)
at Ionic.Zip.ZipFile.AddFile(String fileName, String directoryPathInArchive)
at Ionic.Zip.ZipFile.AddFile(String fileName)
at MyApplication.UpdateItemFiles.GetUpdateContent(XDocument a_xManifest, Stream[] a_arrExtraContent) in C:\Software\MyApplication\Alpha\Web Interface\UpdateItemFiles.aspx.cs:line 282
at MyApplication.UpdateItemFiles.Page_Load(Object sender, EventArgs e) in C:\Software\MyApplication\Alpha\Web Interface\UpdateItemFiles.aspx.cs:line 31]]></stack-trace>
<inner-exception>null</inner-exception>
</error>
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(2)
这在很大程度上仍在 Windows 身份验证中运行 - 尽管您认为您已经更改了它。我敢打赌,模仿也已经开始了。
仔细检查身份验证。在进行 IO 操作时,吐出一些调试代码来记录当前身份。
This is very much still running in windows authentication - although you believe you have changed it. I bet impersonation is also on.
Double check the authentication. Spit out some debug code to log current identity when it is doing the IO operation.
该问题与 IIS 身份验证无关。这是我使用的 Zip 库 DotNetZip。 CAS 不愿意授予它文件 IO 权限。我最终不得不用文件流代理 IO 操作。唯一的缺点是,无论我想要添加到 Zip 存档中的文件,我都必须保持流打开,直到保存存档。它们是文件流,因此使用的内存很少。
有人提到了 WCF,这本来是理想的选择,但决策者认为这种方式太昂贵了。
The problem had nothing to do with IIS authentication. It was the Zip library I was using, DotNetZip. CAS wasn't willing to give it File IO permissions. I finally had to proxy IO operations with file streams. The only downside is that ever file I wanted to add to the Zip archive, I had to leave a stream open until the archive was saved. They were file streams so there was very little memory used.
Someone mentioned WCF, and that would have been ideal, but the decision maker decided that that way was to expensive.