Asp.Net Webforms 安全性 - 破坏应用程序迁移到 .Net 4
我已将应用程序从 .Net 3.5 中的 WebForms 移至 .Net 4。唯一的更改是对 web.config 进行删除,以删除 3.5 扩展,因为它们现在是 .Net 4 的一部分。
我在使用 FormsAuthentication 和自定义主体进行安全保护的站点中有以下小程序标记(持久软件 JUpload 控件):
<APPLET
id="UploadCtl"
CODE="persits.transfer.gui.UploadUI.class"
ARCHIVE="JUpload.jar"
WIDTH="99%" HEIGHT="200"
NAME="JUpload" MAYSCRIPT="yes"
>
<PARAM NAME="cabbase" VALUE="JUpload.cab" />
<PARAM NAME="UseSockets" VALUE="false" />
<param name="DNDOverrideEnabled" value="true" />
<PARAM NAME="ShowTransferButton" VALUE="false" />
<PARAM NAME="AllowAddFiles" VALUE="true" />
<param name="AllowRemoveFiles" value="true" />
<param name="UploadURL" value="/site/manageDocumentsPost.aspx" />
<param name="FinalURL" value="/site/manageDocuments.aspx" />
<PARAM NAME="DebugInformation" VALUE="true">
<param name="MaxFileSize" value="2500" />
<PARAM NAME="Cookie1" VALUE="ASP.NET_SessionId=<% =SessionId %>">
<PARAM NAME="Cookie2" VALUE="<%=FormsCookieName %>=<%=FormsCookieValue %>">
</APPLET>
基本上,该控件将发布到 UploadURL 中指定的 url。这两个 cookie 参数用于确保用户的 SessionId 和 FormsAuthTicket 在进行发布时由上传小程序发送。
正如我所说,这在 .Net 3.5 (CLR 2.0) 中完美运行。转向 .Net 4、CLR4,似乎发生的情况是,对 /site/ManageDocumentsPost.aspx 的请求被重定向到登录页面,然后控件会显示此内容(假设上传顺利)。不过,帖子页面从未真正执行其代码(并且帖子不应返回任何内容,从而导致控件请求 FinalUrl)。
使用Fiddler,我可以看到manageDocumentsPost 导致重定向,并且此重定向具有不同的Asp.Net SessionId。
有什么想法可能会改变导致这种情况吗?更重要的是,有什么想法让它再次发挥作用吗?
谢谢 安迪
I've moved an application from WebForms in .Net 3.5 to .Net 4. The only change was to the web.config to remove the 3.5 extensions, since they are part of .Net 4 now.
I have the following applet tag (Persists software JUpload control) in a site securied using FormsAuthentication and a custom principal:
<APPLET
id="UploadCtl"
CODE="persits.transfer.gui.UploadUI.class"
ARCHIVE="JUpload.jar"
WIDTH="99%" HEIGHT="200"
NAME="JUpload" MAYSCRIPT="yes"
>
<PARAM NAME="cabbase" VALUE="JUpload.cab" />
<PARAM NAME="UseSockets" VALUE="false" />
<param name="DNDOverrideEnabled" value="true" />
<PARAM NAME="ShowTransferButton" VALUE="false" />
<PARAM NAME="AllowAddFiles" VALUE="true" />
<param name="AllowRemoveFiles" value="true" />
<param name="UploadURL" value="/site/manageDocumentsPost.aspx" />
<param name="FinalURL" value="/site/manageDocuments.aspx" />
<PARAM NAME="DebugInformation" VALUE="true">
<param name="MaxFileSize" value="2500" />
<PARAM NAME="Cookie1" VALUE="ASP.NET_SessionId=<% =SessionId %>">
<PARAM NAME="Cookie2" VALUE="<%=FormsCookieName %>=<%=FormsCookieValue %>">
</APPLET>
Basically the control will post to the url specified in UploadURL. The two cookie parameters are there to ensure that the user's SessionId and FormsAuthTicket are sent by the upload applet when doing the post.
As I stated, this works perfectly in .Net 3.5 (CLR 2.0). Moving to .Net 4, CLR4, what seems to happen is that the request for /site/ManageDocumentsPost.aspx gets redirected to the logon page, and the control then displays this assuming the upload went fine. The post page never actually executes it's code though (and the post should return nothing, thus causing the control to ask for the FinalUrl).
Using Fiddler I can see that the manageDocumentsPost causes a redirect, and this redirect has a different Asp.Net SessionId.
Any ideas what might have changed to cause this? More importantly, any ideas to get it functioning again?
Thanks
Andy
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(1)
好吧,我想出了如何让它发挥作用。
以前我将主体存储在会话中,并在 AquireSessionState 事件中加载。
现在,我在登录期间将主体存储在缓存中,并将一些信息写入票证中,以便我可以在缓存中找到它。
在 AuthenticateRequest 事件中,如果用户经过身份验证,我可以轻松找到实际的主体并从缓存中获取它。由于某种原因,虽然控件导致此事件在未经身份验证的情况下触发,但会话和 formsauthcookie 都存在于请求中。我解密身份验证 cookie,然后使用票证中的信息再次找到主体。
这样用户就通过了事件处理程序结束的身份验证,一切就可以正常进行了。
希望对其他人有帮助。
Ok, I figured out how to get this working.
previously I was storing the principal in session, and loading in the AquireSessionState event.
Now I store the principal in the cache during logon and write some information into the ticket to allow me to locate it in the cache.
In the AuthenticateRequest event, if the user is authenticated I can easily find the actual principal and get it from the cache. For some reason though the control causes this event to fire unauthenticated, but the session and formsauthcookie are both present in the request. I decrypt the auth cookie, and then use the information in the ticket to find the principal again.
In this way the user is authenticated by the end of the event handler, and everything can proceed normally.
Hope that helps someone else.