asp.net 授权/身份验证处理非 asp.net 文件的方式是否发生了变化?
每当我过去使用 asp.net 身份验证/授权时,我都记得它从未用于保护 .htm .js .css 文件(实际上,任何不由 asp.net isapi dll 处理的文件)。
经过一段时间的其他工作后,我现在又回来做一些 Web 开发,这次使用 VS2010,现在情况正好相反。似乎所有文件都受到保护,因为我的登录页面上的图像和 .js 文件无法正常工作。
我的问题是,我最初关于如何处理非 asp.net 文件的假设是否错误?如果不是,这种变化是什么时候发生的? VS2010开发服务器是否发生了变化,现在意味着所有文件都由asp.net处理?
非常感谢。
编辑添加:
我刚刚注意到,当我从本地 IIS 服务器运行我的项目时,非 asp.net 文件(例如图像和 .js)不受保护。但是,当从 VS 开发服务器运行时,它们是这样的。显然,这归因于 IIS 和开发服务器之间的配置差异。这引出了另一个问题.. 是否可以配置 VS 开发服务器?
Whenever I've worked with asp.net authentication / authorization in the past, I can remember that it never used to secure .htm .js .css files (actually, any file that isn't processed by asp.net isapi dll).
After a while of doing other work I've now come back to doing some web development, this time using VS2010 and now the opposite is true. It appears as if all files are secured because the images and .js files on my login page aren't working.
My question is, was my initial assumption about how non asp.net files are dealt with wrong? If not, when did this change happen? Has there been a change in the VS2010 development server that now means that all files are processed by asp.net?
Many thanks.
Edit to add:
I've just noticed that when I run my project from a local IIS server, non asp.net files (eg images and .js) are NOT secured. However, when run from the VS Development server they are. Clearly this down to configuration differences between IIS and the dev server. This leads me to another question.. Is it possible to configure the VS dev server?
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(2)
此后我发现了一些与此问题相关的更多信息。
集成管道模式下的 IIS 7 确实会通过与 ASP.NET 内容相同的管道处理所有文件的请求,这意味着授权非 ASP.NET 文件的行为将会改变。
然而,为了保持向后兼容性,授权设置了一个先决条件,该先决条件将忽略任何非 ASP.NET 内容。这会造成行为没有改变的外观。
如果您想更改此行为并保护非 asp.net 内容,您可以通过将以下内容添加到 web.config 来覆盖此前提条件。
这有效地删除了 HttpModule 及其前提条件,并在没有前提条件的情况下重新添加它们。
Cassini被设置为使用集成管道模式,并且不具备向后兼容的前提条件。这意味着,如果您使用带有表单身份验证的 VS2010 开发服务器,则您别无选择,非 asp.net 内容将始终受到保护。
I've since found out some more info relating to this issue.
IIS 7 in integrated pipeline mode will indeed process the requests for all files through the same pipe as asp.net content, meaning that the behaviour of Authorizing non asp.net files will change.
However, to maintain backwards compatibility, Authorization has been set up with a precondition that will ignore anything that is not asp.net content. This creates the appearance that the behaviour hasn't changed.
If you would like to change this behaviour and secure non asp.net content, you can override this precondition by adding the following to the web.config.
This effectively removes the HttpModules along with their precondition and re-adds them without it.
Cassini is set up to use integrated pipeline mode and it doesn't have the backwards compatibility precondition. This means that if you're using the VS2010 dev server with forms authentication, you have no choice in the matter, non asp.net content will always be secured.
不,不是。这是 IIS 6(较旧版本)和 IIS7+ 中使用经典管道的默认工作方式,但可以通过通过 aspnet isapi 路由所有内容来更改它。
如果您在 IIS7+ 或 VS 开发 Web 服务器 (Cassini) 中使用集成管道,则所有请求都将通过 asp.net 身份验证进行路由。
No it wasn't. It is how it works by defualt in IIS 6 (an older) and in IIS7+ with classic pipeline but it can be changed by routing all content through aspnet isapi.
If you use integrated pipeline in IIS7+ or VS Developement Web server (Cassini) all requests are routed through asp.net authentication.