How do I configure user authorization on dynamically created resources in an ASP.NET web application using Forms Authentication?
Suppose some users log in to my web app. They get authenticated (as something other than the anonymous user), so they can access any resource in the directory. The system.web/authorization section of web.config is set to deny access to anonymous users like this:
<system.web><authorization>
<deny users="?" />
</authorization></system.web>
Actually, from what I understand, this only protects files accessed through the ASP.NET system. If I drop a JPG file in there, it's accessible to everyone, without authentication/authorization. In order to ensure all files are protected, there's a different section for that:
<system.webServer><security><authorization>
<add accessType="Deny" users="?" />
</authorization></security></system.webServer>
Of course, now when someone attempts to access the JPG file, they don't get redirected to the login page. Instead, they get a nasty HTTP Error 401.2 - Unauthorized.
Now, suppose a user causes a file to be created on the server. How, in context of this elaborate Forms Authentication and Authorization scheme, do I ensure that only that user's web browser can access the file via its URL? For example, must I modify the web.config file? If so, do I have to do this manually or can it be done through code? Will modifying it frequently cause the application to be interrupted/restarted?
You can’t ensure this. With forms authentication and authorization you have to be explicit, listing concrete users or roles. No chance to specify this dynamically.
For dynamically created resources I use generic handlers. With this approach there is no need for protecting temporary files, because there are no temporary files. The content is directly streamed to the user. In this approach your protection is part of your application logic, possibly inside the generic handler.
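An added example of the generic-handler approach described in the answer (this code is not from the question or the answer). It assumes per-user files are stored under ~/App_Data/UserFiles/<username>/ (App_Data is never served directly by IIS) and that the handler is requested as /UserFile.ashx?name=report.pdf, so the only way to reach a file is through the handler, which authorizes against the Forms Authentication identity rather than the URL.

```csharp
// Added example; handler name, folder layout and query parameter are assumptions.
using System;
using System.IO;
using System.Web;

public class UserFileHandler : IHttpHandler
{
    public bool IsReusable { get { return true; } }

    public void ProcessRequest(HttpContext context)
    {
        // Forms Authentication has already populated context.User for this request.
        if (context.User == null || !context.User.Identity.IsAuthenticated)
        {
            context.Response.StatusCode = 401;
            return;
        }

        // Only a bare file name is accepted; anything with a path component is rejected.
        string name = context.Request.QueryString["name"];
        if (string.IsNullOrEmpty(name) || name != Path.GetFileName(name))
        {
            context.Response.StatusCode = 400;
            return;
        }

        // Authorization is per user: the folder is derived from the authenticated identity
        // (issued by the application in the auth ticket), never from anything the client sends.
        string root = context.Server.MapPath("~/App_Data/UserFiles");
        string userDir = Path.Combine(root, context.User.Identity.Name);
        string fullPath = Path.GetFullPath(Path.Combine(userDir, name));

        // Second guard against escaping the user's folder, then existence check.
        // 404 for both "not yours" and "missing" so nothing is leaked about other users' files.
        if (!fullPath.StartsWith(userDir + Path.DirectorySeparatorChar, StringComparison.OrdinalIgnoreCase)
            || !File.Exists(fullPath))
        {
            context.Response.StatusCode = 404;
            return;
        }

        // Stream the file directly; no publicly reachable copy ever exists.
        context.Response.ContentType = MimeMapping.GetMimeMapping(fullPath);
        context.Response.AddHeader("Content-Disposition", "attachment; filename=\"" + name + "\"");
        context.Response.Cache.SetCacheability(HttpCacheability.NoCache);
        context.Response.TransmitFile(fullPath);
    }
}
```

Because the .ashx itself lives in the directory covered by the deny-anonymous rules above, unauthenticated requests to it are still redirected to the login page by Forms Authentication, while the per-user check inside the handler decides which authenticated user may receive which file.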