将 Windows 身份验证重定向到自定义 401 页面
我们正在将一些过去在表单身份验证下运行的 Web 应用程序转换为现在作为 Windows 身份验证运行。我想重新创建表单身份验证所具有的页面安全性,并对实际页面进行最少的修改。我能够使用简化的网络应用程序重新创建我想要的效果。我正在 Server 2008 R2 集成管道 IIS 7.5 上运行该应用程序。
我使用 Windows 身份验证创建了一个简单的 3 页应用程序。这三个页面是:
- Openpage.aspx,对任何经过身份验证的用户开放
- Blockpage.aspx 对所有用户阻止(表示根据用户角色对部分用户阻止的目录或页面)
- ErrorPage.aspx,如果访问(并拒绝)blockedpage.aspx,则应用程序应转发到 ErrorPage.aspx,用户可以在其中获取有关应用程序的一般信息。
应用程序的 Web.Config:(
<configuration>
<system.web>
<compilation debug="true" targetFramework="4.0" />
<authentication mode="Windows"/>
<authorization>
<deny users="?" />
<allow users="*" />
</authorization>
</system.web>
<location path="blockedpage.aspx">
<system.web>
<authorization>
<deny users="*"/>
</authorization>
</system.web>
</location>
<system.webServer>
<httpErrors errorMode="Custom" >
<remove statusCode="401" subStatusCode="-1" />
<error statusCode="401" path="/development/simplesecurityapp/errorpage.aspx" responseMode="ExecuteURL" />
</httpErrors>
<validation validateIntegratedModeConfiguration="false" />
<defaultDocument>
<files>
<clear />
<add value="openpage.aspx" />
</files>
</defaultDocument>
</system.webServer>
</configuration>
如果我不尝试在 ASP.NET 级别重定向 401 错误,我只会收到标准的“未授权消息”,这不是我想要给用户的效果。)
但是,我收到一个我不明白的错误 - 每次服务器重置时,应用程序都会停止工作。 IIS只是简单地返回401错误,直到浏览器弹出手动登录控件,这是无法满足的。 (我从不希望我的用户看到浏览器登录提示)
但是,如果我在应用程序设置后替换 httperrors 部分(通过编辑 Web 配置,或使用服务器 GUI 更新它),则删除该部分,访问该页面,然后添加回该部分,应用程序开始按预期工作,并继续直到服务器重新启动,此时它开始再次向用户提供手动登录弹出窗口,但用户无法解决该问题。
1) 这是通过 Windows 身份验证保护应用程序安全的正确方法吗(是否有更好的方法来配置像表单中那样不可访问的目录,但仍提供自定义错误页面?)
2) 这是集成管道的影响吗?为什么是这样工作的吗?
We are converting some of our web applications that used to run under forms authentication, to now run as windows authentication. I want to recreate the page security that forms authentication had with minimum modification to the actual pages. I was able to recreate the effect I want, with a simplified web app. I am running the app on Server 2008 R2 integrated pipeline IIS 7.5.
I created a simple 3 page app using windows authentication. The three pages are:
- Openpage.aspx, that is open to any authenticated user
- Blockedpage.aspx that is blocked to all users (symbolic of a directory or page that would be blocked to a subset of users based on user role)
- ErrorPage.aspx,if blockedpage.aspx is accessed (and rejected) the application should forward to ErrorPage.aspx where the user gets generic information about the application.
The Web.Config for the app:
<configuration>
<system.web>
<compilation debug="true" targetFramework="4.0" />
<authentication mode="Windows"/>
<authorization>
<deny users="?" />
<allow users="*" />
</authorization>
</system.web>
<location path="blockedpage.aspx">
<system.web>
<authorization>
<deny users="*"/>
</authorization>
</system.web>
</location>
<system.webServer>
<httpErrors errorMode="Custom" >
<remove statusCode="401" subStatusCode="-1" />
<error statusCode="401" path="/development/simplesecurityapp/errorpage.aspx" responseMode="ExecuteURL" />
</httpErrors>
<validation validateIntegratedModeConfiguration="false" />
<defaultDocument>
<files>
<clear />
<add value="openpage.aspx" />
</files>
</defaultDocument>
</system.webServer>
</configuration>
(If I don’t attempt to redirect the 401 errors at the asp.net level, I just get the standard “not authorized message” which is not the effect I want to give my users.)
However, I am getting an error that I don’t understand – every time the server resets, the app stops working. IIS simply returns 401 errors until the browser pops up a manual log-in control, which cannot be satisfied. (I never want my users to be presented with the browser log-in prompt)
However, if I replace the httperrors section once the application is set up (either by editing the web config, or updating it with the server GUI) removing the section, accessing the page, and then adding the section back, the application starts to work as expected, and continues to until the server is rebooted, at which time it starts giving users the manual login pop-up again, which they cannot resolve.
1) Is this the correct way to secure an app with windows authentication (is there a better way to configure a directory inaccessible like in forms, yet still supply a custom error page?)
2) Is this an effect of the integrated pipeline and why is it working this way?
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(1)
您正在尝试通过传输错误消息提供内容。
Forms 允许您执行此操作,因为它由第 7 层内容组成,例如 302 和 200。 401 被客户端浏览器解释为“服务器不喜欢我的凭据,因此打开一个对话框来请求新的凭据”。
经过身份验证的页面至少会产生 1 401 才能通过身份验证;您为其他事情超载了“错误”可能是问题的根源。
我不确定是否有一种优雅的方式来做你想做的事。
You're trying to provide content over a transport error message.
Forms allows you to do this because it's composed of layer 7 stuff, like 302s and 200s. 401s are interpreted by the client browser as "the server didn't like my credentials, so raise a dialog box to ask for new ones".
An authenticated page produces at least 1 401 in order to become authenticated; that you're overloading the "error" for something else is probably the root of the problem.
I'm not sure there's an elegant way of doing what you want.