ASP.NET用户权限
我对此感到非常困惑,并且没有任何文本/文档/SO问题为我阐明了这个问题。
我希望我的 asp.net MVC 应用程序能够将 XML 文档保存到服务器上的文件夹中。但我遇到了异常...
Access to the path 'D:\blah\blah\folder\xml_data.xml' is denied.
据我所知,我的应用程序正在一个没有写入权限的用户帐户下运行。
我想我以前遇到过这个问题,我的解决方案是联系我的网络托管服务商并要求他们授予我的网站权限。
但是,如果我想创建自己的具有相应权限的自定义角色集怎么办?这些必须添加到IIS中吗?我是否必须创建一个列表,然后将其交给网络主机?这样的列表会是什么样子?据我了解,无法在 web.config 中配置角色和权限,对吗?
一旦我设置了角色及其权限,如何设置应用程序运行的默认角色,以及如何以编程方式更改应用程序运行的角色?
附:我不想使用 asp.net 会员资格,我想知道如何自行设置。
I am quite confused about this and none of the texts / docs / SO questions have elucidated the matter for me.
I want my asp.net MVC app to be able to save an XML doc to a folder on the server. But I am getting an exception...
Access to the path 'D:\blah\blah\folder\xml_data.xml' is denied.
So as I understand it my application is running under a user account that does not have write permissions.
I think I had this problem before and my solution was to contact my web host and ask them to give my site permissions.
But what if I want to create my own custom set of roles with corressponding permissions? Do these have to be added into IIS? Would I have to create a list and then hand it over the the web host? What would such a list look like? As I understand it, it is not possible to configure roles and permissions in web.config, is that correct?
Once I have the roles and their permissions set up how to I set the default role for the app to run under and also how do I programitically change the role that the app is running under?
ps. I don't want to use asp.net membership I would like to know how to set this up myself.
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(1)
使用 ASP.NET 会员资格。我不在乎你是否不喜欢它。使用它。这很容易、很简单,而且安全性也很好。如果你自己做并且不知道自己在做什么,你就会搞砸安全。
人们对会员资格的评价很差,但它是一个很好的工具。大多数人只是对此做出了错误的假设。
您可以在成员资格/角色 API 中定义您的角色。这存储在您的数据库中。如果没有用户来应用角色,您就无法拥有角色,因此您需要某种类型的成员资格系统。
编辑:
这里有两种用户。第一个是 ASP.NET 工作进程在 IIS 下运行的用户。这是您的主机必须定义的用户,并允许访问各种文件夹以访问文件。
第二个是asp.net的IIdentity用户,这是asp.net为登录的Web用户定义的用户,它与Worker进程用户完全分开。除了分配给工作进程标识的权限外,IIdentity 用户没有固有的操作系统权限或特权。
换句话说,基于 IIDentity 的用户在 IIS 中以相同的工作进程身份运行。
例外情况是当您在 web.config 中定义“impersonate=true”时,这允许工作进程以相关用户的身份“登录”到操作系统。换句话说,工作进程将作为 Web 用户凭据运行。这要求 Web 用户在操作系统中也拥有凭据。
另一个例外是您可以在 web.config 中指定要模拟的特定操作系统用户。但是,同样,必须有一个操作系统用户可以模拟。此外,模拟是一种非常昂贵的操作,并且需要大量的系统资源。
请参阅 http://msdn.microsoft.com/en -us/library/aa292118(v=vs.71).aspx
Use asp.net membership. I don't care if you don't like it. Use it. It's easy, it's simple, and it gets security right. You will mess security up if you do it yourself and don't know what you're doing.
People give membership a bad rap, it's a good tool. Most people just make the wrong assumptions about it.
You define your roles in the membership/role API. This is stored in your database. You can't have roles without a user to apply them to, so you need a membership system of some type.
EDIT:
There are two kinds of users here. The first is the user that the ASP.NET worker process runs as under IIS. This is the user that your host must define, and allow to access various folders to access files.
The second is the IIdentity user of asp.net, this is the user that asp.net defines for the logged in web user, and this is completely seperate from the Worker process user. IIdentity users have no inherent operating system rights or privileges, other than those assigned to the worker process identity.
In other words, IIDentity based users run as the same Worker process identity in IIS.
The exception to this is when you define "impersonate=true" in the web.config, and this allows the worker process to "log on" to the OS as the user in question. In other words, the worker process will run as the web users credentials. This requires that the web user have credentials in the OS as well.
The other exception is that you can specify a specific OS user to impersonate in the web.config. But, again, there must be an operating system user to impersonate. Also, impersonation is a very expensive operation and takes a lot of system resources.
See http://msdn.microsoft.com/en-us/library/aa292118(v=vs.71).aspx