asp.net MVC安全根文件夹仅适用于授权用户
[英]asp.net MVC secure root folder only for authorized users
问题描述
I am having this small extranet service where users can log in, get all sorts of info and download few files. 
我拥有这个小型Extranet服务,用户可以在其中登录,获取各种信息并下载少量文件。
Is it possible to secure root folder in MVC asp.net project? 是否可以在MVC asp.net项目中保护根文件夹? I am having a project where users have to log in before using any material. 我有一个项目,用户在使用任何材料之前必须先登录。 How ever if I use for example "/material" folder for every pdf, jpg, etc. files, other unauthorized users can see those files also. 如果我对每个pdf,jpg等文件都使用“ / material”文件夹,那么其他未经授权的用户也可以看到这些文件。
For example everybody can see this file if they type www.example.com/material/pdf-file.pdf So I want only authorized / logged users to see this file. 例如,如果每个人都输入www.example.com/material/pdf-file.pdf,则每个人都可以看到此文件。因此,我只希望授权/登录用户查看此文件。 Is this possible? 这可能吗?
2 个解决方案
解决方案1
2 2015-11-13 15:46:17
I managed to get it work. 我设法使它起作用。 Here is how I did it. 这是我的方法。
The first I added this line to Web.config file: 我首先将此行添加到Web.config文件中:
<system.webServer>
<modules runAllManagedModulesForAllRequests="true">
This allows dot chars in .pdf, .png, etc... in url's. 这样可以在网址的.pdf,.png等中使用点字符。
I added to RouteConfig.cs new routing for controller. 我将新的控制器路由添加到RouteConfig.cs中。
routes.MapRoute(
name: "Material",
url: "Material/Download/{file}",
defaults: new { controller = "Material", action = "Download", file = UrlParameter.Optional }
);
I created a new controller "Material". 我创建了一个新的控制器“材料”。
// GET: Material
[Authorize]
public ActionResult Download(string file)
{
string path = Server.MapPath(String.Format("~/App_Data/Material/{0}", file));
if(System.IO.File.Exists(path))
{
string mime = MimeMapping.GetMimeMapping(path);
return File(path, mime);
}
return HttpNotFound();
}
And also transfered material folder inside app_data. 并且还转移了app_data内的材料文件夹。
This seems to work nicely. 这似乎很好。 Only authorized users can access to material folder. 只有授权用户可以访问材料文件夹。
解决方案2
0 已采纳 2015-11-13 13:24:20
It's possible to do that, but there are a lot ways to accomplish that. 可以这样做,但是有很多方法可以实现。
A simplified scenario could be: 简化的方案可以是:
- Disable directory listing on IIS 在IIS上禁用目录列表
- Create a custom "download wrapper" controller+action for the purpose of serving of those files. 创建一个自定义的“下载包装” controller + action,以提供这些文件。
- Then wherever you create Action links, generate them using a
HtmlHelperwhich would redirect the client to the "wrapper" controllers action.然后,无论您在哪里创建Action链接,都可以使用HtmlHelper生成它们,它将客户端重定向到“包装器”控制器动作。 You can pass the filename in a parameter.您可以在参数中传递文件名。 - On the "wrapper" controller you could utize the
[Authorize]attribute or better yet, without using such attributes everywhere you could use FluentSecurity for handling the authorization.在“包装器”控制器上,您可以使用[Authorize]属性或更好的属性,而无需在任何地方都可以使用FluentSecurity来处理授权的属性。
After you create the "wrapper" controller your URL for getting a file could look like: 创建“包装器”控制器后,用于获取文件的URL如下所示:
www.example.com/ download / file /pdf-file.pdf
This example URL assumes controller name is 'download' and action name is 'file'. 此示例URL假定控制器名称为“ download”, 操作名称为“ file”。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.