从c#web app中的网络共享访问文件
[英]Access files from network share in c# web app
问题描述
I have a web application that needs to read (and possibly write) files from a network share. 
我有一个Web应用程序,需要从网络共享中读取(并可能写入)文件。 I was wondering what the best way to do this would be? 我想知道最好的方法是什么?
I can't give the network service or aspnet accounts access to the network share. 我不能给网络服务或aspnet帐户访问网络共享。 I could possibly use impersonation. 我可以使用模仿。
The network share and the web application are both hosted on the same domain and I can create a new user on the domain specifically for this purpose however I'm not quite sure how to join the dots between creating the filestream and specifying the credentials to use in the web application. 网络共享和Web应用程序都托管在同一个域上,我可以专门为此目的在域上创建一个新用户但是我不太清楚如何在创建文件流和指定要使用的凭据之间加入点在Web应用程序中。
Unfortunately the drive isn't mapped as a network drive on the machine, it's only available to me as a network share so unfortunately I can't make a transparent call. 遗憾的是,驱动器未映射为计算机上的网络驱动器,它仅作为网络共享提供给我,所以不幸的是我无法进行透明呼叫。
There is one problem I can think of with impersonation... I can only impersonate one user per application domain I think but I'm happy to be corrected. 有一个问题,我可以模拟想到的......我只能模仿每个应用程序域一个用户我想 ,但我很高兴能得到纠正。 I may need to write this file to several different shares which means I may have to impersonate several users. 我可能需要将此文件写入多个不同的共享,这意味着我可能需要冒充几个用户。
I like the idea of creating a token... if I can do that I'll be able to ask the use up front for their credentials and then dynamically apply the security and give them meaningful error messages if access is denied... I'm off to play but I'll be back with an update. 我喜欢创建令牌的想法...如果我能做到这一点,我将能够预先使用他们的凭据,然后动态应用安全性并在访问被拒绝时给他们有意义的错误消息...我我要去玩,但我会回来更新。
5 个解决方案
解决方案1
3 2008-08-27 01:59:39
Given everyone already has domain accounts. 鉴于每个人都已拥有域帐户。 Try IIS integrated authentication. 尝试IIS集成身份验证。 You will get an ugly logon box off network but your creds should pass down to the file share. 您将从网络上获得一个丑陋的登录框,但您的信用卡应该传递到文件共享。
@lomaxx @lomaxx
Are you saying that only you have perms to the share or that you manually mapped it to a drive letter. 你是说只有你有共享权限或手动将其映射到驱动器号。 If the later you can use ucn \\host\\share the same way you would use ac:\\shared_folder. 如果以后你可以使用ucn \\ host \\ share,就像使用ac:\\ shared_folder一样。
Random Would it be a burden to mirror the share to a local folder on the host? 随机将共享镜像到主机上的本地文件夹是否是一种负担? I hear ROBOCOPY is pretty handy. 我听说ROBOCOPY非常方便。
Another Idea. 另一个想法。 Run IIS on your target share you can read via http and if you need to write investigate webdav. 在目标共享上运行IIS,您可以通过http阅读,如果您需要编写调查webdav。
解决方案2
0 2012-08-10 11:10:20
You do have some options and one of of those is impersonation as you mentioned. 你确实有一些选择,其中一个是你所提到的模仿。 However, another one I like to use and have used in the past is a trusted service call. 但是,我喜欢使用并在过去使用过的另一个是受信任的服务电话。 Let's assume for a moment that it's always much safer to limit access through IIS to ensure there are as few holes as possible. 让我们假设一下,通过IIS限制访问以确保尽可能少的漏洞总是更安全。 With that let's go down this road. 有了这个让我们走这条路。
Build a WCF service that has a couple of entry points and the interface might look like this. 构建一个具有几个入口点的WCF服务,界面可能如下所示。
public interface IDocumentService
{
public string BuildTrustedRelationship(string privateKey);
public byte[] ReadFile(string token, string fileName);
public void WriteFile(string token, string fileName, byte[] file);
}
Now, you can host this service via a Windows service very easily and so now all you need to do is on Application_start build the relationship with the service to get your token and you're off to the races. 现在,您可以非常轻松地通过Windows服务托管此服务,因此现在您需要做的就是在Application_start建立与服务的关系以获取您的令牌,然后您即可参加比赛。 The other nice thing here is that this service is internal, trusted, and I've even hosted it on the file server before and so it's much easier to grant permissions to this operation. 另一个好处是这个服务是内部的,可信任的,我甚至以前将它托管在文件服务器上,因此更容易为此操作授予权限。
解决方案3
0 2012-08-10 12:29:41
If you can create a new AD user, I think the simplest solution is to have the Application Pool run under that AD account's authority, which would mean your application is now running as the AD user. 如果您可以创建新的AD用户,我认为最简单的解决方案是让应用程序池在该AD帐户的权限下运行,这意味着您的应用程序现在作为AD用户运行。 You would need to add the AD user to the IIS Worker Process Group on the machine running your application. 您需要将AD用户添加到运行应用程序的计算机上的IIS工作进程组。 Then as long as your AD user has write permissions on the network share, you should be able to use the UNC path in your file operations. 然后,只要您的AD用户对网络共享具有写入权限,您就应该能够在文件操作中使用UNC路径。
解决方案4
0 2008-08-27 01:54:13
I've had no problems connecting to network shares transparently as if they were local drives. 我没有问题透明地连接到网络共享,就好像它们是本地驱动器一样。 The only issue you may have is what you mentioned: having the aspnet account gain access to the share. 您可能遇到的唯一问题是您提到的内容:让aspnet帐户获得对共享的访问权限。 Impersonation is probably the best way to do this. 假冒可能是最好的方法。
You should be able to use any filestream objects to access the network share as long as it has a drive letter on the server machine. 只要服务器计算机上有驱动器号,您就应该能够使用任何文件流对象来访问网络共享。
解决方案5
0 2008-08-27 01:56:45
Impersonation worked well for me in this scenario. 在这种情况下,模仿对我很有用。 We had a wizard that uploaded a zip file through the website, but we load balanced the site. 我们有一个通过网站上传zip文件的向导,但我们负载均衡了网站。 Therefore needed to setup a way to save the file on all the machines. 因此需要设置一种方法来保存所有计算机上的文件。
There are many different ways to do it. 有很多不同的方法可以做到这一点。 We decided to make all requests to run under the user we setup and just added the web.config entry and setup the security permissions on the folders for the user. 我们决定在我们设置的用户下运行所有请求,然后添加web.config条目并为用户设置文件夹的安全权限。 This kb article explains the setup very well. 这篇kb文章很好地解释了这个设置。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.