
How to restrict user access to the file on the HTTP Server?

I'm writing a web application that allows users to upload their files to the app. The file will be uploaded to the HTTP server after the user clicks the "upload" button. The user can receive the file by getting the file from the path, for example: http://www.demo.com/user/abc/download/the_file.jpg

But I found that anyone can access this file using the path. What can I do, or is there a better way to manage the files so that only a registered user or the file owner can download the file?

If using something like Apache httpd, you can use .htaccess files and have directories that are provisioned to users or groups if you want the user to continue accessing files at a path on the filesystem.

If you lock down the directory and have a script to manage file delivery, you can check permissions in the script and give the user the file requested or a 403.

I tend to use the script approach as it gives me more control over how the permissions are managed and more complex access scenarios.

Serving a file directly within a script is not an option because of performance issues and it's not really possible to serve BIG files because of memory limits.

The best option is to use the Apache module mod_xsendfile. The idea is to redirect all requests to a PHP/Perl/Python script which will just set an HTTP header saying "Hey Apache, serve this file instead" and mod_xsendfile will take care of it.

And the client will never be able to download the file without this authentication.
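The script-plus-mod_xsendfile approach described in the answers above, as an added example that is not code from the original posts: a Python WSGI handler that checks ownership, rejects paths that escape the owner's directory, and then hands delivery to Apache through the `X-Sendfile` header. `STORAGE_ROOT`, the route pattern, the function names, and the use of `REMOTE_USER` as the authenticated identity are assumptions made for illustration.

```python
import os
import re

# Assumption: uploads are stored outside the DocumentRoot, so Apache never
# serves them by URL; mod_xsendfile is enabled (XSendFile On) and
# XSendFilePath covers this directory.
STORAGE_ROOT = "/srv/uploads"

# URL layout from the question: /user/<owner>/download/<filename>
ROUTE = re.compile(r"/user/([A-Za-z0-9_-]+)/download/([^/\x00-\x1f]+)")


def authorize(path_info, remote_user, root=STORAGE_ROOT):
    """Decide a download request; return (status, headers)."""
    match = ROUTE.fullmatch(path_info)
    if not match:
        return "404 Not Found", []
    owner, filename = match.groups()
    # Only the authenticated owner may fetch the file.
    if not remote_user or remote_user != owner:
        return "403 Forbidden", []
    # Resolve symlinks and ".."; the result must stay in the owner's directory.
    owner_dir = os.path.realpath(os.path.join(root, owner))
    target = os.path.realpath(os.path.join(owner_dir, filename))
    if os.path.commonpath([owner_dir, target]) != owner_dir:
        return "403 Forbidden", []
    if not os.path.isfile(target):
        return "404 Not Found", []
    # Apache replaces the empty body with the file named in X-Sendfile.
    return "200 OK", [("X-Sendfile", target),
                      ("Content-Type", "application/octet-stream")]


def application(environ, start_response):
    """WSGI entry point. Assumption: the login layer sets REMOTE_USER."""
    status, headers = authorize(environ.get("PATH_INFO", ""),
                                environ.get("REMOTE_USER"))
    if status.startswith("200"):
        start_response(status, headers)
        return [b""]
    start_response(status, [("Content-Type", "text/plain")])
    return [status.encode("ascii")]
```

The script never reads the file itself, so large files do not pass through the interpreter's memory.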
