如何使用Forms身份验证在ASP.NET Web应用程序中为动态创建的资源配置用户授权?
[英]How do I configure user authorization on dynamically created resources in an ASP.NET web app using Forms authentication?
问题描述
Suppose some users log in to my web app. 
假设有些用户登录我的网络应用程序。 They get authenticated (as something other than the anonymous user), so they can access any resource in the directory. 它们经过身份验证(不是匿名用户),因此可以访问目录中的任何资源。 The system.web/authorization section of web.config is set to deny access to anonymous users like this: web.config的system.web / authorization部分设置为拒绝匿名用户访问,如下所示:
<system.web><authorization>
<deny users="?" />
</authorization></system.web>
Actually, from what I understand, this only protects files accessed through the ASP.NET system. 实际上,据我所知,这只能保护通过ASP.NET系统访问的文件。 If I drop a JPG file in there, it's accessible to everyone, without authentication/authorization. 如果我在那里删除JPG文件,那么每个人都可以访问它,而无需身份验证/授权。 In order to ensure all files are protected, there's a different section for that: 为了确保所有文件都受到保护,有一个不同的部分:
<system.webServer><security><authorization>
<add accessType="Deny" users="?" />
</authorization></security><system.webServer>
Of course, now when someone attempts to access the JPG file, they don't get redirected to the login page. 当然,现在当有人试图访问JPG文件时,他们不会被重定向到登录页面。 Instead, they get a nasty HTTP Error 401.2 - Unauthorized. 相反,他们得到一个令人讨厌的HTTP错误401.2 - 未经授权。
Now, suppose a user causes a file to be created on the server. 现在,假设用户导致在服务器上创建文件。 How, in context of this elaborate Forms Authentication and Authorization scheme, do I ensure that only that user's web browser can access the file via it's URL? 在这个精心设计的表单身份验证和授权方案的上下文中,我是如何确保只有该用户的Web浏览器才能通过它的URL访问该文件? For example, must I modify the web.config file? 例如,我必须修改web.config文件吗? If so, do I have to do this manually or can it be done through code? 如果是这样,我是否必须手动执行此操作,还是可以通过代码完成? Will modifying it frequently cause the application to be interrupted/restarted? 经常修改它会导致应用程序被中断/重启吗?
2 个解决方案
解决方案1
2 2011-03-29 15:07:36
You can't ensure this. 你无法确保这一点。 With forms authentication and authorization you have to be explicit, listing concrete users or roles. 使用表单身份验证和授权,您必须明确,列出具体的用户或角色。 No chance to specify this dynamically. 没有机会动态指定它。
For dynamically created resources I use generic handlers. 对于动态创建的资源,我使用泛型处理程序。 With this approach there is no need for protecting temporary files, because there are no temporary files. 使用这种方法,不需要保护临时文件,因为没有临时文件。 The content is directly streamed to the user. 内容直接流式传输给用户。 In this approach your protection is part of your application logic, possibly inside the generic handler. 在这种方法中,您的保护是应用程序逻辑的一部分,可能在通用处理程序中。
解决方案2
0 2011-03-28 23:33:10
You can store the dynamically generated content as a blob in a database table rather than on the file system. 您可以将动态生成的内容作为blob存储在数据库表中,而不是存储在文件系统中。 Secure access to the record through normal application security logic. 通过普通应用程序安全逻辑安全访问记录。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.