
IIS / ASP / Static content: restrict access to directory content with guard

I'm looking for a solution concerning access restrictions using IIS6, an ASP.NET website (SiteA, FW 2.0) and a website with static content (SiteB):

The Problem / Preconditions:

  • A user authenticated to SiteA should be able to access the static content of SiteB
  • Non-authenticated access to SiteB should be redirected to SiteA's login script
  • Because SiteA is legacy code it doesn't use any of ASP.NET's authentication mechanisms. There is a method IsAuthenticated() = true/false which checks authentication status for SiteA.
  • I'm still free to place SiteB anywhere (depending on solution): in SiteA's directory structure or somewhere else, maybe on another server

Considered Solution / How it could work:

  • SiteB is placed in SiteA's directory structure (e.g. SiteA-Root/subfolder/SiteB-Root)
  • IIS should intercept requests to directory SiteA-Root/subfolder/SiteB-Root
  • IIS allows access if IsAuthenticated == true for each request to SiteA-Root/subfolder/SiteB-Root
  • IIS redirects to SiteA's login page otherwise

What I've tried yet:

  • Using IIS-UrlRewrite to redirect any request to SiteB to a guard script, e.g. SiteA/Interceptor.aspx?referer=<Url of requested content of SiteB>
  • Interceptor.aspx loads <Url of requested content of SiteB> if IsAuthenticated() == true or redirects to the login page otherwise
  • Interceptor.aspx writes the loaded stream to its own response
  • Problems:
    • any relative link in the loaded SiteB page doesn't work anymore -> requires parsing(?)
    • heavy processing because any request to SiteB is handled by Interceptor.aspx

Any suggestions would be appreciated. Thanks.

The problem with IIS 6.0 (or anything pre-IIS 7.0) is that it does not support having requests for static content go through the ASP.NET life cycle. Hence you cannot access the events defined in Global.asax and other ASP.NET features such as authentication/authorization.

But I guess there is a way to override that behavior, as explained in this post: http://www.devtoolshed.com/globalasax-events-iis-6-and-iis-7-static-resources

So, once you have configured this to pass the requests through the ASP.NET lifecycle, isn't it possible to capture the request in one of those appropriate Global.asax events, and then set a Session value that this request is already authenticated or not? You can use proper Forms Authentication as well.

So if a request comes for the static content (which is a part of the subfolder in SiteA itself), all you have to do is check (in one of the events in Global.asax) whether the request is already authenticated for the session, and if not, redirect to the login form. Since you are doing a pass-through in case it is already authenticated, you shouldn't have broken links either.
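
A sketch of the Global.asax guard described in this answer, added here as an example (not code from the question or the answer), written in C# 2.0 syntax and assuming static requests already pass through ASP.NET. The login page path, the session key and `LegacyIsAuthenticated` are hypothetical stand-ins; the last one takes the place of SiteA's existing `IsAuthenticated()`.

```csharp
// Global.asax.cs for SiteA (added example; names marked "hypothetical" are assumptions)
using System;
using System.Web;

public class Global : HttpApplication
{
    // SiteB's location inside SiteA, as proposed in the question.
    private const string ProtectedPrefix = "~/subfolder/SiteB-Root/";
    // Hypothetical login page path; the question does not name it.
    private const string LoginPage = "~/Login.aspx";

    protected void Application_PostAcquireRequestState(object sender, EventArgs e)
    {
        HttpContext context = ((HttpApplication)sender).Context;
        if (!IsProtected(context.Request)) return;       // not SiteB content
        if (LegacyIsAuthenticated(context)) return;      // pass through, URL unchanged

        // RawUrl is server-relative (path + query). The login page must still
        // check that returnUrl is a local path before redirecting back to it.
        string target = VirtualPathUtility.ToAbsolute(LoginPage)
            + "?returnUrl=" + HttpUtility.UrlEncode(context.Request.RawUrl);
        context.Response.Redirect(target, true);         // ends the request
    }

    private static bool IsProtected(HttpRequest request)
    {
        // Append "/" so "~/subfolder/SiteB-Root" matches but
        // "~/subfolder/SiteB-RootOther/x.html" does not; ignore case like IIS does.
        string path = request.AppRelativeCurrentExecutionFilePath + "/";
        return path.StartsWith(ProtectedPrefix, StringComparison.OrdinalIgnoreCase);
    }

    // Hypothetical stand-in for SiteA's IsAuthenticated(): a session flag set at login.
    // Session is only loaded when the mapped handler implements IRequiresSessionState,
    // which the static file handlers do not, so a null Session is treated as
    // "not authenticated" (fail closed). A check that reads the request itself
    // (for example a Forms Authentication ticket) is unaffected by this.
    private static bool LegacyIsAuthenticated(HttpContext context)
    {
        if (context.Session == null) return false;
        return true.Equals(context.Session["IsAuthenticated"]);
    }
}
```

Because an authenticated request is simply allowed to continue to the static file handler, SiteB is served from its own URLs and relative links keep working, unlike with the Interceptor.aspx proxy.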

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.
