I'm trying to secure a few HTML files in a folder (see my questions "Protect Static Files with Authentication on ASP.NET Core" and "ASP.NET Core authorization permission access folder with Identity Server"). I created two projects with MVC and Razor Pages with the same result. Also, I have an integration with Identity Server. I can secure non-HTML files.
Then, my idea was to use web.config to allow only authenticated users to access the folder, like:
<location path="html">
  <system.web>
    <authorization>
      <deny users ="*" />
    </authorization>
  </system.web>
</location>
and I merged it with the web.config I found on my deployed application on Azure. The result is the following:
<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <location path="." inheritInChildApplications="false">
    <system.webServer>
      <handlers>
        <add name="aspNetCore" path="*" verb="*" modules="AspNetCoreModuleV2" resourceType="Unspecified" />
      </handlers>
      <aspNetCore processPath="dotnet" arguments=".\PatientJourney.dll"
                  stdoutLogEnabled="false" stdoutLogFile=".\logs\stdout" hostingModel="inprocess" />
    </system.webServer>
  </location>
  <location path="infographics">
    <system.web>
      <authorization>
        <deny users ="*" />
      </authorization>
    </system.web>
  </location>
  <location path="html">
    <system.web>
      <authorization>
        <deny users ="*" />
      </authorization>
    </system.web>
  </location>
</configuration>
The html folder is the physical folder under the root; infographics is the virtual folder defined in the Startup.cs:
app.UseStaticFiles(new StaticFileOptions
{
    FileProvider = new PhysicalFileProvider(Path.Combine(env.ContentRootPath, "html")),
    RequestPath = "/infographics",
    OnPrepareResponse = ctx =>
    {
        if (ctx.Context.Request.Path.StartsWithSegments("/infographics"))
        {
            ctx.Context.Response.Headers.Add("Cache-Control", "no-store");
            if (!ctx.Context.User.Identity.IsAuthenticated)
            {
                // respond HTTP 401 Unauthorized with empty body.
                ctx.Context.Response.StatusCode = (int)HttpStatusCode.Unauthorized;
                ctx.Context.Response.ContentLength = 0;
                ctx.Context.Response.Body = Stream.Null;
                // - or, redirect to another page. -
                // ctx.Context.Response.Redirect("/");
            }
        }
    }
});
Although I tried to deny access to both folders (physical and virtual), every user can access the files. So, my questions:
Can I use web.config to secure a folder, or is it not supported anymore? Why doesn't location in the web.config work? Are there any limitations? I want to block the HTML pages for non-authenticated users: any other ideas?
What about managing users' rights to access folders using middleware?
For example:
using System.Threading.Tasks;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Http;
using Microsoft.AspNetCore.Identity;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.Logging;

public class RequestResponseLoggingMiddleware
{
    private readonly RequestDelegate _next;

    public RequestResponseLoggingMiddleware(RequestDelegate next)
    {
        _next = next;
    }

    // Scoped services such as UserManager<User> are injected per request via Invoke.
    public async Task Invoke(HttpContext context, ILogger<RequestResponseLoggingMiddleware> logger, IConfiguration configuration, UserManager<User> userManager)
    {
        /*
            ...Managing users access to folders using IConfiguration and UserManager...
        */
        // Call the next delegate/middleware in the pipeline
        await _next(context);
    }
}

public static class RequestResponseExtensions
{
    public static IApplicationBuilder UseRequestResponseLogging(this IApplicationBuilder builder)
    {
        return builder.UseMiddleware<RequestResponseLoggingMiddleware>();
    }
}
In your Startup.cs:
app.UseRequestResponseLogging();
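
One way to fill in the middleware idea above for the /infographics folder, as an added example that is not part of the original question or answer. The names ProtectedFolderMiddleware and UseProtectedFolder are hypothetical, and it assumes an authentication scheme (for example OpenID Connect against Identity Server) is already configured as the default challenge scheme.

```csharp
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Http;

// Hypothetical middleware (name is an assumption): stops anonymous requests
// for a path prefix before they can reach the static file middleware.
public class ProtectedFolderMiddleware
{
    private readonly RequestDelegate _next;
    private readonly PathString _prefix;

    public ProtectedFolderMiddleware(RequestDelegate next, PathString prefix)
    {
        _next = next;
        _prefix = prefix;
    }

    public async Task Invoke(HttpContext context)
    {
        // StartsWithSegments compares whole segments, ignoring case:
        // "/infographics/a.html" matches, "/infographics-old" does not.
        if (context.Request.Path.StartsWithSegments(_prefix)
            && context.User?.Identity?.IsAuthenticated != true)
        {
            // Keep caches from storing anything for a protected path.
            context.Response.Headers["Cache-Control"] = "no-store";
            // Delegate to the default challenge scheme (assumed configured);
            // with OpenID Connect this redirects to the login page.
            await context.ChallengeAsync();
            return; // short-circuit: the file is never opened or sent
        }
        await _next(context);
    }
}

public static class ProtectedFolderExtensions
{
    public static IApplicationBuilder UseProtectedFolder(
        this IApplicationBuilder app, PathString prefix)
        => app.UseMiddleware<ProtectedFolderMiddleware>(prefix);
}

// Order in Startup.Configure (static-file options as in the question):
//   app.UseAuthentication();                  // populates HttpContext.User
//   app.UseProtectedFolder("/infographics");  // gate runs first
//   app.UseStaticFiles(new StaticFileOptions { /* html -> /infographics */ });
```

The gate only works if it is registered after UseAuthentication and before the UseStaticFiles call that serves the folder, because middleware runs in registration order and the static file middleware ends the pipeline once it finds a matching file.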