
Asp.net Core 2.2, Middleware doesn't always execute when moving between static html files

I have an asp.net core web application with a static files directory outside wwwroot (all html / csv). I created a middleware that checks whether the user is authenticated before they can access these files. However, when I move from one html file to another among these static files (via the url or an href), the middleware sometimes does not execute. Even after logging out, I can sometimes still access these files. I am also using the Cookies authentication scheme rather than Identity. The middleware is based on Scott Allen's tutorial https://odetocode.com/blogs/scott/archive/2015/10/06/authorization-policies-and-middleware-in-asp-net-5.aspx

I tried adding breakpoints in the middleware code, but I found that sometimes it does not fire even though it is a new request.

Startup file

    using System;
    using System.IO;
    using Microsoft.AspNetCore.Authentication.Cookies;
    using Microsoft.AspNetCore.Builder;
    using Microsoft.AspNetCore.Hosting;
    using Microsoft.AspNetCore.Http;
    using Microsoft.AspNetCore.Identity;
    using Microsoft.AspNetCore.Identity.UI;
    using Microsoft.AspNetCore.Mvc;
    using Microsoft.EntityFrameworkCore;
    using Microsoft.Extensions.Configuration;
    using Microsoft.Extensions.DependencyInjection;
    using Microsoft.Extensions.FileProviders;
    // ApplicationDbContext lives in the project's own Data namespace (not shown here).

    public class Startup
    {
        public Startup(IConfiguration configuration)
        {
            Configuration = configuration;
        }

        public IConfiguration Configuration { get; }

        // This method gets called by the runtime. Use this method to add services to the container.
        public void ConfigureServices(IServiceCollection services)
        {
            services.Configure<CookiePolicyOptions>(options =>
            {
                // This lambda determines whether user consent for non-essential cookies is needed for a given request.
                options.CheckConsentNeeded = context => true;
                options.MinimumSameSitePolicy = SameSiteMode.None;
            });

            services.AddDbContext<ApplicationDbContext>(options =>
                options.UseSqlServer(
                    Configuration.GetConnectionString("DefaultConnection")));
            services.AddDefaultIdentity<IdentityUser>()
                .AddDefaultUI(UIFramework.Bootstrap4)
                .AddEntityFrameworkStores<ApplicationDbContext>();

            services.AddMvc().SetCompatibilityVersion(CompatibilityVersion.Version_2_2);

            // Cookie authentication is the default for authenticate, sign-in, sign-out and challenge.
            services.AddAuthentication(options =>
            {
                options.DefaultAuthenticateScheme = CookieAuthenticationDefaults.AuthenticationScheme;
                options.DefaultSignInScheme = CookieAuthenticationDefaults.AuthenticationScheme;
                options.DefaultSignOutScheme = CookieAuthenticationDefaults.AuthenticationScheme;
                options.DefaultChallengeScheme = CookieAuthenticationDefaults.AuthenticationScheme;
            })
            .AddCookie(options =>
            {
                options.AccessDeniedPath = "/Home/Index";
                options.LoginPath = "/Identity/Account/Login";
            });

            // The policy name referenced by the ProtectFolder middleware below.
            services.AddAuthorization(options =>
            {
                options.AddPolicy("Authenticated", policy => policy.RequireAuthenticatedUser());
            });

            services.AddSingleton<IHttpContextAccessor, HttpContextAccessor>();
        }

        // This method gets called by the runtime. Use this method to configure the HTTP request pipeline.
        public void Configure(IApplicationBuilder app, IHostingEnvironment env)
        {
            if (env.IsDevelopment())
            {
                app.UseDeveloperExceptionPage();
                app.UseDatabaseErrorPage();
            }
            else
            {
                app.UseExceptionHandler("/Home/Error");
                // The default HSTS value is 30 days. You may want to change this for production scenarios, see https://aka.ms/aspnetcore-hsts.
                app.UseHsts();
            }

            app.UseHttpsRedirection();

            // Must run before ProtectFolder so that httpContext.User is populated from the cookie.
            app.UseAuthentication();

            // Authorization check for the protected folder; placed before the static file middleware
            // so that every request under /StaticFiles that reaches the server is checked first.
            app.UseProtectFolder(new ProtectFolderOptions
            {
                Path = "/StaticFiles",
                PolicyName = "Authenticated",
            });

            app.UseStaticFiles();
            app.UseStaticFiles(new StaticFileOptions
            {
                FileProvider = new PhysicalFileProvider(
                    Path.Combine(Directory.GetCurrentDirectory(), "Static_Files")),
                RequestPath = "/StaticFiles"
            });
            //app.UseStaticFiles(new StaticFileOptions
            //{
            //    FileProvider = new PhysicalFileProvider(
            //        Path.Combine(Directory.GetCurrentDirectory(), "StaticFiles")),
            //    RequestPath = "/StaticFiles"
            //});

            app.UseCookiePolicy();

            app.UseMvc(routes =>
            {
                routes.MapRoute(
                    name: "default",
                    template: "{controller=Home}/{action=Index}/{id?}");
            });
        }

        private object RedirectResult()
        {
            throw new NotImplementedException();
        }
    }

Middleware

    using System.Threading.Tasks;
    using Microsoft.AspNetCore.Authentication;
    using Microsoft.AspNetCore.Authorization;
    using Microsoft.AspNetCore.Builder;
    using Microsoft.AspNetCore.Http;

    public class ProtectFolderOptions
    {
        public PathString Path { get; set; }
        public string PolicyName { get; set; }
    }

    // Extension method used to add the middleware to the HTTP request pipeline.
    public static class ProtectFolderExtensions
    {
        public static IApplicationBuilder UseProtectFolder(this IApplicationBuilder builder, ProtectFolderOptions options)
        {
            return builder.UseMiddleware<ProtectFolder>(options);
        }
    }

    // You may need to install the Microsoft.AspNetCore.Http.Abstractions package into your project
    public class ProtectFolder
    {
        private readonly RequestDelegate _next;
        private readonly PathString _path;
        private readonly string _policyName;

        public ProtectFolder(RequestDelegate next, ProtectFolderOptions options)
        {
            _next = next;
            _path = options.Path;
            _policyName = options.PolicyName;
        }

        // IAuthorizationService is resolved per request by the middleware infrastructure.
        public async Task Invoke(HttpContext httpContext, IAuthorizationService authorizationService)
        {
            if (httpContext.Request.Path.StartsWithSegments(_path))
            {
                var authorized = await authorizationService.AuthorizeAsync(httpContext.User, null, _policyName);

                if (authorized.Succeeded == false)
                {
                    // With the cookie scheme this redirects to LoginPath and ends the pipeline.
                    await httpContext.ChallengeAsync();
                    return;
                }
            }

            await _next(httpContext);
        }
    }

Users should not be able to access these files in the Static_Files directory unless they are logged in. However, after logging out, these html files can sometimes still be accessed. After signing out, the middleware sometimes does not fire, and when I issue a new request in the URL or traverse the html files using their internal hrefs, I get access to the html files.

Your static files are probably being cached in the browser, so once they have been accessed legitimately they are cached, and subsequent requests don't need to go to the server until the resource expires.

You can disable file caching with:

    // In Startup.Configure: OnPrepareResponse runs for every file this middleware serves,
    // so the headers below tell the browser not to keep a copy.
    app.UseStaticFiles(new StaticFileOptions()
    {
        OnPrepareResponse = (context) =>
        {
            context.Context.Response.Headers["Cache-Control"] = "no-cache, no-store";
            context.Context.Response.Headers["Expires"] = "-1";
            context.Context.Response.Headers["Pragma"] = "no-cache";
        }
    });
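The point behind the answer is that a request served from the browser cache never reaches the server, so no middleware can run for it; a breakpoint in `ProtectFolder` will not hit, and a logged-out user keeps seeing pages that were cached while logged in. A quick check is the browser's network panel: entries marked "from disk cache" or "from memory cache" were never sent. The following is an added example (not code from the question, the answer, or Scott Allen's tutorial) that combines both halves in one extension: it branches the pipeline for the protected request path, authorizes against the named policy, and marks every response from that branch uncacheable, including the redirect issued by `ChallengeAsync`, while leaving ordinary wwwroot content cacheable. The names `ProtectedStaticFiles`, `UseProtectedStaticFiles` and `MarkUncacheable` are hypothetical; the path, directory and policy values in the usage comment are the ones from the question.

```csharp
// Added example, not the project's own code. Targets ASP.NET Core 2.2 APIs.
using System.IO;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Http;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Extensions.FileProviders;
using Microsoft.Net.Http.Headers;

public static class ProtectedStaticFiles   // hypothetical helper class
{
    // Tells the browser (and any intermediate cache) not to keep a copy of this response.
    private static void MarkUncacheable(HttpResponse response)
    {
        response.Headers[HeaderNames.CacheControl] = "no-store, no-cache, must-revalidate";
        response.Headers[HeaderNames.Pragma] = "no-cache";
        response.Headers[HeaderNames.Expires] = "0";
    }

    // Serves files from a directory outside wwwroot under requestPath, but only after the
    // given authorization policy succeeds, and with caching disabled for that path only.
    public static IApplicationBuilder UseProtectedStaticFiles(
        this IApplicationBuilder app,
        string physicalDirectory,   // absolute path of the protected directory
        PathString requestPath,     // URL prefix the files are exposed under
        string policyName)          // policy registered with services.AddAuthorization
    {
        // MapWhen keeps Request.Path unchanged (unlike Map), so StaticFileOptions.RequestPath
        // below still matches. Requests outside requestPath never enter this branch.
        return app.MapWhen(
            ctx => ctx.Request.Path.StartsWithSegments(requestPath),
            branch =>
            {
                branch.Use(async (ctx, next) =>
                {
                    var authz = ctx.RequestServices.GetRequiredService<IAuthorizationService>();
                    var result = await authz.AuthorizeAsync(ctx.User, null, policyName);
                    if (!result.Succeeded)
                    {
                        // The login redirect itself must not be cached either.
                        MarkUncacheable(ctx.Response);
                        await ctx.ChallengeAsync();   // cookie scheme: redirect to LoginPath
                        return;
                    }
                    await next();
                });

                branch.UseStaticFiles(new StaticFileOptions
                {
                    FileProvider = new PhysicalFileProvider(physicalDirectory),
                    RequestPath = requestPath,
                    // Runs for every file actually served from the protected directory.
                    OnPrepareResponse = sf => MarkUncacheable(sf.Context.Response)
                });
                // End of the branch: an unknown file under requestPath yields 404 instead of
                // falling through to MVC routing.
            });
    }
}

// Usage inside Startup.Configure, after app.UseAuthentication() so that ctx.User is set:
//
//     app.UseProtectedStaticFiles(
//         Path.Combine(Directory.GetCurrentDirectory(), "Static_Files"),
//         "/StaticFiles",
//         "Authenticated");
//     app.UseStaticFiles();   // public wwwroot content, still cacheable
```

Because the cache headers are applied only on the protected branch, public assets under wwwroot keep their normal caching behaviour, and every request for a protected file, whether typed into the address bar or followed from an href, is forced back to the server where the policy check runs.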

