问题描述
我有一个网站在 IIS 7.5 服务器上运行,在共享主机上使用 ASP.NET 4.0,但完全信任.
I have a website running on a IIS 7.5 server with ASP.NET 4.0 on a shared host, but in full trust.
该站点是一个基本的文件浏览器",允许访问者登录并显示可供他们使用的文件列表,并且显然可以下载文件.静态文件(主要是 pdf 文件)位于站点上名为 data 的子文件夹中,例如http://example.com/data/...
The site is a basic "file browser" that allows the visitors to login and have a list of files available to them displayed, and, obviously, download the files. The static files (mostly pdf files) are located in a sub folder on the site called data, e.g. http://example.com/data/...
该站点使用 ASP.NET 表单身份验证.
The site uses ASP.NET form authentication.
我的问题是:如何让 ASP.NET 引擎处理对数据文件夹中静态文件的请求,使对文件的请求通过 ASP.NET 进行身份验证,并且用户无法深层链接到一个文件并抓取他们不允许拥有的文件?
My question is: How do I get the ASP.NET engine to handle the requests for the static files in the data folder, so that request for files are authenticated by ASP.NET, and users are not able to deep link to a file and grab files they are not allowed to have?
最好的问候,埃吉尔.
推荐答案
如果您的应用程序池在集成模式下运行,那么您可以执行以下操作.
If you application pool is running in Integrated mode then you can do the following.
将以下内容添加到您的顶级 web.config.
Add the following to your top level web.config.
<system.webServer>
<modules>
<add name="FormsAuthenticationModule" type="System.Web.Security.FormsAuthenticationModule" />
<remove name="UrlAuthorization" />
<add name="UrlAuthorization" type="System.Web.Security.UrlAuthorizationModule" />
<remove name="DefaultAuthentication" />
<add name="DefaultAuthentication" type="System.Web.Security.DefaultAuthenticationModule" />
</modules>
</system.webServer>
现在您可以使用 web.config 中的标准 ASP.NET 权限来强制对目录中的所有文件进行表单身份验证.
Now you can use the standard ASP.NET permissions in your web.config to force forms authentication for all files in the directory.
<system.web>
<authorization>
<deny users="?" />
</authorization>
<authentication mode="Forms" />
</system.web>
这篇关于如何在 IIS 7.5 上使用 ASP.NET 表单身份验证保护静态文件?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持!