即使不存在路由使用RouteExistingFiles阻止访问现有文件 [英] Using RouteExistingFiles to block access to existing files even if no route exists
问题描述
在ASP.net MVC 2,我可以使用 routes.RouteExistingFiles = TRUE; 来的所有请求都会通过路由系统发送,即使它们在文件系统上存在。
In ASP.net MVC 2, I can use routes.RouteExistingFiles = true; to send all requests through the routing system, even if they exist on the file system.
通常情况下,这最终击中{控制器} / {行动} / {ID}路线,抛出一个异常,因为控制器不能找到。
Usually, this ends up hitting the "{controller}/{action}/{id}" route and throws an exception as the controller cannot be found.
我不想用这条路虽然(我只有几个网址,它们是专门映射),但我还是想prevent访问文件系统。
I do not want to use that route though (I have only a few URLs and they are specifically mapped), yet I would still like to prevent access to the file system.
基本上,我想白名单使用IgnoreRoute页面。是否有一个内置的方式做到这一点?
Basically I want to Whitelist pages using IgnoreRoute. Is there a built-in way to do this?
我目前的做法是,仍然有途径{*}什么并产生404时,这个被击中,但我只是想知道,如果事情是建立-IN了吗?
My current approach is to still have a route "{*anything}" and generate a 404 when this is hit, but I'm just wondering if something is built-in already?
推荐答案
这是授权的Web.config在ASP.NET MVC应用程序中的一些有效的用途之一。 :)
This is one of the few valid uses of Web.config authorization in an ASP.NET MVC application. :)
我建议设置回RouteExistingFiles为false(使路由和MVC管道不处理这些请求,IIS和ASP.NET核心做)。将所有您想要拒绝访问到一个文件夹中的文件,然后删除一个Web.config到该文件夹:
I'd recommend setting RouteExistingFiles back to false (so that Routing and the MVC pipeline don't handle these requests, IIS and ASP.NET core do). Put all of the files for which you want to deny access into a single folder, then drop a Web.config into that folder:
<configuration>
<system.web>
<authorization>
<deny users="*"/>
</authorization>
</system.web>
</configuration>
这是直接服务于这些文件,这将prevent IIS和ASP.NET。
This will prevent IIS and ASP.NET from serving these files directly.
这篇关于即使不存在路由使用RouteExistingFiles阻止访问现有文件的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
