Url Authorization with MVC and ASP.NET Identity

Question

I want to secure specific folders and resources in my application that are outside of the routes for my mvc application. I want these resources to only be available to authenticated users (which role is not of consequence as long as they are authenticated).

Initially it seemed that the UrlAuthorizationModule would be the answer. I followed this article, Understanding IIS 7.0 URL Authorization, and I can get the module to work in the sense that it responds to the configuration elements in the web.config.

My current problem is that I think it is enacting the rules based on the anonymous user in IIS and not the authenticated user in asp.net identity.

I use a standard html file for testing instead of trying to load a script as this would also be loaded outside of the MVC pipeline.

• In Visual Studio 2015.
  • New default .net 4.6.2 web project
  • MVC template
  • Authentication = Individual User Accounts
  • Authentication -> Anonymous Authentication (enabled)

Added to web.config

    <configuration>
    ...
    <location path="Data">
      <system.webServer>
        <security>
          <authorization>
            <clear/>
            <add accessType="Deny" users="*"/>
            <add accessType="Allow" users="?"/>
          </authorization>
        </security>
      </system.webServer>
    </location>
    ...
    </configuration>

Added to the folder structure

    /Data/Protected.html // this file just has some basic Hello World content to display so you can see if it is loaded or not.

Observed Results

• With this configuration everything in the Data path is always denied, it does not matter if the user is authenticated or not.
• The same is true if I switch the 2 lines for Deny and Allow in the web.config.
• If I completely remove the line with Deny then access is always allowed even when the user is not authenticated.
• If I add a role and use roles with the role name instead of users attribute the role is also completely ignored.

What am I missing? How can I get the Url Authorization module to work with MVC/WebAPI and ASP.NET Identity Individual user accounts or is this simply not doable?

I am open to alternative ideas as well, maybe the answer is to write a custom HttpModule or HttpHandler?

Why & details

These resources are javascript files, in short only a portion of the scripts should be available to unauthenticated users. There are 2 directories in the root, one for the authenticated part of the app and one for the non-authenticated part of the app. The reason for this has nothing to do with user authorization or security in the application, it is to limit the exposed surface area of the application to non-authenticated requests.

Answer

[TL;DR;]
Go to the "Complete root web.config" section to see the needed web.config setup.

Test this in incognito-mode to prevent browser caching issues! And use Ctrl+F5 because scripts and html files get cached.

First deny access to all anonymous users in the root web.config.

    <authorization>
        <deny users="?"/>
    </authorization>

The web.config here allows one folder to be publicly accessible. This folder, in my example here, is called css and sits in the root of the MVC application. For the css folder I add the following authorization to the root web.config:

    <location path="css">
        <system.web>
            <authorization>
                <allow users="*"/>
            </authorization>
        </system.web>
    </location>

You can add more of these location paths if you want more public folders.

While all other files will not be accessible until the user logs in, the css folder and its contents will always be accessible.

I have also added a static file handler to the root web.config. This is critical as you want the request to be managed by the asp.net pipeline for the specific file type(s):

    <handlers>
        <add name="HtmlScriptHandler" path="*.html" verb="*" preCondition="integratedMode" type="System.Web.StaticFileHandler" />
    </handlers>

Complete root web.config

    <system.web>
        <authentication mode="None" />
        <authorization>
            <deny users="?"/>
        </authorization>
        <compilation debug="true" targetFramework="4.6.2" />
        <httpRuntime targetFramework="4.6.2" />
    </system.web>
    <location path="css">
        <system.web>
            <authorization>
                <allow users="*"/>
            </authorization>
        </system.web>
    </location>
    <system.webServer>
        <modules>
            <remove name="FormsAuthentication" />
            <remove name="UrlAuthorization" />
            <add name="UrlAuthorization" type="System.Web.Security.UrlAuthorizationModule" />
        </modules>
        <handlers>
            <add name="HtmlScriptHandler" path="*.html" verb="*" preCondition="integratedMode" type="System.Web.StaticFileHandler" />
        </handlers>
    </system.webServer>

ASP.NET by default will only apply the allow and deny rules to files handled by the managed handler. Static files are not managed by the managed handler.

You can also set the following (don't do this unless you really need it!):

    <modules runAllManagedModulesForAllRequests="true">

With runAllManagedModulesForAllRequests="true" all the HTTP modules will run on every request, not just managed requests (e.g. .aspx, .ashx). This means modules will run on every .jpg, .gif, .css, .html, .pdf, ... request.

One important thing
You don't have to add the UrlAuthorizationModule to the modules section as it is already part of the ASP.NET pipeline. This means, it will run only for managed files, not static!

If you now remove and then re-add the UrlAuthorizationModule to the modules section, it will run under precondition "integratedMode" and not under "managedHandler" anymore! And will therefore have access to static files.

    <remove name="UrlAuthorization" />
    <add name="UrlAuthorization" type="System.Web.Security.UrlAuthorizationModule" />

If you set the precondition to managed: <add name="UrlAuthorization" type="System.Web.Security.UrlAuthorizationModule" preCondition="managedHandler" />, then the UrlAuthorizationModule will not restrict access to static files anymore.

You can test this by accessing a script file in the scripts folder successfully while being logged out. Hit Ctrl+F5 to make sure you get a fresh copy of the script file.

Difference between ASP.NET UrlAuthorization <--> IIS URL Authorization

It is important to keep in mind that the managedHandler precondition is on the ASP.NET UrlAuthorization module. The precondition tells you that the URL authorization module is invoked only when the code that handles the request is mapped to managed code, typically an .aspx or .asmx page. IIS URL Authorization, on the other hand, applies to all content. You can remove the managedHandler precondition from the ASP.NET Url Authorization module. It is there to prevent a performance penalty you have to pay when every request (such as a request to .html or .jpg pages) would have to go through managed code.

P.S.: Some web.config attributes are case sensitive!
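Added example, not code from the question or the answer: a small Python checker that models the two things the answer hinges on for the question's "is my static file protected?" problem, the ASP.NET `<authorization>` rule merge (matching `<location>` rules first, first match wins, `*` = everyone, `?` = anonymous) and the condition that decides whether UrlAuthorizationModule even sees a request (re-added without the managedHandler precondition, runAllManagedModulesForAllRequests, or an explicit handler mapping). The sample web.config is constructed from the answer's complete config; the model is an approximation that handles the `users` attribute only (no `roles`) and plain file URLs only (no MVC routes), and treats `.aspx/.ashx/.asmx` as the only extensions managed by default.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the answer's "Complete root web.config", trimmed to the parts that matter here.
WEB_CONFIG = """<configuration>
  <system.web><authorization><deny users="?"/></authorization></system.web>
  <location path="css"><system.web><authorization><allow users="*"/></authorization></system.web></location>
  <system.webServer>
    <modules><remove name="UrlAuthorization"/>
      <add name="UrlAuthorization" type="System.Web.Security.UrlAuthorizationModule"/></modules>
    <handlers><add name="HtmlScriptHandler" path="*.html" verb="*" preCondition="integratedMode"
      type="System.Web.StaticFileHandler"/></handlers>
  </system.webServer>
</configuration>"""

def weakened(xml):
    """Constructed variant: the module is re-added but keeps its managedHandler precondition."""
    return xml.replace('UrlAuthorizationModule"/>', 'UrlAuthorizationModule" preCondition="managedHandler"/>')

def rules_for(root, url):
    """<system.web><authorization> rules that apply to url: matching <location> rules first, then root."""
    rules, u = [], url.strip("/").lower()
    for loc in root.findall("location"):
        p = loc.get("path", "").strip("/").lower()
        if p and (u == p or u.startswith(p + "/")):
            rules += [(r.tag, r.get("users", "")) for r in loc.findall("system.web/authorization/*")]
    rules += [(r.tag, r.get("users", "")) for r in root.findall("system.web/authorization/*")]
    return rules

def rule_allows(rules, authenticated):
    """First matching rule wins ('*' = everyone, '?' = anonymous); the implicit last rule allows everyone."""
    for verb, users in rules:
        if any(x.strip() == "*" or (x.strip() == "?" and not authenticated) for x in users.split(",")):
            return verb == "allow"
    return True

def module_covers(root, url):
    """Does UrlAuthorizationModule see this request at all? By default only managed requests."""
    mods = root.find("system.webServer/modules")
    if mods is not None and mods.get("runAllManagedModulesForAllRequests", "").lower() == "true":
        return True
    for m in ([] if mods is None else mods.findall("add")):
        if m.get("name") == "UrlAuthorization" and "managedHandler" not in m.get("preCondition", ""):
            return True  # re-added without the managedHandler precondition, as the answer does
    ext = ("." + url.rsplit(".", 1)[1]).lower() if "." in url else ""
    mapped = any(h.get("path", "").lower() == "*" + ext for h in root.findall("system.webServer/handlers/add"))
    return mapped or ext in (".aspx", ".ashx", ".asmx")  # explicitly mapped, or a classic managed extension

def access(root, url, authenticated):
    """'allowed' or 'denied' by the rules, or 'not-enforced' when the module never ran for the request."""
    if not module_covers(root, url):
        return "not-enforced"
    return "allowed" if rule_allows(rules_for(root, url), authenticated) else "denied"
ROOT, WEAK = ET.fromstring(WEB_CONFIG), ET.fromstring(weakened(WEB_CONFIG))
```

With the answer's config, `access(ROOT, "scripts/app.js", False)` is "denied"; with the managedHandler variant the same request comes back "not-enforced", which is the silent failure mode the question ran into.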
