How to lock down paths in ASP.NET MVC?

Views: 200

Question

I'm playing around with MVC 4 for the first time to check out what's been changed/added/etc compared to MVC 3.

To start off, I created a blank MVC 4 Web Application and started building from scratch.

One of the first things that I noticed that is different in MVC 4 is the fact that the following web.config settings have no effect on the accessibility of the web pages:

<configuration>
    <location path="">
    <system.web>
      <authorization>
        <deny users="?"/>
      </authorization>
    </system.web>
    </location>
    .....
</configuration>

Back in MVC 3, the authorization settings above would deny all anonymous users from accessing any content within the site. However, if I add the same settings to an MVC 4 Web.config file, an anonymous user has free rein over any URL s/he chooses.

What do I need to do in MVC 4 to lock down all paths like I did in MVC 3?

Recommended answer

Take a look at Securing your ASP.NET MVC 4 App and the new AllowAnonymous Attribute (http://blogs.msdn.com/b/rickandy/archive/2012/03/23/securing-your-asp-net-mvc-4-app-and-the-new-allowanonymous-attribute.aspx).

You cannot use routing or web.config files to secure your MVC application (any version). The only supported way to secure your MVC application is to apply the Authorize attribute...

Quote (http://blogs.msdn.com/b/rickandy/archive/2010/08/24/securing-your-mvc-application.aspx):

MVC uses routes and does not map URLs to physical file locations like WebForms, PHP and traditional web servers. Therefore using web.config will definitely open a security hole in your site.

The product team will communicate if this changes in the future, but right now there is no exception to this rule.

Example:

Start with the default ASP.Net MVC project (internet/intranet).

Edit the web.config adding:

<location path="Home">
  <system.web>
    <authorization>
      <deny users="*"/>
    </authorization>
  </system.web>
</location>

Run the project; by default you will use the Default route /Home/Index and you see content, simply bypassing the web.config with no changes to the default template. Why? Because the ASP.Net pipeline is comparing the URL requested to the location specified in the web.config. However, after the Authorization Event has been executed in the pipeline, the routing takes place (Default routing or custom routing) and allows access to the supposedly restricted area.

Additionally, any MVC Redirect() will also bypass the same security measures, as again the routing takes place after the Authorization Pipeline Event.

I don't think anyone should accept sorta working security. Do it correctly the first time; don't be lazy and use something that wasn't designed to be used with a specific technology.
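What "apply the Authorize attribute" looks like in practice, as an added example that is not part of the question, the answer, or the blog posts it cites. It assumes the MVC 4 Internet template's layout (App_Start/FilterConfig.cs, Global.asax.cs, an AccountController and a HomeController) with forms authentication and ASP.NET Membership configured in web.config; the namespace LockedDownMvc4, the LoginModel class and the Admin action are made up for the illustration. The point it demonstrates is the one the answer makes: the check has to live inside MVC's action invocation, after routing, rather than in a web.config <location> rule that routing walks past.

```csharp
// Added example; not the original page's code. Assumes the MVC 4 Internet
// template, forms authentication and ASP.NET Membership in web.config.
using System.Web.Mvc;
using System.Web.Routing;
using System.Web.Security;

namespace LockedDownMvc4 // hypothetical project namespace
{
    // App_Start/FilterConfig.cs
    public class FilterConfig
    {
        public static void RegisterGlobalFilters(GlobalFilterCollection filters)
        {
            filters.Add(new HandleErrorAttribute());
            // Every action now requires an authenticated user. This runs inside
            // MVC's action invocation, after routing, so neither a route that a
            // web.config <location> rule did not anticipate nor a Redirect() can
            // reach an action without passing it.
            filters.Add(new AuthorizeAttribute());
        }
    }

    // Global.asax.cs
    public class MvcApplication : System.Web.HttpApplication
    {
        protected void Application_Start()
        {
            AreaRegistration.RegisterAllAreas();
            FilterConfig.RegisterGlobalFilters(GlobalFilters.Filters);
            RouteConfig.RegisterRoutes(RouteTable.Routes); // template's RouteConfig, assumed present
        }
    }

    public class LoginModel // hypothetical view model
    {
        public string UserName { get; set; }
        public string Password { get; set; }
    }

    public class AccountController : Controller
    {
        // The only deliberate exceptions: the actions an anonymous user must
        // reach in order to become authenticated. [AllowAnonymous] (new in
        // MVC 4) opts an action out of the global AuthorizeAttribute.
        [AllowAnonymous]
        public ActionResult Login(string returnUrl)
        {
            ViewBag.ReturnUrl = returnUrl;
            return View();
        }

        [HttpPost]
        [AllowAnonymous]
        [ValidateAntiForgeryToken]
        public ActionResult Login(LoginModel model, string returnUrl)
        {
            if (ModelState.IsValid && Membership.ValidateUser(model.UserName, model.Password))
            {
                FormsAuthentication.SetAuthCookie(model.UserName, createPersistentCookie: false);
                // Only follow returnUrl back into this site; anything else goes home.
                if (Url.IsLocalUrl(returnUrl))
                    return Redirect(returnUrl);
                return RedirectToAction("Index", "Home");
            }
            ModelState.AddModelError("", "The user name or password provided is incorrect.");
            return View(model);
        }

        // No [AllowAnonymous]: covered by the global filter like everything else.
        [HttpPost]
        [ValidateAntiForgeryToken]
        public ActionResult LogOff()
        {
            FormsAuthentication.SignOut();
            return RedirectToAction("Login");
        }
    }

    public class HomeController : Controller
    {
        // Carries no attribute of its own, yet /Home/Index is now locked down
        // because the global filter applies to it. This is the route that walked
        // straight past the <location path="Home"> rule in the answer above.
        public ActionResult Index()
        {
            return View();
        }

        // Attributes stack: the global filter demands authentication, and this
        // one additionally demands the Admin role.
        [Authorize(Roles = "Admin")]
        public ActionResult Admin()
        {
            return View();
        }
    }
}
```

With the global filter registered, repeating the answer's experiment changes the outcome: an anonymous request to /Home/Index gets a 302 to the forms-authentication login page instead of the view, and a Redirect() to another action lands in that action's own invocation, where the same filter runs again, so the redirect bypass the answer describes no longer applies.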
