ASP.NET身份 - 保护未经身份验证的用户的目录 [英] ASP.NET Identity - protecting a directory from unauthenticated users

问题描述

我正在使用ASP.NET 4.5 OWIN Identity，并尝试阻止对所有但经过身份验证的用户的目录的访问。该目录包含原始文件，因此它不可能将它们包装在ASP LoggedInTemplate标签中。

I am using ASP.NET 4.5 OWIN Identity and attempting to block access to a directory for all but authenticated users. The directory contains raw files, so it isnt possible to wrap them in the ASP LoggedInTemplate tag.

当我尝试阻止访问匿名用户的目录时，它将失败。

When I try and prevent access to the directory to anonymous users, it fails.

我尝试将以下内容添加到主Web.config文件中：

I have tried adding the following to the main Web.config file:

<system.web>
    <authorization>
        <deny users="?" />
    </authorization>
</system.web>

<location path="/docs">    
    <system.web>
        <authorization>
            <deny users="?" />
        </authorization>
    </system.web>
</location>

这样做会给服务器500错误，并突出显示位置path =/ docs行作为错误。这是一个托管解决方案，因此，对于改变IIS服务器配置以允许覆盖的选项不可用，但对于遇到此问题的任何人来说，这似乎是一个潜在的解决方案。

Doing this gives server 500 errors and highlight the location path="/docs" line as the source of the error. This is a hosted solution, so options for changing the IIS server config to allow overrides arent available to me, though that does seem one potential solution for anyone experiencing this issue.

我现在已经从主web.config中删除了上述内容，并在我要保护的目录中添加了一个单独的web.config文件。新的web.config包含以下内容：

I have now removed the above from the main web.config and added a separate web.config file in the directory that I want to protect. The new web.config contains this:

<?xml version="1.0"?>
<configuration>
    <system.web>
      <authorization>
        <deny users="?" />
      </authorization>
    </system.web>
</configuration>

这没有错误，但允许未经身份验证的用户访问该文件夹，这是我正在尝试

This gives no errors, but allows unauthenticated users access to the folder, which is what I am trying to prevent.

任何有关描述如何解决此问题的文章的提示或指针都将非常感谢。

Any ideas or pointers to any article that describes how to resolve this would be much appreciated.

推荐答案

我的环境的解决方案是在子目录中使用web.config文件，但为相关文件类型添加自定义处理程序定义。

The solution to this for my environment was to use the web.config file in the sub directory, but to add a custom handler definition for the file types in question.

<?xml version="1.0"?>
<configuration>
    <system.web>
      <authorization>
        <deny users="?" />
      </authorization>
    </system.web>
  <system.webServer>
    <handlers>
      <add name="PDFHandler" verb="*"
        path="*.pdf"
        type="System.Web.StaticFileHandler"
        resourceType="Unspecified" />
    </handlers>
  </system.webServer>
</configuration>

然后，Web服务器只允许经过身份验证的用户访问子目录中的文件。

The web server then allows authenticated users only to access the files in the sub directory.

这篇文章引导我解决了以下问题： http：// www。 primaryobjects.com/CMS/Article112

This article led my to the solution: http://www.primaryobjects.com/CMS/Article112

这篇关于ASP.NET身份 - 保护未经身份验证的用户的目录的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！