为什么授权不适用于silverlight中的html页面？ [英] Why authorization does not work for html page in silverlight?

问题描述

我们目前有使用Forms身份验证的silverlight应用程序。我计划摆脱表单身份验证并使用Azure AD + Open ID Connect + OWIN进行身份验证。我根据文章配置了所有内容

这里

我希望用户自动重定向到Azure的身份验证页面，如果他们没有认证，所以我添加了以下代码在Default.aspx页面（这是一个启动页面）

 public class默认值：System.Web.UI.Page 
 {
 protected void Page_Load（object sender，EventArgs e）
 {
 SignIn（）; 
} 
 
 public void SignIn（）
 {
 //发送OpenID Connect登录请求。 
 if（！System.Web.HttpContext.Current.Request.IsAuthenticated）
 {
 HttpContext.Current.GetOwinContext（）。Authentication.Challenge（new AuthenticationProperties {RedirectUri =" /" }，OpenIdConnectAuthenticationDefaults.AuthenticationType）; 
} 
} 
} 

并阻止匿名用户访问除Default.aspx以外的所有内容。下面是我完整的web.config文件

< configuration> 
< appSettings> 
< add key =" webpages：Version"值= QUOT; 3.0.0.0" /> 
< add key =" webpages：Enabled"值= QUOT假QUOT; /> 
< add key =" ClientValidationEnabled"值= QUOT;真" /> 
< add key =" UnobtrusiveJavaScriptEnabled"值= QUOT;真" /> 
< add key =" ida：ClientId" value =" some client id" /> 
< add key =" ida：Tenant"值= QUOT; sometenant.onmicrosoft.com" /> 
< add key =" ida：AADInstance"值= QUOT; HTTPS：//login.microsoftonline.com/ {0}" /> 
< add key =" ida：PostLogoutRedirectUri"值= QUOT; https：//开头本地主机：44312 /" /> 
< / appSettings> 
< system.web> 
< compilation debug =" true" targetFramework = QUOT; 4.5.1" /> 
< httpRuntime targetFramework =" 4.5.1" /> 
< authorization> 
< deny users ="？" /> 
< / authorization> 
< /system.web> 
< location path =" Default.aspx"> 
< system.web> 
< authorization> 
< allow users =" *" /> 
< / authorization> 
< /system.web> 
< / location> 
< / configuration> 

这个工作正常。现在我被重定向到azure进行身份验证，并且匿名用户也无法访问任何aspx页面。 

但是，每个银光应用程序也有html页面（具有JavaScript的页面） silverlight对象）。匿名用户可以通过输入网址并访问silverlight来访问此页面而不会出现任何问题。 

为什么授权不适用于HTML网页？

我发布了我的代码在这里  https://github.com/laksh01/AzureWithSL（您需要使用自己的Azure客户端ID才能登录）

解决方案

这不是一个银色问题。

这是允许访问的托管页面，Silverlight载入其中。

asp.net论坛是：

http://forums.asp.net/

。

您的问题是工作进程不提供htm文件默认情况下。意思是iis只提供文件而不检查它的任何安全性。

您需要将页面更改为aspx或将.htm添加到由服务器提供的内容列表中。工作流程。

这是一篇旧文章，详细说明了如何执行此操作。较新版本的iis可能不同，并且可能有更简洁的方法来完成此过程。

http://forums.asp.net/t/1184547.aspx

但这基本上就是问题。

we have currently silverlight application which is using Forms Authentication. I am planning to get rid of forms authetication and use Azure AD + Open ID Connect + OWIN for authentication. I have configured everything as per the article here

I want user to automatically get redirected to Azure's authentication page if they are not authentticated, so i added the following code in Default.aspx page ( which is a startup page)

public class Default: System.Web.UI.Page
    {
        protected void Page_Load(object sender, EventArgs e)
        {
            SignIn();
        }

        public void SignIn()
        {
            // Send an OpenID Connect sign-in request.
            if (!System.Web.HttpContext.Current.Request.IsAuthenticated)
            {
                HttpContext.Current.GetOwinContext().Authentication.Challenge(new AuthenticationProperties { RedirectUri = "/" }, OpenIdConnectAuthenticationDefaults.AuthenticationType);
            }
        }
    }

and block anonymous user from accessing everything except Default.aspx. Below is my complete web.config file

<configuration>
  <appSettings>
    <add key="webpages:Version" value="3.0.0.0" />
    <add key="webpages:Enabled" value="false" />
    <add key="ClientValidationEnabled" value="true" />
    <add key="UnobtrusiveJavaScriptEnabled" value="true" />
    <add key="ida:ClientId" value="some client id" />
    <add key="ida:Tenant" value="sometenant.onmicrosoft.com" />
    <add key="ida:AADInstance" value="https://login.microsoftonline.com/{0}" />
    <add key="ida:PostLogoutRedirectUri" value="https://localhost:44312/" />
  </appSettings>
  <system.web>
    <compilation debug="true" targetFramework="4.5.1" />
    <httpRuntime targetFramework="4.5.1" />
    <authorization>     
      <deny users="?"/>
    </authorization>
  </system.web>
  <location path="Default.aspx">   
    <system.web>
      <authorization>
        <allow users="*"/>
      </authorization>
    </system.web>
  </location>
</configuration>

This is working fine. Now i get redirected to azure for authentication, and also anonymous user cannot access any aspx pages. 

However, every silver-light application also has html page (the one that has JavaScript for silverlight object ). Anonymous user is able to access this page by typing the url and access silverlight without any problem. 

Why authorization doesn't work with HTML pages?

I posted my code here https://github.com/laksh01/AzureWithSL (You need to use your own Azure Client ID in order to login)

解决方案

This isn't a silverlight question.

It's the hosting page that's allowing access, Silverlight is loaded in that.

asp.net forums are:

http://forums.asp.net/

.

Your problem is that htm files are not served by the worker process by default. Meaning iis just serves the file and doesn't check any security on it.

You need to either change your page to be an aspx OR add .htm to the list of stuff served by the worker process.

Here's an old post gives detailed instructions of how to do this. Newer versions of iis are probably different and there may well be a neater way of doing the process.

http://forums.asp.net/t/1184547.aspx

But that's essentially the issue.

这篇关于为什么授权不适用于silverlight中的html页面？的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！