Restrict access to file/folder in web.config


Problem description

I've tried all manner of variations in trying to restrict access to a folder, from the simplest of denying access to all users and just granting access to myself to trying a combination of roles/users etc. In particular, the folder has a mix of aspx and html files.

Can anyone assist? Here's pretty much what I have based on other similar questions:

<configuration>
    <system.web>
       <!-- mode=[Windows|Forms|Passport|None] -->
       <authentication mode="Windows" />
    </system.web>
  <system.webServer>
    <handlers>
        <add name="HTMLHandler" type="System.Web.StaticFileHandler" path="*.html" verb="GET" />
    </handlers>
  </system.webServer>
    <location path="AdminOnly">
        <system.web>
            <authorization>
            <deny users="*" />
            <allow users="domain\user1, domain\user2, domain\user3" />
            <allow roles="domain\role1, domain\role2" />
            </authorization>
        </system.web>
    </location>
</configuration>

EDIT: The solution has presented itself at last.

It was a combination of understanding the authorization segment (thanks to Tetsuya for the helpful tip in relation to ordering authorization rules), including the handler segment and also configuring the application pool for managed code.

Recommended answer

It seems you have the wrong order in composing the authorization element: the allow part must be declared first to allow certain users in certain roles before denying everything else.

So, this construction below is wrong due to denying all users resolved before allowing defined users:

<location path="AdminOnly">
    <system.web>
        <authorization>
        <deny users="*" />
        <allow users="domain\user1, domain\user2, domain\user3" />
        <allow roles="domain\role1, domain\role2" />
        </authorization>
    </system.web>
</location> 

The correct order should be like this:

<location path="AdminOnly">
    <system.web>
        <authorization>
        <allow roles="role1, role2" />
        <allow users="user1, user2, user3" />
        <deny users="*" />
        </authorization>
    </system.web>
</location>

In the reference section, Guru Sarkar explains what goes wrong:

Common mistake

I have seen people complaining that they have set up their roles correctly and also made entry to their web.config but still their authorization doesn't work. Even they have allowed access to their role that user cannot access particular page/folder. The common reason for that is placing <deny../> before <allow ../>. Since the authorization is done from top to bottom, rules are checked until a match is found.

Reference:

Setting authorization rules for a specific page or folder in web.config
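
The top-to-bottom, first-match evaluation described in the answer can be checked offline. The following is an added example, not part of the original question or answer: a small Python model of that evaluation which also flags rules made unreachable by an earlier users="*" rule. The function names are hypothetical, name matching is assumed to be case-insensitive, and the verbs attribute is ignored.

```python
import xml.etree.ElementTree as ET

# Constructed inputs: the two <location> blocks shown on this page.
DENY_FIRST = r"""<location path="AdminOnly"><system.web><authorization>
  <deny users="*" />
  <allow users="domain\user1, domain\user2, domain\user3" />
  <allow roles="domain\role1, domain\role2" />
</authorization></system.web></location>"""

ALLOW_FIRST = r"""<location path="AdminOnly"><system.web><authorization>
  <allow roles="role1, role2" />
  <allow users="user1, user2, user3" />
  <deny users="*" />
</authorization></system.web></location>"""

def _names(value):
    # Split a comma-separated users/roles attribute into a lower-cased set.
    return {n.strip().lower() for n in (value or "").split(",") if n.strip()}

def load_rules(xml_text):
    """Return [(action, users, roles), ...] in document order."""
    auth = next(ET.fromstring(xml_text).iter("authorization"))
    return [(r.tag, _names(r.get("users")), _names(r.get("roles"))) for r in auth]

def is_allowed(rules, user, roles=()):
    """First matching rule wins; user=None models an anonymous request."""
    for action, users, rule_roles in rules:
        hit = ("*" in users
               or (user is None and "?" in users)
               or (user is not None and user.lower() in users)
               or any(r.lower() in rule_roles for r in roles))
        if hit:
            return action == "allow"
    return True  # simplification: the inherited default rule is <allow users="*" />

def shadowed_rules(rules):
    """Indexes of rules placed after a users="*" rule; they can never match."""
    for i, (_, users, _) in enumerate(rules):
        if "*" in users:
            return list(range(i + 1, len(rules)))
    return []

if __name__ == "__main__":
    for label, xml_text in (("deny first", DENY_FIRST), ("allow first", ALLOW_FIRST)):
        rules = load_rules(xml_text)
        print(label, "-> unreachable rule indexes:", shadowed_rules(rules))
```

With the deny-first block both allow rules are reported as unreachable, which is why the listed users were locked out; with the allow-first block nothing is shadowed and the final deny only catches everyone not matched earlier.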
