Aspnet Core-web.config授权 [英] Aspnet Core - web.config Authorization
问题描述
我正在尝试将授权"元素添加到web.config中,就像以前在经典的asp.net中一样:
I am trying to add "authorization" elements to web.config, like it used to work in classic asp.net:
全局配置-应该全局"限制访问:
global configuration - should limit access "globally":
<configuration>
<system.web>
<authentication mode="Windows" />
<authorization>
<allow roles="AD\some.user" />
<deny users="*" />
</authorization>
...
基于位置"的配置:
<configuration>
<location path="RelativePath" >
<system.web>
<authorization>
<allow roles="AD\some.user" />
<deny users="*" />
</authorization>
</system.web>
</location>
两个版本对于IIS中托管的aspnet.core似乎根本不起作用
both versions appear to be not working at all for aspnet.core hosted in IIS
这是什么工作:
全局":
<configuration>
<system.webServer>
<security>
<authorization>
<remove users="*" roles="" verbs="" />
<add accessType="Allow" roles="AD\johannes.colmsee" />
</authorization>
</configuration>
位置"基于:
<configuration>
<location path="RelativePath" >
<system.webServer>
<security>
<authorization>
<remove users="*" roles="" verbs="" />
<add accessType="Allow" roles="AD\denis.kopic" />
</authorization>
</security>
</system.webServer>
</location>
这很好.
现在我的问题:
aspnet核心根本不支持第一版"吗?还是我做错了什么?
does aspnet core not support the "first version" at all? Or is it something I do wrong?
推荐答案
ASP.NET Core不支持也不使用web.config.发布的web.config仅用于IIS托管,因为IIS要求这样做.如果您碰巧要发布到其他Web服务器,则可以完全丢弃web.config.
ASP.NET Core does not support nor use web.config. The published web.config is there only for IIS hosting, since IIS requires this. If you happened to publish to a different web server, you could discard web.config entirely.
通过查看已发布的web.config的内容应该显而易见的是,它非常裸露.几乎唯一存在的就是AspNetCoreHosting模块配置,这当然是在IIS内托管ASP.NET Core所必需的.
It should be apparent from looking at the contents of the published web.config, that it is extremely bare. Pretty much the only thing that exists is the AspNetCoreHosting module config, which of course is necessary for hosting ASP.NET Core inside IIS.
现在,关于为什么第二个版本实际上 did 起作用的原因是,因为第二个版本放置在 system.webServer 内,而该版本直接用于IIS的配置,因此IIS是在将任何内容移交给ASP.NET Core应用之前,都要进行非常高级别的授权.可以满足您的需求,但这是一种非常粗鲁的方法,因为您最终可能必须为不同的路径,用户和授权级别定义许多这样的部分,并且然后将其与您最终在ASP.NET Core应用程序中进行的更改保持同步.由于IIS只是将其视为静态路径,因此,如果移动或重命名任何内容,最终都可能会意外地在安全性方面造成漏洞,因为尚未将IIS配置为授权该新位置.
Now, as for why the second version actually did work, that's because it was placed inside system.webServer, which is directly for configuration of IIS, so IIS is doing the authorization at a very high-level before anything is handed off to your ASP.NET Core app. That may work for your needs, but it's an extremely rough-shod approach, as you'll have to likely end up defining many such sections for different paths, users, and authorization levels, and then keep that in sync with anything you end up changing in the ASP.NET Core app. Because IIS is looking at this as just static paths, if you move or rename anything, you can end up accidentally opening a hole in your security, since IIS will not yet have been configured to authorize that new location.
总之,您应该删除所有内容,并 Windows仍支持Auth .
Long and short, you should remove all this and handle authorization via your ASP.NET Core app. Windows Auth is still supported.
这篇关于Aspnet Core-web.config授权的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
