Secure requests to .html files in ASP.NET Core

Question

I have a web application written in ASP.NET Core. Authentication is done by checking if the Session contains a Json object that is obtained from a webservice at the first request. (using public/private keys etc.)

Inside this Json object is a number that corresponds with a physical folder beneath the Web root folder.

So, when a user is accessing files within this folder, it should check if this is allowed. In fact, there is a whole static website within this folder, so every request to an .html file has to be checked before being served.

I guess this can be done using some custom middleware, but I'm unsure where to start.

Does anyone have a clue on how to get this done?

Recommended answer

The only real way is to proxy the HTML files through an action that is authorized. For example, instead of linking directly to foo.html, you'd link to something like /proxy?file=foo.html, where /proxy would be an action that checks whether the user is actually authorized to view foo.html or not.

Documentation:

The Static File Middleware doesn't provide authorization checks. Any files served by it, including those under wwwroot, are publicly accessible. To serve files based on authorization:

  • Store them outside of wwwroot and any directory accessible to the Static File Middleware.

  • Serve them via an action method to which authorization is applied. Return a FileResult object:

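// Requires: using System.IO; using Microsoft.AspNetCore.Authorization; using Microsoft.AspNetCore.Mvc;
[Authorize] // authorization is applied here; without it the action is publicly reachable
public IActionResult BannerImage()
{
    // The file lives outside wwwroot, so the Static File Middleware cannot serve it.
    var file = Path.Combine(Directory.GetCurrentDirectory(),
                            "MyStaticFiles", "images", "banner1.svg");

    return PhysicalFile(file, "image/svg+xml");
}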
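
A sketch of the /proxy action for the question's setup, added here as an example (it is not code from the answer or from the documentation). It resolves the requested file against the user's own folder and rejects anything that lands outside it, since a file name taken from the query string can otherwise be used to walk into another user's folder. Assumptions: session middleware is enabled, the login step stored the folder number under the hypothetical session key "FolderNumber", and the sites live in a hypothetical ProtectedSites directory under the content root, outside wwwroot.

```csharp
using System;
using System.IO;
using Microsoft.AspNetCore.Hosting;
using Microsoft.AspNetCore.Http;
using Microsoft.AspNetCore.Mvc;

public class ProxyController : Controller
{
    // Assumption: each site is stored in <content root>/ProtectedSites/<folder number>/,
    // which the Static File Middleware does not serve.
    private readonly string _root;

    public ProxyController(IWebHostEnvironment env) =>
        _root = Path.Combine(env.ContentRootPath, "ProtectedSites");

    [HttpGet("/proxy")]
    public IActionResult Get(string file)
    {
        // Assumption: "FolderNumber" was written to the session after the web service call.
        int? folder = HttpContext.Session.GetInt32("FolderNumber");
        if (folder is null) return Unauthorized();
        if (string.IsNullOrEmpty(file)) return BadRequest();

        // Canonical form of the user's folder, with a trailing separator so that
        // folder "1" is never treated as a prefix of folder "10".
        string baseDir = Path.GetFullPath(Path.Combine(_root, folder.Value.ToString()))
                         + Path.DirectorySeparatorChar;

        // Canonicalize the requested path; this collapses "..", and an absolute
        // path in "file" replaces baseDir entirely, so both fail the check below.
        string fullPath = Path.GetFullPath(Path.Combine(baseDir, file));

        bool insideFolder = fullPath.StartsWith(baseDir, StringComparison.Ordinal);
        bool isHtml = string.Equals(Path.GetExtension(fullPath), ".html",
                                    StringComparison.OrdinalIgnoreCase);

        // Same response for "not yours" and "does not exist", so the action
        // does not reveal which files are present in other folders.
        if (!insideFolder || !isHtml || !System.IO.File.Exists(fullPath))
            return NotFound();

        return PhysicalFile(fullPath, "text/html");
    }
}
```

Images, scripts and stylesheets referenced by those pages need the same treatment if they are sensitive; the .html check above only covers the pages themselves.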
