Secure requests to .html files in ASP.NET Core
Question
I have a web application written in ASP.NET Core. Authentication is done by checking if the Session contains a Json object that is obtained from a webservice at the first request. (using public/private keys etc.)
Inside this Json object is a number that corresponds with a physical folder beneath the Web root folder.
So, when a user accesses files within this folder, it should check if this is allowed. In fact, there is a whole static website within this folder, so every request to an .html file has to be checked before being served.
I guess this can be done using some custom middleware, but I'm unsure where to start.
Does anyone have a clue how to get this done?
Recommended answer
The only real way is to proxy the HTML files through an action that is authorized. For example, instead of linking directly to foo.html, you'd link to something like /proxy?file=foo.html, where /proxy would be an action that checks whether the user is actually authorized to view foo.html or not.
Documentation:
The Static File Middleware doesn't provide authorization checks. Any files served by it, including those under wwwroot, are publicly accessible. To serve files based on authorization:
- Store them outside of wwwroot and any directory accessible to the Static File Middleware.
- Serve them via an action method to which authorization is applied. Return a FileResult object:
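// Authorization is applied to the action; unauthenticated requests never reach the file.
[Authorize]
public IActionResult BannerImage()
{
    // The file lives outside wwwroot, so the Static File Middleware cannot serve it.
    var file = Path.Combine(Directory.GetCurrentDirectory(),
                            "MyStaticFiles", "images", "banner1.svg");
    return PhysicalFile(file, "image/svg+xml");
}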
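The /proxy?file=foo.html action described in the answer, sketched as an added example (not code from the original answer or from the documentation), with the check that a user-supplied file name cannot escape the folder tied to the session. The controller name, the ProtectedSites directory and the "FolderNumber" session key are assumptions; the example presumes the folder number from the JSON object was stored in the session at login.

```csharp
using System;
using System.IO;
using Microsoft.AspNetCore.Http;
using Microsoft.AspNetCore.Mvc;

public class ProxyController : Controller
{
    // Assumption: the per-user static sites are stored outside wwwroot,
    // one subfolder per folder number, e.g. ProtectedSites/42/index.html.
    private static readonly string SitesRoot =
        Path.Combine(Directory.GetCurrentDirectory(), "ProtectedSites");

    [HttpGet("/proxy")]
    public IActionResult Get(string file)
    {
        // Assumption: the login step saved the folder number under this session key.
        int? folder = HttpContext.Session.GetInt32("FolderNumber");
        if (folder == null)
            return Unauthorized();

        // Reject empty names and embedded NULs before touching the path APIs.
        if (string.IsNullOrEmpty(file) || file.IndexOf('\0') >= 0)
            return NotFound();

        // Canonical root of this user's site, with a trailing separator so that
        // folder "4" can never match a prefix of folder "42".
        string userRoot = Path.GetFullPath(
            Path.Combine(SitesRoot, folder.Value.ToString())) + Path.DirectorySeparatorChar;

        // Resolve "..", "." and absolute paths, then compare against the root.
        string fullPath = Path.GetFullPath(Path.Combine(userRoot, file));
        if (!fullPath.StartsWith(userRoot, StringComparison.Ordinal))
            return NotFound();

        // Only .html files that actually exist are served.
        if (!fullPath.EndsWith(".html", StringComparison.OrdinalIgnoreCase)
            || !System.IO.File.Exists(fullPath))
            return NotFound();

        return PhysicalFile(fullPath, "text/html");
    }
}
```

The folder is taken only from the session, never from the request, so a user cannot ask for another user's folder; NotFound is returned for every rejected path so the response does not reveal which files exist.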