IIS 6忽略Web.config中的授权设置 [英] IIS 6 ignores Web.config authorization settings
问题描述
上下文:
- IIS 6在Windows 2003服务器
- ASP.NET 3.5 SP1
- 从虚拟目录中运行C#Web应用程序
有,我想不成为一些文件。例如,在根目录不应该是访问一个的hibernate.cfg.xml
。也有日志中日志目录中的文件。在本地开发服务器(Visual Studio 2008中)NHibernate的配置文件可以在几个方面,通过Web.config进行保护:
There are a few files that I would like not to serve. For example, there's a hibernate.cfg.xml
in the root directory that should not be accessible. There are also log files in a logs directory. On the local development server (Visual Studio 2008) The NHibernate config file can be protected in a couple of ways through Web.config:
<location path="hibernate.cfg.xml">
<system.web>
<authorization>
<deny users="?"/>
<deny users="*"/>
</authorization>
</system.web>
</location>
或
<httpHandlers>
...
<add path="*.cfg.xml" verb="*" type="System.Web.HttpForbiddenHandler" />
</httpHandlers>
在不同的目录中的日志可以通过另一个Web.config文件进行保护:
The logs in a different directory can be protected through another Web.config file:
<?xml version="1.0"?>
<configuration>
<system.web>
<authorization>
<deny users="*"/>
</authorization>
</system.web>
</configuration>
当应用程序使用aspnet_compiler.exe编译和部署到IIS 6服务器,这些工作都没有。在日志中没有错误。这些文件是可读的任何人。该应用程序被编译并安装使用的MSBuild如下:
None of these work when the application is compiled using aspnet_compiler.exe and deployed to an IIS 6 server. No errors in the logs. The files are readable to anyone. The application is compiled and installed using MSBuild as follows:
<AspNetCompiler Force="true" Debug="true" PhysicalPath="$(DeploymentTempPath)\$(DeploymentAppName)" TargetPath="$(DeploymentPath)\$(DeploymentAppName)" VirtualPath="/$(DeploymentAppName)" />
如何让IIS 6尊重Web.config中的授权规则。
How do I make IIS 6 respect the authorization rules in Web.config.
注:假设我不能移动部署目录以外的这些文件
Note: assume that I can't move these files outside of the deployment directory.
推荐答案
它看起来像IIS不转发对于.xml或.txt文件到ASP.NET请求,所以它有没有机会申请的授权控制。
It looks like IIS does not forward the request for .xml or .txt files to ASP.NET, so it has no chance to apply its authorization controls.
要解决这个问题,我不得不做以下(从这个论坛帖子):
To work around this, I had to do the following (from this forum post):
- 从IIS控制台,我的应用程序的虚拟目录中打开属性。
- 虚拟目录>配置
- 添加新的处理程序延期的.xml使用ASP.NET过滤器(
C:\\ WINDOWS \\ microsoft.net \\框架\\ V2.0.50727 \\ ASPNET_ISAPI.DLL
在我的情况) - 所有动词。取消选中两个脚本引擎和确认文件是否存在。
- From IIS Console, open properties of the virtual directory of my app.
- Virtual Directory > Configuration
- Add new handler for extension ".xml" using the ASP.NET filter (
c:\windows\microsoft.net\framework\v2.0.50727\aspnet_isapi.dll
in my case) - All verbs. Uncheck both "Script engine" and "Verify that file exists".
有没有办法从的Web.config
?
这篇关于IIS 6忽略Web.config中的授权设置的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!