IIS 6忽略Web.config中的授权设置 [英] IIS 6 ignores Web.config authorization settings

问题描述

上下文：

• IIS 6在Windows 2003服务器


• ASP.NET 3.5 SP1


• 从虚拟目录中运行C＃Web应用程序

有，我想不成为一些文件。例如，在根目录不应该是访问一个的hibernate.cfg.xml 。也有日志中日志目录中的文件。在本地开发服务器（Visual Studio 2008中）NHibernate的配置文件可以在几个方面，通过Web.config进行保护：

There are a few files that I would like not to serve. For example, there's a hibernate.cfg.xml in the root directory that should not be accessible. There are also log files in a logs directory. On the local development server (Visual Studio 2008) The NHibernate config file can be protected in a couple of ways through Web.config:

<location path="hibernate.cfg.xml">
    <system.web>
      <authorization>
        <deny users="?"/>
        <deny users="*"/>
      </authorization>
    </system.web>
</location>

或

<httpHandlers>
...
    <add path="*.cfg.xml" verb="*" type="System.Web.HttpForbiddenHandler" />
</httpHandlers>

在不同的目录中的日志可以通过另一个Web.config文件进行保护：

The logs in a different directory can be protected through another Web.config file:

<?xml version="1.0"?>
<configuration>
  <system.web>
    <authorization>
      <deny users="*"/>
    </authorization>
  </system.web>
</configuration>

当应用程序使用aspnet_compiler.exe编译和部署到IIS 6服务器，这些工作都没有。在日志中没有错误。这些文件是可读的任何人。该应用程序被编译并安装使用的MSBuild如下：

None of these work when the application is compiled using aspnet_compiler.exe and deployed to an IIS 6 server. No errors in the logs. The files are readable to anyone. The application is compiled and installed using MSBuild as follows:

<AspNetCompiler Force="true" Debug="true" PhysicalPath="$(DeploymentTempPath)\$(DeploymentAppName)" TargetPath="$(DeploymentPath)\$(DeploymentAppName)" VirtualPath="/$(DeploymentAppName)" />

如何让IIS 6尊重Web.config中的授权规则。

How do I make IIS 6 respect the authorization rules in Web.config.

注：假设我不能移动部署目录以外的这些文件

Note: assume that I can't move these files outside of the deployment directory.

推荐答案

它看起来像IIS不转发对于.xml或.txt文件到ASP.NET请求，所以它有没有机会申请的授权控制。

It looks like IIS does not forward the request for .xml or .txt files to ASP.NET, so it has no chance to apply its authorization controls.

要解决这个问题，我不得不做以下（从这个论坛帖子）：

To work around this, I had to do the following (from this forum post):

1. 从IIS控制台，我的应用程序的虚拟目录中打开属性。


2. 虚拟目录>配置


3. 添加新的处理程序延期的.xml使用ASP.NET过滤器（ C：\\ WINDOWS \\ microsoft.net \\框架\\ V2.0.50727 \\ ASPNET_ISAPI.DLL 在我的情况）


4. 所有动词。取消选中两个脚本引擎和确认文件是否存在。

1. From IIS Console, open properties of the virtual directory of my app.
2. Virtual Directory > Configuration
3. Add new handler for extension ".xml" using the ASP.NET filter (c:\windows\microsoft.net\framework\v2.0.50727\aspnet_isapi.dll in my case)
4. All verbs. Uncheck both "Script engine" and "Verify that file exists".

有没有办法从的Web.config ？

这篇关于IIS 6忽略Web.config中的授权设置的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！