Authorisation of Website/Media Content in ASP.NET MVC 3


Question

I am trying to deny access to a folder or resources when not logged in (prevent leeching). In the folder I have my

Web.config: (/Media)

<?xml version="1.0"?>
<configuration>
  <system.web>
    <authorization>
      <deny users="?"/>
      <allow users="*" />
    </authorization>
  </system.web>
</configuration>

The code I am calling:

Index:

@Video.MediaPlayer(
    path: "~/Media/Tree Felling2.wmv",
    width: "600",
    height: "400",
    autoStart: false,
    playCount: 1,
    uiMode:  "full",
    stretchToFit: true,
    enableContextMenu: true,
    mute: false,
    volume: 75)

@Video.Flash(path: "~/Media/sample.swf",
             width: "80%",
             //height: "600",
             play: true,
             loop: false,
             menu:  true,
             bgColor: "red",
             quality: "medium",
             //scale: "showall",
             windowMode: "transparent")

When logged out: flash is not shown. Media player won't connect to media. (AS EXPECTED)

When logged in: flash is shown. But the media player still won't connect to the media.

Where am I going wrong?..

Recommended answer

Unfortunately this is a known bug with the Windows Media Player for FF. It will work in IE.

The reason for this not working is pretty simple: the plugin doesn't send the authentication cookie along with the request so it is as if you are not authenticated.

The only way to make this work is to append the cookie value as a query string parameter to the request and then resynchronize the session on the server.

Let's put that into action, shall we?

Unfortunately we cannot use the @Video.MediaPlayer helper because it doesn't allow you to specify query string parameters, it works only with physical files (which kinda sucks). So:

<object classid="clsid:6BF52A52-394A-11D3-B153-00C04F79FAA6" height="400" width="600" >
    <param name="URL" value="@Url.Content("~/media/test.wmv?requireAuthSync=true&token=" + Url.Encode(Request.Cookies[FormsAuthentication.FormsCookieName].Value))" />
    <param name="autoStart" value="False" />
    <param name="uiMode" value="full" />
    <param name="stretchToFit" value="True" />
    <param name="volume" value="75" />
    <embed src="@Url.Content("~/media/test.wmv?requireAuthSync=true&token=" + Url.Encode(Request.Cookies[FormsAuthentication.FormsCookieName].Value))" width="600" height="400" type="application/x-mplayer2" autoStart="False" uiMode="full" stretchToFit="True" volume="75" />
</object>

and inside Global.asax we subscribe to the Application_BeginRequest method and resync up the authentication cookie from the request:

protected void Application_BeginRequest()
{
    if (!string.IsNullOrEmpty(Context.Request["RequireAuthSync"]))
    {
        AuthCookieSync();
    }
}

private void AuthCookieSync()
{
    try
    {
        string authParamName = "token";
        string authCookieName = FormsAuthentication.FormsCookieName;

        if (!string.IsNullOrEmpty(Context.Request[authParamName]))
        {
            UpdateCookie(authCookieName, Context.Request.QueryString[authParamName]);
        }
    }
    catch { }
}

private void UpdateCookie(string cookieName, string cookieValue)
{
    var cookie = Context.Request.Cookies.Get(cookieName);
    if (cookie == null)
    {
        cookie = new HttpCookie(cookieName);
    }
    cookie.Value = cookieValue;
    Context.Request.Cookies.Set(cookie);
}

And that's pretty much it. The only requirement for this to work is to be running in IIS 7 Integrated Pipeline Mode in order for all requests to go through ASP.NET, even those for .wmv files, otherwise the BeginRequest will obviously never trigger for them.

If you are using some legacy web server (such as IIS 6.0) or running in Classic Pipeline mode and don't want to do a wildcard mapping of all requests with ASP.NET you could put all your media files in a secure location (such as ~/App_Data) that cannot be directly accessed by users and then serve them through a controller action decorated with the [Authorize] attribute:

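[Authorize]
public ActionResult Media(string file)
{
    // Resolve the protected folder and end it with a separator so that a
    // sibling folder such as ~/App_DataOld cannot pass the prefix check below
    var appData = Path.GetFullPath(Server.MapPath("~/App_Data"))
        .TrimEnd(Path.DirectorySeparatorChar) + Path.DirectorySeparatorChar;
    // Canonicalise the requested path ("..", rooted paths) before checking it
    var filename = Path.GetFullPath(Path.Combine(appData, file));
    if (!filename.StartsWith(appData, StringComparison.OrdinalIgnoreCase))
    {
        // prevent people from reading arbitrary files from your server
        throw new HttpException(403, "Forbidden");
    }
    return File(filename, "application/octet-stream");
}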

and then:

<object classid="clsid:6BF52A52-394A-11D3-B153-00C04F79FAA6" height="400" width="600" >
    <param name="URL" value="@Url.Action("media", "home", new { requireAuthSync = true, token = Request.Cookies[FormsAuthentication.FormsCookieName].Value })" />
    <param name="autoStart" value="False" />
    <param name="uiMode" value="full" />
    <param name="stretchToFit" value="True" />
    <param name="volume" value="75" />
    <embed src="@Url.Action("media", "home", new { requireAuthSync = true, token = Request.Cookies[FormsAuthentication.FormsCookieName].Value })" width="600" height="400" type="application/x-mplayer2" autoStart="False" uiMode="full" stretchToFit="True" volume="75" />
</object>
