拒绝访问网页使用的web.config [英] Deny access to a webpage using web.config

问题描述

我已搜查谷歌和放大器; SO职位，但未能得到解决我的问题任何结果。

I have searched Google & SO posts, but could not get any results that solved my issue.

我的web.config是：

My web.config is:

<location path="~/reports/PayPeriodQtrReport.aspx, ~/reports/PayPeriodDetailReport.aspx">
  <system.web>
    <authorization>
      <allow roles="PayrollReports"/>
      <deny users="*"/>
    </authorization>
  </system.web>
</location>

<location path="~/reports/ManifestAnnualReport.aspx, ~/reports/ManifestDetailedReport.aspx">
  <system.web>
    <authorization>
      <allow roles="ManifestReports"/>
      <deny users="*"/>
    </authorization>
  </system.web>
</location>  

授权工作的要求（意为PayrollReports角色的人，是不是能够看到该菜单项的清单报告和一个人用ManifestReports的作用是不能够看到该菜单项的工资报告）。

The authorization works as required (meaning a person with "PayrollReports" role, is not able to see the Manifest Reports in the menu item and a person with "ManifestReports" role is not able to see the Payroll Reports in the menu item).

问题：结果
正如PayrollReports角色的用户，我可以键入我的网址
 的http：\\\\ mysite.com \\报告\\ ManifestDetailedReport.aspx 和页面显示出来。什么应显示为unauthorizedaccess.aspx

Problem:
As a user with "PayrollReports" role, I can type into my url http:\\mysite.com\reports\ManifestDetailedReport.aspx and the page shows up. What should be displayed is unauthorizedaccess.aspx

同样，以ManifestReports角色的用户，我可以键入我的网址的http：\\\\ mysite.com \\报告\\ PayPeriodQtrReport.aspx 和页面显示向上。什么应显示为unauthorizedaccess.aspx

Similarly, as a user with "ManifestReports" role, I can type into my url http:\\mysite.com\reports\PayPeriodQtrReport.aspx and the page shows up. What should be displayed is unauthorizedaccess.aspx

问：
通过在URL中键入黑客进入该页面使用web.config中，我怎么能prevent用户？

Question: Using web.config, how can I prevent a user from hacking into the page by typing in the url?

推荐答案

您需要把每个文件在它自己的位置项，删除 〜/ ：

You need to put each file in it's own location entry and remove the ~/:

<location path="reports/PayPeriodQtrReport.aspx">
  <system.web>
    <authorization>
      <allow roles="PayrollReports"/>
      <deny users="*"/>
    </authorization>
  </system.web>
</location>

等等......

etc...

这假设你正在使用RoleProvider。无论您使用的是内置RoleProvider，或者您从 RoleProvider 继承，并在你的web.config中指定正确。定制RoleProvider

This assumes you are using a RoleProvider. Either you are using the built-in RoleProvider or you a custom RoleProvider that inherits from RoleProvider and is properly specified in your web.config.

这篇关于拒绝访问网页使用的web.config的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！