拒绝访问网页使用的web.config [英] Deny access to a webpage using web.config
问题描述
我已搜查谷歌和放大器; SO职位,但未能得到解决我的问题任何结果。
I have searched Google & SO posts, but could not get any results that solved my issue.
我的web.config是:
My web.config is:
<location path="~/reports/PayPeriodQtrReport.aspx, ~/reports/PayPeriodDetailReport.aspx">
<system.web>
<authorization>
<allow roles="PayrollReports"/>
<deny users="*"/>
</authorization>
</system.web>
</location>
<location path="~/reports/ManifestAnnualReport.aspx, ~/reports/ManifestDetailedReport.aspx">
<system.web>
<authorization>
<allow roles="ManifestReports"/>
<deny users="*"/>
</authorization>
</system.web>
</location>
授权工作的要求(意为PayrollReports角色的人,是不是能够看到该菜单项的清单报告和一个人用ManifestReports的作用是不能够看到该菜单项的工资报告)。
The authorization works as required (meaning a person with "PayrollReports" role, is not able to see the Manifest Reports in the menu item and a person with "ManifestReports" role is not able to see the Payroll Reports in the menu item).
问题:结果
正如PayrollReports角色的用户,我可以键入我的网址
的http:\\\\ mysite.com \\报告\\ ManifestDetailedReport.aspx
和页面显示出来。什么应显示为unauthorizedaccess.aspx
Problem:
As a user with "PayrollReports" role, I can type into my url
http:\\mysite.com\reports\ManifestDetailedReport.aspx
and the page shows up. What should be displayed is unauthorizedaccess.aspx
同样,以ManifestReports角色的用户,我可以键入我的网址的http:\\\\ mysite.com \\报告\\ PayPeriodQtrReport.aspx
和页面显示向上。什么应显示为unauthorizedaccess.aspx
Similarly, as a user with "ManifestReports" role, I can type into my url http:\\mysite.com\reports\PayPeriodQtrReport.aspx
and the page shows up. What should be displayed is unauthorizedaccess.aspx
问:
通过在URL中键入黑客进入该页面使用web.config中,我怎么能prevent用户?
Question: Using web.config, how can I prevent a user from hacking into the page by typing in the url?
推荐答案
您需要把每个文件在它自己的位置
项,删除 〜/
:
You need to put each file in it's own location
entry and remove the ~/
:
<location path="reports/PayPeriodQtrReport.aspx">
<system.web>
<authorization>
<allow roles="PayrollReports"/>
<deny users="*"/>
</authorization>
</system.web>
</location>
等等......
etc...
这假设你正在使用RoleProvider。无论您使用的是内置RoleProvider,或者您从 RoleProvider
继承,并在你的web.config中指定正确。定制RoleProvider
This assumes you are using a RoleProvider. Either you are using the built-in RoleProvider or you a custom RoleProvider that inherits from RoleProvider
and is properly specified in your web.config.
这篇关于拒绝访问网页使用的web.config的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!