保护与界定了会员的角色Web文件夹 [英] Securing a web folder with out membership roles defined
问题描述
我们的网站托管在共享服务器上。我们有一个登录模块独立于任何成员的角色。我们没有用这个feature.Our登录db表只有电子邮件ID和pwd领域。
我们的一个文件夹(一般)的包含敏感文件:PDF格式; JPG; DOC文件等等。我们不希望被未经授权的用户以及任何搜索引擎如谷歌,雅虎和其他人访问此文件夹。
我们添加了以下线路中的web配置
Our site is hosted on a shared server. We have a login module independent of any membership roles. We have not used this feature.Our login db table only has email id and pwd fields. One of our folders (General) contains sensitive documents: pdf; jpg; doc files etc. We do not want this folder to be accessed by unauthorized users as well as any search engines such as google, yahoo and others. We added the below lines in the web config
<location path="General" allowOverride="true">
<system.web>
<authorization>
<allow roles="Administrators" />
<deny users="*" />
</authorization>
</system.web>
</location>
这改变web配置已获得的文件夹访问权限中被拒绝的消息等的文件夹结果但是,现在我们希望我们的登录用户能够访问此文件夹中。我们尝试添加以下行登录的用户:
Roles.CreateRole(管理员);
然而,这是导致错误;它似乎asp.net试图创建成员关系表,无法。
是否有可能被完全忽视的部分成员强行分配给用户的角色?
This change in web config has secured the folder as accessing the folder results in permission denied message etc. However, now we want our logged in users to be able to access this folder. We tried adding the below line for logged in users: Roles.CreateRole("Administrators"); However, this is resulting in an error ; and it seems asp.net is trying to create membership table and is unable to. Is it possible to forcibly assign a Role to a user by completely ignoring the Membership part?
我们不使用sqlaspent表和不打算使用它。
我们还没有使用ASP.NET成员资格框架。
We are not using sqlaspent tables and no plans to use it. We are also not using ASP.NET Membership framework.
原来的问题重新定义:(允许角色=管理员行从web配置中删除)
Original question reframed: ( allow roles="Administrators" line removed from web config)
<location path="General" allowOverride="true">
<system.web>
<authorization>
<deny users="*" />
</authorization>
</system.web>
</location>
拒绝通用文件夹中的所有文件,上述变化在web配置结果的访问。是否有可能(1)修改web配置在运行时和变更拒绝用户,允许在说一般/ Test.aspx的页面加载部分或(2)一般/ Test.aspx的页面不同的文件夹加载不同的web配置用户加载?
The above changes in web config results in Access Denied for all files in General folder. Is it possible to (1) modify web config during run time and change deny users to allow users in say general/test.aspx page load section or (2) load a different web config from a different folder in general/test.aspx page load?
推荐答案
我不知道的方式,而不使用成员资格提供分配给用户的角色。有一件事我能想到的,是放弃了在Web配置位置部门和开始监测使用在Global.asax的Application_BeginRequest方法应用的每个请求,并检查请求是受限制的文件夹,如果用户(会话loged )。
I don't know a way assigning a Role to a user without using a membership provider. One thing I can think of, is giving up the location sector at the web config and start monitoring every request to the application using the Global.asax Application_BeginRequest method and check if the request is to the restricted folder and if the user loged in (session).
另一种方法是使用某种的HttpHandler做保存事
Another way is to use some kind of httpHandler to do the save thing.
编辑:
在您的登录表单,一旦被他的用户名和密码验证的用户分配一个便签本用户Administartor一个会话变量。
In your login form, once a user authenticated by his username and password assign a session variable that notes this user is Administartor.
void Login()
{
//check user+password
//...
if(UserIsAuthenticated)
{
Session["Administrator"] = true;
//more stuff to do with authenticate user
}
}
和在Global.asax中:
and in your Global.asax:
void Application_BeginRequest(object sender, EventArgs e)
{
if(Request.PhysicalPath.Contains("RestrictedFolderName")//you can do a more profound check here
{
if((bool)Session["Administrator"])
//all ok - do nothing
else
//not authorized user trying to access folder- do redirect or somthing
}
}
这篇关于保护与界定了会员的角色Web文件夹的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
