如何防止直接访问 asp.net 中的文件和文件夹? [英] How to Prevent direct access to files and folders in asp.net?

问题描述

我在 IIS7 上部署了一个 Web 应用程序，该应用程序的邮件附件文件保存在 Web 服务器的 Attachments 文件夹中，从申请.

问题是当从 Chrome 查看的相同 url 是从不同的机器输入时，可以查看/下载相同的 URL.我在谷歌搜索后尝试了几个解决方案，但这里网络服务器上的附件文件夹为网络服务启用了安全性.

http://machine-121/AdminManagement/Attachments/58501/17112014131251/FilledForm.pdf(可阅读)

我试过了

<预><代码><配置><system.web><身份验证模式=表单"/><授权><deny users="?"/><!--这将限制匿名用户访问--></授权></system.web><location path="login.aspx"><!-- Registration.aspx 页面的路径--><system.web><授权><allow users="*"/><!-- 这将允许用户访问每个人的 Registeration.aspx--></授权></system.web></位置></配置>

但没有成功任何建议/帮助都会有很大帮助.

解决方案

问题是 .pdf 扩展名没有被 ASP.NET 处理程序捕获，因为它不是一个文件映射到 ASPNET_ISAPI 的类型(又名 ASP.NET HTTP 运行时).因此，web.config 文件中的过滤不适用于这些文件.

您有两个选择:

1. 使用 IIS 配置面板将所有文件扩展名(或至少在这种情况下为 pdf 文件)映射到 ASPNET_ISAPI.请注意，这会增加服务器的负载，因为 IIS 本身的开销低于 IIS + ASP.NET；
2. 使用为您获取文件的 HTTP 处理程序.这也允许您对文件访问进行一些细粒度的授权检查.请参阅HTTP 处理程序简介.

I have deployed a web application on IIS7 and the application has mail attachment files saved on webserver's Attachments folder and it's working fine when the attachment is downloaded from application.

The problem is when the same url viewed from Chrome is typed from a different machine the same can be viewed/downloaded. I tried couple of solution after googling but here the Attachments folder on webserver have security enabled for Network services.

http://machine-121/AdminManagement/Attachments/58501/17112014131251/FilledForm.pdf (can be read)

I tried

<configuration>
<system.web>
<authentication mode="Forms"/>
<authorization>
<deny users="?"/>  <!--This will restrict anonymous user access-->
</authorization>
</system.web>
<location path="login.aspx"> <!-- Path of your Registration.aspx page -->
<system.web>
<authorization>
<allow users="*"/> <!-- This will allow users to access to everyone to Registeration.aspx--> 
</authorization>
</system.web>
</location>
</configuration>

but couldn't succeed any suggestion/help would be of great help.

解决方案

The problem is that the .pdf extension isn't caught by the ASP.NET handlers, since that isn't a file type that is mapped to ASPNET_ISAPI (aka the ASP.NET HTTP Runtime). Hence the filtering in your web.config file doesn't apply to those files.

You have two options:

1. Map all file extensions (or at least pdf files in this case) to ASPNET_ISAPI using the IIS configuration panel. Note that this will increase the load on your server since the overhead of IIS on itself is lower than IIS + ASP.NET;
2. Use an HTTP handler that gets the file for you. This allows you to do some fine grained authorization checks on the file access too. See the Introduction to HTTP Handlers.

这篇关于如何防止直接访问 asp.net 中的文件和文件夹?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！