如何在IIS 7.5与保护ASP.NET窗体身份验证的静态文件? [英] How do I protect static files with ASP.NET form authentication on IIS 7.5?
问题描述
我有一个共享主机使用ASP.NET 4.0的IIS 7.5服务器上运行的网站,但在完全信任。
I have a website running on a IIS 7.5 server with ASP.NET 4.0 on a shared host, but in full trust.
该网站是一个基本的文件浏览器,它允许观众登录并有提供给他们显示的文件列表,并且,很明显,下载文件。静态文件(主要是PDF文件)位于子文件夹的站点称为数据,例如 http://example.com/data/ ...
The site is a basic "file browser" that allows the visitors to login and have a list of files available to them displayed, and, obviously, download the files. The static files (mostly pdf files) are located in a sub folder on the site called data, e.g. http://example.com/data/...
该网站使用ASP.NET表单验证。
The site uses ASP.NET form authentication.
我的问题是:如何让ASP.NET引擎来处理数据文件夹中的静态文件的要求,所以文件的请求由ASP.NET验证,用户不能够深层链接他们不允许一个文件,文件抢有?
My question is: How do I get the ASP.NET engine to handle the requests for the static files in the data folder, so that request for files are authenticated by ASP.NET, and users are not able to deep link to a file and grab files they are not allowed to have?
最好的问候,埃伊尔。
推荐答案
如果您的应用程序池在集成模式下运行,那么你可以做以下。
If you application pool is running in Integrated mode then you can do the following.
以下内容添加到您的顶级web.config中。
Add the following to your top level web.config.
<system.webServer>
<modules>
<add name="FormsAuthenticationModule" type="System.Web.Security.FormsAuthenticationModule" />
<remove name="UrlAuthorization" />
<add name="UrlAuthorization" type="System.Web.Security.UrlAuthorizationModule" />
<remove name="DefaultAuthentication" />
<add name="DefaultAuthentication" type="System.Web.Security.DefaultAuthenticationModule" />
</modules>
</system.webServer>
现在,你可以使用标准的ASP.NET权限你的web.config强制窗体身份验证为目录中的所有文件。
Now you can use the standard ASP.NET permissions in your web.config to force forms authentication for all files in the directory.
<system.web>
<authorization>
<deny users="?" />
</authorization>
<authentication mode="Forms" />
</system.web>
这篇关于如何在IIS 7.5与保护ASP.NET窗体身份验证的静态文件?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
