如何防止直接访问asp.net中的文件和文件夹? [英] How to Prevent direct access to files and folders in asp.net?
问题描述
我在IIS7上部署了一个Web应用程序,并且该应用程序的邮件附件文件保存在网络服务器的附件文件夹中,当从
下载附件时它正常工作应用程序。
I have deployed a web application on IIS7 and the application has mail attachment files saved on webserver's Attachments folder and it's working fine when the attachment is downloaded from
application.
问题是,从Chrome浏览器查看的同一网址是从其他计算机输入的,可以查看/下载相同的网址。我在google搜索后尝试了几个解决方案,但是网络服务器上的Attachments文件夹为网络服务启用了安全性。
The problem is when the same url viewed from Chrome is typed from a different machine the same can be viewed/downloaded. I tried couple of solution after googling but here the Attachments folder on webserver have security enabled for Network services.
http:// machine-121 / AdminManagement / Attachments / 58501/17112014131251 / FilledForm.pdf (可以阅读)
我试过
<configuration>
<system.web>
<authentication mode="Forms"/>
<authorization>
<deny users="?"/> <!--This will restrict anonymous user access-->
</authorization>
</system.web>
<location path="login.aspx"> <!-- Path of your Registration.aspx page -->
<system.web>
<authorization>
<allow users="*"/> <!-- This will allow users to access to everyone to Registeration.aspx-->
</authorization>
</system.web>
</location>
</configuration>
但未能成功任何建议/帮助会有很大帮助。
but couldn't succeed any suggestion/help would be of great help.
推荐答案
问题是ASP.NET处理程序没有捕获 .pdf 扩展名,因为这不是映射到ASPNET_ISAPI的文件类型(又名 ASP。 NET HTTP运行时)。因此, web.config 文件中的过滤不适用于这些文件。
The problem is that the .pdf extension isn't caught by the ASP.NET handlers, since that isn't a file type that is mapped to ASPNET_ISAPI (aka the ASP.NET HTTP Runtime). Hence the filtering in your web.config file doesn't apply to those files.
您有两种选择:
- 使用IIS配置面板将所有文件扩展名(或至少是这种情况下的pdf文件)映射到ASPNET_ISAPI。请注意,这会增加服务器的负载,因为IIS本身的开销低于IIS + ASP.NET;
- 使用为您获取文件的HTTP处理程序。这允许您对文件访问进行一些细粒度的授权检查。请参阅 HTTP处理程序简介。
- Map all file extensions (or at least pdf files in this case) to ASPNET_ISAPI using the IIS configuration panel. Note that this will increase the load on your server since the overhead of IIS on itself is lower than IIS + ASP.NET;
- Use an HTTP handler that gets the file for you. This allows you to do some fine grained authorization checks on the file access too. See the Introduction to HTTP Handlers.
这篇关于如何防止直接访问asp.net中的文件和文件夹?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
