限制对 web.config 中的文件/文件夹的访问

问题描述

为了限制对文件夹的访问，我尝试了各种变体，从最简单的拒绝所有用户访问和仅授予我自己访问权限到尝试角色/用户等的组合.特别是文件夹混合了 aspx 和 html 文件.

有人可以帮忙吗?这几乎是我根据其他类似问题得出的结论:

<预><代码><配置><system.web><!-- mode=[Windows|Forms|Passport|None] --><认证模式=Windows"/></system.web><system.webServer><处理程序><add name="HTMLHandler" type="System.Web.StaticFileHandler" path="*.html" verb="GET"/></处理程序></system.webServer><location path="AdminOnly"><system.web><授权><deny users="*"/><allow users="domainuser1, domainuser2, domainuser3"/><允许角色=域角色1，域角色2"/></授权></system.web></位置></配置>

编辑解决方案终于提出来了.

这是理解授权部分的组合(感谢 Tetsuya 提供有关订购授权规则的有用提示)，包括处理程序部分以及为托管代码配置应用程序池.

看来你在编写 authorization 元素时有错误的顺序，必须先声明 allow 部分以允许某些用户在拒绝其他一切之前担任某些角色.

因此，由于在允许定义的用户之前拒绝所有用户解析，因此以下构造是错误的:

<system.web><授权><deny users="*"/><allow users="domainuser1, domainuser2, domainuser3"/><允许角色=域角色1，域角色2"/></授权></system.web></位置>

正确的顺序应该是这样的:

<system.web><授权><allow roles="role1, role2"/><allow users="user1, user2, user3"/><deny users="*"/></授权></system.web></位置>

在参考部分，Guru Sarkar 解释了问题所在:

<块引用>

常见错误

我看到有人抱怨他们设置了自己的角色正确并进入了他们的 web.config 但仍然是他们的授权不起作用.即使他们允许访问他们的用户无法访问特定页面/文件夹的角色.常见的原因因为这是将 放在 之前.由于授权是从上到下进行，因此会检查规则，直到找到匹配项.

参考:

在 web.config 中为特定页面或文件夹设置授权规则

I've tried all manner of variations in trying to restrict access to a folder, from the simplest of denying access to all users and just granting access to myself to trying a combination of roles/users etc. In particular, the folder has a mix of aspx and html files.

Can anyone assist? Here's pretty much what I have based on other similar questions:

<configuration>
    <system.web>
       <!-- mode=[Windows|Forms|Passport|None] -->
       <authentication mode="Windows" />
    </system.web>
  <system.webServer>
    <handlers>
        <add name="HTMLHandler" type="System.Web.StaticFileHandler" path="*.html" verb="GET" />
    </handlers>
  </system.webServer>
    <location path="AdminOnly">
        <system.web>
            <authorization>
            <deny users="*" />
            <allow users="domainuser1, domainuser2, domainuser3" />
            <allow roles="domain
ole1, domain
ole2" />
            </authorization>
        </system.web>
    </location>
</configuration>

EDIT The solution has presented at last.

It was a combination of understanding the authorization segment (thanks to Tetsuya for the helpful tip in relation to ordering authorization rules), including the handler segment and also configuring the application pool for managed code.

Seems you have wrong order in composing authorization element, the allow part must be declared first to allow certain users in certain roles before denying everything else.

So, this construction below is wrong due to denying all users resolved before allowing defined users:

<location path="AdminOnly">
    <system.web>
        <authorization>
        <deny users="*" />
        <allow users="domainuser1, domainuser2, domainuser3" />
        <allow roles="domain
ole1, domain
ole2" />
        </authorization>
    </system.web>
</location> 

The correct order should be like this:

<location path="AdminOnly">
    <system.web>
        <authorization>
        <allow roles="role1, role2" />
        <allow users="user1, user2, user3" />
        <deny users="*" />
        </authorization>
    </system.web>
</location>

In the reference section, Guru Sarkar explains what goes wrong:

Common Mistakes

I have seen people complaining that they have setup their roles correctly and also made entry to their web.config but still their authorization doesn't work. Even they have allowed access to their role that user cannot access particular page/folder. The common reason for that is placing <deny../> before <allow ../>. Since the authorization is done from top to bottom, rules are checked until a match is found.

Reference:

Setting authorization rules for a particular page or folder in web.config

这篇关于限制对 web.config 中的文件/文件夹的访问的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，WP2