We have a website that the client recently brought back to our servers, after having earlier decided to outsource it to India.
One of their pages uses an SWF player to play some videos. The SWF object in the page is apparently configured using an XML file. Here is the SWF code from the ASPX page:
<object classid="clsid:d27cdb6e-ae6d-11cf-96b8-444553540000"
codebase="http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab#version=6,0,0,0"
width="900" height="600" id="tech" align="middle">
<param name="allowFullScreen" value="true" />
<param name="allowScriptAccess" value="sameDomain" />
<param name="movie" value="/Images/flv/simple.swf?xml_path=/Client/XML/NFLNews.xml" />
<param name="quality" value="high" />
<param name="wmode" value="transparent" />
<embed src="/Images/flv/simple.swf?xml_path=/Client/XML/NFLNews.xml" quality="high"
wmode="transparent" width="900" height="600" name="tech" align="middle"
allowscriptaccess="sameDomain" allowfullscreen="true"
type="application/x-shockwave-flash"
pluginspage="http://www.macromedia.com/go/getflashplayer" />
</object>
Note that the src attribute of the embed tag is:
src="/Images/flv/simple.swf?xml_path=/Client/XML/NFLNews.xml"
When this page is hit, an "Access denied" error is thrown on the file /Client/XML/NFLNews.xml. However, if I browse directly to the XML file, IIS serves it without any error.
Here is the request as shown in the IIS log:
#Fields: date time cs-uri-stem cs-uri-query s-contentpath sc-status
2012-11-28 16:09:33.482 /Videodisplay.aspx VID=22 "X:\inetpub\wwwroot\sitename\Videodisplay.aspx" 500
Note that Videodisplay.aspx is the page hosting the SWF object. The XML file does not show up in the IIS log at all.
The exact error IIS throws is:
Server Error in '/' Application.
Access to the path 'F:\inetpub\wwwroot\lijsoccer.com\Client\XML\NFLNews.xml' is denied.
Description: An unhandled exception occurred during the execution of the current web request. Please review the stack trace for more information about the error and where it originated in the code.
Exception Details: System.UnauthorizedAccessException: Access to the path 'F:\inetpub\wwwroot\lijsoccer.com\Client\XML\NFLNews.xml' is denied.
ASP.NET is not authorized to access the requested resource. Consider granting access rights to the resource to the ASP.NET request identity. ASP.NET has a base process identity (typically {MACHINE}\ASPNET on IIS 5 or Network Service on IIS 6 and IIS 7, and the configured application pool identity on IIS 7.5) that is used if the application is not impersonating. If the application is impersonating via <identity impersonate="true"/>, the identity will be the anonymous user (typically IUSR_MACHINENAME) or the authenticated request user.
To grant ASP.NET access to a file, right-click the file in File Explorer, choose "Properties" and select the Security tab. Click "Add" to add the appropriate user or group. Highlight the ASP.NET account, and check the boxes for the desired access.
I assume the SWF object must be running under a different security context than IIS? Or is there something else going on here? We have never really dealt with Flash stuff, so this is all new to me.
Windows 2008 R2, ASP.NET 4, IIS 7.5
UPDATE: I have determined that giving Everyone Read access, and then Modify access, to the XML file that the SWF actually works with resolves it, since it modifies the XML file. Obviously I would rather not give everyone access to this file, so I added an audit entry on the file for "Everyone - Fail" to try to figure out which user the SWF file runs as... but even though removing write permission from Everyone DID cause it to fail again, it did not write a security audit event. So I guess for now I'm stuck with giving Everyone write permission on this file, unless someone can tell me how to determine which user the SWF is running under.