限制图像访问,使其只能从.NET Web应用程序中访问

时间:2013-08-10 18:16:51

标签: asp.net-mvc authentication iis httprequest

我有一个.NET应用程序,它使用存储在服务器上的文件夹中的一些图像。该文件夹不属于我的应用程序。此文件夹中的图像用作应用程序中某些div的背景图像。我将图像文件夹与我的应用程序一起发布到Web上,因此一切正常。但是,有没有办法限制文件夹访问我的.net应用程序或可以设置的设置,以便文件夹的内容不可浏览/可搜索?现在,我的应用程序使用类似www.domain.com/iisfoldername/picture.png的URL来设置div的背景。同样,如果您在浏览器中使用此类URL,则会提供图像。当我的应用程序没有请求时,是否可以阻止提供此URL?也就是说,如果有人在浏览器中输入此URL,则不会显示图像,但会在我的应用程序请求时显示图像。

我知道可以为文件夹设置身份验证。但是,如何将 HTTP 请求限制为某个用户,然后模拟该用户(如果可能)?

**编辑:** 以下是我的 web.config:

<?xml version="1.0" encoding="utf-8"?>
 <configuration>
   <configSections>
<section name="entityFramework" type="System.Data.Entity.Internal.ConfigFile.EntityFrameworkSection, EntityFramework, Version=5.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" requirePermission="false" />
<section name="system.identityModel" type="System.IdentityModel.Configuration.SystemIdentityModelSection, System.IdentityModel, Version=4.0.0.0, Culture=neutral, PublicKeyToken=B77A5C561934E089" />
<section name="system.identityModel.services" type="System.IdentityModel.Services.Configuration.SystemIdentityModelServicesSection, System.IdentityModel.Services, Version=4.0.0.0, Culture=neutral, PublicKeyToken=B77A5C561934E089" />
</configSections>
<appSettings>
  <add key="webpages:Version" value="1.0.0.0" />
  <add key="ClientValidationEnabled" value="true" />
  <add key="UnobtrusiveJavaScriptEnabled" value="true" />
  <!-- NOTE(review): "https:ccc.com" is missing the "//" after the scheme. Confirm this is a
       paste artefact and not the value actually deployed; the STS metadata would not be reachable. -->
  <add key="ida:FederationMetadataLocation" value="https:ccc.com/Federation.xml" />
  <add key="ida:Issuer" value="https://ccc.com" />
  <add key="ida:ProviderSelection" value="productionSTS" />
</appSettings>
<!-- The /Federation path (sign-in callback) must stay anonymous, otherwise the
     deny-all rule below would block the STS response and loop the redirect. -->
<location path="Federation">
<system.web>
  <authorization>
    <allow users="*" />
  </authorization>
</system.web>
</location>
  <system.web>
   <authorization>
    <!-- Deny anonymous users everywhere else. This URL authorization is enforced by the
         ASP.NET pipeline for managed requests; static files such as the .png images asked
         about in the question are served by the native static-file handler and are
         presumably not covered by it (see the managedHandler preconditions in
         system.webServer/modules below). -->
    <deny users="?" />
  </authorization>
<!-- Authentication is handled by the WS-Federation modules registered under
     system.webServer/modules, so the ASP.NET authentication mode is None. -->
<authentication mode="None" />
<!-- NOTE(review): debug="true" ships debug symbols and verbose error pages; set it to
     false (or use <deployment retail="true"/> in machine.config) before going to production. -->
<compilation debug="true" targetFramework="4.5" />
<!--Commented by Identity and Access VS Package-->
<!--<authentication mode="Forms"><forms loginUrl="~/Account/LogOn" timeout="2880" /></authentication>-->
<pages>
  <namespaces>
    <add namespace="System.Web.Helpers" />
    <add namespace="System.Web.Mvc" />
    <add namespace="System.Web.Mvc.Ajax" />
    <add namespace="System.Web.Mvc.Html" />
    <add namespace="System.Web.Routing" />
    <add namespace="System.Web.WebPages" />
  </namespaces>
</pages>
<httpRuntime targetFramework="4.5" requestValidationMode="4.5" />
<profile defaultProvider="DefaultProfileProvider">
  <providers>
    <add name="DefaultProfileProvider" type="System.Web.Providers.DefaultProfileProvider, System.Web.Providers, Version=1.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" connectionStringName="DefaultConnection" applicationName="/" />
  </providers>
</profile>
<membership defaultProvider="DefaultMembershipProvider">
  <providers>
    <add name="DefaultMembershipProvider" type="System.Web.Providers.DefaultMembershipProvider, System.Web.Providers, Version=1.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" applicationName="/" />
  </providers>
</membership>
<roleManager defaultProvider="DefaultRoleProvider">
  <providers>
    <add name="DefaultRoleProvider" type="System.Web.Providers.DefaultRoleProvider, System.Web.Providers, Version=1.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" connectionStringName="DefaultConnection" applicationName="/" />
  </providers>
</roleManager>
<!-- NOTE(review): mode="InProc" and customProvider="DefaultSessionProvider" are contradictory;
     the custom provider is only used when mode="Custom". Confirm which one is intended. -->
<sessionState mode="InProc" customProvider="DefaultSessionProvider">
  <providers>
    <add name="DefaultSessionProvider" type="System.Web.Providers.DefaultSessionStateProvider, System.Web.Providers, Version=1.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" connectionStringName="DefaultConnection" />
  </providers>
</sessionState>
</system.web>
 <runtime>
   <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">
   <dependentAssembly>
    <assemblyIdentity name="System.Web.Mvc" publicKeyToken="31bf3856ad364e35" />
    <bindingRedirect oldVersion="1.0.0.0-2.0.0.0" newVersion="3.0.0.0" />
  </dependentAssembly>
  <dependentAssembly>
    <assemblyIdentity name="itextsharp" publicKeyToken="8354ae6d2174ddca" culture="neutral" />
    <bindingRedirect oldVersion="0.0.0.0-5.4.3.0" newVersion="5.4.3.0" />
  </dependentAssembly>
</assemblyBinding>
</runtime>
  <entityFramework>
    <defaultConnectionFactory type="System.Data.Entity.Infrastructure.SqlConnectionFactory, EntityFramework" />
 </entityFramework>
 <connectionStrings>

 </connectionStrings>
 <system.webServer>
   <modules>
     <remove name="FormsAuthentication" />
     <!-- Both WIF modules carry preCondition="managedHandler": they only run for requests
          that reach a managed handler. A request for /iisfoldername/picture.png is served by
          the static-file handler, so no federated identity is established and the deny
          rule in system.web/authorization cannot apply to it. To protect the images with
          this authentication, either serve them through a controller/handler or drop the
          precondition (at the cost of running the modules for every static request). -->
     <add name="WSFederationAuthenticationModule" type="System.IdentityModel.Services.WSFederationAuthenticationModule, System.IdentityModel.Services, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" preCondition="managedHandler" />
  <add name="SessionAuthenticationModule" type="System.IdentityModel.Services.SessionAuthenticationModule, System.IdentityModel.Services, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" preCondition="managedHandler" />
</modules>
</system.webServer>
 <system.identityModel>
   <identityConfiguration>
     <!-- Tokens whose audience is not exactly this URI are rejected; update it together
          with wsFederation/@realm below when the app moves off localhost. -->
     <audienceUris>
       <add value="https://localhost/App/" />
     </audienceUris>
  <!--Commented by Identity and Access VS Package-->
  <!--<issuerNameRegistry type="System.IdentityModel.Tokens.ValidatingIssuerNameRegistry, System.IdentityModel.Tokens.ValidatingIssuerNameRegistry"><authority name="LocalSTS"><keys><add thumbprint="9B74CB2F320F7AAFC156E1252270B1DC01EF40D0" /></keys><validIssuers><add name="LocalSTS" /></validIssuers></authority></issuerNameRegistry>-->
  <!--certificationValidationMode set to "None" by the the Identity and Access Tool for Visual Studio. For development purposes.-->
  <!-- NOTE(review): "None" performs no X.509 chain or revocation validation of the token
       signing certificate; the only check left is the thumbprint pin in issuerNameRegistry
       below. Use ChainTrust or PeerTrust for production and keep the thumbprint current. -->
  <certificateValidation certificateValidationMode="None" />
  <issuerNameRegistry type="System.IdentityModel.Tokens.ValidatingIssuerNameRegistry, System.IdentityModel.Tokens.ValidatingIssuerNameRegistry">
    <authority name="http://ccc.com">
      <keys>
        <!-- Thumbprint of the STS signing certificate; tokens signed by any other key are rejected. -->
        <add thumbprint="BA86062DD810B95F49FBF85F448507D63D15FB92" />
      </keys>
      <validIssuers>
        <add name="http://ccc.com" />
      </validIssuers>
    </authority>
  </issuerNameRegistry>
</identityConfiguration>
</system.identityModel>
  <system.identityModel.services>
    <federationConfiguration>
     <!-- Session cookie is only sent over TLS. -->
     <cookieHandler requireSsl="true" />
      <!-- requireHttps="true" refuses to redirect to a non-TLS STS; realm must match audienceUris. -->
      <wsFederation passiveRedirectEnabled="true" issuer="https://ccc.com/" realm="https://localhost/App/" requireHttps="true" />
   </federationConfiguration>
 </system.identityModel.services>
 </configuration>

1 个答案:

答案 0 :(得分:1)

鉴于您的配置(WS-Federation 模块只对托管请求生效,静态图片文件不会经过它们),我认为您最好的选择是使用 URL 重写。在这种情况下,如果用户直接请求图像或从其他网站引用图像,则将用户重定向到"假"图像(但如果从应用程序中的页面引用,则允许用户访问它们)。需要注意的是,这依赖于客户端发送的 Referer 头,该头可以被伪造,也可能被浏览器隐私设置去掉——它只能阻止随意的盗链,并不是真正的访问控制。

要完成此操作,请使用Microsoft的IIS URL Rewrite扩展,您可以在此处下载: http://www.iis.net/downloads/microsoft/url-rewrite

在服务器上安装后,通过将以下内容添加到web.config来配置它(因为您的web.config中已经有一个system.webServer部分,只需在其中添加“rewrite”节点)。请注意所需的内联注释和替换。

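  <system.webServer>
    <rewrite>
      <rules>
        <!--
        Hotlink deterrence for image files: requests whose Referer is not one of our
        own pages are redirected to a placeholder image.

        SECURITY CAVEAT: the Referer header is supplied by the client and is trivially
        forged (curl -H "Referer: https://ccc.com/"), and browsers or a Referrer-Policy
        may strip it entirely. Treat this as deterrence against casual hotlinking, not
        as access control. If the images must really be restricted to authenticated
        users, serve them through a handler/controller that runs under the app's
        authentication instead.

        SCOPE: the rule only applies within the web.config's own scope. Because the
        image folder is outside the application (www.domain.com/iisfoldername/...),
        put this section in that folder's web.config or at site level, not only in
        the application's web.config.
        -->
        <rule name="Whitelist Image Access" stopProcessing="true">
          <!-- Evaluated for image file requests; the leading \. keeps a path such as
               "reportpng" from matching. -->
          <match url="\.(?:jpg|jpeg|png|gif|bmp)$" />

          <!-- All conditions must hold for the redirect to fire. -->
          <conditions logicalGrouping="MatchAll">

            <!--
            Redirect unless the Referer is a page on our own site.
            An empty Referer (URL typed directly, or stripped by the browser) does not
            match this pattern either, so direct access is covered by the same condition.
            A separate "Referer is empty" condition combined with MatchAll would instead
            make the rule fire ONLY for direct access and let other sites hotlink freely.
            *** NOTE: Replace "ccc" and "com" with the appropriate parts of your domain ***
            -->
            <add input="{HTTP_REFERER}" matchType="Pattern" pattern="^https?://(.*\.)?ccc\.com/.*$" ignoreCase="true" negate="true" />

            <!--
            Never redirect the placeholder image itself, otherwise the redirect loops
            (the placeholder is a .png and would match the rule again).
            *** NOTE: replace "no_access.png" with the name of the "fake" image you want to use ***
            -->
            <add input="{REQUEST_FILENAME}" matchType="Pattern" pattern="no_access\.png$" ignoreCase="true" negate="true" />
          </conditions>

          <!--
          Temporary redirect (status code 307) to the placeholder image.
          *** NOTE: Replace the URL below with the "fake" image URL on your own site ***
          -->
          <action type="Redirect" url="http://ccc.com/images/no_access.png" appendQueryString="false" redirectType="Temporary" />

        </rule>
      </rules>
    </rewrite>
  </system.webServer>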