使用glimpse我可以在使用RuntimeEvent.ExecuteResource时访问会话信息。如果没有这个,则会暴露axd文件,除非特定用户登录,否则我宁愿禁用它。在下面的两个示例中,会话将为null。我也尝试过使用类实现IRequiresSessionState,但这也没有帮助。
namespace Glimpse
{
public class GlimpseSecurityPolicy:IRuntimePolicy
{
public RuntimePolicy Execute(IRuntimePolicyContext policyContext)
{
try
{
var name = HttpContext.Current.Session["username"];
var name2 = policyContext.GetHttpContext().Session["username"];
}
catch (Exception)
{
}
// You can perform a check like the one below to control Glimpse's permissions within your application.
// More information about RuntimePolicies can be found at http://getglimpse.com/Help/Custom-Runtime-Policy
// var httpContext = policyContext.GetHttpContext();
// if (!httpContext.User.IsInRole("Administrator"))
// {
// return RuntimePolicy.Off;
// }
return RuntimePolicy.On;
}
public RuntimeEvent ExecuteOn
{
// The RuntimeEvent.ExecuteResource is only needed in case you create a security policy
// Have a look at http://blog.getglimpse.com/2013/12/09/protect-glimpse-axd-with-your-custom-runtime-policy/ for more details
get { return RuntimeEvent.EndRequest | RuntimeEvent.ExecuteResource; }
}
}
}
答案 0 :(得分:4)
原因是处理Glimpse.axd请求的Glimpse HttpHandler没有实现IRequireSessionState接口。
HttpHandler最终将执行IRuntimePolicy个RuntimeEvent.ExecuteResource属性值的ExecuteOn个实例{/ 1}}。
我认为最简单的解决方案是创建自己的IHttpHandler来实现IRequireSessionState界面,并将所有调用转发给Glimpse HttpHandler,如下所示。
public class SessionAwareGlimpseHttpHandler : IHttpHandler, IRequiresSessionState
{
private readonly HttpHandler _glimpseHttpHandler =
new Glimpse.AspNet.HttpHandler();
public void ProcessRequest(HttpContext context)
{
_glimpseHttpHandler.ProcessRequest(context);
}
public bool IsReusable
{
get { return _glimpseHttpHandler.IsReusable; }
}
}
请勿忘记更新您的web.config以使用该处理程序而不是原始处理程序:
...
<system.webServer>
...
<handlers>
<add name="Glimpse" path="glimpse.axd" verb="GET" type="YourNamespace.SessionAwareGlimpseHttpHandler, YourAssembly" preCondition="integratedMode" />
</handlers>
...
</system.webServer>
...
完成所有这些操作后,您应该能够访问Session内的IRuntimePolicy。