Securing a web folder with out membership roles de

2019-09-01 09:36发布

问题:

Our site is hosted on a shared server. We have a login module independent of any membership roles. We have not used this feature.Our login db table only has email id and pwd fields. One of our folders (General) contains sensitive documents: pdf; jpg; doc files etc. We do not want this folder to be accessed by unauthorized users as well as any search engines such as google, yahoo and others. We added the below lines in the web config

<location path="General" allowOverride="true">
<system.web>
  <authorization>
    <allow roles="Administrators" />
    <deny users="*" />
  </authorization>
</system.web>
   </location>

This change in web config has secured the folder as accessing the folder results in permission denied message etc. However, now we want our logged in users to be able to access this folder. We tried adding the below line for logged in users: Roles.CreateRole("Administrators"); However, this is resulting in an error ; and it seems asp.net is trying to create membership table and is unable to. Is it possible to forcibly assign a Role to a user by completely ignoring the Membership part?

We are not using sqlaspent tables and no plans to use it. We are also not using ASP.NET Membership framework.

Original question reframed: ( allow roles="Administrators" line removed from web config)

<location path="General" allowOverride="true">
    <system.web>
      <authorization>
              <deny users="*" />
      </authorization>
    </system.web>
       </location>

The above changes in web config results in Access Denied for all files in General folder. Is it possible to (1) modify web config during run time and change deny users to allow users in say general/test.aspx page load section or (2) load a different web config from a different folder in general/test.aspx page load?

回答1:

It sounds like a database connection issue. Your remote provider allows connections to your DB remotely? Can you connect to it using SQL Server Management Studio?

Some shared hosting providers don't allow remote access to SQL Servers.



回答2:

have you installed into database the sqlaspent tables?

If not yo need to using Aspnet SQl Server Registration Tool, create the correct structure table into database(which roles has been stored).

Create a membershipuser like an administrator, Jojom,Angelina Jolie or what you prefer with it's own property) Create default roles (customer,administrator etc)

bind user to membership and then you will able to use authorization rules.

your method say only to aspnet that only administrator member which are visibile via Context.User.IsInRole("Administrator") can access to this page ....but to be an administrator you need to be stored into a database or in a custom provider......



回答3:

I don't know a way assigning a Role to a user without using a membership provider. One thing I can think of, is giving up the location sector at the web config and start monitoring every request to the application using the Global.asax Application_BeginRequest method and check if the request is to the restricted folder and if the user loged in (session).

Another way is to use some kind of httpHandler to do the save thing.

Edit: In your login form, once a user authenticated by his username and password assign a session variable that notes this user is Administartor.

void Login()
{
    //check user+password
    //...
    if(UserIsAuthenticated)
    {
        Session["Administrator"] = true;
        //more stuff to do with authenticate user
    }
}

and in your Global.asax:

void Application_BeginRequest(object sender, EventArgs e)
{
    if(Request.PhysicalPath.Contains("RestrictedFolderName")//you can do a more profound check here
    {
         if((bool)Session["Administrator"])
             //all ok - do nothing
         else
             //not authorized user trying to access folder- do redirect or somthing 
    }
}