How do I configure user authorization on dynamically created resources in an ASP.NET web app using Forms authentication?
Suppose some users log in to my web app. They get authenticated (as something other than the anonymous user), so they can access any resource in the directory. The system.web/authorization section of web.config is set to deny access to anonymous users like this:
<system.web><authorization>
<deny users="?" />
</authorization></system.web>
Actually, from what I understand, this only protects files accessed through the ASP.NET system. If I drop a JPG file in there, it's accessible to everyone, without authentication/authorization. In order to ensure all files are protected, there's a different section for that:
<system.webServer><security><authorization>
<add accessType="Deny" users="?" />
</authorization>开发者_JS百科;</security><system.webServer>
Of course, now when someone attempts to access the JPG file, they don't get redirected to the login page. Instead, they get a nasty HTTP Error 401.2 - Unauthorized.
Now, suppose a user causes a file to be created on the server. How, in context of this elaborate Forms Authentication and Authorization scheme, do I ensure that only that user's web browser can access the file via it's URL? For example, must I modify the web.config file? If so, do I have to do this manually or can it be done through code? Will modifying it frequently cause the application to be interrupted/restarted?
You can’t ensure this. With forms authentication and authorization you have to be explicit, listing concrete users or roles. No chance to specify this dynamically.
For dynamically created resources I use generic handlers. With this approach there is no need for protecting temporary files, because there are no temporary files. The content is directly streamed to the user. In this approach your protection is part of your application logic, possibly inside the generic handler.
You can store the dynamically generated content as a blob in a database table rather than on the file system. Secure access to the record through normal application security logic.
精彩评论