问题描述:
本网站根目录有个文件夹例如A文件夹,里面包含的都是网站模板的静态页面,在没有登录授权的情况下是不允许访问的。在本机上测试是可以的,但配置在服务器上就失效,感觉没有进行form认证授权基本配置如下:
<?xml version="1.0"?>
<!--
Note: As an alternative to hand editing this file you can use the
web admin tool to configure settings for your application. Use
the Website->Asp.Net Configuration option in Visual Studio.
A full list of settings and comments can be found in
machine.config.comments usually located in
\Windows\Microsoft.Net\Framework\v2.x\Config
-->
<configuration>
<appSettings>
<add value="and |exec |insert |select |delete |update |count | * |chr |mid |master |truncate |char |declare " key="SQLInject" />
<add value="/WebBrowser_Version_3.0/404.html" key="SQLInjectErrPage" />
</appSettings>
<connectionStrings>
<add name="conStr" connectionString="server=.;uid=sa;pwd=kevin801125;database=WebShow" providerName="System.Data.SqlClient"/>
</connectionStrings>
<system.web>
<httpModules>
<add name="SqlstrAny" type="Kevin.ProSQLIn.SqlstrAny,ProSQLIn"/>
<add name="RequestFilter" type="Kevin.RequestFilter,FilterModel"/>
</httpModules>
<sessionState mode="InProc" timeout="30"></sessionState>
<!--
Set compilation debug="true" to insert debugging
symbols into the compiled page. Because this
affects performance, set this value to true only
during development.
-->
<authentication mode="Forms">
<forms loginUrl="Login.aspx" name=".ASPXFORMSAUTH" timeout="10" defaultUrl="Default.aspx"></forms>
</authentication>
<compilation debug="true">
</compilation>
<!--
The <authentication> section enables configuration
of the security authentication mode used by
ASP.NET to identify an incoming user.
-->
<!--<authentication mode="Windows"/>
The <customErrors> section enables configuration
of what to do if/when an unhandled error occurs
during the execution of a request. Specifically,
it enables developers to configure html error pages
to be displayed in place of a error stack trace. <customErrors mode="RemoteOnly" defaultRedirect="GenericErrorPage.htm">
<error statusCode="403" redirect="NoAccess.htm" />
<error statusCode="404" redirect="FileNotFound.htm" />
</customErrors> -->
<pages>
<controls>
<add tagName="MyHeader" tagPrefix="Kevin" src="~/Control/MyHeader.ascx"/>
<add tagName="MyFooter" tagPrefix="Kevin" src="~/Control/Footer.ascx"/>
</controls>
</pages>
</system.web>
<location path="A">
<system.web>
<authorization>
--><!--<allow roles="admin"/>--><!--
<deny users="?"/>
</authorization>
</system.web>
</location>
</configuration>因为没有起作用,我就做了个HttpModel 进行请求过滤,判断请求的Url中是否包含A目录,在本机上测试正常执行,配置在IIS仍然失效,郁闷中。请求高手帮忙,谢谢。
代码如下: public class MyHttpModule:IHttpModule
{
#region IHttpModule Members public void Init(HttpApplication context)
{
context.BeginRequest += new EventHandler(context_BeginRequest);
} void context_BeginRequest(object sender, EventArgs e)
{
HttpApplication application = (HttpApplication)sender;
HttpRequest request = application.Request; string requestUrl = request.Url.ToString(); bool isDenied = false;
if (requestUrl.IndexOf("A") != -1)
{
if (request.Cookies[".ASPXFORMSAUTH"] != null)
{
isDenied = true;
}
else
{
isDenied = true;
}
} if (isDenied)
{
application.CompleteRequest();
application.Context.Response.Write("请求被终止。");
}
} public void Dispose()
{
}
#endregion
}郁闷中。
本网站根目录有个文件夹例如A文件夹,里面包含的都是网站模板的静态页面,在没有登录授权的情况下是不允许访问的。在本机上测试是可以的,但配置在服务器上就失效,感觉没有进行form认证授权基本配置如下:
<?xml version="1.0"?>
<!--
Note: As an alternative to hand editing this file you can use the
web admin tool to configure settings for your application. Use
the Website->Asp.Net Configuration option in Visual Studio.
A full list of settings and comments can be found in
machine.config.comments usually located in
\Windows\Microsoft.Net\Framework\v2.x\Config
-->
<configuration>
<appSettings>
<add value="and |exec |insert |select |delete |update |count | * |chr |mid |master |truncate |char |declare " key="SQLInject" />
<add value="/WebBrowser_Version_3.0/404.html" key="SQLInjectErrPage" />
</appSettings>
<connectionStrings>
<add name="conStr" connectionString="server=.;uid=sa;pwd=kevin801125;database=WebShow" providerName="System.Data.SqlClient"/>
</connectionStrings>
<system.web>
<httpModules>
<add name="SqlstrAny" type="Kevin.ProSQLIn.SqlstrAny,ProSQLIn"/>
<add name="RequestFilter" type="Kevin.RequestFilter,FilterModel"/>
</httpModules>
<sessionState mode="InProc" timeout="30"></sessionState>
<!--
Set compilation debug="true" to insert debugging
symbols into the compiled page. Because this
affects performance, set this value to true only
during development.
-->
<authentication mode="Forms">
<forms loginUrl="Login.aspx" name=".ASPXFORMSAUTH" timeout="10" defaultUrl="Default.aspx"></forms>
</authentication>
<compilation debug="true">
</compilation>
<!--
The <authentication> section enables configuration
of the security authentication mode used by
ASP.NET to identify an incoming user.
-->
<!--<authentication mode="Windows"/>
The <customErrors> section enables configuration
of what to do if/when an unhandled error occurs
during the execution of a request. Specifically,
it enables developers to configure html error pages
to be displayed in place of a error stack trace. <customErrors mode="RemoteOnly" defaultRedirect="GenericErrorPage.htm">
<error statusCode="403" redirect="NoAccess.htm" />
<error statusCode="404" redirect="FileNotFound.htm" />
</customErrors> -->
<pages>
<controls>
<add tagName="MyHeader" tagPrefix="Kevin" src="~/Control/MyHeader.ascx"/>
<add tagName="MyFooter" tagPrefix="Kevin" src="~/Control/Footer.ascx"/>
</controls>
</pages>
</system.web>
<location path="A">
<system.web>
<authorization>
--><!--<allow roles="admin"/>--><!--
<deny users="?"/>
</authorization>
</system.web>
</location>
</configuration>因为没有起作用,我就做了个HttpModel 进行请求过滤,判断请求的Url中是否包含A目录,在本机上测试正常执行,配置在IIS仍然失效,郁闷中。请求高手帮忙,谢谢。
代码如下: public class MyHttpModule:IHttpModule
{
#region IHttpModule Members public void Init(HttpApplication context)
{
context.BeginRequest += new EventHandler(context_BeginRequest);
} void context_BeginRequest(object sender, EventArgs e)
{
HttpApplication application = (HttpApplication)sender;
HttpRequest request = application.Request; string requestUrl = request.Url.ToString(); bool isDenied = false;
if (requestUrl.IndexOf("A") != -1)
{
if (request.Cookies[".ASPXFORMSAUTH"] != null)
{
isDenied = true;
}
else
{
isDenied = true;
}
} if (isDenied)
{
application.CompleteRequest();
application.Context.Response.Write("请求被终止。");
}
} public void Dispose()
{
}
#endregion
}郁闷中。
非要增加一个<system.web>标记来放<authorization>吗