5.8w+
社区成员
- 主页
- .NET Framework
- ASP
- Web Services
- .NET互联网桌面应用
- VB
- 图表区
- 分析与设计
- 组件/控件开发
- AppLauncher
- 问答
100分问一个使用URL安全访问非.aspx文件的问题??在线等
在网上,经常有需要经过了验证的用户才能访问的一些非.aspx类型的文件,如.jpg,.doc,.zip等等,但对于这些文件,一般用户可以通过http://www.website.com/files/pictures/test.jpg的方式来绕过验证直接进行访问,因为匿名用户是允许访问这类文件的,如何才能有效的避免这种情况的发生呢?
...全文
请发表友善的回复…
发表回复
dotAge 2003-04-19
老牛呀,URL本来就是用来被别人访问的,如果你的东西因为被人猜到了URL而被偷,这只能怪你自己,谁让你把它放那儿的呢?
将文件放在一个安全的地方,然后读到文件流,再写到HTTP RESPONSE流
以JPG为例:
Dim MyFileStream As FileStream
Dim FileSize As Long
MyFileStream = New FileStream("/private/aPic.jpg", FileMode.Open)
FileSize = MyFileStream.Length
Dim Buffer(CInt(FileSize)) As Byte
MyFileStream.Read(Buffer, 0, CInt(FileSize))
MyFileStream.Close()
Response.ContentType = "Image/JPEG"
Response.BinaryWrite(Buffer)
将文件放在一个安全的地方,然后读到文件流,再写到HTTP RESPONSE流
以JPG为例:
Dim MyFileStream As FileStream
Dim FileSize As Long
MyFileStream = New FileStream("/private/aPic.jpg", FileMode.Open)
FileSize = MyFileStream.Length
Dim Buffer(CInt(FileSize)) As Byte
MyFileStream.Read(Buffer, 0, CInt(FileSize))
MyFileStream.Close()
Response.ContentType = "Image/JPEG"
Response.BinaryWrite(Buffer)
jonsonzxw 2003-04-18
我对上面讲到的使用ID的方式比较感兴趣,不知如何操作.
另外,请问韦小宝的老乡,你的那种方式能具体一些吗?我没操作过AD.
另外,请问韦小宝的老乡,你的那种方式能具体一些吗?我没操作过AD.
jonsonzxw 2003-04-18
我在网上找到一篇这样的文章,但不知具体如何操作,请告之,谢谢!!
On Window OS, security are basically enforced through a Window account and ACL (there is no way around it). If your resource are programmable (such as ASP, ASP.NET) then you can include your own custom logic to enforce security. If your resource are non-programmable, then you can only rely on the Window security feature to protect your resource. For web application/portal, Microsoft Site Server would be the recommended solution.
Alternatively, you can assign an ID to each of your resource. When an authenticated user submit the ID to your application, then in your code, you can open the file and send out the content. This way, the user will never actually know the real path/name of your resource, but just only the ID. I found that this is a common solution in many portal application.
I have implemented such a similar security and you can test and download the source code at http://www22.brinkster.com/ttawin/registration/ . If somehow you can download the zip file without login, then please let me know. Thanks.
On Window OS, security are basically enforced through a Window account and ACL (there is no way around it). If your resource are programmable (such as ASP, ASP.NET) then you can include your own custom logic to enforce security. If your resource are non-programmable, then you can only rely on the Window security feature to protect your resource. For web application/portal, Microsoft Site Server would be the recommended solution.
Alternatively, you can assign an ID to each of your resource. When an authenticated user submit the ID to your application, then in your code, you can open the file and send out the content. This way, the user will never actually know the real path/name of your resource, but just only the ID. I found that this is a common solution in many portal application.
I have implemented such a similar security and you can test and download the source code at http://www22.brinkster.com/ttawin/registration/ . If somehow you can download the zip file without login, then please let me know. Thanks.
WizardBear 2003-04-18
改后缀为.asp或.aspx
然后再定制权限
然后再定制权限
cmsoft 2003-04-18
那你存放这些文件里设置权限,给合AD进行访问就是了
jonsonzxw 2003-04-18
是以文件的形式存放的,不是存到库中的
cmsoft 2003-04-18
test.jpg以image类型放到数据库中不就行了?
shanxing 2003-04-18
不懂~~~
也帮你顶一下`~~~
也帮你顶一下`~~~
jonsonzxw 2003-04-18
UP一下
jonsonzxw 2003-04-18
表单验证好象对非.aspx文件无效果吧,老兄,如何设置呀,如.jpg文件
9527cn 2003-04-18
其实你提到的问题是一个安全性的问题,微软也一直被许多人指责为不负责任的公司,对于url来说他本身是一个极为不安全的入口,以前的黑客就曾经利用他攻击机器。这里其实没有什么特别安全的解决方法,能够彻底解决此问题,不过还是有四种方法的:
1、表单验证:通过他可以HttpCookies和Html表单来对请求者进行身份验证,(可以针对任何资源进行身份验证)---你可以用他试试
2、“护照”验证:使用MicroSoft专门的签名护照身份系统
3、Windows验证:通过WindowsChallenge/Response语义来对请求进行验证
4、自定义验证。
表单验证:
对你的web.config修改:
<system.web>
<authenrication mode = "Forms">
<forms name = "cookie-name"
path= "cookie-path"
loginurl= "url"
protection = "ALL|None|Encryption|Validation"
timeout = "number-of-minutes">
<credentials passwordFormat ="Clear|Sha1|MD5"> --这里是对用户密码指定加密算法
<user name = "User_name" password = "User_passwd">
.....
</credentials>
这些是用来验证用户的
限制资源访问是在web.config中添加
<system.web>
<authorization>
<allow users = "User_name,..." verb = "GET"/>
<allow users = "Other_user,..." verb = "POST"/>
<deny users = "?"/>
</authorization>
</system.Web>
其实现在很多应用情况下我们验证客户都不会将用户的列表放入<credentials>中,可能放在数据库表、XML文档中,但是我们可以利用基于表单的验证所提供的其它功能,比如自动重定向到注册页面,加密,检验验证,cookie的有效性。
有兴趣的话你可以去看看类库的System.Web.Security命名空间下的所有的类(都是安全验证的)表单验证的类称为FormsAuthenricarion。
1、表单验证:通过他可以HttpCookies和Html表单来对请求者进行身份验证,(可以针对任何资源进行身份验证)---你可以用他试试
2、“护照”验证:使用MicroSoft专门的签名护照身份系统
3、Windows验证:通过WindowsChallenge/Response语义来对请求进行验证
4、自定义验证。
表单验证:
对你的web.config修改:
<system.web>
<authenrication mode = "Forms">
<forms name = "cookie-name"
path= "cookie-path"
loginurl= "url"
protection = "ALL|None|Encryption|Validation"
timeout = "number-of-minutes">
<credentials passwordFormat ="Clear|Sha1|MD5"> --这里是对用户密码指定加密算法
<user name = "User_name" password = "User_passwd">
.....
</credentials>
这些是用来验证用户的
限制资源访问是在web.config中添加
<system.web>
<authorization>
<allow users = "User_name,..." verb = "GET"/>
<allow users = "Other_user,..." verb = "POST"/>
<deny users = "?"/>
</authorization>
</system.Web>
其实现在很多应用情况下我们验证客户都不会将用户的列表放入<credentials>中,可能放在数据库表、XML文档中,但是我们可以利用基于表单的验证所提供的其它功能,比如自动重定向到注册页面,加密,检验验证,cookie的有效性。
有兴趣的话你可以去看看类库的System.Web.Security命名空间下的所有的类(都是安全验证的)表单验证的类称为FormsAuthenricarion。
jonsonzxw 2003-04-18
up
abkn2 2003-04-18
改后缀,.aspx