Question
I have a directory on the root of my website which contains some files (usually HTML). These files should be accessed only by the logged-in user. How can I achieve this? I believe this could be done using impersonation but I don't have any idea about how exactly I can implement it. Could you please guide me in the right direction?
Currently, I have added these settings to my Web.config file:
<location path="TestData"> <!-- 'TestData' is the directory which I want to deny access for -->
  <system.web>
    <identity impersonate="true"/>
    <authorization>
      <deny users="?"/>
    </authorization>
  </system.web>
</location>
Is there anything that I have to do in coding?
PS: This is a web service application.
Update: It works partially!!! To be specific:
It denies only the .aspx pages, and even the logged-in user cannot access the files.
I'm using Windows authentication.
Answer 1:
You don't need to impersonate. If you have forms or Windows authentication, your <deny users="?"/> will deny all anonymous users. To answer your question: no, you don't have to explicitly deny any users within your code.
How to: Implement Simple Forms Authentication
In order to secure non-ASP.NET files, you will need to register an HttpHandler that will do this. Please see this reference on how to register the handler.
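One way to register the handler this answer refers to, as an added example (not the answerer's or the asker's configuration). It assumes IIS 7 or later in integrated pipeline mode and that the protected files are .html/.htm; the handler names TestDataHtml and TestDataHtm are made up for illustration.

```xml
<!-- Added example; handler names and file extensions are assumptions. -->
<configuration>
  <system.web>
    <!-- The authentication mode is set for the application, not per directory. -->
    <authentication mode="Windows" />
  </system.web>

  <location path="TestData">
    <system.web>
      <!-- No <identity impersonate="true"/> here: impersonation changes the
           identity the code runs as, it does not control who may request files. -->
      <authorization>
        <deny users="?" />
      </authorization>
    </system.web>

    <system.webServer>
      <handlers>
        <!-- Map the static files to a managed handler so the ASP.NET
             UrlAuthorizationModule evaluates the <deny> rule above before
             the file is returned. Without this mapping the files are served
             by the native static file handler and the rule is never checked. -->
        <add name="TestDataHtml" path="*.html" verb="GET,HEAD"
             type="System.Web.StaticFileHandler"
             preCondition="integratedMode" />
        <add name="TestDataHtm" path="*.htm" verb="GET,HEAD"
             type="System.Web.StaticFileHandler"
             preCondition="integratedMode" />
      </handlers>
    </system.webServer>
  </location>
</configuration>
```

To check the result, request a file under TestData without credentials: the response should be a 401 instead of the file's content.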
Answer 2:
You don't need impersonate. Impersonate is for making the app run as a different user from the user of the app pool in IIS. source
If you're using forms/windows authentication then
<authorization>
<deny users="?"/>
</authorization>
should be enough and will block users who are not logged in.
Answer 3:
You need to add
<authorization>
<deny users="?"/>
</authorization>
in <system.web></system.web>
And use form authentication like
[Update]: As you use Windows authentication, see MSDN
Source: https://stackoverflow.com/questions/8743224/asp-net-directory-security