Question
I have a web application written in ASP.NET Core. Authentication is done by checking if the Session contains a Json object that is obtained from a webservice at the first request. (using public/private keys etc.)
Inside this Json object is a number that corresponds with a physical folder beneath the Web root folder.
So, when a user is accessing files within this folder, it should check if this is allowed. In fact, there is a whole static website within this folder, so every request to an .html file has to be checked before it is served.
I guess this can be done using some custom middleware, but I'm unsure where to start.
Does anyone have a clue on how to get this done?
Answer 1:
The only real way is to proxy the HTML files through an action that is authorized. For example, instead of linking directly to foo.html, you'd link to something like /proxy?file=foo.html, where /proxy would be an action that checks whether the user is actually authorized to view foo.html or not.
A similar approach is laid out in the docs:
The Static File Middleware doesn't provide authorization checks. Any files served by it, including those under wwwroot, are publicly accessible. To serve files based on authorization:
Store them outside of wwwroot and any directory accessible to the Static File Middleware.
Serve them via an action method to which authorization is applied. Return a FileResult object:
    public IActionResult BannerImage()
    {
        var file = Path.Combine(Directory.GetCurrentDirectory(),
                                "MyStaticFiles", "images", "banner1.svg");

        return PhysicalFile(file, "image/svg+xml");
    }
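The /proxy action this answer describes, as an added example (not code from the answer or from the ASP.NET Core docs). It takes the folder number from the session JSON only and refuses any path that resolves outside that folder. The session key "UserInfo", the JSON property "folder" and the ProtectedSites directory are assumed names, and System.Text.Json assumes ASP.NET Core 3.0 or later.

```csharp
using System;
using System.IO;
using System.Text.Json;
using Microsoft.AspNetCore.Http;
using Microsoft.AspNetCore.Mvc;
using Microsoft.AspNetCore.StaticFiles;

public class ProxyController : Controller
{
    private static readonly FileExtensionContentTypeProvider ContentTypes =
        new FileExtensionContentTypeProvider();

    // GET /proxy?file=foo.html
    [HttpGet("/proxy")]
    public IActionResult Get(string file)
    {
        // Assumed: the login step stored the web service's JSON under session key "UserInfo".
        var json = HttpContext.Session.GetString("UserInfo");
        if (string.IsNullOrEmpty(json)) return Unauthorized();
        if (string.IsNullOrWhiteSpace(file)) return NotFound();

        // The folder number comes from the session only, never from the request.
        int folder;
        try
        {
            using var doc = JsonDocument.Parse(json);
            // Assumed property name: "folder".
            if (!doc.RootElement.TryGetProperty("folder", out var el) ||
                el.ValueKind != JsonValueKind.Number || !el.TryGetInt32(out folder))
                return StatusCode(StatusCodes.Status403Forbidden);
        }
        catch (JsonException) { return StatusCode(StatusCodes.Status403Forbidden); }

        // Assumed layout: <app dir>/ProtectedSites/<folder>/..., outside wwwroot.
        var root = Path.GetFullPath(Path.Combine(
            Directory.GetCurrentDirectory(), "ProtectedSites", folder.ToString()));
        var full = Path.GetFullPath(Path.Combine(root, file));

        // Reject "../", absolute paths and anything else resolving outside the user's folder.
        if (!full.StartsWith(root + Path.DirectorySeparatorChar, StringComparison.Ordinal) ||
            !System.IO.File.Exists(full))
            return NotFound();

        if (!ContentTypes.TryGetContentType(full, out var contentType))
            contentType = "application/octet-stream";
        return PhysicalFile(full, contentType);
    }
}
```

Links inside the served pages (stylesheets, images, other .html files) have to point at /proxy as well, since nothing under ProtectedSites is reachable through the Static File Middleware.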
Source: https://stackoverflow.com/questions/55166012/secure-requests-to-html-files-in-asp-net-core