在 c# web 应用程序中从网络共享访问文件
声明:本页面是StackOverFlow热门问题的中英对照翻译,遵循CC BY-SA 4.0协议,如果您需要使用它,必须同样遵循CC BY-SA许可,注明原文地址和作者信息,同时你必须将它归于原作者(不是我):StackOverFlow
原文地址: http://stackoverflow.com/questions/29346/
Warning: these are provided under cc-by-sa 4.0 license. You are free to use/share it, But you must attribute it to the original authors (not me):
StackOverFlow
Access files from network share in c# web app
提问by lomaxx
I have a web application that needs to read (and possibly write) files from a network share. I was wondering what the best way to do this would be?
我有一个需要从网络共享读取(并可能写入)文件的 Web 应用程序。我想知道这样做的最佳方法是什么?
I can't give the network service or aspnet accounts access to the network share. I could possibly use impersonation.
我无法授予网络服务或 aspnet 帐户访问网络共享的权限。我可能会使用模拟。
The network share and the web application are both hosted on the same domain and I can create a new user on the domain specifically for this purpose however I'm not quite sure how to join the dots between creating the filestream and specifying the credentials to use in the web application.
网络共享和 Web 应用程序都托管在同一个域上,我可以专门为此在域上创建一个新用户,但是我不太确定如何在创建文件流和指定要使用的凭据之间加入点在 Web 应用程序中。
Unfortunately the drive isn't mapped as a network drive on the machine, it's only available to me as a network share so unfortunately I can't make a transparent call.
不幸的是,该驱动器未映射为机器上的网络驱动器,它仅作为网络共享对我可用,因此不幸的是我无法进行透明调用。
There is one problem I can think of with impersonation... I can only impersonate one user per application domain I thinkbut I'm happy to be corrected. I may need to write this file to several different shares which means I may have to impersonate several users.
我可以想到一个关于模拟的问题......我认为每个应用程序域我只能模拟一个用户,但我很高兴得到纠正。我可能需要将此文件写入多个不同的共享,这意味着我可能需要冒充多个用户。
I like the idea of creating a token... if I can do that I'll be able to ask the use up front for their credentials and then dynamically apply the security and give them meaningful error messages if access is denied... I'm off to play but I'll be back with an update.
我喜欢创建令牌的想法......如果我能做到,我将能够预先询问使用他们的凭据,然后动态应用安全性并在访问被拒绝时向他们提供有意义的错误消息......我我要去玩了,但我会回来更新。
回答by Dan Herbert
I've had no problems connecting to network shares transparently as if they were local drives. The only issue you may have is what you mentioned: having the aspnetaccount gain access to the share. Impersonation is probably the best way to do this.
我在透明地连接到网络共享时没有遇到任何问题,就好像它们是本地驱动器一样。您可能遇到的唯一问题是您提到的:让aspnet帐户获得对共享的访问权限。模仿可能是最好的方法。
You should be able to use any filestream objects to access the network share as long as it has a drive letter on the server machine.
只要服务器计算机上有驱动器号,您就应该能够使用任何文件流对象来访问网络共享。
回答by Dale Ragan
Impersonation worked well for me in this scenario. We had a wizard that uploaded a zip file through the website, but we load balanced the site. Therefore needed to setup a way to save the file on all the machines.
在这种情况下,模拟对我来说效果很好。我们有一个通过网站上传 zip 文件的向导,但我们对网站进行了负载平衡。因此需要设置一种将文件保存在所有机器上的方法。
There are many different ways to do it. We decided to make all requests to run under the user we setup and just added the web.config entry and setup the security permissions on the folders for the user. This kbarticle explains the setup very well.
有许多不同的方法可以做到这一点。我们决定让所有请求在我们设置的用户下运行,并添加 web.config 条目并为用户设置文件夹的安全权限。这篇知识库文章很好地解释了设置。
回答by jason saldo
Given everyone already has domain accounts. Try IIS integrated authentication. You will get an ugly logon box off network but your creds should pass down to the file share.
鉴于每个人都已经拥有域帐户。尝试 IIS 集成身份验证。您将从网络中获得一个丑陋的登录框,但您的凭据应该传递到文件共享。
@lomaxx
Are you saying that only you have perms to the share or that you manually mapped it to a drive letter. If the later you can use ucn \host\share the same way you would use a c:\shared_folder.
@lomaxx
您是说只有您拥有共享权限还是您手动将其映射到驱动器号。如果后者,您可以像使用 ac:\shared_folder 一样使用 ucn \host\share。
Random Would it be a burden to mirror the share to a local folder on the host? I hear ROBOCOPY is pretty handy.
随机 将共享镜像到主机上的本地文件夹是否会带来负担?我听说 ROBOCOPY 非常方便。
Another Idea. Run IIS on your target share you can read via http and if you need to write investigate webdav.
另一个想法。在您的目标共享上运行 IIS,您可以通过 http 读取,如果您需要编写调查 webdav。
回答by Mike Perrenoud
You do have some options and one of of those is impersonation as you mentioned. However, another one I like to use and have used in the past is a trusted service call. Let's assume for a moment that it's always much safer to limit access through IIS to ensure there are as few holes as possible. With that let's go down this road.
您确实有一些选择,其中之一是您提到的模拟。但是,我喜欢使用并且过去曾经使用过的另一个是受信任的服务呼叫。让我们暂时假设限制通过 IIS 的访问以确保尽可能少的漏洞总是更安全。有了这个,让我们沿着这条路走下去。
Build a WCF service that has a couple of entry points and the interface might look like this.
构建具有几个入口点的 WCF 服务,其界面可能如下所示。
public interface IDocumentService
{
public string BuildTrustedRelationship(string privateKey);
public byte[] ReadFile(string token, string fileName);
public void WriteFile(string token, string fileName, byte[] file);
}
Now, you can host this service via a Windows service very easily and so now all you need to do is on Application_startbuild the relationship with the service to get your token and you're off to the races. The other nice thing here is that this service is internal, trusted, and I've even hosted it on the file server before and so it's much easier to grant permissions to this operation.
现在,您可以非常轻松地通过 Windows 服务托管此服务,因此现在您需要做的就是Application_start与该服务建立关系以获取您的令牌,然后您就可以参加比赛了。另一个好处是该服务是内部的、受信任的,而且我之前什至将它托管在文件服务器上,因此授予此操作的权限要容易得多。
回答by CodeMonkey1313
If you can create a new AD user, I think the simplest solution is to have the Application Pool run under that AD account's authority, which would mean your application is now running as the AD user. You would need to add the AD user to the IIS Worker Process Group on the machine running your application. Then as long as your AD user has write permissions on the network share, you should be able to use the UNC path in your file operations.
如果您可以创建一个新的 AD 用户,我认为最简单的解决方案是让应用程序池在该 AD 帐户的权限下运行,这意味着您的应用程序现在以 AD 用户身份运行。您需要将 AD 用户添加到运行应用程序的计算机上的 IIS 工作进程组。那么只要你的 AD 用户对网络共享有写权限,你就应该可以在你的文件操作中使用 UNC 路径。
