如何使用 ASP.NET 在纯 HTML 页面上进行表单身份验证?
声明:本页面是StackOverFlow热门问题的中英对照翻译,遵循CC BY-SA 4.0协议,如果您需要使用它,必须同样遵循CC BY-SA许可,注明原文地址和作者信息,同时你必须将它归于原作者(不是我):StackOverFlow
原文地址: http://stackoverflow.com/questions/3589020/
Warning: these are provided under cc-by-sa 4.0 license. You are free to use/share it, But you must attribute it to the original authors (not me):
StackOverFlow
How to do Forms Authentication on purely HTML pages using ASP.NET?
提问by Abe
I am using forms authentication in IIS7 to password-protect a dev site, but the authentication seems to get by-passed when the site contains only static HTMLfiles + login.aspx + web.config.
我在 IIS7 中使用表单身份验证来密码保护开发站点,但是当站点仅包含静态 HTML文件 + login.aspx + web.config时,身份验证似乎被绕过。
When I renamed the files to .aspx, I am prompted with the login form I am not doing anything fancy. I have a very simple login script and it should just redirect to index.html afterward.
当我将文件重命名为 .aspx 时,系统会提示我登录表单,我没有做任何花哨的事情。我有一个非常简单的登录脚本,之后它应该重定向到 index.html。
Any suggestions? To summarize, the entire site is using HTML (for now) and needs to be password protected.
有什么建议?总而言之,整个站点都在使用 HTML(目前)并且需要密码保护。
<authentication mode="Forms">
<forms name="appNameAuth" path="/" loginUrl="~/login.aspx" defaultUrl="index.html" protection="All" timeout="525600">
<credentials passwordFormat="Clear">
<user name="[user]" password="[password]" />
</credentials>
</forms>
</authentication>
<authorization>
<deny users="?" />
</authorization>
回答by Kelsey
To make the HTML files locked down by your forms authetication, you need have them served by ASP.NET. You can do this in IIS by associating the extension(s) you need (eg. .html, .htm, etc) with the aspnet_isapi.dll.
要通过表单身份验证锁定 HTML 文件,您需要让它们由 ASP.NET 提供服务。您可以在 IIS 中通过将您需要的扩展名(例如 .html、.htm 等)与 aspnet_isapi.dll 相关联来执行此操作。
Onces ASP.NET is servicing those files you can specify the permissions for them just like any aspx page.
一旦 ASP.NET 为这些文件提供服务,您就可以像任何 aspx 页面一样为它们指定权限。
For more information refer to MSDN:
有关更多信息,请参阅MSDN:
By default, IIS processes static content itself - like HTML pages and CSS and image files - and only hands off requests to the ASP.NET runtime when a page with an extension of .aspx, .asmx, or .ashx is requested.
IIS 7, however, allows for integrated IIS and ASP.NET pipelines. With a few configuration settings you can setup IIS 7 to invoke the FormsAuthenticationModule for all requests. Furthermore, with IIS 7 you can define URL authorization rules for files of any type. For more information, see Changes Between IIS6 and IIS7 Security, Your Web Platform Security, and Understanding IIS7 URL Authorization.
Long story short, in versions prior to IIS 7, you can only use forms authentication to protect resources handled by the ASP.NET runtime. Likewise, URL authorization rules are only applied to resources handled by the ASP.NET runtime. But with IIS 7 it is possible to integrate the FormsAuthenticationModule and UrlAuthorizationModule into IIS's HTTP pipeline, thereby extending this functionality to all requests.
默认情况下,IIS 本身处理静态内容(如 HTML 页面、CSS 和图像文件),并且仅在请求扩展名为 .aspx、.asmx 或 .ashx 的页面时才将请求移交给 ASP.NET 运行时。
但是,IIS 7 允许集成 IIS 和 ASP.NET 管道。通过一些配置设置,您可以设置 IIS 7 为所有请求调用 FormsAuthenticationModule。此外,使用 IIS 7,您可以为任何类型的文件定义 URL 授权规则。有关详细信息,请参阅 IIS6 和 IIS7 安全性之间的变化、您的 Web 平台安全性和了解 IIS7 URL 授权。
长话短说,在 IIS 7 之前的版本中,您只能使用表单身份验证来保护由 ASP.NET 运行时处理的资源。同样,URL 授权规则仅适用于由 ASP.NET 运行时处理的资源。但是使用 IIS 7,可以将 FormsAuthenticationModule 和 UrlAuthorizationModule 集成到 IIS 的 HTTP 管道中,从而将此功能扩展到所有请求。
回答by bigtv
In IIS7 if you want to protect *.html or *.htm files (or other non .net extensions) under forms authentication then add the following lines to your web.config:
在 IIS7 中,如果您想在表单身份验证下保护 *.html 或 *.htm 文件(或其他非 .net 扩展名),则将以下行添加到您的 web.config:
<compilation>
<buildProviders>
<add extension=".html" type="System.Web.Compilation.PageBuildProvider" />
<add extension=".htm" type="System.Web.Compilation.PageBuildProvider" />
</buildProviders>
</compilation>
AND
和
<system.webServer>
<handlers>
<add name="HTML" path="*.html" verb="GET, HEAD, POST, DEBUG" type="System.Web.UI.PageHandlerFactory" resourceType="Unspecified" requireAccess="Script" />
<add name="HTM" path="*.htm" verb="GET, HEAD, POST, DEBUG" type="System.Web.UI.PageHandlerFactory" resourceType="Unspecified" requireAccess="Script" />
</handlers>
</system.webServer>
回答by Mango Wong
Although this is an old question, I find the link in pomarc's answer really useful. Below is the summary which is suit for IIS7.
虽然这是一个老问题,但我发现 pomarc 的答案中的链接非常有用。以下是适用于 IIS7 的总结。
In your web.config, add or modify <handlers>under <system.webServer>:
在您web.config添加或修改<handlers>下<system.webServer>:
<handlers>
<add name="HTML" path="*.html" verb="GET,HEAD,POST,DEBUG" modules="IsapiModule" scriptProcessor="%windir%\Microsoft.NET\Framework\v2.0.50727\aspnet_isapi.dll" resourceType="Unspecified" requireAccess="Script" />
</handlers>
Replace verbvalue with your required one; scriptProcessorvalue with correct path of your environment.
verb用您需要的值替换value;scriptProcessor值与您的环境的正确路径。
Then, add or modify <compilation>and <httpHandlers>under <system.web>:
然后,添加或修改<compilation>和<httpHandlers>下<system.web>:
<compilation debug="false" strict="false" explicit="true">
<buildProviders>
<!--Add below so .html file will be handled by ASP.NET (for use of Forms Authentication)-->
<add extension=".html" type="System.Web.Compilation.PageBuildProvider" />
</buildProviders>
</compilation>
<httpHandlers>
<!--Add below so .html file will be handled by ASP.NET (for use of Forms Authentication)-->
<add verb="GET, HEAD, POST, DEBUG" path="*.html" type="System.Web.UI.PageHandlerFactory" />
</httpHandlers>
Replace verbvalue with your required one.
verb用您需要的值替换值。
You may also include more extension separated by comma ','
您还可以包含更多以逗号“,”分隔的扩展名
回答by pomarc
I've solved the same problem a few days ago, by following the post by fr33m3 @ 11-21-2007, 3:19 PM on this thread: http://forums.asp.net/t/1184547.aspxfollow all the steps from 2. to 5. and you're done!
我已经解决了同样的问题,前几天,通过遵循fr33m3后@ 2007年11月21日,下午3时19分在此线程: http://forums.asp.net/t/1184547.aspx遵守所有从 2. 到 5. 的步骤就完成了!
hope this can help you like it helped me.
希望这可以帮助你喜欢它帮助我。
