asp.net-mvc 如何锁定 ASP.NET MVC 中的路径?
声明:本页面是StackOverFlow热门问题的中英对照翻译,遵循CC BY-SA 4.0协议,如果您需要使用它,必须同样遵循CC BY-SA许可,注明原文地址和作者信息,同时你必须将它归于原作者(不是我):StackOverFlow
原文地址: http://stackoverflow.com/questions/11765030/
Warning: these are provided under cc-by-sa 4.0 license. You are free to use/share it, But you must attribute it to the original authors (not me):
StackOverFlow
How to lock down paths in ASP.NET MVC?
提问by Jed
I'm playing around with MVC 4 for the first time to check out what's been changed/added/etc compared to MVC 3.
我第一次使用 MVC 4 来检查与 MVC 3 相比有哪些更改/添加/等。
To start off, I created a blank MVC 4 Web Application and started building from scratch.
首先,我创建了一个空白的 MVC 4 Web 应用程序并从头开始构建。
One of the first things that I noticed that is different in MVC 4 is the fact that the following web.config settings have no affect on the accessibility of the web pages:
我注意到与 MVC 4 不同的第一件事是以下 web.config 设置对网页的可访问性没有影响:
<configuration>
<location path="">
<system.web>
<authorization>
<deny users="?"/>
</authorization>
</system.web>
</location>
.....
</configuration>
Back in MVC 3, the authorization settings above would deny all anonymous users from accessing any content within the site. However, if I add the same settings to an MVC4 Web.config file, an anonymous has free reign over an URL that s/he chooses.
回到 MVC 3,上面的授权设置将拒绝所有匿名用户访问站点内的任何内容。但是,如果我将相同的设置添加到 MVC4 Web.config 文件,匿名者可以自由支配他/她选择的 URL。
What do I need to do in MVC 4 to lock-down all paths like I did in MVC 3?
我需要在 MVC 4 中做什么才能像在 MVC 3 中那样锁定所有路径?
回答by Erik Philips
Take a look at Securing your ASP.NET MVC 4 App and the new AllowAnonymous Attribute.
看看保护您的 ASP.NET MVC 4 应用程序和新的 AllowAnonymous 属性。
You cannot use routing or web.config files to secure your MVC application (Any Version). The only supported way to secure your MVC application is to apply the Authorize attribute...
您不能使用路由或 web.config 文件来保护您的 MVC 应用程序(任何版本)。保护您的 MVC 应用程序的唯一受支持的方法是应用 Authorize 属性...
MVC uses routes and does not map URLs to physical file locations like WebForms, PHP and traditional web servers. Therefore using web.config will definitely open a security hole in your site.
MVC 使用路由并且不会将 URL 映射到物理文件位置,如 WebForms、PHP 和传统 Web 服务器。因此,使用 web.config 肯定会在您的站点中打开一个安全漏洞。
Examples:
例子:
Start with the default ASP.Net MVC project (internet/intranet).
从默认的 ASP.Net MVC 项目(互联网/内联网)开始。
Edit the web.config adding:
编辑 web.config 添加:
<location path="Home">
<system.web>
<authorization>
<deny users="*">
</authorization>
</system.web>
</location>
Run the project, by default you will use the Defaultroute /Home/Indexand you see content, simply bypassing the web.config with no changes to the default template. Why? Because the ASP.Net pipeline is comparing the URL requested to the location specified in the web.config. However, afterthe Authorization Event has been executed in the pipeline the routing taking place (Default routing or custom routing) and allows access to the supposedly restricted area.
运行项目,默认情况下,您将使用默认路由/Home/Index并看到内容,只需绕过 web.config 而不更改默认模板。为什么?因为 ASP.Net 管道正在将请求的 URL 与 web.config 中指定的位置进行比较。然而,在管道中执行授权事件后,路由发生(默认路由或自定义路由)并允许访问所谓的受限区域。
Additionally, any MVC Redirect()will also by-pass the same security measures as again the routing takes place after the Authorization Pipeline Event.
此外,任何 MVCRedirect()也将绕过与在授权管道事件之后再次进行路由相同的安全措施。
I don't think anyone should accept sorta workingsecurity. Do it correctly the first time, don't be lazy and use something that wasn't designed to be used with a specific technology.
我认为任何人都不应该接受某种工作安全。第一次就做正确的事,不要偷懒,使用一些不是设计用于特定技术的东西。
