0

我有一个 .NET 应用程序,它使用存储在服务器文件夹中的一些图像。该文件夹不属于我的应用程序。此文件夹中的图像用作应用程序中某些 div 的背景图像。我将图像文件夹与我的应用程序一起发布到网络上,所以一切正常。但是,有没有办法限制文件夹对我的 .net 应用程序的访问或可以设置的设置,以便文件夹的内容不可浏览/搜索?现在,我的应用程序使用一个像www.domain.com/iisfoldername/picture.png设置div的背景。同样,如果您在浏览器中使用此类 URL,则会提供图像。当我的应用程序未请求此 URL 时,是否可以阻止提供此 URL?也就是说,如果有人在浏览器中输入此 url,则不会显示图像,而是会在我的应用程序请求时显示图像。

我知道为文件夹设置身份验证。但是我怎样才能限制一个用户的http请求,然后模拟这个用户(如果可能的话)?' 编辑

<?xml version="1.0" encoding="utf-8"?>
 <configuration>
   <configSections>
<section name="entityFramework" type="System.Data.Entity.Internal.ConfigFile.EntityFrameworkSection, EntityFramework, Version=5.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" requirePermission="false" />
<section name="system.identityModel" type="System.IdentityModel.Configuration.SystemIdentityModelSection, System.IdentityModel, Version=4.0.0.0, Culture=neutral, PublicKeyToken=B77A5C561934E089" />
<section name="system.identityModel.services" type="System.IdentityModel.Services.Configuration.SystemIdentityModelServicesSection, System.IdentityModel.Services, Version=4.0.0.0, Culture=neutral, PublicKeyToken=B77A5C561934E089" />
</configSections>
<appSettings>
  <add key="webpages:Version" value="1.0.0.0" />
  <add key="ClientValidationEnabled" value="true" />
  <add key="UnobtrusiveJavaScriptEnabled" value="true" />
  <add key="ida:FederationMetadataLocation" value="https:ccc.com/Federation.xml" />
  <add key="ida:Issuer" value="https://ccc.com" />
  <add key="ida:ProviderSelection" value="productionSTS" />
</appSettings>
<location path="Federation">
<system.web>
  <authorization>
    <allow users="*" />
  </authorization>
</system.web>
</location>
  <system.web>
   <authorization>
    <deny users="?" />
  </authorization>
<authentication mode="None" />
<compilation debug="true" targetFramework="4.5" />
<!--Commented by Identity and Access VS Package-->
<!--<authentication mode="Forms"><forms loginUrl="~/Account/LogOn" timeout="2880" /></authentication>-->
<pages>
  <namespaces>
    <add namespace="System.Web.Helpers" />
    <add namespace="System.Web.Mvc" />
    <add namespace="System.Web.Mvc.Ajax" />
    <add namespace="System.Web.Mvc.Html" />
    <add namespace="System.Web.Routing" />
    <add namespace="System.Web.WebPages" />
  </namespaces>
</pages>
<httpRuntime targetFramework="4.5" requestValidationMode="4.5" />
<profile defaultProvider="DefaultProfileProvider">
  <providers>
    <add name="DefaultProfileProvider" type="System.Web.Providers.DefaultProfileProvider, System.Web.Providers, Version=1.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" connectionStringName="DefaultConnection" applicationName="/" />
  </providers>
</profile>
<membership defaultProvider="DefaultMembershipProvider">
  <providers>
    <add name="DefaultMembershipProvider" type="System.Web.Providers.DefaultMembershipProvider, System.Web.Providers, Version=1.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" applicationName="/" />
  </providers>
</membership>
<roleManager defaultProvider="DefaultRoleProvider">
  <providers>
    <add name="DefaultRoleProvider" type="System.Web.Providers.DefaultRoleProvider, System.Web.Providers, Version=1.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" connectionStringName="DefaultConnection" applicationName="/" />
  </providers>
</roleManager>
<sessionState mode="InProc" customProvider="DefaultSessionProvider">
  <providers>
    <add name="DefaultSessionProvider" type="System.Web.Providers.DefaultSessionStateProvider, System.Web.Providers, Version=1.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" connectionStringName="DefaultConnection" />
  </providers>
</sessionState>
</system.web>
 <runtime>
   <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">
   <dependentAssembly>
    <assemblyIdentity name="System.Web.Mvc" publicKeyToken="31bf3856ad364e35" />
    <bindingRedirect oldVersion="1.0.0.0-2.0.0.0" newVersion="3.0.0.0" />
  </dependentAssembly>
  <dependentAssembly>
    <assemblyIdentity name="itextsharp" publicKeyToken="8354ae6d2174ddca" culture="neutral" />
    <bindingRedirect oldVersion="0.0.0.0-5.4.3.0" newVersion="5.4.3.0" />
  </dependentAssembly>
</assemblyBinding>
</runtime>
  <entityFramework>
    <defaultConnectionFactory type="System.Data.Entity.Infrastructure.SqlConnectionFactory, EntityFramework" />
 </entityFramework>
 <connectionStrings>

 </connectionStrings>
 <system.webServer>
   <modules>
     <remove name="FormsAuthentication" />
     <add name="WSFederationAuthenticationModule" type="System.IdentityModel.Services.WSFederationAuthenticationModule, System.IdentityModel.Services, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" preCondition="managedHandler" />
  <add name="SessionAuthenticationModule" type="System.IdentityModel.Services.SessionAuthenticationModule, System.IdentityModel.Services, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" preCondition="managedHandler" />
</modules>
</system.webServer>
 <system.identityModel>
   <identityConfiguration>
     <audienceUris>
       <add value="https://localhost/App/" />
     </audienceUris>
  <!--Commented by Identity and Access VS Package-->
  <!--<issuerNameRegistry type="System.IdentityModel.Tokens.ValidatingIssuerNameRegistry, System.IdentityModel.Tokens.ValidatingIssuerNameRegistry"><authority name="LocalSTS"><keys><add thumbprint="9B74CB2F320F7AAFC156E1252270B1DC01EF40D0" /></keys><validIssuers><add name="LocalSTS" /></validIssuers></authority></issuerNameRegistry>-->
  <!--certificationValidationMode set to "None" by the the Identity and Access Tool for Visual Studio. For development purposes.-->
  <certificateValidation certificateValidationMode="None" />
  <issuerNameRegistry type="System.IdentityModel.Tokens.ValidatingIssuerNameRegistry, System.IdentityModel.Tokens.ValidatingIssuerNameRegistry">
    <authority name="http://ccc.com">
      <keys>
        <add thumbprint="BA86062DD810B95F49FBF85F448507D63D15FB92" />
      </keys>
      <validIssuers>
        <add name="http://ccc.com" />
      </validIssuers>
    </authority>
  </issuerNameRegistry>
</identityConfiguration>
</system.identityModel>
  <system.identityModel.services>
    <federationConfiguration>
     <cookieHandler requireSsl="true" />
      <wsFederation passiveRedirectEnabled="true" issuer="https://ccc.com/" realm="https://localhost/App/" requireHttps="true" />
   </federationConfiguration>
 </system.identityModel.services>
 </configuration>
4

1 回答 1

3

鉴于您的配置,我相信您最好的选择是使用 URL 重写。在这种情况下,如果用户直接请求图像或从其他网站引用图像,则将用户重定向到“假”图像(但如果从应用程序中的页面引用,则允许访问它们)。

为此,请使用 Microsoft 的 IIS URL 重写扩展,您可以在此处下载: http ://www.iis.net/downloads/microsoft/url-rewrite

一旦它安装在您的服务器上,通过将以下内容添加到您的 web.config 来配置它(因为您的 web.config 中已经有一个 system.webServer 部分,只需将“rewrite”节点添加到其中)。请注意所需的内联注释和替换。

  <system.webServer>
    <rewrite>
      <rules>
        <rule name="Whitelist Image Access" stopProcessing="true">
          <!-- Evaluated for all image file requests -->
          <match url="(?:jpg|jpeg|png|gif|bmp)$" />
          <conditions>

            <!-- 
            Rule applies when user tries to access URL directly (no referrer) 
            -->
            <add input="{HTTP_REFERER}" matchType="Pattern" pattern="^$" ignoreCase="true" />

            <!-- 
            Rule does NOT apply when pages on our site are the referrer 
            *** NOTE: Replace "ccc" and "com" with appropriate parts form your domain ***
            -->
            <add input="{HTTP_REFERER}" matchType="Pattern" pattern="^https?://(.*\.)?ccc\.com/.*$" ignoreCase="true" negate="true" />

            <!-- 
            Rule does NOT apply when accessing the replacement image when real ones are refused
            *** NOTE: replace "no_access.png" with the name of the "fake" image you want to use ***
            -->
            <add input="{REQUEST_FILENAME}" matchType="Pattern" pattern="no_access.png" ignoreCase="true" negate="true" />
          </conditions>

          <!-- 
          Temporary redirect (status code 307) to "fake" image
          *** NOTE: Replace the URL below with the "fake" image URL *** 
          -->
          <action type="Redirect" url="http://ccc.com/images/no_access.png" appendQueryString="false" redirectType="Temporary" />

        </rule>
      </rules>
    </rewrite>
  </system.webServer>
于 2013-08-19T23:48:34.203 回答