0

I'm using the http://imageresizing.net/ component to display images on my webapplication.

My problem is that users need to be (forms)authenticated before retreiving an image although I allow anonymous users.

I created my own implementations for VirtualImageProvider and VirtualFile by implementing their Interfaces:

    public class CustomVirtualImageProvider : IVirtualImageProvider, IPlugin
{
    public bool FileExists(string virtualPath, NameValueCollection queryString)
    {
        return true;
    }

    public IVirtualFile GetFile(string virtualPath, NameValueCollection queryString)
    {
        var customVirtualFile = new CustomVirtualFile(virtualPath, queryString);

        return customVirtualFile;
    }

    public IPlugin Install(Config c)
    {
        c.Plugins.add_plugin(this);
        return this;
    }

    public bool Uninstall(Config c)
    {
        c.Plugins.remove_plugin(this);
        return true;
    }
}

and

    public class CustomVirtualFile : IVirtualFile
{
    private readonly string _virtualPath;

    public CustomVirtualFile(string virtualPath, NameValueCollection query)
    {
        _virtualPath = virtualPath;
        this.query = new ResizeSettings(query);
    }

    protected ResizeSettings query;

    public System.IO.Stream Open()
    {
        var pathService = new ICustomImagePathService();

        string path = pathService.GetPhysicalPathByVirtual(_virtualPath);

        var fi = new FileInfo(path);
        if (!fi.Exists)
        {
            return null;
        }

        CurrentLogger.Logger.Debug("Processing: " + _virtualPath);

        var ms = new MemoryStream();
        using (var file = new FileStream(path, FileMode.Open, FileAccess.Read))
        {
            var bytes = new byte[file.Length];
            file.Read(bytes, 0, (int)file.Length);
            ms.Write(bytes, 0, (int)file.Length);
        }

        ms.Seek(0, SeekOrigin.Begin);

        return ms;
    }

    public string VirtualPath { get { return _virtualPath; } }
}

In the web.config I've setup the DiskCache plugin:

<diskcache dir="/ImageCache" />

This /ImageCache is a VirtualDirectory within IIS.

I'm using asp.net FormsAuthentication.

The requirement is users need to be authenticated when getting images from: https://myhost/i/userprofile/(guid).

Un-authenticated users/requests are allowed to get images from: https://myhost/i/public/logos/(guid).

To achieve this, I created these folders in my webapplication:

  • /i
  • /i/public

In these folders I've added a test default.aspx page and these web.config's:

/i

<?xml version="1.0"?>
<configuration>
  <system.web>
    <authorization>
     <deny users="?"/>
    </authorization>
  </system.web>
</configuration>

/i/public

<?xml version="1.0"?>
<configuration>
  <system.web>
    <authorization>
      <allow users="?"/>
    </authorization>
  </system.web>
</configuration>

Testing with the webpages works:

/i/default.aspx --> redirects to login page. Good.

/i/public/default.aspx --> shows the page. Good.

/i/userprofile/d39a2fe0-2f1d-9750-e8d4-ebbe0f87d790.jpg?w=50&h=50 --> redirect to login page. Good.

/i/public/applogo/297/3347df8d-ef47-4280-ac2d-75a740b5898e.jpg?w=100&h=100 --> redirect to login page. Not good.

Can some one help me with this issue? I want this last image to be shown to unauthenticated users.

Many thanks in advance.

4

2 回答 2

0

我通过进行以下更改使其工作:

1) 将匿名身份验证凭据(在 IIS 内)从 IUSR 更改为应用程序池标识

2) 将 runAllManagedModulesForAllRequests 设置回“true”。在测试期间,我尝试禁用它。

全部通过使用 ASP.NET Url 授权。

于 2016-07-01T13:27:28.670 回答
0

我认为您可能在这里错误地使用了 URL 授权。我认为 ”?” 表示任何经过身份验证的用户,但“*”表示所有用户,包括未经身份验证的用户。

您可能还需要使用<location>元素来确保您的配置特定于某些 URL。

您是否考虑过使用 IIS URL 授权而不是 ASP.NET URL 授权? https://www.iis.net/learn/manage/configuring-security/understanding-iis-url-authorization

于 2016-06-30T18:17:49.683 回答