拒绝C# REST服务对路径的访问

Question

我对Windows环境非常陌生，我在c#上做了很多工作。我只是在我的Web上做了一次尝试。

当我试着写一篇文章时，我得到了这个：

{"Message": "An error has occurred.",
"ExceptionMessage": "Access to the path 'C:\\Path\\To\\API' is denied.",
"ExceptionType": "System.UnauthorizedAccessException",
"StackTrace": "   at System.IO.__Error.WinIOError(Int32 errorCode, String maybeFullPath)\r\n   at System.IO.Directory.InternalCreateDirectory(String fullPath, String path, Object dirSecurityObj, Boolean checkHost)\r\n   at System.IO.Directory.InternalCreateDirectoryHelper(String path, Boolean checkHost)\r\n   at MiningAPI.Controllers.ValuesController.Post(HttpRequestMessage request) in C:\\Users\\Tavernier\\Desktop\\MiningReport\\MiningAPI\\MiningAPI\\Controllers\\ValuesController.cs:line 90\r\n   at lambda_method(Closure , Object , Object[] )\r\n   at System.Web.Http.Controllers.ReflectedHttpActionDescriptor.ActionExecutor.<>c__DisplayClass10.<GetExecutor>b__9(Object instance, Object[] methodParameters)\r\n   at System.Web.Http.Controllers.ReflectedHttpActionDescriptor.ExecuteAsync(HttpControllerContext controllerContext, IDictionary`2 arguments, CancellationToken cancellationToken)\r\n--- End of stack trace from previous location where exception was thrown ---\r\n   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()\r\n   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)\r\n   at System.Web.Http.Controllers.ApiControllerActionInvoker.<InvokeActionAsyncCore>d__0.MoveNext()\r\n--- End of stack trace from previous location where exception was thrown ---\r\n   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()\r\n   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)\r\n   at System.Web.Http.Controllers.ActionFilterResult.<ExecuteAsync>d__2.MoveNext()\r\n--- End of stack trace from previous location where exception was thrown ---\r\n   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()\r\n   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)\r\n   at System.Web.Http.Dispatcher.HttpControllerDispatcher.<SendAsync>d__1.MoveNext()"}

IUSRS和IIS_IUSRS的权限完全允许读取Web文件夹中的文件。我在Windows 10上运行IIS-10

更新：

在我通过Visual启动Web时，POST正在工作。(本地主机:港口，现为192.168.1.30:港口)

我试图将我的文件夹移动到D:，将NETWORK SERVICE添加到权限中。

Answer 1

所使用的用户取决于您的应用程序池。如果应用程序使用的IIS应用程序池中没有特定的标识，则默认为"IIS AppPool\“(没有引号)。

有关详细信息，请参阅https://www.iis.net/learn/manage/configuring-security/application-pool-identities。

我建议，应用程序池用户需要写入的任何文件夹都被授予显式的权限。允许应用程序池用户完全写入(特别是对代码目录)是不明智的，因为这可能导致源代码的修改(如果存在)。

检查权限的代码

下面是一些将对权限进行基本检查的代码。它不会找到用户所属的所有用户组，因此不会在扩展的情况下工作。但是，对于使用默认标识的应用程序池，它们应该获得应用程序池名或BUILTIN\User

Import-Module WebAdministration

$websites = (Get-ChildItem IIS:\Sites)

foreach ($website in $websites)
{
    $appPool = (Get-Item IIS:\AppPools\$($website.applicationPool))    
    Write-Output "Found $($website.name) with $($appPool.name) in mode $($appPool.processModel.identityType)";
    $folder = [System.Environment]::ExpandEnvironmentVariables($website.physicalPath);
    if ($appPool.processModel.identityType -eq 3)
    {
        $user = $appPool.processModel.userName;
        Write-Output "Using explicit username '$user'";
    } else {
        $user = "IIS AppPool\" + $appPool.name;
        Write-Output "Using application pool name '$user'";
    }

    $permission = (Get-Acl $Folder).Access | ?{$_.IdentityReference -match $User -or $_.IdentityReference -match "BUILTIN\\Users" } | Select IdentityReference,FileSystemRights
    If ($permission){
        $permission | % {Write-Host "User $($_.IdentityReference) has '$($_.FileSystemRights)' rights on folder $folder"}
    } Else {
        Write-Host "$User Doesn't have any permission on $Folder"
    }
}

在我的系统中，这将提供以下输出

Found Default Web Site with DefaultAppPool in mode ApplicationPoolIdentity
Using application pool name 'IIS AppPool\DefaultAppPool'
User BUILTIN\Users has 'ReadAndExecute, Synchronize' rights on folder C:\inetpub\wwwroot
User BUILTIN\Users has '-1610612736' rights on folder C:\inetpub\wwwroot

Answer 2

您的WebAPI尝试访问路径C:\\Path\\To\\API。它代表无法访问IIS的IIS用户运行。尝试授予对NETWORK_SERVICE用户的访问权限。然后从CMD执行iisreset，以防万一。

如果这不起作用，只需将项目移动到磁盘D:，因为磁盘C:是一个系统磁盘，它通常更具限制性。