C# REST API 对路径的服务访问被拒绝
C# REST API Service access to path denied
我是 Windows 环境的新手,为了让我的 c# API 在 IIS 上工作,我费了很大劲。我只设法在我的网站上执行 GET API。
当我尝试执行 POST 时,我得到了这个:
{"Message": "An error has occurred.",
"ExceptionMessage": "Access to the path 'C:\Path\To\API' is denied.",
"ExceptionType": "System.UnauthorizedAccessException",
"StackTrace": " at System.IO.__Error.WinIOError(Int32 errorCode, String maybeFullPath)\r\n at System.IO.Directory.InternalCreateDirectory(String fullPath, String path, Object dirSecurityObj, Boolean checkHost)\r\n at System.IO.Directory.InternalCreateDirectoryHelper(String path, Boolean checkHost)\r\n at MiningAPI.Controllers.ValuesController.Post(HttpRequestMessage request) in C:\Users\Tavernier\Desktop\MiningReport\MiningAPI\MiningAPI\Controllers\ValuesController.cs:line 90\r\n at lambda_method(Closure , Object , Object[] )\r\n at System.Web.Http.Controllers.ReflectedHttpActionDescriptor.ActionExecutor.<>c__DisplayClass10.<GetExecutor>b__9(Object instance, Object[] methodParameters)\r\n at System.Web.Http.Controllers.ReflectedHttpActionDescriptor.ExecuteAsync(HttpControllerContext controllerContext, IDictionary`2 arguments, CancellationToken cancellationToken)\r\n--- End of stack trace from previous location where exception was thrown ---\r\n at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()\r\n at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)\r\n at System.Web.Http.Controllers.ApiControllerActionInvoker.<InvokeActionAsyncCore>d__0.MoveNext()\r\n--- End of stack trace from previous location where exception was thrown ---\r\n at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()\r\n at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)\r\n at System.Web.Http.Controllers.ActionFilterResult.<ExecuteAsync>d__2.MoveNext()\r\n--- End of stack trace from previous location where exception was thrown ---\r\n at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()\r\n at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)\r\n at System.Web.Http.Dispatcher.HttpControllerDispatcher.<SendAsync>d__1.MoveNext()"}
IUSRS 和 IIS_IUSRS 的权限完全允许读取 Web API 文件夹中的文件。
我在 Windows 10,运行 IIS-10
更新:
当我通过 Visual Studio 启动 Web API 时,POST 正在工作。 (localhost:port, 现在是 192.168.1.30:port)
我试图将我的文件夹移动到 D:,添加了 NETWORK SERVICE 权限。
您的 WebAPI 尝试访问路径 C:\Path\To\API。它代表无权访问它的 IIS 用户运行。也尝试授予 NETWORK_SERVICE 用户访问权限。然后从 CMD 执行 iisreset 以防万一。
如果这不起作用,只需将您的项目移动到磁盘 D:,因为磁盘 C: 是一个系统磁盘,通常限制更多。
正在使用的用户取决于您的应用程序池。如果您的应用程序使用的 IIS 应用程序池中没有特定标识,则默认值为 "IIS AppPool\<AppPool Name>"(不带引号)。
有关详细信息,请参阅 https://www.iis.net/learn/manage/configuring-security/application-pool-identities。
我建议明确授予应用程序池用户需要写入的任何文件夹的权限。允许应用程序池用户完全写入访问权限是不明智的,尤其是对代码目录,因为这可能导致修改源代码(如果存在)。
检查权限的代码
下面是一些对权限进行基本检查的代码。它不会关闭并找到用户所属的所有用户组,因此不会在扩展情况下工作。但是,对于使用默认身份的应用程序池,它们应该获得应用程序池名称或 BUILTIN\Users
Import-Module WebAdministration
$websites = (Get-ChildItem IIS:\Sites)
foreach ($website in $websites)
{
$appPool = (Get-Item IIS:\AppPools$($website.applicationPool))
Write-Output "Found $($website.name) with $($appPool.name) in mode $($appPool.processModel.identityType)";
$folder = [System.Environment]::ExpandEnvironmentVariables($website.physicalPath);
if ($appPool.processModel.identityType -eq 3)
{
$user = $appPool.processModel.userName;
Write-Output "Using explicit username '$user'";
} else {
$user = "IIS AppPool\" + $appPool.name;
Write-Output "Using application pool name '$user'";
}
$permission = (Get-Acl $Folder).Access | ?{$_.IdentityReference -match $User -or $_.IdentityReference -match "BUILTIN\Users" } | Select IdentityReference,FileSystemRights
If ($permission){
$permission | % {Write-Host "User $($_.IdentityReference) has '$($_.FileSystemRights)' rights on folder $folder"}
} Else {
Write-Host "$User Doesn't have any permission on $Folder"
}
}
在我的系统上,这给出了以下输出
Found Default Web Site with DefaultAppPool in mode ApplicationPoolIdentity
Using application pool name 'IIS AppPool\DefaultAppPool'
User BUILTIN\Users has 'ReadAndExecute, Synchronize' rights on folder C:\inetpub\wwwroot
User BUILTIN\Users has '-1610612736' rights on folder C:\inetpub\wwwroot
我是 Windows 环境的新手,为了让我的 c# API 在 IIS 上工作,我费了很大劲。我只设法在我的网站上执行 GET API。
当我尝试执行 POST 时,我得到了这个:
{"Message": "An error has occurred.",
"ExceptionMessage": "Access to the path 'C:\Path\To\API' is denied.",
"ExceptionType": "System.UnauthorizedAccessException",
"StackTrace": " at System.IO.__Error.WinIOError(Int32 errorCode, String maybeFullPath)\r\n at System.IO.Directory.InternalCreateDirectory(String fullPath, String path, Object dirSecurityObj, Boolean checkHost)\r\n at System.IO.Directory.InternalCreateDirectoryHelper(String path, Boolean checkHost)\r\n at MiningAPI.Controllers.ValuesController.Post(HttpRequestMessage request) in C:\Users\Tavernier\Desktop\MiningReport\MiningAPI\MiningAPI\Controllers\ValuesController.cs:line 90\r\n at lambda_method(Closure , Object , Object[] )\r\n at System.Web.Http.Controllers.ReflectedHttpActionDescriptor.ActionExecutor.<>c__DisplayClass10.<GetExecutor>b__9(Object instance, Object[] methodParameters)\r\n at System.Web.Http.Controllers.ReflectedHttpActionDescriptor.ExecuteAsync(HttpControllerContext controllerContext, IDictionary`2 arguments, CancellationToken cancellationToken)\r\n--- End of stack trace from previous location where exception was thrown ---\r\n at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()\r\n at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)\r\n at System.Web.Http.Controllers.ApiControllerActionInvoker.<InvokeActionAsyncCore>d__0.MoveNext()\r\n--- End of stack trace from previous location where exception was thrown ---\r\n at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()\r\n at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)\r\n at System.Web.Http.Controllers.ActionFilterResult.<ExecuteAsync>d__2.MoveNext()\r\n--- End of stack trace from previous location where exception was thrown ---\r\n at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()\r\n at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)\r\n at System.Web.Http.Dispatcher.HttpControllerDispatcher.<SendAsync>d__1.MoveNext()"}
IUSRS 和 IIS_IUSRS 的权限完全允许读取 Web API 文件夹中的文件。
我在 Windows 10,运行 IIS-10
更新:
当我通过 Visual Studio 启动 Web API 时,POST 正在工作。 (localhost:port, 现在是 192.168.1.30:port)
我试图将我的文件夹移动到 D:,添加了 NETWORK SERVICE 权限。
您的 WebAPI 尝试访问路径 C:\Path\To\API。它代表无权访问它的 IIS 用户运行。也尝试授予 NETWORK_SERVICE 用户访问权限。然后从 CMD 执行 iisreset 以防万一。
如果这不起作用,只需将您的项目移动到磁盘 D:,因为磁盘 C: 是一个系统磁盘,通常限制更多。
正在使用的用户取决于您的应用程序池。如果您的应用程序使用的 IIS 应用程序池中没有特定标识,则默认值为 "IIS AppPool\<AppPool Name>"(不带引号)。
有关详细信息,请参阅 https://www.iis.net/learn/manage/configuring-security/application-pool-identities。
我建议明确授予应用程序池用户需要写入的任何文件夹的权限。允许应用程序池用户完全写入访问权限是不明智的,尤其是对代码目录,因为这可能导致修改源代码(如果存在)。
检查权限的代码
下面是一些对权限进行基本检查的代码。它不会关闭并找到用户所属的所有用户组,因此不会在扩展情况下工作。但是,对于使用默认身份的应用程序池,它们应该获得应用程序池名称或 BUILTIN\Users
Import-Module WebAdministration
$websites = (Get-ChildItem IIS:\Sites)
foreach ($website in $websites)
{
$appPool = (Get-Item IIS:\AppPools$($website.applicationPool))
Write-Output "Found $($website.name) with $($appPool.name) in mode $($appPool.processModel.identityType)";
$folder = [System.Environment]::ExpandEnvironmentVariables($website.physicalPath);
if ($appPool.processModel.identityType -eq 3)
{
$user = $appPool.processModel.userName;
Write-Output "Using explicit username '$user'";
} else {
$user = "IIS AppPool\" + $appPool.name;
Write-Output "Using application pool name '$user'";
}
$permission = (Get-Acl $Folder).Access | ?{$_.IdentityReference -match $User -or $_.IdentityReference -match "BUILTIN\Users" } | Select IdentityReference,FileSystemRights
If ($permission){
$permission | % {Write-Host "User $($_.IdentityReference) has '$($_.FileSystemRights)' rights on folder $folder"}
} Else {
Write-Host "$User Doesn't have any permission on $Folder"
}
}
在我的系统上,这给出了以下输出
Found Default Web Site with DefaultAppPool in mode ApplicationPoolIdentity
Using application pool name 'IIS AppPool\DefaultAppPool'
User BUILTIN\Users has 'ReadAndExecute, Synchronize' rights on folder C:\inetpub\wwwroot
User BUILTIN\Users has '-1610612736' rights on folder C:\inetpub\wwwroot