How to allow a specific domain to bypass my forms-based security

Discussion in 'ASP .Net Security' started by Larry Smith, Jan 6, 2009.

  1. Larry Smith

    Hi there,

    I'm fairly new to both IIS and ASP.NET but an experienced Windows developer
    otherwise (with extensive Windows security experience). I already have a
    good entry-level understanding of IIS and ASP.NET security but would like to
    know how to allow requests from a specific domain to automatically bypass my
    forms-based security ("<authentication mode = "Forms"> in my "web.config"
    file). Is there something I can easily add to my IIS configuration and/or
    "web.config" that basically says, "allow domain.com to enter while everyone
    else has to log in". If not then can someone get me started on how to pull
    this off in code. Thanks.
     
    Larry Smith, Jan 6, 2009
    #1

  2. Joe Kaplan

    How would you know that a request came from a specific domain? If you try
    to do this via source IP header, you run the risk that the client would
    spoof this. It isn't a reliable form of authentication.

    Do you need a real security feature here?

    --
    Joe Kaplan-MS MVP Directory Services Programming
    Co-author of "The .NET Developer's Guide to Directory Services Programming"
    http://www.directoryprogramming.net
     
    Joe Kaplan, Jan 6, 2009
    #2

  3. Larry Smith

    > How would you know that a request came from a specific domain? If you try
    > to do this via source IP header, you run the risk that the client would
    > spoof this. It isn't a reliable form of authentication.


    Thanks for the feedback but for my needs it's ok. I'm going to be opening a
    hosted site shortly that will normally be open to all (anonymous) users on
    the web. I periodically want to conduct some maintenance however so to
    facilitate this, I want to restrict all other users except myself. The
    easiest way I've been able to find to do this so far is to add the following
    to my "web.config" file:

    <authorization>
    <!-- Deny all unauthenticated users -->
    <deny users="?"/>
    </authorization>

    This will force all users to a login form where I can then control who can
    enter my site. That will only be me for now. During maintenance however, I
    want to conduct a test where I click a button on one of my pages which takes
    me to another site where a particular transaction is conducted. That site
    will then post back to a designated page on my site in a secure manner. When
    doing so however, I obviously don't want the page blocked by the above entry
    in my "web.config" file. This is why I'm trying to figure out how to allow
    that particular domain to bypass the login form. As for intruders, it's
    extremely unlikely anyone else will try to access the same page which is
    only known to the domain I'm dealing with. Even if it did occur, they won't
    get very far since I have an RSA-based security mechanism in place that will
    prevent them from doing any harm (it's a shared protocol between me and the
    specific domain I'm dealing with).

    If you know of a better or more "official" way I can do this then I'd be
    interested in knowing. Note BTW that I'd rather not rely on the IIS
    configuration panel to assist since my site is hosted. I therefore don't
    want to rely on my web host's personnel to access the IIS configuration
    panel for me whenever I have to do maintenance. Thanks in advance for any
    help you can provide.
     
    Larry Smith, Jan 7, 2009
    #3
  4. bruce barker

    You should supply a web service page which you exclude from forms
    authentication (see docs for controlling login by path), then use an RSA
    key as a parameter to the web service.

    -- bruce (sqlwork.com)

     
    bruce barker, Jan 7, 2009
    #4
  5. Joe Kaplan

    I think what I would probably try to do is have a piece of code that
    basically integrates with the existing forms login system and generates a
    forms login ticket/cookie directly based on the source IP server variable.

    Perhaps something that runs in BeginRequest or Authenticate like an
    HttpModule or Global.asax handler that generates a forms auth cookie via
    SetAuthCookie and sets a valid IPrincipal in Context.User would be
    sufficient. It should effectively provide SSO for clients presenting the
    required source IP and will challenge for forms auth as normal for those
    that do not.

    I also tend to agree with Bruce's parallel comment that providing a
    non-forms auth method for accessing a page designed for programmatic access
    like a web service is probably a good idea.

    --
    Joe Kaplan-MS MVP Directory Services Programming
    Co-author of "The .NET Developer's Guide to Directory Services Programming"
    http://www.directoryprogramming.net
     
    Joe Kaplan, Jan 7, 2009
    #5
  6. Larry Smith

    >I think what I would probably try to do is have a piece of code that
    >basically integrates with the existing forms login system and generates a
    >forms login ticket/cookie directly based on the source IP server variable.
    >
    > Perhaps something that runs in BeginRequest or Authenticate like an
    > HttpModule or Global.asax handler that generates a forms auth cookie via
    > SetAuthCookie and sets a valid IPrincipal in Context.User would be
    > sufficient. It should effectively provide SSO for clients presenting the
    > required source IP and will challenge for forms auth as normal for those
    > that do not.
    >
    > I also tend to agree with Bruce's parallel comment that providing a
    > non-forms auth method for accessing a page designed for programmatic
    > access like a web service is probably a good idea.


    Thanks for the feedback (to both of you). Does either of you know of a link
    with an example I can extrapolate from? I don't need a lot of hand-holding.
    Also, how do you get hold of the calling domain in code (or their IP address
    at the very least)? Thanks.
     
    Larry Smith, Jan 7, 2009
    #6
  7. Joe Kaplan

    Check out this document for the list of IIS server variables:

    http://msdn.microsoft.com/en-us/library/ms524602.aspx

    REMOTE_ADDR will give you the remote IP address. You could also try
    REMOTE_HOST to get the translated DNS name, but that might not be as
    reliable. Try it and see if that works for your needs.

    I don't have source code for this, unfortunately. I think the Authenticate event
    is likely to be the way to go with this as it will allow forms
    authentication to work normally first and then give your code a crack to
    handle this condition afterward.

    You could either take the approach to generate a fixed authenticated user
    context based on a match to your source IP and have this user participate in
    authorized access to the site or you could take the approach of allowing
    matches to this source IP to access the site anonymously from the Context.User
    perspective.

    To do the former, you should just need to generate a valid IPrincipal object
    and set that in Context.User and then potentially generate a forms auth
    cookie for that user to handle subsequent requests. So, the first thing to
    check in the Authenticate event is whether the forms auth module has already
    authenticated a user.

    If you want requests that match this source IP to access the site
    anonymously, you can just call HttpContext.SkipAuthorization. This will
    instruct the UrlAuthorizationModule to skip this request and allow anonymous
    access to whatever was requested.

    I don't know enough about the details of your system to know which approach
    would be preferable.

    --
    Joe Kaplan-MS MVP Directory Services Programming
    Co-author of "The .NET Developer's Guide to Directory Services Programming"
    http://www.directoryprogramming.net
     
    Joe Kaplan, Jan 7, 2009
    #7
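    The two options Joe describes above, written out as an added example (this is not code from anyone in the thread): a Global.asax handler that, for the one designated postback page only, compares REMOTE_ADDR against an allow-list and then either sets an IPrincipal in Context.User or sets SkipAuthorization. The peer address 203.0.113.10, the path ~/PartnerCallback.aspx and the identity name are placeholders.

```csharp
// Global.asax.cs (added example; 203.0.113.10 and ~/PartnerCallback.aspx are placeholders)
using System;
using System.Net;
using System.Security.Principal;
using System.Web;

public class Global : HttpApplication
{
    // Allow-list of peer addresses (constructed; in practice read it from web.config).
    private static readonly IPAddress[] TrustedPeers = { IPAddress.Parse("203.0.113.10") };
    // Only the designated postback page is exempted, never the whole site.
    private const string CallbackPath = "~/PartnerCallback.aspx";

    // Global.asax handlers run after FormsAuthenticationModule has processed any
    // forms ticket and before UrlAuthorizationModule evaluates <deny users="?"/>.
    protected void Application_AuthenticateRequest(object sender, EventArgs e)
    {
        // A user who already logged in through the form needs nothing extra.
        if (Context.User != null && Context.User.Identity.IsAuthenticated) return;
        if (!IsTrustedCallback(Context.Request)) return;

        // Option 1 (fixed authenticated user): give the peer a principal for this
        // request. FormsAuthentication.SetAuthCookie("partner-callback", false) would
        // also issue a ticket, but a single POST does not need one.
        Context.User = new GenericPrincipal(
            new GenericIdentity("partner-callback", "TrustedPeer"), new[] { "Partner" });

        // Option 2 (anonymous access) would instead be:
        //   Context.SkipAuthorization = true;
        // Either way the page's own RSA check on the posted data must still run.
    }

    private static bool IsTrustedCallback(HttpRequest request)
    {
        // Check the path first so the bypass can never widen beyond the one page.
        if (!string.Equals(request.AppRelativeCurrentExecutionFilePath, CallbackPath,
                           StringComparison.OrdinalIgnoreCase)) return false;
        // The partner posts back over HTTPS, so plain HTTP is rejected outright.
        if (!request.IsSecureConnection) return false;

        // UserHostAddress is REMOTE_ADDR: the address the TCP connection came from,
        // unlike a header the client can set. Behind a reverse proxy it is the
        // proxy's address, and this check would have to be done at the proxy.
        IPAddress remote;
        if (!IPAddress.TryParse(request.UserHostAddress, out remote)) return false;
        foreach (IPAddress peer in TrustedPeers)
            if (peer.Equals(remote)) return true;
        return false;
    }
}
```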
  8. Larry Smith

    Thanks very much for all your advice. I'll research the ideas you presented
    and see if I can leverage them for my needs. Your help was greatly
    appreciated (same to the others).
     
    Larry Smith, Jan 7, 2009
    #8
