Hi All,

I've got a page in an ASP.NET app (it's MVC actually, but not important) and I would like to only allow connections to this page from the local machine. I would love to do something like this in Web.config:

<location path="resources">
  <system.web>
    <authorization>
      <allow ips="local"/>
    </authorization>
  </system.web>
</location>

I know this is possible with a simple check in the page code-behind (or controller) and it's even possible just with IIS configuration, but I would love a Web.config setting as this would be the most elegant solution in my opinion. Anyone know if this is possible?

Thanks

Guido

A: 

This isn't what you asked for, but you could specify users of the local machine. I can't imagine this is practical unless it's a small number of users you're wanting to authorize.

<location path="resources">
  <system.web>
    <authorization>
      <allow users="LOCALMACHINENAME\UsernameOfTrustedUser"/>
      <deny users="*"/>
    </authorization>
  </system.web>
</location>
lance
Hi Lance, this will not help, as it's the IIS user that will be running this page periodically and I am currently not using 'Impersonation', so all users would be the IIS user.
gatapia
Did you try this suggestion? It should work. The use of "Impersonation" is not relevant to the authentication example here.
Jennifer Zouak
A: 

You could create your own configuration section that would be part of your web.config and then use the setting to control the behavior in global.asax Session_Start.

Payton Byrd
A: 

Here is a link to a solution with an HttpModule.

Dirk
Hi Dirk, writing code to fix the problem is not the issue; it's very straightforward, whether through an HttpModule or just in Session_Start/Request_Start/etc. in Global.asax. I was just looking for a tidy out-of-the-box solution, which does not exist. But thanks.
gatapia
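
The HttpModule approach mentioned in this answer, as an added example that is not part of the thread or of the linked solution. The class name `LocalOnlyModule` and the `~/resources` prefix are assumptions chosen to match the `<location path="resources">` in the question.

```csharp
using System;
using System.Web;

// Added example. Register it in Web.config (integrated pipeline):
//   <system.webServer><modules>
//     <add name="LocalOnlyModule" type="LocalOnlyModule" />
//   </modules></system.webServer>
// For the classic pipeline use <system.web><httpModules> instead.
public sealed class LocalOnlyModule : IHttpModule
{
    // Assumed app-relative prefix of the area to protect.
    private const string ProtectedPrefix = "~/resources";

    public void Init(HttpApplication app)
    {
        // BeginRequest fires before authorization and handler execution,
        // so a rejected request never reaches the controller or page.
        app.BeginRequest += OnBeginRequest;
    }

    private static void OnBeginRequest(object sender, EventArgs e)
    {
        HttpContext ctx = ((HttpApplication)sender).Context;
        if (!IsProtected(ctx.Request.AppRelativeCurrentExecutionFilePath))
            return;

        // IsLocal is derived from the connection's remote address
        // (loopback, or equal to the server's own address). It does not
        // depend on the Host header, which the client controls.
        if (ctx.Request.IsLocal)
            return;

        ctx.Response.StatusCode = 403;
        ctx.Response.SuppressContent = true;
        ctx.ApplicationInstance.CompleteRequest();
    }

    // Matches "~/resources" and "~/resources/...", but not
    // "~/resources-public" or other paths that merely share the prefix.
    internal static bool IsProtected(string appRelativePath)
    {
        if (string.IsNullOrEmpty(appRelativePath)) return false;
        return appRelativePath.Equals(ProtectedPrefix, StringComparison.OrdinalIgnoreCase)
            || appRelativePath.StartsWith(ProtectedPrefix + "/", StringComparison.OrdinalIgnoreCase);
    }

    public void Dispose() { }
}
```

If the site sits behind a reverse proxy or load balancer on the same machine, every request arrives from loopback and `IsLocal` is true for all of them, so the check has to run at the proxy instead.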
A: 

Run the site on a port other than 80, then access it like this: http://localhost:1943 where 1943 is the new port number. Simple, quick, and it will also block calls to non-.NET content, e.g. images.

James Westgate
+1  A: 
  1. Invent a non-DNS alias for the machine, i.e. "PrivateHostName".
  2. Set this value in the local hosts file to point to 127.0.0.1.
  3. Set a (IIS) host header for the web site such that it only responds to requests to address "PrivateHostName".
  4. For all local calls use the private host name.

Remote clients will not be able to resolve the host name.

You could secure it more using a dedicated IP address tied to a virtual network adapter which would not actually respond to external requests.

Jennifer Zouak