views: 40
answers: 1

A) I want to be able to support password protection of my RSS feeds through the following authentication methods:

- HTTP Basic
- Integrated Windows (NTLM/Kerberos)
- Digest

1) How can I do that in ASP.NET MVC?

B) Reading over the RSS 2.0 specification, I saw nothing related to security, so I assume that security implemented for the RSS feed is handled on one end by the web server handling the HTTP request for the RSS feed, and on the other end by the client requesting access to the RSS feed. The client should collect a user name and password, and put that information into the request to the server. I'm curious to know how (or if) sites like UserLand, or ASP.NET Weblogs offer password protected RSS feeds, and on the other side of the fence, how are RSS aggregators like NewsGator, NewzCrawler, SharpReader, etc. handling password protected RSS feeds?

+1  A: 

RSS does not have any security built in. You can harness ASP.NET MVC by creating a custom ActionResult, which can provide authentication. This is with forms authentication, but you can see the idea.

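using System.ServiceModel.Syndication;
using System.Web.Mvc;
using System.Xml;

public class RssActionResult : ActionResult
{
    // The feed to serialize; set by the controller action.
    public SyndicationFeed Feed { get; set; }

    public override void ExecuteResult(ControllerContext context)
    {
        // ControllerContext.HttpContext is an HttpContextBase, so User is read from it directly.
        if (context.HttpContext.User.Identity.IsAuthenticated)
        {
            context.HttpContext.Response.ContentType = "application/rss+xml";
            Rss20FeedFormatter rssFormatter = new Rss20FeedFormatter(Feed);
            using (XmlWriter writer = XmlWriter.Create(context.HttpContext.Response.Output))
            {
                rssFormatter.WriteTo(writer);
            }
        }
        else
        {
            // Not authenticated: write no feed content and report 401.
            context.HttpContext.Response.StatusCode = 401;
        }
    }
}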
Dustin Laine
Could you please explain why it is better to authenticate when executing the result, instead of authenticating (in) the controller action directly? Authentication is not inherent to RssActionResult, as it is not to ViewResult or JsonResult (and this is the reason why MVC does not implement authentication when executing the results, I believe).
Marek
@Marek, good point. I was just showing an example. I have never myself had the need to secure RSS as I see a lot of problems posed with it. However using an RSSActionFilter as your feed will allow for the authentication to happen, wherever that may be.
Dustin Laine