Is there a away to block the access to my website from specific application or better to only allow one. In the logs i can see what application was used for the access of the site. So basicaly iis can differ wahat application were been used.
I have achived this with the HTTP Rewrite Module provided by microsoft.
Related
I work in a company where we have many different applications. To reduce code repetition and keep the experience for the users the same across applications we created a component library which is used by all applications.
Now we want to allow the users to switch between applications. Something similar like Google does:
Screenshot of Google Application Drawer
An additional requirement for our "Application Switcher" would be that it "updates" itself. Meaning if we change how this "Application Switcher" looks we don't want all applications which use this Switcher to create a new deployment and be newly deployed.
So currently we use the same header (from our component library) in all our applications. So, my idea was just to simply add a script tag to all the index.html pages of all the applications which should support this "Application Switcher". The Script would parse the DOM, find the header and inject a component for this application switcher. I wanted to host the actual script from a CDN like server and the script tag in the index.html just references this URL. This way we could change this script however we want, and all the applications will always get the latest version.
Now I did a small proof of concept in our environments and solved all the CORS issues but since we were fetching from an authenticated context and the script was also in an authenticated context I always got a 401.
Additionally, we have the requirement, that this "Application Switcher" shows different applications to different users i.e. depending on which apps a user is allowed to access. So, the script itself will also do calls to an "Application Switcher" backend providing it user-specific information.
Now this makes me think that my initial idea of just putting a script tag and fetching from a CDN was too simplistic. Now I'm thinking if it would be better to implement a rest endpoint in all applications to fetch this script. This way I don't have the problems of fetching a resource from an authenticated context from the user's browser and instead can handle all of this in the backend.
So long story short; I feel like a complete noob who just hacks around to get things working (or actually not working) and was wondering if any of the smart internet people out there (who might actually already have experience with this) could give me a hint what would be a clean way to implement this?
I have an app we've developed that will be translated to tagalog. No big deal, I thought. We've done translation dozens of times. However, apparently this culture is not supported by default. So I looked and found CultureAndRegionInfoBuilder, but that requires admin privileges, something my azure web site most definitely will not have.
Is there a way to use a custom culture without registering it, or alternatively, register a custom culture on a reserved Azure web site instance?
I find it absolutely mind boggling that I might have to use something other than Azure Websites simply because of the lack of forethought and design surrounding globalization.
I know this question is old but I did end up finding an alternative.
https://github.com/turquoiseowl/i18n
It sits outside your app as an IHttpModule that intercepts responses and does localization by replacing screens with a specific delimiter ([[[ and ]]] respectively, by default). It uses gettext/po standards and IMHO, is everything ASP.NET localization should have been from the beginning.
Does anyone know of any article/publication on the security architecture of Metro app?
For example, can the metro app call an external service. If it can,
under what condition. Will it prompt the user first? And if so will
they be able to change their restriction later and how?
Cross domain scripting in a website is usually considered a big
no-no. But if I were to turn the same code into a metro app (since
presumably they're both written in Html 5 + js), does it mean I can
make ajax calls to any server irrespective of their domain? Is it
even possible to port a website into an app? If so how easy is that?
What about accessing local file system? Or does it have to go
through the contracts to do so?
And this is kind of related but if I were to write a website (not an
app). And the site was opened using Metro IE10, can it subscribe
into the metro specific js events? I guess I'm trying to figure out
how to save cost by doing as little development as possible. I
prefer a website that can target multiple platforms and only target
specific platform for the features that absolutely require it - also
not to thrilled with the idea of having to go through microsoft in
order to publish my app.
Any help appreciated.
Metro applications can call into web services located on other machines, but their ability to interact with the local machine is severely limited.
Similarly, accessing arbitrary parts of the local filesystem is not permitted. If your application has the documents (or music or photos) library permission, it can access the files in those libraries.
We have a library of ZIP files that we would like to make available for download at an ASP.NET site.
The files are sitting on a NAS device that is accessible from out web farm.
Here is our initial strategy:
Map an IIS virtual directory to the shared drive at path /zipfiles
Users can download the zip files when given the URL
However, if users share links to the files, anyone can download them. We would instead like to make use of the ASP.NET forms authentication in our site to validate users' requests before initiating the file transfer.
A few problems:
A request for a zip file is handled by IIS, not ASP.NET. So it is not subject to forms authentication.
In addition, we don't want ASP.NET to handle the request, because it uses up an ASP.NET thread and is not scalable for download of large files. So, configuring the asp.net dll to handle *.zip requests is not an option.
Any ideas on this?
One idea we've tossed around is this:
Initial request for download will be for an ashx handler. This handler will, after authentication, generate a download token which is saved to a database. Then, the user is redirected to the file with token appended in QueryString (e.g. /files/xyz.zip?token=123456789). An ISAPI plugin will be used to check the token. Also, the token will expire after x amount of time.
Any thoughts on this? I have not implemented an ISAPI plugin so I'm not sure if this will even work.
I would like to avoid custom coding since security is an issue and I'd prefer to use a time-tested solution.
Forms authentication can't go without ASP.NET.
If you don't want to use ASP.NET at all, you can define an NTFS permission on file and to create domain accounts to your users. That will become a nightmare really fast.
To deal with large downloads into ASP.NET, you can take a look into Comet. That's basically a IHttpHandler but you'll need to use another ThreadPool (not ASP.NET). I suggest take a look into Smart Thread Pool.
I combined both a few months ago to create an application for download speed throttling and now runs very smoothly.
I read and understand your concern with using a handler to manage your static files, but if you use an async handler then you wont be blocking.
I think you might get the results you are looking for at a fair price.
Is there a way to get URI based access control directly in IIS that works with static content, ASP, WCF services and anything else that comes in looking something like an HTTP request?
Particularly I want the access control to be a bullet proof as possible preferably making the decision before IIS even tries to figure out what to service the request with.
This link sort of hints that this can't be done but it's old and I'd be very surprised if what I'm looking for doesn't exist.
This link has a few other options (and a less "aggressive" community)
An ideal solution would be able to declare that everything (static and dynamic content) under a given URL (for example https://dns.name/some/path/*) needs a login and the user must be in some group. Also, I'd rather set it up with a username/passord file (at least for now) rather than AD or some windows account system.
In short I want access control and I don't want to be writing code to get it.
This seems related but I'm not sure it's quite the same.
You can set access rules for ASP.NET or WCF web application in web.config file.
HOW TO: Control Authorization Permissions in an ASP.NET Application
If you have access to IIS and you know .htaccess syntax, you can use ISAPI_Rewrite 3. The Lite version is free.