Thanks - you are one step behind me / or in front - depending on your angle. Lutz Roeder is my best friend (though he doesn't know it ;-) I was firing it up as your post came in.

It's a bit of a tricky read from a cursory glance but it certainly does respond to the compat attribute. If my 5 minute perusal is correct I think it is processing the request on a different thread and therefore there is no context or pipeline? That could well be wrong....but that's how it looks on first glance.

Incidentally - found a note here - http://msdn2.microsoft.com/en-us/lib...34(VS.90).aspx

Cheers

"Dominick Baier" <dbaier (AT) pleasepleasenospam_leastprivilege (DOT) com> wrote in message news:8e6a913a1418d8c99920eaad6260 (AT) news (DOT) microsoft.com...

If compat mode is not enabled - the WCF HttpModule will take the request off the pipeline in PostAuthenticateRequest and will directly jump to EndRequest. Like I wrote in my blog post.

How can you verify that - use Reflector to look at System.ServiceModel.Activation.HttpModule

You can find other bits and pieces of information on the internet of course

-----
Dominick Baier (http://www.leastprivilege.com)
Developing More Secure Microsoft ASP.NET 2.0 Applications (http://www.microsoft.com/mspress/books/9989.asp)

Hi Dominick

Thanks for the info. Out of interest, how do you know this? Where did you read this up? There is scant information on any of this which I can find.

In general, security for requests is hooked up by modules. Modules handle pipeline events despite the handler. When it is the handler's turn to execute it will, and then subsequent pipeline events will be handled by the modules. The fact that .svc has a System.ServiceModel.Activation.HttpHandler shouldn't affect the handling of the pipeline events by httpmodules which would take place regardless. The only way to do that is to unhook the other modules - and given these are copied and hooked up each time a new pipeline thread is created would be folly.

Please explain more.

Cheers

"Dominick Baier" <dbaier (AT) pleasepleasenospam_leastprivilege (DOT) com> wrote in message news:8e6a913a141748c9990ca28ad490 (AT) news (DOT) microsoft.com...

By default - WCF completely bypasses the ASP.NET security pipeline. You can change this by going into ASP.NET compatibility mode.

Have a look here: http://www.leastprivilege.com/Hostin...NETTheSurvivalGuide.aspx

-----
Dominick Baier (http://www.leastprivilege.com)
Developing More Secure Microsoft ASP.NET 2.0 Applications (http://www.microsoft.com/mspress/books/9989.asp)

I host a service called MyService.svc in a private subfolder of my web application like so

/
/private
/private/myservice.svc
/private/privatepage.aspx

I use a location tag to secure the private folder to deny anonymous users. I test this successfully by using Internet Explorer to go to the /private/privatepage.aspx and noting that I get the redirection back to my loginpage.aspx with the return url of /private/privatepage.aspx duly noted on the querystring.

However - as you can guess by the post title - anyone is free to call my "private" myservice.svc despite being not logged in. The service is not protected.

What gives?

Cheers
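
The setup discussed in this thread, as an added example that is not part of the original posts: a web.config that keeps the location-based deny rule from the question and switches on the ASP.NET compatibility mode named in the replies, so requests for the .svc file are no longer taken off the pipeline before authorization runs. Forms authentication and the file names are assumptions drawn from the poster's description.

```xml
<!-- web.config at the application root.
     Constructed example: forms authentication and the page names are
     assumed from the question (redirect to loginpage.aspx, /private folder). -->
<configuration>
  <system.web>
    <authentication mode="Forms">
      <forms loginUrl="loginpage.aspx" />
    </authentication>
  </system.web>

  <!-- The rule the poster already had: no anonymous access under /private.
       On its own it protects privatepage.aspx but not myservice.svc,
       because without compatibility mode the WCF HttpModule removes the
       request from the pipeline in PostAuthenticateRequest, before the
       authorization stage is reached. -->
  <location path="private">
    <system.web>
      <authorization>
        <deny users="?" />
      </authorization>
    </system.web>
  </location>

  <system.serviceModel>
    <!-- Defaults to false. With true, .svc requests go through the full
         ASP.NET pipeline, so the deny rule above applies to
         /private/myservice.svc as well.

         The service class must opt in too, otherwise activation fails
         on .NET 3.x where the default requirement is NotAllowed:

           [AspNetCompatibilityRequirements(
               RequirementsMode = AspNetCompatibilityRequirementsMode.Required)]
           public class MyService : IMyService { ... }

         IMyService is a hypothetical contract name. Required makes the
         service refuse to start if compatibility mode is later turned
         off, so it cannot silently fall back to the unprotected path. -->
    <serviceHostingEnvironment aspNetCompatibilityEnabled="true" />
  </system.serviceModel>
</configuration>
```

A quick check after deploying: request /private/myservice.svc without an authentication cookie and confirm the response is the redirect to the login page rather than the service help page.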