Three Is It

Because two isn't enough and four is just too many

About the author

Brad Butts is a .NET developer and architect. He is married with children and enjoys reading, working out, and genealogy in his five minutes of spare time.
Disclaimer

The opinions expressed herein are my own personal opinions and do not represent my employer's view in any way.

© Copyright 2010

ASP.NET Routing Security Backdoor

Some time ago, Phil Haack posted a really cool entry on the System.Web.Routing feature, new in .NET 3.5 SP1.

In his post he noted a "subtle potential security issue": you might think you have secured a directory with a nested web.config and an appropriate <authorization> element, but a route that maps a URL outside that directory (his example was a "backdoor" URL) onto a page inside it bypasses that protection completely. The reason is that UrlAuthorizationModule evaluates the <authorization> rules against the URL the browser requested, not against the physical page the route eventually executes, so the rules in Admin/web.config are never consulted for a request to /backdoor. Phil closed the hole by calling UrlAuthorizationModule.CheckUrlAccessForPrincipal from his IRouteHandler implementation, passing the page's virtual path, so the user's permission to the target resource is checked explicitly. Here are two alternative approaches that do not require adding the UrlAuthorizationModule code:

Option 1: Change the "BackDoor" Route
Since the rule is to deny all requests to resources in the Admin sub-directory, and the authorization module matches that rule against the requested URL, we can simply make the route's URL live under that directory. Changing the route slightly to this (MapWebFormRoute is the helper from Phil's demo; the trailing false leaves the handler's own access check switched off):
routes.MapWebFormRoute("Secret", "admin/BackDoor", "~/Admin/SecretPage.aspx", false);

we get the desired result: a request for /admin/BackDoor now picks up the <authorization> rule from the Admin directory's web.config and is denied before the route handler ever runs. The protection comes entirely from the URL prefix, so any other route that reaches into ~/Admin/ from a URL outside admin/ would reopen the hole.

Option 2: Add a Location Path to the Authorization Configuration
Leaving the Backdoor route as it is in the original demo code, another approach is to wrap an authorization rule in a <location> element keyed to the route's URL rather than to the page's physical path. Thus, in the parent web.config file, we could add this configuration:

  <location path="backdoor">
    <system.web>
      <authorization>
        <deny users="*"/>
      </authorization>
    </system.web>
  </location>

and achieve the desired result: /backdoor is now denied by the root web.config even though ~/Admin/SecretPage.aspx itself is untouched. Note that path must match the URL the route exposes (matching is case-insensitive), and that this closes only the one door: every other route that maps onto the protected directory needs its own <location> entry, or the Option 1 treatment.

All in all, though, I'm glad Phil chose the route he did because I had the chance to learn about the UrlAuthorizationModule.
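For comparison with the two configuration-based options, here is what the check Phil described looks like when written into the route handler itself. This is an added example for this post, not Phil's demo code and not part of the framework: the WebFormRouteHandler class, its checkPhysicalUrlAccess flag, the IsAuthorized helper and the route names are all illustrative. The handler asks UrlAuthorizationModule.CheckUrlAccessForPrincipal whether the current user may reach the page's own virtual path, so the <authorization> rules in Admin/web.config are honoured no matter what URL the route exposes.

```csharp
using System.Security.Principal;
using System.Web;
using System.Web.Compilation;
using System.Web.Routing;
using System.Web.UI;

// Illustrative route handler (not Phil Haack's demo code, not the framework's):
// serves an .aspx page for a routed URL and, when asked, re-runs URL
// authorization against the page's own virtual path instead of the URL
// the browser requested.
public class WebFormRouteHandler : IRouteHandler
{
    private readonly string _virtualPath;
    private readonly bool _checkPhysicalUrlAccess;

    public WebFormRouteHandler(string virtualPath, bool checkPhysicalUrlAccess)
    {
        _virtualPath = virtualPath;
        _checkPhysicalUrlAccess = checkPhysicalUrlAccess;
    }

    // Decision logic kept separate from the HttpContext plumbing:
    // may this principal reach the target page with this verb?
    public static bool IsAuthorized(string virtualPath, IPrincipal user, string httpMethod)
    {
        // UrlAuthorizationModule evaluates the <authorization> rules that apply to
        // virtualPath (here Admin/web.config for ~/Admin/SecretPage.aspx), which is
        // exactly the evaluation the routed request skipped.
        return UrlAuthorizationModule.CheckUrlAccessForPrincipal(virtualPath, user, httpMethod);
    }

    public IHttpHandler GetHttpHandler(RequestContext requestContext)
    {
        HttpContextBase context = requestContext.HttpContext;
        if (_checkPhysicalUrlAccess &&
            !IsAuthorized(_virtualPath, context.User, context.Request.HttpMethod))
        {
            // Same outcome a direct request to the page would have received.
            throw new HttpException(401, "Unauthorized");
        }
        return (IHttpHandler)BuildManager.CreateInstanceFromVirtualPath(_virtualPath, typeof(Page));
    }
}

public static class RouteConfig
{
    // Hypothetical Global.asax registration showing the approaches side by side.
    public static void RegisterRoutes(RouteCollection routes)
    {
        // Phil's approach: the URL stays "backdoor", so Admin/web.config is never
        // consulted for the request URL; the handler checks the physical path instead.
        routes.Add("SecretChecked",
            new Route("backdoor", new WebFormRouteHandler("~/Admin/SecretPage.aspx", true)));

        // Option 1: the route URL itself lives under admin/, so the Admin directory's
        // <authorization> rule applies to the request URL during AuthorizeRequest,
        // before routing ever selects this handler. The handler's own check can stay off.
        routes.Add("SecretUnderAdmin",
            new Route("admin/BackDoor", new WebFormRouteHandler("~/Admin/SecretPage.aspx", false)));

        // Option 2 needs no code change: keep a "backdoor" route with the check off and
        // add <location path="backdoor"> with <deny users="*"/> to the root web.config.
        // Every further route into ~/Admin/ then needs its own <location> entry.
    }
}
```

The first route is the one that keeps the decision tied to the resource rather than to the URL, which is why it survives adding new routes later; Options 1 and 2 are cheaper but have to be repeated for every route that reaches into the protected directory. From .NET 4 onwards the framework's own PageRouteHandler performs this same physical-path check by default (its CheckPhysicalUrlAccess property), but the 3.5 SP1 routing this post discusses has no built-in equivalent, which is why Phil wrote it into his handler.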

 

Categories: Technology Blog
Posted by Brad on Friday, September 12, 2008 5:14 PM

Comments

Franchise Options

Thursday, April 16, 2009 7:09 AM

Hey - just checking out the blogengine.net platform on your site as I am looking to change over from wordpress. How are you finding its backend and themes?

Cheers

Matthew Anderson

Criminal Background Check

Thursday, April 30, 2009 6:35 AM

Thanks for sharing this nice information with us. I installed it now in my blog, looks great!

ZK@Web Marketing Blog

Sunday, May 24, 2009 11:05 AM

ASP.NET 2005 introduced a pretty solid menu which is integrated with a configuration driven sitemap. The cool part is that the menu can be hooked in with your security roles, so you don't have to worry about hiding or showing menu options based on the user - the menu options are automatically kept in sync with what the user is allowed to see. We'll talk about how to set this up, using an example from a website I worked on recently.

Israel institute

Sunday, June 07, 2009 1:31 PM

made my day

Israel knesset

Sunday, June 07, 2009 1:32 PM

love it so much
made my day

Franchises for sale

Tuesday, June 09, 2009 4:52 PM

It's interesting, the blog engine platform seems very variable in form. My design skills are not so good as my C coding though, I would be interested in seeing what additional skins you can get for it. Nice blog btw, best wishes for it and keep up the posts. Kind regards, Peter Sims.

Sulumits Retsambew

Wednesday, June 24, 2009 6:42 PM

wow, it's a little bit complicated for me

Max GlipMax

Friday, June 26, 2009 6:21 PM

Maybe it's the first time for me visiting your blog, but I know it contains so many useful things here. Thanks a lot.

Web Design

Monday, June 29, 2009 7:05 AM

Thanks a lot for sharing the info. Nice post.

Jm-Experts!

Monday, July 27, 2009 10:33 AM

Amazing blog! I visit you regularly!

Bank charges

Thursday, July 30, 2009 2:32 AM

Hi. This information proved to be very useful. Can you please provide more aspects of this subject? Thanks.

Pertamina

Monday, August 17, 2009 8:20 AM

Thanks for this nice info, it's so useful for me.

Website Design Sydney

Tuesday, August 18, 2009 11:51 PM

Hi.

This is a very useful post, including all preceding ones about the routing mechanism. But the sample is very hard to find because there are no links on the official mvc project and codeplex sites.

Dentist Northern Ireland

Monday, August 24, 2009 6:26 AM

Great resource to explore things for best knowledge, blogs are the best options.

offshore web development

Thursday, September 03, 2009 8:24 AM

I have never thought of such a backdoor previously; thanks for sharing this information, as every developer must take care of such things.
