How to allow a specific domain to bypass my forms-based security

Larry Smith

Hi there,

I'm fairly new to both IIS and ASP.NET but an experienced Windows developer
otherwise (with extensive Windows security experience). I already have a
good entry-level understanding of IIS and ASP.NET security but would like to
know how to allow requests from a specific domain to automatically bypass my
forms-based security (<authentication mode="Forms"> in my "web.config"
file). Is there something I can easily add to my IIS configuration and/or
"web.config" that basically says, "allow domain.com to enter while everyone
else has to log in"? If not then can someone get me started on how to pull
this off in code? Thanks.
 
Joe Kaplan

How would you know that a request came from a specific domain? If you try
to do this via source IP header, you run the risk that the client would
spoof this. It isn't a reliable form of authentication.

Do you need a real security feature here?
 
Larry Smith

> How would you know that a request came from a specific domain? If you try
> to do this via source IP header, you run the risk that the client would
> spoof this. It isn't a reliable form of authentication.

Thanks for the feedback but for my needs it's ok. I'm going to be opening a
hosted site shortly that will normally be open to all (anonymous) users on
the web. I periodically want to conduct some maintenance however so to
facilitate this, I want to restrict all other users except myself. The
easiest way I've been able to find to do this so far is to add the following
to my "web.config" file:

<authorization>
<!-- Deny all unauthenticated users -->
<deny users="?"/>
</authorization>

This will force all users to a login form where I can then control who can
enter my site. That will only be me for now. During maintenance however, I
want to conduct a test where I click a button on one of my pages which takes
me to another site where a particular transaction is conducted. That site
will then post back to a designated page on my site in a secure manner. When
doing so however, I obviously don't want the page blocked by the above entry
in my "web.config" file. This is why I'm trying to figure out how to allow
that particular domain to bypass the login form. As for intruders, it's
extremely unlikely anyone else will try to access the same page which is
only known to the domain I'm dealing with. Even if it did occur, they won't
get very far since I have an RSA-based security mechanism in place that will
prevent them from doing any harm (it's a shared protocol between me and the
specific domain I'm dealing with).

If you know of a better or more "official" way I can do this then I'd be
interested in knowing. Note BTW that I'd rather not rely on the IIS
configuration panel to assist since my site is hosted. I therefore don't
want to rely on my web host's personnel to access the IIS configuration
panel for me whenever I have to do maintenance. Thanks in advance for any
help you can provide.
 
bruce barker

you should supply a webservice page which you exclude from forms
authentication (see docs for controlling login by path). then use an rsa
key as a parameter to the webservice.

-- bruce (sqlwork.com)
 
Joe Kaplan

I think what I would probably try to do is have a piece of code that
basically integrates with the existing forms login system and generates a
forms login ticket/cookie directly based on the source IP server variable.

Perhaps something that runs in BeginRequest or Authenticate like an
HttpModule or Global.asax handler that generates a forms auth cookie via
SetAuthCookie and sets a valid IPrincipal in Context.User would be
sufficient. It should effectively provide SSO for clients presenting the
required source IP and will challenge for forms auth as normal for those
that do not.

I also tend to agree with Bruce's parallel comment that providing a
non-forms auth method for accessing a page designed for programmatic access
like a web service is probably a good idea.
 
Larry Smith

> I think what I would probably try to do is have a piece of code that
> basically integrates with the existing forms login system and generates a
> forms login ticket/cookie directly based on the source IP server variable.
>
> Perhaps something that runs in BeginRequest or Authenticate like an
> HttpModule or Global.asax handler that generates a forms auth cookie via
> SetAuthCookie and sets a valid IPrincipal in Context.User would be
> sufficient. It should effectively provide SSO for clients presenting the
> required source IP and will challenge for forms auth as normal for those
> that do not.
>
> I also tend to agree with Bruce's parallel comment that providing a
> non-forms auth method for accessing a page designed for programmatic
> access like a web service is probably a good idea.

Thanks for the feedback (to both of you). Do either of you know of a link
with an example I can extrapolate from? I don't need a lot of hand-holding.
Also, how do you get hold of the calling domain in code (or their IP address
at the very least)? Thanks.
 
Joe Kaplan

Check out this document for the list of IIS server variables:

http://msdn.microsoft.com/en-us/library/ms524602.aspx

REMOTE_ADDR will give you the remote IP address. You could also try
REMOTE_HOST to get the translated DNS name, but that might not be as
reliable. Try it and see if that works for your needs.

I don't have source code for this, unfortunately. I think the Authenticate event
is likely to be the way to go with this as it will allow forms
authentication to work normally first and then give your code a crack to
handle this condition afterward.

You could either take the approach to generate a fixed authenticated user
context based on a match to your source IP and have this user participate in
authorized access to the site or you could take the approach of allowing
matches to this source IP to access the site anonymously from the Context.User
perspective.

To do the former, you should just need to generate a valid IPrincipal object
and set that in Context.User and then potentially generate a forms auth
cookie for that user to handle subsequent requests. So, the first thing to
check in the Authenticate event is whether the forms auth module has already
authenticated a user.

If you want requests that match this source IP to access the site
anonymously, you can just call HttpContext.SkipAuthorization. This will
instruct the UrlAuthorizationModule to skip this request and allow anonymous
access to whatever was requested.

I don't know enough about the details of your system to know which approach
would be preferable.
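
An added example, not part of the original thread or any poster's code: one way to implement the source-IP exception with `SkipAuthorization`, scoped to a single callback page as in the per-path suggestion earlier in the thread. The page name `PaymentCallback.aspx` and the address `203.0.113.10` are placeholders, and the handler is `Application_AuthenticateRequest` in Global.asax, which runs after the forms authentication module has processed any ticket cookie.

```csharp
// Global.asax.cs: added illustration, not code from the thread.
using System;
using System.Net;
using System.Web;

public class Global : HttpApplication
{
    // Assumptions (placeholders): the partner's callback page and its egress address.
    private const string CallbackPath = "~/PaymentCallback.aspx";
    private static readonly IPAddress[] AllowedSources =
    {
        IPAddress.Parse("203.0.113.10") // constructed value from a documentation range
    };

    protected void Application_AuthenticateRequest(object sender, EventArgs e)
    {
        // A user who already logged in through the form needs no exception.
        if (Context.User != null && Context.User.Identity.IsAuthenticated)
            return;

        // Scope the exception to one page so the rest of the site stays behind the login.
        string path = Request.AppRelativeCurrentExecutionFilePath;
        if (!string.Equals(path, CallbackPath, StringComparison.OrdinalIgnoreCase))
            return;

        // Request.UserHostAddress is the REMOTE_ADDR server variable.
        if (!IsAllowedSource(Request.UserHostAddress))
            return; // <deny users="?"/> applies and the request is sent to the login form

        // Tell UrlAuthorizationModule not to evaluate <authorization> for this request.
        // The callback page must still run its own RSA-based verification.
        Context.SkipAuthorization = true;
    }

    private static bool IsAllowedSource(string remoteAddr)
    {
        IPAddress addr;
        if (!IPAddress.TryParse(remoteAddr, out addr))
            return false;
        foreach (IPAddress allowed in AllowedSources)
            if (allowed.Equals(addr)) return true;
        return false;
    }
}
```

On a hosted site that sits behind a proxy or load balancer, `REMOTE_ADDR` can be the proxy's address rather than the partner's, so the allow list has to be checked against what the server actually sees.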
 
Larry Smith

Thanks very much for all your advice. I'll research the ideas you presented
and see if I can leverage them for my needs. Your help was greatly
appreciated (same to the others).
 