Restriction Module : secure your asp.net application

RestrictionModue makes life easier that secure your asp.net or sharepoint site content, pages or documents when authorization restrictions or standart restrictions are not enough. Its developed in c# 3.5.

What is Restriction Module

Restriction module is an open source project based on a httpmodule that alternatively provide security to your web applications. You can define rules that protect your pages,contents or documents. Use more flexible restrictions using power of regular expression than forms authentication web.config options.You can change security settings in runtime. And no need to recycle application or no extra down time .

Configuration of  Restriction Module

  • Add Module Definition:

Add this key below to your web.config file: configuration/system.web/httpModules

<add name=”RestrictionModule” type=”RestrictionModuleApp.RestrictionModule, RestrictionModuleApp,Version=1.0.0.0, Culture=neutral, PublicKeyToken=be23a05ec1781ff6″  />

  • Add switch key:

Add belowed key to configuration/appSettings
<add key=”RestrictionModuleActive” value=”On” />

İf value is on means module is active off means inactive.

  • Copy  Restriction.xml to your application path

Restriction.xml file definitions

You should define restrictions rules in restriction xml . Here is an example .

<?xml version="1.0" encoding="utf-8"?>
<RestrictionRules xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema">
  <RestrictionRule Enabled="false" Action="Deny" Mode="RequestURL" ContinueRuleList="false">
    <Expressions>
      <Expression Type="Contains" CaseSensitive="false">/Pages/Forms/</Expression>
      <Expression Type="Contains" CaseSensitive="false">/_layouts/</Expression>
    </Expressions>
    <RedirectURL>http://blog.bugrapostaci.com/ErrorPages/401.aspx</RedirectURL>
    <Audiences>PostDomain\guest</Audiences>
  </RestrictionRule>
</RestrictionRules>

Restriction Rule:

You can define a restriction rule between <RestrictionRule></RestrictionRule> tags.

Restriction Rule Parameters:

  • Enabled: Boolean. Makes this rule active or inactive
  • Action: Gets two parameters  “Allow” and “Deny”. Default is “Deny”.If you choose “allow” by default  all request redirect to  url which is defined redirectURL parameter except selected user scope (if Audiences parameter is empty means all user is selected . All requests are not redirected) . Otherwise you choose “Deny”  by default all request continue with its normal destination except selected users redirect to  url which is defined RedirectURL parameter
  • Mode: Defines an envoriment variable in httpcontext for restriction
    • RequestURL: Restrict request with using raw url of request.
    • RequestUserHostName: Restrict request by UserHostName
    • RequestContentType: Restrict request by Content Type.
    • RequestUserHostAddress: Restrict request by UserHostAddress
  • ContinueRuleList: Boolean. By default If one rule match with expression and not match any criteria the other rules will not execute. If you set this parameter “true” the other rules will be executed what if an expression matched for one rule.  This feature should be used two different rule with same expression but modes are not equal.

For example:

Rule1: deny select url contains “/pages/” for A and B user. -> Redirect to access denied page

Rule2: deny select ip startwith “192.168” for A and C user  -> Redirect to access denied page

İf user “C” make a request a pagewith url contains “/pages/” rule expression match but identity not .By default expression match is enough and the other rules not executed.For execute rule2 you should set this parameter true in rule1.

Expression:

You can define one or more expression in a rule. There is no expression continue list option.if one expression is match with the pattern or criteria,  the others not execute.Also there is no relation between expressions.

  • Type : Defines an operation on envoriment variable .Available operations
    • Contains : Search given parameter with in variable
    • StartWith : Search given parameter  at start of variable
    • EndWith : Search given parameter at end of variable
    • RegularExpression:Search given patterns and user parameter as variable.
    • CaseSensitive: Boolean . Define case sensitivity feature except Regular Expression.Default is false. İf you want use case sensitivity in regular expression,you have to write in pattern.

RedirectURL:

If any rule’s expression match with the criteria request will redirect to this url. Usually this url is Access Denied page or login page url.

Audiences

Access list for a rule. If its empty means all users.If you want to define more than one user you have to seperate identities  by comma “,”.

Example:

<Audiences>BlogDomain\bugra,BlogDomain\postman</Audiences>

Exampe Restrictions Rules

Other users will restricted.

<?xml version="1.0" encoding="utf-8"?>
<RestrictionRules xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema">
  <RestrictionRule Enabled="false" Action="Allow" Mode="RequestURL" ContinueRuleList="false">
    <Expressions>
      <Expression Type="StartWith" CaseSensitive="false">http://blog.bugrapostaci.com/admin</Expression>
    </Expressions>
    <RedirectURL>http://blog.bugrapostaci.com /ErrorPages/401.aspx
         </RedirectURL>
    <Audiences>BlogDomain\admin</Audiences>
  </RestrictionRule>
</RestrictionRules>
  • Example 2 : Deny “Guest” user to reach pages url which contains /Pages/Forms and /Pages/Admin/
<?xml version="1.0" encoding="utf-8"?>
<RestrictionRules xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema">

  <RestrictionRule Enabled="false" Action="Deny" Mode="RequestURL" ContinueRuleList="false">
    <Expressions>
      <Expression Type="Contains" CaseSensitive="false">/Pages/Forms/</Expression>
      <Expression Type="Contains" CaseSensitive="false">/Pages/Admin/</Expression>
    </Expressions>
    <RedirectURL>http://blog.bugrapostaci.com /ErrorPages/401.aspx
         </RedirectURL>
    <Audiences>Guest</Audiences>
  </RestrictionRule>
</RestrictionRules>

  • Example 3 : Deny all users which ip address start with “192.168.10”
<?xml version="1.0" encoding="utf-8"?>
<RestrictionRules xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema">
  <RestrictionRule Enabled="false" Action="Deny" Mode="RequestUserHostAddress" ContinueRuleList="false">
    <Expressions>
      <Expression Type="StartWith" CaseSensitive="false">192.168.10</Expression>
    </Expressions>
    <RedirectURL>http://blog.bugrapostaci.com/ErrorPages/401.aspx</RedirectURL>
    <Audiences> </Audiences>
  </RestrictionRule>
</RestrictionRules>
  • Example 4 : Multiple Rules
<?xml version="1.0" encoding="utf-8"?>
<RestrictionRules xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema">

  <RestrictionRule Enabled="false" Action="Deny" Mode="RequestURL" ContinueRuleList="true">
    <Expressions>
      <Expression Type="Contains" CaseSensitive="false">/Pages/Forms/</Expression>
      <Expression Type="Contains" CaseSensitive="false">/Pages/Admin/</Expression>
    </Expressions>
    <RedirectURL>http://blog.bugrapostaci.com /ErrorPages/401.aspx
         </RedirectURL>
    <Audiences>Guest</Audiences>
  </RestrictionRule>
<RestrictionRule Enabled="false" Action="Deny" Mode="RequestUserHostAddress" ContinueRuleList="false">
    <Expressions>
      <Expression Type="StartWith" CaseSensitive="false">192.168.10</Expression>
    </Expressions>
    <RedirectURL>http://blog.bugrapostaci.com/ErrorPages/401.aspx</RedirectURL>
    <Audiences></Audiences>
  </RestrictionRule>
</RestrictionRules>

You can visit project page:

http://restrictionmodule.codeplex.com

You can download release version :

http://restrictionmodule.codeplex.com/releases/view/50844#DownloadId=144210

And here is the user manuel

http://restrictionmodule.codeplex.com/releases/view/50844#DownloadId=144633

Happy codding.

How to manage visibility of Site Actions by user in Sharepoint

If you want to show site actions menu by user rights easy way of to do that using SPSecurityTrimmedControl .
Conditionally renders the contents of the control to the current user only if the current user has permissions defined in the PermissionString

<SharePoint:SPSecurityTrimmedControl runat=”server” PermissionsString=”ManageWeb”>
<div class=”ms-siteaction”>
….
</div>
</SharePoint:SPSecurityTrimmedControl>

Parameters and attributes:

  • PermissionString:
EmptyMask Has no permissions on the Web site. Not available through the user interface.
ViewListItems View items in lists, documents in document libraries, and view Web discussion comments.
AddListItems Add items to lists, add documents to document libraries, and add Web discussion comments.
EditListItems Edit items in lists, edit documents in document libraries, edit Web discussion comments in documents, and customize Web Part Pages in document libraries.
DeleteListItems Delete items from a list, documents from a document library, and Web discussion comments in documents.
ApproveItems Approve a minor version of a list item or document.
OpenItems View the source of documents with server-side file handlers.
ViewVersions View past versions of a list item or document.
DeleteVersions Delete past versions of a list item or document.
CancelCheckout Discard or check in a document which is checked out to another user.
ManagePersonalViews Create, change, and delete personal views of lists.
ManageLists Create and delete lists, add or remove columns in a list, and add or remove public views of a list.
ViewFormPages View forms, views, and application pages, and enumerate lists.
Open Allow users to open a Web site, list, or folder to access items inside that container.
ViewPages View pages in a Web site.
AddAndCustomizePages Add, change, or delete HTML pages or Web Part Pages, and edit the Web site using a SharePoint Foundation–compatible editor.
ApplyThemeAndBorder Apply a theme or borders to the entire Web site.
ApplyStyleSheets Apply a style sheet (.css file) to the Web site.
ViewUsageData View reports on Web site usage.
CreateSSCSite Create a Web site using Self-Service Site Creation.
ManageSubwebs Create subsites such as team sites, Meeting Workspace sites, and Document Workspace sites.
CreateGroups Create a group of users that can be used anywhere within the site collection.
ManagePermissions Create and change permission levels on the Web site and assign permissions to users and groups.
BrowseDirectories Enumerate files and folders in a Web site using Microsoft Office SharePoint Designer 2007 and WebDAV interfaces.
BrowseUserInfo View information about users of the Web site.
AddDelPrivateWebParts Add or remove personal Web Parts on a Web Part Page.
UpdatePersonalWebParts Update Web Parts to display personalized information.
ManageWeb Grant the ability to perform all administration tasks for the Web site as well as manage content. Activate, deactivate, or edit properties of Web site scoped Features through the object model or through the user interface (UI). When granted on the root Web site of a site collection, activate, deactivate, or edit properties of site collection scoped Features through the object model. To browse to the Site Collection Features page and activate or deactivate site collection scoped Features through the UI, you must be a site collection administrator.
UseClientIntegration Use features that launch client applications; otherwise, users must work on documents locally and upload changes.
UseRemoteAPIs Use SOAP, WebDAV, or Microsoft Office SharePoint Designer 2007 interfaces to access the Web site.
ManageAlerts Manage alerts for all users of the Web site.
CreateAlerts Create e-mail alerts.
EditMyUserInfo Allows a user to change his or her user information, such as adding a picture.
EnumeratePermissions Enumerate permissions on the Web site, list, folder, document, or list item.
FullMask Has all permissions on the Web site. Not available through the user interface.
  • PermissionContext:
CurrentSite Apply a permission mask to the current site.
CurrentList Apply a permission mask to the current list.
CurrentItem Apply a permission mask to the current list or document library item.
RootSite Apply a permission mask to the root site of the site collection.
CurrentFolder Apply a permission mask to the current folder.
  • PermissionMode
All The user must have all of the rights specified in the permission mask to view a link.
Any The user must have only one of the rights specified in the permission mask to view a link.

Happy Codding…

Illegal characters in path when deploying to sharepoint 2010

This strange error occurs when deploying our sharepoint project to sharepoint 2010.This error caused by a character set problem on path of users folder.

My path contains a turkish character of “ı” .

Solution.

First:

Change your tmp path from
c:\Documents and settings\[My illegal charecters in here]\Local settings\Temp
to:
c:\temp folder

You can change temp folders by right click my computer -> properties -> advanced system settings -> Envoriments Variables

Second:

VisualStudio2010 -> tools -> options -> Projects & Solutions
change that paths to another path that not include your user account name which is contain
s illegal characters.

Happy programming…