Restriction Module: secure your ASP.NET application


RestrictionModule makes it easier to secure your ASP.NET or SharePoint site content, pages or documents when authorization restrictions or standard restrictions are not enough. It is developed in C# 3.5.

What is Restriction Module

Restriction Module is an open source project based on an HttpModule that provides an alternative way to secure your web applications. You can define rules that protect your pages, contents or documents, and the power of regular expressions gives you more flexible restrictions than the forms authentication options in web.config. You can change security settings at runtime, with no need to recycle the application and no extra downtime.

Configuration of Restriction Module

  • Add Module Definition:

Add the key below to your web.config file under configuration/system.web/httpModules:

<add name="RestrictionModule" type="RestrictionModuleApp.RestrictionModule, RestrictionModuleApp, Version=1.0.0.0, Culture=neutral, PublicKeyToken=be23a05ec1781ff6" />

  • Add switch key:

Add the key below to configuration/appSettings:
<add key="RestrictionModuleActive" value="On" />

If the value is On, the module is active; Off means it is inactive.

  • Copy Restriction.xml to your application path

Restriction.xml file definitions

You should define the restriction rules in Restriction.xml. Here is an example.

<?xml version="1.0" encoding="utf-8"?>
<RestrictionRules xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema">
  <RestrictionRule Enabled="false" Action="Deny" Mode="RequestURL" ContinueRuleList="false">
    <Expressions>
      <Expression Type="Contains" CaseSensitive="false">/Pages/Forms/</Expression>
      <Expression Type="Contains" CaseSensitive="false">/_layouts/</Expression>
    </Expressions>
    <RedirectURL>http://blog.bugrapostaci.com/ErrorPages/401.aspx</RedirectURL>
    <Audiences>PostDomain\guest</Audiences>
  </RestrictionRule>
</RestrictionRules>

Restriction Rule:

You can define a restriction rule between <RestrictionRule></RestrictionRule> tags.

Restriction Rule Parameters:

  • Enabled: Boolean. Makes this rule active or inactive.
  • Action: Takes two values, "Allow" and "Deny". Default is "Deny". If you choose "Allow", by default all requests are redirected to the URL defined in the RedirectURL parameter, except those from the selected user scope (if the Audiences parameter is empty, all users are selected and no request is redirected). If you choose "Deny", by default all requests continue to their normal destination, except those from the selected users, which are redirected to the URL defined in the RedirectURL parameter.
  • Mode: Defines the environment variable in HttpContext used for the restriction:
    • RequestURL: Restrict the request using its raw URL.
    • RequestUserHostName: Restrict the request by UserHostName.
    • RequestContentType: Restrict the request by Content Type.
    • RequestUserHostAddress: Restrict the request by UserHostAddress.
  • ContinueRuleList: Boolean. By default, if one rule's expression matches but none of its other criteria match, the remaining rules are not executed. If you set this parameter to "true", the remaining rules are executed even though an expression matched in this rule. This feature should be used for two different rules with the same expression but different modes.

For example:

Rule1: Deny URLs that contain "/pages/" for users A and B -> redirect to the access denied page

Rule2: Deny IP addresses that start with "192.168" for users A and C -> redirect to the access denied page

If user C requests a page whose URL contains "/pages/", the rule expression matches but the identity does not. By default, an expression match is enough and the other rules are not executed. To have Rule2 executed, you should set this parameter to true in Rule1.

Expression:

You can define one or more expressions in a rule. There is no continue-list option for expressions: if one expression matches the pattern or criteria, the others are not executed. There is also no relation between expressions.

  • Type: Defines an operation on the environment variable. Available operations:
    • Contains: Search for the given parameter within the variable.
    • StartWith: Search for the given parameter at the start of the variable.
    • EndWith: Search for the given parameter at the end of the variable.
    • RegularExpression: Search the variable with the given pattern.
  • CaseSensitive: Boolean. Defines case sensitivity for all types except RegularExpression. Default is false. If you want case sensitivity in a regular expression, you have to write it into the pattern.

RedirectURL:

If any of a rule's expressions matches the criteria, the request is redirected to this URL. Usually this is the Access Denied page or the login page URL.

Audiences

Access list for a rule. If it is empty, all users are meant. To define more than one user, separate the identities with a comma ",".

Example:

<Audiences>BlogDomain\bugra,BlogDomain\postman</Audiences>

Example Restriction Rules

  • Example 1: Allow only BlogDomain\admin to reach URLs that start with http://blog.bugrapostaci.com/admin. Other users will be restricted.

<?xml version="1.0" encoding="utf-8"?>
<RestrictionRules xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema">
  <RestrictionRule Enabled="false" Action="Allow" Mode="RequestURL" ContinueRuleList="false">
    <Expressions>
      <Expression Type="StartWith" CaseSensitive="false">http://blog.bugrapostaci.com/admin</Expression>
    </Expressions>
    <RedirectURL>http://blog.bugrapostaci.com/ErrorPages/401.aspx</RedirectURL>
    <Audiences>BlogDomain\admin</Audiences>
  </RestrictionRule>
</RestrictionRules>
  • Example 2: Deny the "Guest" user from reaching page URLs that contain /Pages/Forms and /Pages/Admin/
<?xml version="1.0" encoding="utf-8"?>
<RestrictionRules xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema">

  <RestrictionRule Enabled="false" Action="Deny" Mode="RequestURL" ContinueRuleList="false">
    <Expressions>
      <Expression Type="Contains" CaseSensitive="false">/Pages/Forms/</Expression>
      <Expression Type="Contains" CaseSensitive="false">/Pages/Admin/</Expression>
    </Expressions>
    <RedirectURL>http://blog.bugrapostaci.com/ErrorPages/401.aspx</RedirectURL>
    <Audiences>Guest</Audiences>
  </RestrictionRule>
</RestrictionRules>

  • Example 3: Deny all users whose IP address starts with "192.168.10"
<?xml version="1.0" encoding="utf-8"?>
<RestrictionRules xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema">
  <RestrictionRule Enabled="false" Action="Deny" Mode="RequestUserHostAddress" ContinueRuleList="false">
    <Expressions>
      <Expression Type="StartWith" CaseSensitive="false">192.168.10</Expression>
    </Expressions>
    <RedirectURL>http://blog.bugrapostaci.com/ErrorPages/401.aspx</RedirectURL>
    <Audiences> </Audiences>
  </RestrictionRule>
</RestrictionRules>
  • Example 4 : Multiple Rules
<?xml version="1.0" encoding="utf-8"?>
<RestrictionRules xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema">

  <RestrictionRule Enabled="false" Action="Deny" Mode="RequestURL" ContinueRuleList="true">
    <Expressions>
      <Expression Type="Contains" CaseSensitive="false">/Pages/Forms/</Expression>
      <Expression Type="Contains" CaseSensitive="false">/Pages/Admin/</Expression>
    </Expressions>
    <RedirectURL>http://blog.bugrapostaci.com/ErrorPages/401.aspx</RedirectURL>
    <Audiences>Guest</Audiences>
  </RestrictionRule>
  <RestrictionRule Enabled="false" Action="Deny" Mode="RequestUserHostAddress" ContinueRuleList="false">
    <Expressions>
      <Expression Type="StartWith" CaseSensitive="false">192.168.10</Expression>
    </Expressions>
    <RedirectURL>http://blog.bugrapostaci.com/ErrorPages/401.aspx</RedirectURL>
    <Audiences></Audiences>
  </RestrictionRule>
</RestrictionRules>

You can visit the project page:

http://restrictionmodule.codeplex.com

You can download the release version:

http://restrictionmodule.codeplex.com/releases/view/50844#DownloadId=144210

And here is the user manual:

http://restrictionmodule.codeplex.com/releases/view/50844#DownloadId=144633

Happy coding.

About bpostaci
Escalation Engineer at Microsoft.
