As the title says really - is there a built in c# (or MVC) variable, ie something in httpcontext or something like that, that can tell me if the site has been deployed to the live server (or if it is running locally) or do I need to put something into the web.config?
Also does
#if DEBUG
#endif
Only fire locally or can a deployed site also run in debug mode?
There is nothing built-in that you can use. You need to give your application that capability yourself.
If you know the IP address or domain name of the "live" web server, you can use Request.ServerVariables["LOCAL_ADDR"] or the Request.Url.Host property respectively to determine whether or not it has been deployed.
public bool IsDeployed()
{
return Request.ServerVariables["LOCAL_ADDR"] == "123.123.123.123";
// or for domain name
return Request.Url.Host == "mydomain.com";
}
Related
I looked for a solution to this problem that seems simple to me without success on the internet.
In a sample project I've made for the test :
I have a Controller NotAuthorizedwith a public ActionResult Index() { return View(); }
The Index view only contain the text This page need to be only available in local.
So, my problem is that, I want that the only way to access NotAuthorized/Index is from IIS himself, anybody from LAN or WAN need to get a 403 error.
I think web.config can do the job but is it secured ? and how to implement it ?
It's for a big project, I need to block an API from internet because only the application need to use it.
In the final project, the application use it by local adress like "127.0.0.1/xxx".
Sorry for my english, not my language.
Edit : (following greatbear302 solution)
Tested on a published application with WebDeploy (what I need).
The site bindings are :
192.168.0.5:9999
testmvc on 192.168.0.5:80
On IIS, I click on my site, and in the Views directory, on my 'NotAuthorized' directory who contain the page I don't want users can access.
On the IP Address and Domain Restrictions, I've set All deny and 192.168.0.5 (IIS) authorized.
running tests :
192.168.0.5:9999/NotAuthorized: I see the page.
testmvc/NotAuthorized : I see the page.
I don't know what to do next.
In IIS
Click on your site
Click IP Address and Domain Restrictions (if this feature is missing, install from Add Remove Windows Components in Control Panel)
Click Allow Entry on right most pane
In Specific IP Address field, enter the IP address of the server hosting your API and click OK
Click Edit Feature Settings, in Access for Unspecified Clients, select Deny and click OK
Without any success with IIS, I go on a basic IP filtering on the application.
My IIS execute the application on 192.168.0.5 so here my code :
public ActionResult Index() {
ViewBag.UserIP = Request.UserHostAddress;
if (Request.UserHostAddress != "192.168.0.5")
throw new HttpException((int)System.Net.HttpStatusCode.Forbidden, "Accès non autorisé");
return View();
}
It do the job. I'll see in the future if I can make a better solution for my problem.
I have a single ASMX web service that has a host of methods that can be called. However, I'm wanting to restrict certain methods so that the caller either needs to be authenticated in order to be able to call them, or even better can only be called from the local server in which the service is running from.
Basically those methods needing to be protected will be called by the Microsoft Windows Scheduler on the local server.
Is either option possible, and what is the best and preferred way of achieving this.
At the top of the web services you want to protect, you can do something like:
if (!Request.IsLocal)
{
Response.StatusCode = 401;
Response.StatusDescription = "Unauthorized";
return null;
}
You could also check if they are authenticated with the IsAuthenticated property.
Of the two methods you mention, by far the easiest is to restrict access to just the local server. You can do this through code (as another comment has noted), or by administration of IIS itself.
If you load up the IIS Manager and select the folder that your asmx file is in, you'll see on the right-hand side a section 'IP Address and Domain Restrictions'. Open this up, add a default deny rule, and then an allow rule for 127.0.0.1.
Be aware that using this method will restrict all services in this folder, so you may need to move this into its own folder if this isn't required or desirable.
I am doing some work with OAuth and need to get the URL of the request. To do this I am doing the following:
operationContext.RequestContext.RequestMessage.Properties.Via
This was working great in Visual Studio Development Server because it would return
http://localhost:12345/{myrequest}
However, when pushed to IIS, and setting my project properties to use Custom Web Server with a value of this:
http://www.mydomain.com/
This is now showing a URL like the following in my RequestContext:
http://{machinename}/{myrequest}
Instead of:
http://www.mydomain.com/{myrequest}
Is this an IIS setting? To get around this, I am forced to modify the URI instance to swap out the machine name with the domain name. This is non-ideal.
Anything I am missing here?
I am currently running a WCF service on an AppFabric server and my application needs to load a the web.config file dynamically to retrieve custom configuration sections.
On my development machine I can just load the configuration like this:
WebConfigurationManager.OpenMappedWebConfiguration(webMappedFile, virtualPath);
But on the test machine (AppFabric server) I am getting an exception and it seems that I need to specify a third parameter which is actually the site the web application is running on:
WebConfigurationManager.OpenMappedWebConfiguration(webMappedFile, virtualPath, "MySite");
So I tried to hard code it and it worked. Anyway this is not acceptable, so I need to dynamically provide the site to the WebConfigurationManager because I do not on which site the service will be running in the future. Do anybody knows how to achieve that?
Thanks.
If you are running this code as part of handling a request you could use:
Request.ServerVariables("server_name")
see: http://msdn.microsoft.com/en-us/library/ms525396(VS.90).aspx
Edit based on your comment
The parameter that you need is the Site Name, not the machine name, your code be running on many machines. If the code is running somewhere where it no longer knows that it is on a web site, then it is difficult for it to get the name of the web site that it is running on.
You then have two options:
Send the name as a parameter from a layer that has httpconext
Not sure if this will work: but you could try adding a reference to system.web to your project. It may compile, but you could get a null reference exception when you run it. Probably worth a try.
How about Server.MachineName
I have a fairly complex web app that was built (by a contractor) to use integrated authentication. As part of the authentication process, a GetNetworkID() function is used that looks like this:
private string GetNetworkID()
{
return HttpContext.Current.User.Identity.Name.Split(new char[] { '\\' })[1];
}
When I run this on my development box, the HttpContext.Current.User.Identity.Name value is
myNetwork\\myUserID, so the above funciton returns my User ID, as intended, and the authenticaiton process works just fine.
But when I run this on my web server, I get an Index was outside the bounds of the array error thrown by the return statement in the GetNetworkID() function.
I'm a bit lost on how to troubleshoot this and how to figure out if it's an IIS configuration issue (my web server is a Windows Server 2008 box running IIS 7), or something else.
If I hard-code my User ID as the return value for the GetNetworkID() function, it works on the web server, but I don't have any great ideas about how to debug on the web server to determine what the HttpContext.Current.User.Identity.Name return value is that's causing the array index error.
Any suggestions?
IIS runs as the IIS Service Account, so Current.User.Identity is likely going to be the name of the IIS Account.
For completeness sake, you should check for '\' either with a Find() or by calling split, and checking the length of the resultant array. If the length is 1, that means the id isn't in the form of domain\username.
In general, if you want to debug, you can write any value to the HTTP Response stream like so:
Response.Write(HttpContext.Current.User.Identity.Name)
Another method is to setup an ASP page variable, and set the page variable to the value you'd like to inspect. You can display the variable value either through ASP code, or through Javascript.
You might be missing an IIS setting.
Try in IIS:
Website (right click) | Properties | Directory Security (tab)
Click "Edit..."
Then select "Integrated Windows Authentication"
I think the user that logs into your web applciation on the other server, is not a valid login. And hence a result is not returned on User.Identity.Name.
Like you said, it works when you hardcoded the username.
This means, the user creditials of the PC you are using to login is not permitted on your site. This therefore must be different to the credentials you are hardcoding.
Best bet is to debug on web server (it isn't hard - all you want to return is the User.Identity.Name and you can get the username and deduce logic from there), and verify the contents in your web.config file.
As Alan pointed out (and I upvoted him for it) you probably want to add a check on what form the User.Identity.Name takes. An updated routine could for example look like this:
private string GetNetworkID()
{
var name = HttpContext.Current.User.Identity.Name;
return name.InStr("\\") > -1 ? name.Split("\\")[1] : name;
}
This will return the second part of the login name if a \ is present, and the full string if not.