Lock Down ASP.NET MVC App Administration Site to LocalHost only

I have an ASP.NET MVC website that I would like to add a small administration page to. The issue I have is that I will be deploying this all over and I will not have SSL available. I am OK with requiring the administrator to remote desktop and use the local browser to perform the administration.

Can this be done? I would basically like to get the same behavior as <customErrors mode="RemoteOnly" /> except for my administration pages. Can I do this via web.config somehow?

Answers:


Method 1

Request.IsLocal is your friend.

http://msdn.microsoft.com/en-us/library/system.web.httprequest.islocal.aspx

You can use that to check that a request is coming from the local machine.

Custom Attribute

You could then extend this to be a custom attribute, but that might be overkill. If that is the route you choose, this is a good example that does something similar:

Custom Attributes on ActionResult

MVC3 onwards allows you to set an attribute at the controller level rather than only at the method level, so you could lock access to the entire controller responsible for the admin pages.

Method 2

I did it by writing a custom attribute, like this:

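using System.Security;
using System.Web;
using System.Web.Mvc;

// Authorization filter that only lets requests from the local machine through.
public class IsLocalAttribute : AuthorizeAttribute
{
    // When true, a non-local request throws instead of producing the
    // default unauthorized result.
    public bool ThrowSecurityException { get; set; }

    protected override bool AuthorizeCore(HttpContextBase httpContext)
    {
        // Request.IsLocal reports whether the request came from the local machine.
        var isLocal = httpContext.Request.IsLocal;
        if (!isLocal && ThrowSecurityException)
            throw new SecurityException();
        return isLocal;
    }
}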

Basic usage on an entire controller:

[IsLocal]
public class LocalOnlyController : Controller
{
    public ActionResult Index()
    {
        return View();
    }
}

or on a specific method:

public class SomeController : Controller
{
    [IsLocal]
    public ActionResult LocalOnlyMethod()
    {
        return View();
    }
}

If you want to throw a security exception instead of a 302 redirect:

public class SomeController : Controller
{
    [IsLocal(ThrowSecurityException = true)]
    public ActionResult LocalOnlyMethod()
    {
        return View();
    }
}
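
As an added example (not part of either answer above and not the original posters' code): a variant of the local-only attribute that answers non-local requests with a 404 instead of the default unauthorized result, and that also refuses requests carrying proxy forwarding headers, since a reverse proxy on the same host makes every relayed client look local to Request.IsLocal. The names LocalOnlyAttribute and AdminController and the header list are assumptions made for the illustration.

```csharp
using System;
using System.Web;
using System.Web.Mvc;

// Added illustration; LocalOnlyAttribute and AdminController are hypothetical names.
public sealed class LocalOnlyAttribute : AuthorizeAttribute
{
    // Assumption: a reverse proxy in front of the site sets one of these headers.
    // One that sets neither is not detected by this check.
    private static readonly string[] ForwardingHeaders = { "X-Forwarded-For", "Forwarded" };

    protected override bool AuthorizeCore(HttpContextBase httpContext)
    {
        if (httpContext == null)
            throw new ArgumentNullException("httpContext");

        HttpRequestBase request = httpContext.Request;

        // IsLocal: the connection comes from loopback or from the server's own address.
        if (!request.IsLocal)
            return false;

        // A proxy on the same host connects over loopback, so IsLocal is true for
        // every client it relays. Treat a forwarded request as remote.
        foreach (string name in ForwardingHeaders)
        {
            if (!string.IsNullOrEmpty(request.Headers[name]))
                return false;
        }
        return true;
    }

    // Answer 404 so remote callers get neither a login redirect nor a hint
    // that an administration area exists.
    protected override void HandleUnauthorizedRequest(AuthorizationContext filterContext)
    {
        filterContext.Result = new HttpNotFoundResult();
    }
}

// Applied at controller level, every action in the admin controller is covered.
[LocalOnly]
public class AdminController : Controller
{
    public ActionResult Index()
    {
        return View();
    }
}
```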


All methods were sourced from stackoverflow.com or stackexchange.com and are licensed under CC BY-SA 2.5, CC BY-SA 3.0 and CC BY-SA 4.0.
