How to do IP restriction with user authentication?

  • Question

  • Hi,

    I need to block a client when the validation in ValidateUserNamePasswordCore fails.

    The common problem is that no contexts exist at this early stage in the pipeline, as discussed in the link below and in many other forums: http://stackoverflow.com/questions/3550718/accessing-a-wcf-messageheader-when-operationcontext-current-is-null

    I can get the contexts using ASP.NET compatibility, but then I get other errors in my application, such as the Identity being set to Anonymous.

    I've tried extending WCF points in various ways as suggested in the link below, but all of them are called after validation: http://blogs.msdn.com/b/carlosfigueira/archive/2011/03/14/wcf-extensibility.aspx

    What are my options here?

    a.) Should I avoid .NET authentication and postpone user validation until after I've gathered the client's IP?

    b.) Is there a way to fix the ASP.NET IN/compatibility? Another guy ran into the same problem with Identity=Anonymous when using ASP.NET compatibility, but after a fix he ran into more problems with this setting: http://social.msdn.microsoft.com/Forums/vstudio/en-US/30a6c055-b3cb-44d2-ad02-4be2554e3765/geting-ip-address-of-client-when-using-usernamepasswordvalidator?forum=wcf

    c.) How would you try authenticating and, on failure, block the client (get his IP)? I can't find much on the web. Guys are usually throttling to prevent DoS attacks; I can't find any discussion about blocking on authentication failure.

    d.) I would also be able to solve the problem if WCF returned something else in Application_EndRequest's HttpContext.Current.Response.Status than "500 Internal Server Error". Can I modify my FaultException that's thrown on authentication failure somehow so that WCF gives another status? The client will get my FaultException but is there a way to receive anything in Application_EndRequest's param that would indicate something specific happened in WCF?


    Thank you very much!

    Kr, John




    Wednesday, March 26, 2014 9:52 AM

All replies

  • Configuring IP Address Restrictions and Basic Authentication

    Using the cybozu.com store account, you can configure IP address restrictions and Basic authentication at no additional charge.

    IP address restrictions limit access to services by IP address.
    Basic authentication authenticates users who access the services from the restricted IP addresses.
    Basic authentication provides a double authentication: First, Basic authentication requires a valid user name and password to access the login page. Then in the login page, it requires a login name and password for the user.

    For security reasons, set up Basic authentication together with IP address restrictions.

    https://help.cybozu.com/en/general/admin/ip_basic.html

    Friday, March 28, 2014 9:31 AM