Welcome Guest! To enable all features please Login or Register.

Notification

Icon
Error

Disabling the Cassini Explorer on port 7756 for all except http://localhost:7756
Guest
#1 Posted : Wednesday, June 21, 2006 3:08:30 AM(UTC)
Groups:
Joined: 11/1/2005(UTC)
Posts: 278

It is possible to disable the Cassini Explorer. I would like to use Cassini is as a web server, and I don't want all users to have access to the explore configuration.

It would be nice if the explorer were only accessible from http://localhost:7756

Is that possible?
Ultidev Team
#2 Posted : Wednesday, June 21, 2006 6:43:44 AM(UTC)
Ultidev Team

Groups: Administration
Joined: 11/3/2005(UTC)
Posts: 2,253

Thanks: 28 times
Was thanked: 60 time(s) in 59 post(s)
Hi, Søren.

Do you mean, that accessing from outside, like by http://machinename:7756/, would be disabled? And only access from localhost and 127.0.0.1 would be open?

Best regards,
UltiDev Team.
Please donate at http://www.ultidev.com/products/Donate.aspx to help us improve our products.
Guest
#3 Posted : Friday, June 23, 2006 12:48:24 PM(UTC)
Groups:
Joined: 11/1/2005(UTC)
Posts: 278

Not sure if Soren meant that, but I would like to ask that question. I do not want anyone but local host to be able to access the cassini server. How can this be done?
Ultidev Team
#4 Posted : Saturday, June 24, 2006 7:41:54 AM(UTC)
Ultidev Team

Groups: Administration
Joined: 11/3/2005(UTC)
Posts: 2,253

Thanks: 28 times
Was thanked: 60 time(s) in 59 post(s)
Hi, All.

If the use case is prohibiting remote access to a given custom (non Cassini Explorer) application, then it would have to be done programmatically because Cassini itself cannot limit incoming request to a range of IP addresses like it's done in IIS. There are probably a million different ways to do this programmatically in your application. The first thing we came up with is to put the following code (C#) in the Global.asax:
Code:
        
// This method determines whether request came from the same IP address as the server
public static bool IsLocalRequest(HttpRequest request)
{
    return request.ServerVariables["LOCAL_ADDR"] == request.ServerVariables["REMOTE_ADDR"];
}

// this is one of existing Global.asax methods
protected void Application_AuthenticateRequest(Object sender, EventArgs e)
{
    HttpApplication app = sender as HttpApplication;
    if(!IsLocalRequest(app.Context.Request))
        throw new HttpException(403, "Remote access is prohibited");
}


Please let us know if this helps.

All the best,
UltiDev Team.
Please donate at http://www.ultidev.com/products/Donate.aspx to help us improve our products.
Guest
#5 Posted : Monday, June 26, 2006 10:20:00 AM(UTC)
Groups:
Joined: 11/1/2005(UTC)
Posts: 278

I want to not only lock down my apps, but yours as well. I have ASP gui in a mobile application distributed to 1000s of users. IT guys are very security conscience. In cassini 1.0, I modified the code to ignore anything other than localhost. That seemed to pacify the IT guys. I am not sure they will be tolerant of this one. Do you have any white papers or other documentation describing security concerns?
Guest
#6 Posted : Monday, June 26, 2006 11:31:54 AM(UTC)
Groups:
Joined: 11/1/2005(UTC)
Posts: 278

Message was deleted by a User.
Ultidev Team
#7 Posted : Monday, June 26, 2006 1:37:49 PM(UTC)
Ultidev Team

Groups: Administration
Joined: 11/3/2005(UTC)
Posts: 2,253

Thanks: 28 times
Was thanked: 60 time(s) in 59 post(s)
Hi!

We do not have a formal document addressing security concerns at this point. But here are a few security-related points to consider:
- Cassini was not designed to be an enterprise-strength web server. It is rather a group-, family- and a personal-level web server intended to be used primarily in intranets and home networks;
- By default UltiDev Cassini runs under powerful "Local System" account. Taking over UltiDev Cassini means taking over entire computer if service's user account left unchanged. To improve security use different, more restricted identity for the Cassini service. (Using different user account for the service will make Cassini Explorer a read-only application as it needs extra privileges to save application configuration information).
- To disable Cassini Explorer you could either modify its Default.aspx and ApplicationDetails.aspx to make them useless, or if you don't need the functionality of the GoToApplication.aspx and CassiniConfigurationService.asmx - just manually remove the Cassini Explorer entry from the CassiniMetabase.xml file altogether. The file is located in "C:\Documents and Settings\All Users\Application Data\UltiDev\Cassini\" folder. Do not disable Cassini Explorer if other Cassini-based applications can be installed on the computer.

Please let us know if there are some other specifics you'd like to know more about.

Best regards,
UltiDev Team.
Please donate at http://www.ultidev.com/products/Donate.aspx to help us improve our products.
Guest
#8 Posted : Friday, June 30, 2006 4:21:34 AM(UTC)
Groups:
Joined: 11/1/2005(UTC)
Posts: 278

I was planning on using the cassini web server to deploy a asp.net application on a large intranet. Security is not a big concern. But I would like that it is only me that can configure the server with Cassini Explorer.

Thanks for the answer.
Ultidev Team
#9 Posted : Friday, June 30, 2006 6:54:04 AM(UTC)
Ultidev Team

Groups: Administration
Joined: 11/3/2005(UTC)
Posts: 2,253

Thanks: 28 times
Was thanked: 60 time(s) in 59 post(s)
Hi, Søren.

If you are using Cassini inside the LAN, then you should be OK security-wise if the threat level from inside is not high. You could disable Cassini Explorer by one of the methods desribed in our previous post if that resolves your concer about limiting access to Cassini Explorer.

All the best,
UltiDev Team.
Please donate at http://www.ultidev.com/products/Donate.aspx to help us improve our products.
Ultidev Team
#10 Posted : Tuesday, July 11, 2006 5:37:25 AM(UTC)
Ultidev Team

Groups: Administration
Joined: 11/3/2005(UTC)
Posts: 2,253

Thanks: 28 times
Was thanked: 60 time(s) in 59 post(s)
Hi all!

A quick update: in the new version released on July 10, it is posiible to uninstall Cassini Explorer if you don't need it. After you have installed the new version, just go to Add/Remove Applications Control Panel applet and find UltiDev Cassini Web Server Explorer.

Regards,
UltiDev Team.
Please donate at http://www.ultidev.com/products/Donate.aspx to help us improve our products.
Rss Feed  Atom Feed
Users browsing this topic
Guest (5)
Forum Jump  
You cannot post new topics in this forum.
You cannot reply to topics in this forum.
You cannot delete your posts in this forum.
You cannot edit your posts in this forum.
You cannot create polls in this forum.
You can vote in polls in this forum.