Disabling the Cassini Explorer on port 7756 for all except http://localhost:7756
Guest
#1 Posted : Wednesday, June 21, 2006 3:08:30 AM(UTC)
Groups:
Joined: 11/1/2005(UTC)
Posts: 278

It is possible to disable the Cassini Explorer. I would like to use Cassini as a web server, and I don't want all users to have access to the explore configuration.

It would be nice if the explorer were only accessible from http://localhost:7756

Is that possible?
Ultidev Team
#2 Posted : Wednesday, June 21, 2006 6:43:44 AM(UTC)
Ultidev Team

Groups: Administration
Joined: 11/3/2005(UTC)
Posts: 2,253

Thanks: 28 times
Was thanked: 60 time(s) in 59 post(s)
Hi, Søren.

Do you mean that accessing from outside, like by http://machinename:7756/, would be disabled? And only access from localhost and 127.0.0.1 would be open?

Best regards,
UltiDev Team.
Please donate at http://www.ultidev.com/products/Donate.aspx to help us improve our products.
Guest
#3 Posted : Friday, June 23, 2006 12:48:24 PM(UTC)
Groups:
Joined: 11/1/2005(UTC)
Posts: 278

Not sure if Soren meant that, but I would like to ask that question. I do not want anyone but localhost to be able to access the Cassini server. How can this be done?
Ultidev Team
#4 Posted : Saturday, June 24, 2006 7:41:54 AM(UTC)
Ultidev Team

Groups: Administration
Joined: 11/3/2005(UTC)
Posts: 2,253

Thanks: 28 times
Was thanked: 60 time(s) in 59 post(s)
Hi, All.

If the use case is prohibiting remote access to a given custom (non-Cassini Explorer) application, then it would have to be done programmatically because Cassini itself cannot limit incoming requests to a range of IP addresses like it's done in IIS. There are probably a million different ways to do this programmatically in your application. The first thing we came up with is to put the following code (C#) in the Global.asax:
Code:
        
// This method determines whether request came from the same IP address as the server
public static bool IsLocalRequest(HttpRequest request)
{
    return request.ServerVariables["LOCAL_ADDR"] == request.ServerVariables["REMOTE_ADDR"];
}

// this is one of existing Global.asax methods
protected void Application_AuthenticateRequest(Object sender, EventArgs e)
{
    HttpApplication app = sender as HttpApplication;
    if(!IsLocalRequest(app.Context.Request))
        throw new HttpException(403, "Remote access is prohibited");
}


Please let us know if this helps.

All the best,
UltiDev Team.
Please donate at http://www.ultidev.com/products/Donate.aspx to help us improve our products.
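A stricter form of the address check from the post above, as an added example that is not part of the original thread or UltiDev's code: it parses both addresses, accepts IPv4 and IPv6 loopback, and treats unparseable input as remote. The class name, the sample address pairs and the use of .NET Framework 4.5+ members (IsIPv4MappedToIPv6, MapToIPv4) are assumptions.

```csharp
using System;
using System.Net;

// Hypothetical helper class; in Global.asax the two arguments would come from
// request.ServerVariables["LOCAL_ADDR"] and request.ServerVariables["REMOTE_ADDR"].
public static class LocalRequestCheck
{
    // True only when the caller is on loopback or connected from the very
    // address the server accepted the connection on (the thread's original test).
    // Input that does not parse as an IP address is treated as remote (fail closed).
    public static bool IsLocalRequest(string localAddr, string remoteAddr)
    {
        IPAddress local, remote;
        if (!IPAddress.TryParse(remoteAddr, out remote))
            return false;
        remote = Normalize(remote);
        if (IPAddress.IsLoopback(remote))
            return true;
        return IPAddress.TryParse(localAddr, out local)
            && Normalize(local).Equals(remote);
    }

    // Collapse IPv4-mapped IPv6 (::ffff:a.b.c.d) to plain IPv4 so that
    // "::ffff:127.0.0.1" and "127.0.0.1" are compared as the same address.
    private static IPAddress Normalize(IPAddress address)
    {
        return address.IsIPv4MappedToIPv6 ? address.MapToIPv4() : address;
    }

    public static void Main()
    {
        // Constructed sample pairs: { LOCAL_ADDR, REMOTE_ADDR }
        string[][] samples =
        {
            new[] { "127.0.0.1",    "127.0.0.1" },        // browser on the server, IPv4 loopback
            new[] { "::1",          "::1" },              // browser on the server, IPv6 loopback
            new[] { "192.168.1.20", "192.168.1.20" },     // same machine via its LAN address
            new[] { "192.168.1.20", "192.168.1.57" },     // another host on the LAN
            new[] { "192.168.1.20", "::ffff:127.0.0.1" }, // loopback on a dual-stack socket
            new[] { "192.168.1.20", "not-an-ip" }         // malformed value
        };
        foreach (string[] s in samples)
            Console.WriteLine("LOCAL_ADDR={0} REMOTE_ADDR={1} local={2}",
                              s[0], s[1], IsLocalRequest(s[0], s[1]));
    }
}
```

REMOTE_ADDR is the TCP peer address, so if a reverse proxy on the same machine forwards requests to the application, every request looks local to this check.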
Guest
#5 Posted : Monday, June 26, 2006 10:20:00 AM(UTC)
Groups:
Joined: 11/1/2005(UTC)
Posts: 278

I want to not only lock down my apps, but yours as well. I have an ASP GUI in a mobile application distributed to 1000s of users. IT guys are very security conscious. In Cassini 1.0, I modified the code to ignore anything other than localhost. That seemed to pacify the IT guys. I am not sure they will be tolerant of this one. Do you have any white papers or other documentation describing security concerns?
Guest
#6 Posted : Monday, June 26, 2006 11:31:54 AM(UTC)
Groups:
Joined: 11/1/2005(UTC)
Posts: 278

Message was deleted by a User.
Ultidev Team
#7 Posted : Monday, June 26, 2006 1:37:49 PM(UTC)
Ultidev Team

Groups: Administration
Joined: 11/3/2005(UTC)
Posts: 2,253

Thanks: 28 times
Was thanked: 60 time(s) in 59 post(s)
Hi!

We do not have a formal document addressing security concerns at this point. But here are a few security-related points to consider:
- Cassini was not designed to be an enterprise-strength web server. It is rather a group-, family- and a personal-level web server intended to be used primarily in intranets and home networks;
- By default UltiDev Cassini runs under the powerful "Local System" account. Taking over UltiDev Cassini means taking over the entire computer if the service's user account is left unchanged. To improve security, use a different, more restricted identity for the Cassini service. (Using a different user account for the service will make Cassini Explorer a read-only application as it needs extra privileges to save application configuration information).
- To disable Cassini Explorer you could either modify its Default.aspx and ApplicationDetails.aspx to make them useless, or if you don't need the functionality of the GoToApplication.aspx and CassiniConfigurationService.asmx - just manually remove the Cassini Explorer entry from the CassiniMetabase.xml file altogether. The file is located in "C:\Documents and Settings\All Users\Application Data\UltiDev\Cassini\" folder. Do not disable Cassini Explorer if other Cassini-based applications can be installed on the computer.

Please let us know if there are some other specifics you'd like to know more about.

Best regards,
UltiDev Team.
Guest
#8 Posted : Friday, June 30, 2006 4:21:34 AM(UTC)
Groups:
Joined: 11/1/2005(UTC)
Posts: 278

I was planning on using the Cassini web server to deploy an ASP.NET application on a large intranet. Security is not a big concern. But I would like to be the only one who can configure the server with Cassini Explorer.

Thanks for the answer.
Ultidev Team
#9 Posted : Friday, June 30, 2006 6:54:04 AM(UTC)
Ultidev Team

Groups: Administration
Joined: 11/3/2005(UTC)
Posts: 2,253

Thanks: 28 times
Was thanked: 60 time(s) in 59 post(s)
Hi, Søren.

If you are using Cassini inside the LAN, then you should be OK security-wise if the threat level from inside is not high. You could disable Cassini Explorer by one of the methods described in our previous post if that resolves your concern about limiting access to Cassini Explorer.

All the best,
UltiDev Team.
Ultidev Team
#10 Posted : Tuesday, July 11, 2006 5:37:25 AM(UTC)
Ultidev Team

Groups: Administration
Joined: 11/3/2005(UTC)
Posts: 2,253

Thanks: 28 times
Was thanked: 60 time(s) in 59 post(s)
Hi all!

A quick update: in the new version released on July 10, it is possible to uninstall Cassini Explorer if you don't need it. After you have installed the new version, just go to Add/Remove Applications Control Panel applet and find UltiDev Cassini Web Server Explorer.

Regards,
UltiDev Team.