I have created a generic handler inside an Entity Framework application that displays data from a table. I want to secure the handler in case anyone tries to access it directly with the URL or otherwise. Where and how do I write the username and password that authenticates before processing and bringing up the data when this is called from another application? (The calling application will have the username and pwd.)

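using System.Web;

public class MyDatahandler : IHttpHandler
{
    // Required by IHttpHandler; false means a new instance is created per request.
    public bool IsReusable
    {
        get { return false; }
    }

    public void ProcessRequest(HttpContext context)
    {
        context.Response.Clear();
        context.Response.ContentType = "text/plain";

        // Instantiate the application's data logic class and render the table data.
        Mydatalogic a = new Mydatalogic();
        a.DisplayView();
    }
}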

The calling request is using request.Credentials = new NetworkCredential(userName, password); where we have a mutual agreement on what username and password to use. Where will I map these in my handler?

1 Answer

What you are looking for is the AuthorizeAttribute. This allows you to use role based permissions to access your classes and methods for

Here are some additional attributes that can help lock down your pages:

[HttpPost] //URL Post method only

[HttpGet] //URL Get method only

[ChildActionOnly] //Not accessible via URL

EDIT

You want to secure the handler in case anyone tries to access it directly with the url, right? To do this, check the server variable HTTP_REFERER from within MyDatahandler_ProcessRequest. If the user isn't coming from where they should be, throw an HTTP 403 error.

In your web.config, try adjusting it to:

<authorization>
    <allow verbs="POST" users="*"/>
    <deny verbs="GET" users="*"/> 
</authorization> 

This will prevent any direct URL access using URL parameters.

Ian
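
An added example, not part of the original answer or the asker's project: one way to validate, inside the handler, the credentials the caller sends via request.Credentials = new NetworkCredential(userName, password). It assumes HTTP Basic authentication over HTTPS, that IIS uses anonymous authentication for this path so the Authorization header reaches the handler, and two hypothetical appSettings keys, HandlerUser and HandlerPassword; the class name BasicAuthDataHandler is also hypothetical.

```csharp
using System;
using System.Configuration;
using System.Text;
using System.Web;

public class BasicAuthDataHandler : IHttpHandler   // hypothetical name
{
    public bool IsReusable { get { return false; } }

    public void ProcessRequest(HttpContext context)
    {
        // Basic credentials are only base64-encoded: never challenge over plain HTTP.
        if (!context.Request.IsSecureConnection) { context.Response.StatusCode = 403; return; }
        if (!IsAuthorized(context.Request))
        {
            context.Response.StatusCode = 401;
            // The challenge makes a client using request.Credentials resend with an Authorization header.
            context.Response.AddHeader("WWW-Authenticate", "Basic realm=\"MyData\"");
            return;
        }
        context.Response.ContentType = "text/plain";
        // Authenticated: produce the data here (the question's a.DisplayView()).
    }

    private static bool IsAuthorized(HttpRequest request)
    {
        string header = request.Headers["Authorization"];
        if (header == null || !header.StartsWith("Basic ", StringComparison.OrdinalIgnoreCase))
            return false;
        string decoded;
        try { decoded = Encoding.UTF8.GetString(Convert.FromBase64String(header.Substring(6).Trim())); }
        catch (FormatException) { return false; }   // malformed base64
        int colon = decoded.IndexOf(':');            // format is "user:password"
        if (colon < 0) return false;
        // Hypothetical appSettings keys; keep the real values out of source control.
        string user = ConfigurationManager.AppSettings["HandlerUser"];
        string pass = ConfigurationManager.AppSettings["HandlerPassword"];
        if (string.IsNullOrEmpty(user) || string.IsNullOrEmpty(pass)) return false;  // fail closed
        // Non-short-circuit & so both fields are always compared.
        return FixedTimeEquals(decoded.Substring(0, colon), user)
             & FixedTimeEquals(decoded.Substring(colon + 1), pass);
    }

    // Comparison whose running time does not depend on where the first mismatch is.
    private static bool FixedTimeEquals(string candidate, string expected)
    {
        byte[] x = Encoding.UTF8.GetBytes(candidate), y = Encoding.UTF8.GetBytes(expected);
        int diff = x.Length ^ y.Length;
        for (int i = 0; i < x.Length; i++) diff |= x[i] ^ y[i % y.Length];
        return diff == 0;
    }
}
```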