Avoiding guests (private blog)

Topics: ASP.NET 2.0, Themes
Sep 4, 2009 at 2:20 PM

Hi,
I would like to deploy BlogEngine.NET only as an engine that:

1. should not be browsed by anonymous on the internet (no public UI)
2. can be used with LiveWriter from internet (only from me, authenticated user, and that's the default)
3. can be used from another web application that read RSS content (using credentials)

To satisfy point 1, I changed the web.config this way:

<authorization>
  <deny users="?" />
</authorization>

To satisfy point 2, I added these tags to the web.config:

and then gave authorization to anonymous users (using the location element) on "themes", "js.axd" and "metaweblog.axd":
<location path=".....">
  <system.web>
    <authorization>
      <allow users="*" />
    </authorization>
  </system.web>
</location>

I also modified the master page in the themes folder using a LoginView control, so that the sidebar does not appear to anonymous.

Now the problem is point 3. The other web application needs the feeds (I use argotic library for this purpose).
When reading the feed, the request to "/BlogEngine/syndication.axd" is redirected to the login page and the request fails.
Argotic lets me specify the credentials, and I did, but the redirect obviously occurs before that.

Is there any simple solution to satisfy my three points above?

Thanks

Coordinator
Sep 4, 2009 at 6:42 PM

You might take a look here to see if it will work for you. I used a little extension to do authorization for a private blog instead of denying guests, in part for scenarios like yours.

Sep 4, 2009 at 7:50 PM

Hi rtur,
nice class, but it's equivalent to the work I did. If anybody tries to access blog pages, ASP.NET redirects to the login.aspx page (using the selected theme's master page).
I had to allow "themes", "js.axd" and "metaweblog.axd" since these resources are used by login.aspx and the master page themselves.
LoginView control templates let you very easily customize the master page for logged-in or anonymous users.

What I really would like is the ability to use a NetworkCredential instance in the argotic library (they do support authentication to protected feeds) in order to read the feed.

This is actually not possible in BlogEngine since syndication.axd is virtual and AFAIK does not make any security check. In other words if I allow syndication.axd, every user will be able to read the content and no security check will be possible to avoid guests.

Actually I partially solved the problem this way:
1. allowing access to the syndication.axd resource with the ASP.NET location element shown above

2. adding to web.config the IIS7-specific system.webServer element:
<!-- In order to make this setting work, run this statement from a command prompt -->
<!-- appcmd.exe unlock config -section:system.webServer/security/ipSecurity -->
<location path="syndication.axd">
  <system.webServer>
    <security>
      <ipSecurity allowUnlisted="false">
        <add ipAddress="127.0.0.1" allowed="true" />
      </ipSecurity>
    </security>
  </system.webServer>
</location>
This further modification means that ASP.NET allows syndication.axd to everybody, while the IIS7-specific ipSecurity filter allows access to syndication.axd only from 127.0.0.1.

I really don't like this solution. If I can express a wish for this beautiful piece of work called BlogEngine, I would suggest splitting the project into multiple parts:
a. the engine itself without any knowledge of UI
b. syndication protocol
c. metaweblog protocol
d. ....

each of them should support authentication/authorization. This would probably fit with the multiblog wish I read in past threads.

Anyway, my problem is simpler and I want to congratulate the authors.
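One way to give syndication.axd the in-band credential check the post above wishes for, as an added example rather than BlogEngine.NET's own code: a hypothetical ASP.NET 2.0 IHttpModule that challenges feed requests with HTTP Basic authentication and validates the credentials against the site's Membership provider (assumed to be where the blog's users live), so a feed reader supplying a NetworkCredential never hits the Forms login redirect. The module name, the challenge-flag key and the realm string are made up for the example.

```csharp
using System;
using System.Security.Principal;
using System.Text;
using System.Web;
using System.Web.Security;

public class FeedBasicAuthModule : IHttpModule {
    private const string ChallengeFlag = "FeedBasicAuthModule.Challenge"; // hypothetical key

    public void Init(HttpApplication app) {
        app.AuthenticateRequest += OnAuthenticateRequest;
        app.EndRequest += OnEndRequest;
    }
    public void Dispose() { }

    private static void OnAuthenticateRequest(object sender, EventArgs e) {
        HttpApplication app = (HttpApplication)sender;
        // Only the feed handler gets Basic auth; every other page keeps Forms authentication.
        if (!app.Request.Path.EndsWith("/syndication.axd", StringComparison.OrdinalIgnoreCase)) return;
        string user, password;
        if (TryParseBasicHeader(app.Request.Headers["Authorization"], out user, out password)
            && Membership.ValidateUser(user, password)) {   // assumed Membership-backed user store
            // Authenticated in-band, so <deny users="?"/> in web.config now lets the feed through.
            app.Context.User = new GenericPrincipal(new GenericIdentity(user, "Basic"), new string[0]);
            return;
        }
        // Missing or bad credentials: flag a challenge and skip the handler entirely.
        app.Context.Items[ChallengeFlag] = true;
        app.CompleteRequest();
    }

    private static void OnEndRequest(object sender, EventArgs e) {
        HttpApplication app = (HttpApplication)sender;
        if (app.Context.Items[ChallengeFlag] == null) return;
        // The 401 is set here, after FormsAuthenticationModule's EndRequest handler has run;
        // set any earlier, that module rewrites it into the redirect to login.aspx seen in the thread.
        app.Response.Clear();
        app.Response.StatusCode = 401;
        app.Response.AppendHeader("WWW-Authenticate", "Basic realm=\"blog feed\"");
    }

    // Parses "Basic base64(user:password)"; anything malformed counts as no credentials.
    private static bool TryParseBasicHeader(string header, out string user, out string password) {
        user = password = null;
        if (header == null || !header.StartsWith("Basic ", StringComparison.OrdinalIgnoreCase)) return false;
        string decoded;
        try { decoded = Encoding.UTF8.GetString(Convert.FromBase64String(header.Substring(6).Trim())); }
        catch (FormatException) { return false; }
        int colon = decoded.IndexOf(':');
        if (colon <= 0) return false;
        user = decoded.Substring(0, colon); password = decoded.Substring(colon + 1);
        return true;
    }
}
```

Register the module under <httpModules> (or <system.webServer><modules> on IIS7) and serve the feed over HTTPS only, since Basic auth resends the credentials with every request.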