[CLOSED] bypassing authentication for EXTJS EXTNET resources

  1. #1

    Hi,

    I saw in the MVC example a method of bypassing authentication for EXTJS EXTNET resources:

        protected void Application_AuthenticateRequest(object sender, System.EventArgs e)
        {
            // Skip URL authorization when the raw URL mentions the Ext.NET resource handler.
            string url = HttpContext.Current.Request.RawUrl.ToLower();
            if (url.Contains("ext.axd"))
            {
                HttpContext.Current.SkipAuthorization = true;
            }
            // ...more unrelated code...
        }

    But I'm not using MVC, and I did the following in web.config for all the folders generated by ext.net at runtime:

        <location path="extjs">
          <system.web>
            <authorization>
              <allow users="*" />
            </authorization>
          </system.web>
        </location>
        <location path="extnet">
          <system.web>
            <authorization>
              <allow users="*" />
            </authorization>
          </system.web>
        </location>
        <location path="icons">
          <system.web>
            <authorization>
              <allow users="*" />
            </authorization>
          </system.web>
        </location>
        <location path="ux">
          <system.web>
            <authorization>
              <allow users="*" />
            </authorization>
          </system.web>
        </location>

    It works fine, but I want to know if this is a good solution or if it's a hack, because extnet already has 2 configs! What is the use of these 2 configs:

        <section name="extnet" type="Ext.Net.GlobalConfig" requirePermission="false"/>
        <httpHandlers>
          <add path="*/ext.axd" verb="*" type="Ext.Net.ResourceHandler" validate="false"/> <!-- is validate=false supposed to bypass auth?! -->
        </httpHandlers>

    I'm afraid that allowing full access to all ext resources is bad, in that a hacker might invoke DirectRequest without authentication! Or that's not true! Also, is global.asax better than doing it in web.config!!

    Please advise,

    Thanks,
    Last edited by Daniil; May 02, 2011 at 11:28 AM. Reason: [CLOSED]
  2. #2
    Hi,

    You can use that Application_AuthenticateRequest code in your WebForm application because it is not something specific to MVC.

    "I'm afraid that allowing full access to all ext resources is bad, in that a hacker might invoke DirectRequest without authentication! Or that's not true! Also, is global.asax better than doing it in web.config!!"

    Opening public access for ext resources is fine (otherwise you cannot use them on the login page).
    DirectRequest is a simple XMLHttpRequest (which can be initiated without Ext.Net); that request, without an authentication cookie, cannot open a page in the secure area.
    Vladimir Shcheglov
    Sr. Developer
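
An added example, not part of the original thread and not Ext.NET's own code: a stricter form of the Application_AuthenticateRequest check discussed above, which skips authorization only when the executing handler path is ext.axd itself rather than when the raw URL merely contains that text. The class name `Global` and the helper `IsExtNetResourceRequest` are assumptions made for this example; the handler path comes from the `*/ext.axd` mapping quoted in the first post.

```csharp
using System;
using System.Web;

// Hypothetical Global.asax code-behind for a WebForms application.
public class Global : HttpApplication
{
    // Suffix taken from the handler mapping on this page: path="*/ext.axd".
    private const string ResourceHandlerSuffix = "/ext.axd";

    // Helper name is an assumption for this example.
    // Request.FilePath holds the virtual path of the executing resource only:
    // it excludes the query string and any trailing path info, both of which
    // are part of RawUrl. A substring test on RawUrl therefore also matches
    // requests for protected pages whose URL just happens to mention "ext.axd".
    internal static bool IsExtNetResourceRequest(HttpRequest request)
    {
        return request.FilePath.EndsWith(
            ResourceHandlerSuffix, StringComparison.OrdinalIgnoreCase);
    }

    protected void Application_AuthenticateRequest(object sender, EventArgs e)
    {
        HttpContext context = HttpContext.Current;

        if (IsExtNetResourceRequest(context.Request))
        {
            // UrlAuthorizationModule will not apply the <authorization>
            // rules from web.config to this one request.
            context.SkipAuthorization = true;
        }

        // Every other request, including an XMLHttpRequest sent to a page in
        // the secure area, is still evaluated against the normal rules and
        // is rejected without a valid authentication cookie.
    }
}
```

With this check in place, only the static script, style and icon resources served through ext.axd are public, which is what a login page needs.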
