Friday, October 5, 2012

HttpModule and Sharepoint Security

Hello guys,
 
Today I was given a task to block specific users from accessing the _layouts/settings.aspx page, so I created an HttpModule, as this is the best place to examine incoming and outgoing requests and take action based on the request. HTTP Modules Overview
 
1. Create a class library
2. Implement the Interface IHttpModule
3. Implement the required methods (see ApplicationHttpModule.cs)
4. Strong name it and build
5. Copy the DLL into the GAC.
 
Now, in the web.config of each SharePoint web application, add the entry below under both
<modules runAllManagedModulesForAllRequests="true"> and <httpModules>:
 
<add name="CustomApplicationHttpModule" type="ApplicationHttpModule.ApplicationMasterModule,
ApplicationHttpModule, Version=1.0.0.0, Culture=neutral, PublicKeyToken=1d9c0030627b434f" />
 
Do an IISReset and test it.
 
Enjoy. 
 
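namespace ApplicationHttpModule
{
    /// <summary>
    /// HTTP module that keeps users who are not on a hard-coded allow-list away from a
    /// small set of SharePoint administrative pages by redirecting them to accessdenied.aspx.
    /// Registered in web.config under &lt;modules&gt; and &lt;httpModules&gt;.
    /// </summary>
    public class ApplicationMasterModule : IHttpModule
    {
        /// <summary>
        /// Pages that only allow-listed users may open. Each entry is compared against the
        /// end of the request's virtual file path, ignoring case, because IIS/SharePoint
        /// resolve URLs case-insensitively.
        /// </summary>
        private static readonly string[] RestrictedPages =
        {
            "_layouts/settings.aspx",
            "_layouts/viewlsts.aspx",
            "_layouts/user.aspx",
            "AllItems.aspx",
        };

        /// <summary>
        /// Accounts allowed to open the restricted pages (account part only, see
        /// <see cref="IsAuthorized"/>). The list is hard-coded, so changing it means a
        /// rebuild and redeploy of the module.
        /// </summary>
        private static readonly HashSet<string> AuthorizedUsers =
            new HashSet<string>(StringComparer.OrdinalIgnoreCase)
            {
                "admin1",
                "contributor1",
                "designer1",
                "reader1",
            };

        /// <summary>Nothing to release: the module owns no disposable or unmanaged resources.</summary>
        public void Dispose()
        {
        }

        /// <summary>
        /// Subscribes to <see cref="HttpApplication.PreRequestHandlerExecute"/> so the
        /// page handler can be intercepted before it starts executing.
        /// </summary>
        /// <param name="context">The application this module instance is attached to.</param>
        /// <exception cref="ArgumentNullException"><paramref name="context"/> is null.</exception>
        public void Init(HttpApplication context)
        {
            if (context == null)
            {
                throw new ArgumentNullException("context");
            }

            context.PreRequestHandlerExecute += context_PreRequestHandlerExecute;
        }

        /// <summary>
        /// Hooks <see cref="Page.PreInit"/> on the current handler when it is a Web Forms page;
        /// non-page handlers are left alone.
        /// </summary>
        private void context_PreRequestHandlerExecute(object sender, EventArgs e)
        {
            HttpContext current = HttpContext.Current;
            Page page = current == null ? null : current.CurrentHandler as Page;
            if (page != null)
            {
                page.PreInit += page_PreInit;
            }
        }

        /// <summary>
        /// Denies the request when the page is one of <see cref="RestrictedPages"/> and the
        /// current identity is not on the allow-list. An exception while evaluating a
        /// restricted page is treated as a denial rather than letting the request through.
        /// </summary>
        private void page_PreInit(object sender, EventArgs e)
        {
            Page page = sender as Page;
            if (page == null)
            {
                return;
            }

            try
            {
                // Decide on the path first so the identity lookup only runs for pages we guard.
                if (!IsRestrictedPage(page.Request.FilePath))
                {
                    return;
                }

                // An absent identity (e.g. anonymous access) is simply "not authorized".
                string currentUser = null;
                if (page.User != null && page.User.Identity != null)
                {
                    currentUser = page.User.Identity.Name;
                }

                if (!IsAuthorized(currentUser))
                {
                    page.Response.Redirect("~/_layouts/accessdenied.aspx");
                }
            }
            catch (System.Threading.ThreadAbortException)
            {
                // Response.Redirect ends the response by aborting the thread; let that propagate.
                throw;
            }
            catch (Exception)
            {
                // Fail closed: the check could not be completed on a restricted page, so deny.
                page.Response.Redirect("~/_layouts/accessdenied.aspx");
            }
        }

        /// <summary>
        /// Returns true when <paramref name="filePath"/> ends with one of the restricted page
        /// names, compared ordinally and ignoring case.
        /// </summary>
        /// <param name="filePath">Virtual file path of the request (no query string, no path info).</param>
        private static bool IsRestrictedPage(string filePath)
        {
            if (string.IsNullOrEmpty(filePath))
            {
                return false;
            }

            foreach (string restricted in RestrictedPages)
            {
                if (filePath.EndsWith(restricted, StringComparison.OrdinalIgnoreCase))
                {
                    return true;
                }
            }

            return false;
        }

        /// <summary>
        /// Returns true when <paramref name="currentUser"/> is on <see cref="AuthorizedUsers"/>.
        /// </summary>
        /// <param name="currentUser">
        /// Identity name as reported by the page, typically <c>DOMAIN\account</c>; null or empty
        /// is never authorized.
        /// </param>
        /// <remarks>
        /// Only the account part of a <c>DOMAIN\account</c> name takes part in the comparison,
        /// so the domain does not influence the decision; any account with a matching name in
        /// any domain that can reach the site is accepted. Comparison is ordinal to avoid
        /// culture-specific casing surprises (e.g. Turkish dotless i) that ToLower() would introduce.
        /// </remarks>
        private bool IsAuthorized(string currentUser)
        {
            if (string.IsNullOrEmpty(currentUser))
            {
                return false;
            }

            string account = currentUser;
            string[] parts = currentUser.Split('\\');
            if (parts.Length == 2)
            {
                account = parts[1];
            }

            return AuthorizedUsers.Contains(account);
        }
    }
}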

