How do the DotNetOpenAuth whitelist and blacklist work?
Does anyone have any documentation on DotNetOpenAuth and the way it handles white lists and black lists?
My config
<untrustedWebRequest>
  <blacklistHosts>
    <add name="*" />
  </blacklistHosts>
  <whitelistHosts>
    <add name="www.mysite.ca" />
    <add name="mysite.ca" />
    <add name="devel.mysite.ca" />
    <add name="devel.mysite.com" />
    <add name="mysite.com" />
    <add name="www.mysite.com" />
  </whitelistHosts>
</untrustedWebRequest>
What I want is to have it cancel the request if it's any site not in the whitelist. I'm currently running version 2.5.49045 but plan to update soon.
using
<blacklistHostsRegex>
  <add name=".*" />
</blacklistHostsRegex>
blocked every site, even ones in the whitelist.
Comments (2)
The logic that processes the whitelist and blacklist is like so:
DotNetOpenId/DotNetOpenAuth already has some intuition about some safe and unsafe host names. So it will block some and allow others without you setting anything in these lists. The lists are to override this behavior.
A host that's on the blacklist will (almost) never get through (the exception being if it looks unsafe anyway AND it's on the whitelist).
If you want to blacklist everything except a specific set of hosts, I think your best bet is to use just the blacklist, and do a regex "not" match:
This seems a bit convoluted. But it will work in present versions of DotNetOpenId/DotNetOpenAuth. And going forward, I'll get this fixed to be something much more obvious.
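An added example, not part of the original answer or of DotNetOpenAuth itself: it builds a "not"-match pattern for the hosts in the question and contrasts it with an unescaped, unanchored variant that lets lookalike host names slip past the blacklist. Python's `re` stands in for .NET `Regex` here; the assumption is that the library searches the host name with the pattern case-insensitively, and `build_blacklist_regex`, `naive_regex`, `is_blacklisted` and the sample hosts are constructed for illustration.

```python
import re

# Hosts taken from the whitelist in the question.
ALLOWED_HOSTS = [
    "www.mysite.ca", "mysite.ca", "devel.mysite.ca",
    "devel.mysite.com", "mysite.com", "www.mysite.com",
]


def build_blacklist_regex(allowed_hosts):
    """Return a pattern that matches every host EXCEPT the allowed ones.

    Each host is escaped so "." is a literal dot, and the alternation is
    closed with "$" inside the lookahead so an allowed name cannot be a
    mere prefix of the host being tested.
    """
    alternation = "|".join(re.escape(h) for h in allowed_hosts)
    return r"^(?!(?:" + alternation + r")$).*$"


def naive_regex(allowed_hosts):
    # Common mistake: unescaped dots and no "$" inside the lookahead.
    return r"^(?!" + "|".join(allowed_hosts) + r").*$"


def is_blacklisted(host, pattern):
    # Assumption: the pattern is searched against the host name,
    # case-insensitively, since DNS names are case-insensitive.
    return re.search(pattern, host, re.IGNORECASE) is not None


if __name__ == "__main__":
    strict = build_blacklist_regex(ALLOWED_HOSTS)
    loose = naive_regex(ALLOWED_HOSTS)
    # Value to paste into <blacklistHostsRegex><add name="..." />.
    print('<add name="%s" />' % strict)
    # Constructed sample hosts, not taken from the original post.
    for host in ["mysite.com", "WWW.MYSITE.CA", "other.example",
                 "mysite.com.other.example", "mysiteXcom"]:
        print(host, is_blacklisted(host, strict), is_blacklisted(host, loose))
```
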
If you're trying to filter the Providers that are allowed to log users in, this may not be the best approach, as it would break delegated identifiers from other domains that delegate to OPs that you do mean to trust.
To filter on OP Endpoint, set the OpenIdRelyingParty.EndpointFilter property to a function that returns true for just those endpoints that you like, and false for those you don't.