How do DotNetOpenAuth whitelists and blacklists work?

Posted on 2024-08-26 07:21:51 | 785 words | 9 views | 0 comments

Does anyone have any documentation on DotNetOpenAuth and the way it handles white lists and black lists?

My config

<untrustedWebRequest>
    <blacklistHosts>
        <add name="*" />
    </blacklistHosts>
    <whitelistHosts>
        <add name="www.mysite.ca" />
        <add name="mysite.ca" />
        <add name="devel.mysite.ca" />
        <add name="devel.mysite.com" />
        <add name="mysite.com" />
        <add name="www.mysite.com" />
    </whitelistHosts>
</untrustedWebRequest>

What I want is to have it cancel the request if it's any site not in the whitelist. I'm currently running version 2.5.49045 but plan to update soon.

Using

<blacklistHostsRegex>
    <add name=".*" />
</blacklistHostsRegex>

blocked every site, even ones in the whitelist.

Comments (2)

冧九 2024-09-02 07:21:51

The logic that processes the whitelist and blacklist is like so:

DotNetOpenId/DotNetOpenAuth already has some intuition about some safe and unsafe host names. So it will block some and allow others without you setting anything in these lists. The lists are to override this behavior.

  1. DNOA encounters an implicitly disallowed hostname. Deny -- unless it's on the whitelist in which case let it through immediately.
  2. The hostname otherwise looks safe, but if it is on the blacklist, deny.

A host that's on the blacklist will (almost) never get through (the exception being if it looks unsafe anyway AND it's on the whitelist).

If you want to blacklist everything except a specific set of hosts, I think your best bet is to use just the blacklist, and do a regex "not" match:

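<untrustedWebRequest>
    <blacklistHostsRegex>
        <!-- Matches (blacklists) every host name except the three listed; the $ inside the lookahead forces a whole-name comparison -->
        <add name="^(?!(?:www\.mysite\.ca|www\.mysite\.com|devel\.mysite\.com)$).*$" />
    </blacklistHostsRegex>
</untrustedWebRequest>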

This seems a bit convoluted. But it will work in present versions of DotNetOpenId/DotNetOpenAuth. And going forward, I'll get this fixed to be something much more obvious.
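
The decision order described in this answer, modelled as an added C# example (not DotNetOpenAuth source and not part of the original answer), run against three blacklist patterns to show how the whitelist and a "not" regex interact. `ImplicitlyDisallowed` is a hypothetical stand-in for the library's built-in check, regex entries are assumed to be tested with `Regex.IsMatch`, and the hosts `idp.example.org` and `www.mysite.ca.evil.example` are constructed.

```csharp
using System;
using System.Linq;
using System.Text.RegularExpressions;

// Model of the two-step decision order from the answer; not library code.
static class HostPolicyModel
{
    // Assumption: stand-in for the library's own "looks unsafe" heuristics.
    static bool ImplicitlyDisallowed(string host) =>
        host == "localhost" || host == "127.0.0.1";

    static bool IsAllowed(string host, string[] whitelist, string[] blacklistRegex)
    {
        if (ImplicitlyDisallowed(host))
            return whitelist.Contains(host);   // step 1: the whitelist only rescues unsafe-looking hosts
        // step 2: the host looks safe, so the blacklist decides and the whitelist is never consulted
        return !blacklistRegex.Any(p => Regex.IsMatch(host, p));
    }

    static void Main()
    {
        string[] whitelist = { "www.mysite.ca", "www.mysite.com", "devel.mysite.com" };
        // Constructed sample hosts: one trusted, one look-alike, one unrelated, one unsafe-looking.
        string[] hosts = { "www.mysite.ca", "www.mysite.ca.evil.example", "idp.example.org", "localhost" };

        var patterns = new (string Label, string Pattern)[]
        {
            ("catch-all", ".*"),
            // With $ outside the lookahead the pattern can only match an empty host name.
            ("lookahead, $ outside", @"^(?!www.mysite.ca|www.mysite.com|devel.mysite.com)$"),
            // With $ inside the lookahead each alternative must equal the whole host name.
            ("lookahead, $ inside", @"^(?!(?:www\.mysite\.ca|www\.mysite\.com|devel\.mysite\.com)$).*$"),
        };

        foreach (var (label, pattern) in patterns)
        {
            Console.WriteLine(label + ": " + pattern);
            foreach (var host in hosts)
                Console.WriteLine("  {0,-28} {1}", host,
                    IsAllowed(host, whitelist, new[] { pattern }) ? "allow" : "deny");
        }
    }
}
```

With these inputs the catch-all denies all four hosts, the pattern with `$` outside the lookahead blacklists nothing, and the last pattern allows only `www.mysite.ca`.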

故事还在继续 2024-09-02 07:21:51

If you're trying to filter the Providers that are allowed to log users in, this may not be the best approach, as it would break delegated identifiers from other domains that delegate to OPs that you do mean to trust.

To filter on OP Endpoint, set the OpenIdRelyingParty.EndpointFilter property to a function that returns true for just those endpoints that you like, and false for those you don't.
