HangFire Monitor authorization #42
Comments
|
As a workaround, if you are using role-based authorization in your application, you could use the following method of HTTP handler plug-in (but remove the registration of <location path="hangfire.axd" inheritInChildApplications="false">
<system.web>
<authorization>
<allow roles="Administrator" />
<deny users="*" />
</authorization>
</system.web>
<system.webServer>
<handlers>
<add name="HangFire" path="hangfire.axd" verb="*" type="HangFire.Web.HangFirePageFactory, HangFire.Web" />
</handlers>
</system.webServer>
</location> |
|
this is great, i was going to ask to disable it by default. thank you |
|
@odinserj have you pushed a new release with this fix? |
|
Not yet |
|
Is there a way to programatically configure who sees the web ui? |
|
Only via web.config. Do you have ASP.NET RoleProvider integrated in your app to use the given workaround? |
|
no, I do not use the built in role provider. |
|
Is there any way some sort of filter could be applied? That way I can get the current user, check against the database if the user is admin or not...? |
|
right now, the web.config works with Owin Roles Claim as i confirmed here in #59 but it would really be much better, if we can integrate HangFire directly with Owin, as it is the Defacto now for Membership. also i think maybe if we can some how add hangfire monitoring URL to ASP.NET Routing, it would be great, where we can specify authorization Attribute. the reason for all above, is when you ahve large Membership system with many Admins, you need to set up specific permissions for them like, read only, write, etc... and Hangfire in my humble opinion really needs that, cause for example i only want Super Admins to have the ability to cancel jobs, and Admins group to see only Job queue. |
|
I only really have admin and non admin - i.e. everyone else that is using my system. So I dont really have a too complex membership system. |
|
@hahmed i do have :) |
|
You are telling me about two use cases:
This two cases may be solved with flexible authorization system, like in Glimpse. It is really needed, but I have no plans to implement it yet (I'm making HangFire.Core more stable now). But if you need it now, or want to implement more simple authorization rules for the first case only, you can describe what you want to do in a separate issue, and send a pull request. |
|
@devmondo, I don't want to introduce such thing (elmah controller) in a HangFire.Web library, because it looks like a crutch and breaks encapsulation. I have plans to implement HangFire.Web using OWIN, and Glimpse-like authorization policies looks much better. But links are nice, especially if you can not do anything else 😄 |
|
Heh, current rules are simple enough: if (!HangFireConfiguration.EnableRemoteMonitorAccess && !context.Request.IsLocal)
{
return HttpStatusHandler.Process(context, HttpStatusCode.Unauthorized);
}Feel free to modify them! |
|
@odinserj thanks for the input, we are fine with the current security implementation, and i am in no position to just ask and get served, you are the man who is gracing us with his time for free, do what you think is best for all of us, what i am trying to do here is suggesting Ideas to make Hangfire greater :) the best Part is that more features are getting implemented like Cancellation Token, Tutorials, Stabilizing the Core, etc... P.S it is true i can't do what you can do but i did a shameless useless Simple Injector Integration :) i wish i can help more, but your knowledge is beyond me :) hangfire rules :) |
|
hey i love that Rules part, never knew them, you can add them to Docs, this will shed some good light, really :) P.S, from your experience is "context.Request.IsLocal" really secure and really works only if request is local ? |
|
@devmondo, thanks for good words. To make it more clear, I like feature requests. More feature requests -> better understanding what do you need -> more thoughts what other users need -> more thoughts about direction and prioritization -> better project. So, I very appreciate them. P.S. HangFire.SimpleInjector beats HangFire.Ninject and HangFire.Autofac as for now, so you can't call it "shameless and useless" :) internal bool IsLocal()
{
string remoteAddress = this.GetRemoteAddress();
return !string.IsNullOrEmpty(remoteAddress) && (remoteAddress == "127.0.0.1" || remoteAddress == "::1" || remoteAddress == this.GetLocalAddress());
}P.P.P.S. These simple authorization rules will be in 0.8. |
Where would you modify them? Do I create my own build and use that in my application? |
|
If you are planning to create a solution (it may be simple) that will help other users with the same problem, please, create another issue with problem and proposing solution, and make a pull request. But there are breaking changes in current branch, and I will not be able to push the solution before 0.8 release. |
|
@hahmed , you can modify them in Global.asax, in static class, even while application running, I Think hangFire is Static and last through the application life time until recycle, unless i am wrong. @odinserj thank you very much for your kind words, you encouraged me, i was under the impression that you don't want much of those extra ideas, but now i get you, you are trying to balance things up, what is first and what should be done later, based on users requests, this is great of you. you sound like the perfectiones methodical kind of guy, i love that and i look up to be one as this is my personality but my coding skills are still normal, but i am learning. i really think HangFire will solve all background jobs problems and we should not use other libraries, and in my humble opinion you must make it like and that this should be the plan, and more people should know about it. i don't see why i should use FluentScheduler, or Quartz, when a lot of their features intersect with HangFire, but with Hangfire there more simplicity,control and stability not to mention that Hangfire surrvies Application restarts which is a BIG PLUS, again, my dream is to see HangFire completely eliminate the need for anything else, ok maybe not large enterprise stuff, but who cares, how often you have one of those really really big projects, and i would help to make this happen where and when ever i can, you have got a solid foundation here, that by time and Input will be the best out there. regarding Owin the best part is that it is agnostic, so you can use it in Web, Desktop App, Service, etc... and that fits nicely with HangFireCore. may i suggest you add a RoadMap and Change Log to the Git Hub page, this will help a lot. P.S.S.S could you explain to me how SimpleInjector Integration beats other IOC ones :) |
Default HangFire installation allows anyone access to Monitor Web UI. Although everyone can change http handler registration to meet this requirement, it is not good to provide security hole with the default setup.
Elmah library authors made deep investigation about this topic, and we could use their implementation.
Default setup should:
The text was updated successfully, but these errors were encountered: