How do DotNetOpenAuth whitelist and blacklists work?

Developer https://www.devze.com 2022-12-23 12:50 Source: Web
Does anyone have any documentation on DotNetOpenAuth and the way it handles whitelists and blacklists?

My config:

<untrustedWebRequest>
    <blacklistHosts>
        <add name="*" />
    </blacklistHosts>

    <whitelistHosts>
        <add name="www.mysite.ca" />
        <add name="mysite.ca" />
        <add name="devel.mysite.ca" />
        <add name="devel.mysite.com" />
        <add name="mysite.com" />
        <add name="www.mysite.com" />
    </whitelistHosts>
</untrustedWebRequest>

What I want is to have it cancel the request if it's any site not in the whitelist. I'm currently running version 2.5.49045 but plan to update soon.

Using

<blacklistHostsRegex>
    <add name=".*" />
</blacklistHostsRegex>

blocked every site, even ones in the whitelist.


The logic that processes the whitelist and blacklist is like so:

DotNetOpenId/DotNetOpenAuth already has some intuition about some safe and unsafe host names. So it will block some and allow others without you setting anything in these lists. The lists are to override this behavior.

  1. DNOA encounters an implicitly disallowed hostname. Deny -- unless it's on the whitelist in which case let it through immediately.
  2. The hostname otherwise looks safe, but if it is on the blacklist, deny.

A host that's on the blacklist will (almost) never get through (the exception being if it looks unsafe anyway AND it's on the whitelist).

If you want to blacklist everything except a specific set of hosts, I think your best bet is to use just the blacklist, and do a regex "not" match:

<untrustedWebRequest>
    <blacklistHostsRegex>
        <!-- Deny every host name that is not exactly one of the listed names.
             The lookahead is anchored with "$" inside it and the dots are escaped,
             so "^(?!...)$" does not collapse to matching only the empty string. -->
        <add name="^(?!(www\.mysite\.ca|www\.mysite\.com|devel\.mysite\.com)$).*$" />
    </blacklistHostsRegex>
</untrustedWebRequest>

This seems a bit convoluted. But it will work in present versions of DotNetOpenId/DotNetOpenAuth. And going forward, I'll get this fixed to be something much more obvious.


If you're trying to filter the Providers that are allowed to log users in, this may not be the best approach, as it would break delegated identifiers from other domains that delegate to OPs that you do mean to trust.

To filter on OP Endpoint, set the OpenIdRelyingParty.EndpointFilter property to a function that returns true for just those endpoints that you like, and false for those you don't.
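The two-step rule from the answer above, modelled as an added example (this is not DotNetOpenAuth's own code). The "looks unsafe" heuristic is a constructed stand-in for DNOA's built-in intuition, and `allow_only_regex` generalises the allow-only pattern to any list of trusted names; the negative-lookahead syntax it emits is the same in .NET regex.

```python
import re


def looks_unsafe(host: str) -> bool:
    """Constructed stand-in for DNOA's implicit 'unsafe host' intuition:
    loopback, single-label names and bare IPv4 literals. The real
    library's heuristic is not reproduced here."""
    if host == "localhost" or "." not in host:
        return True
    return bool(re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host))


def is_allowed(host, whitelist=(), blacklist=(), blacklist_regex=()):
    """Return True if a request to `host` should be let through."""
    # Step 1: an implicitly disallowed host is denied, unless it is on the
    # whitelist, in which case it passes immediately (blacklist not consulted).
    if looks_unsafe(host):
        return host in whitelist
    # Step 2: an otherwise safe-looking host is denied if it is blacklisted,
    # by exact name or by regex. The whitelist does not help here, which is
    # why a ".*" blacklist regex blocks even whitelisted hosts.
    if host in blacklist:
        return False
    return not any(re.search(p, host) for p in blacklist_regex)


def allow_only_regex(hosts):
    """Build a blacklistHostsRegex pattern matching every host name except
    the given ones: anchored alternation inside the lookahead, dots escaped."""
    alternation = "|".join(re.escape(h) for h in hosts)
    return rf"^(?!(?:{alternation})$).*$"


if __name__ == "__main__":
    # Constructed sample hosts, mirroring the names in the question.
    trusted = ["www.mysite.ca", "www.mysite.com", "devel.mysite.com"]
    pattern = allow_only_regex(trusted)
    for h in ["www.mysite.ca", "evil.example", "wwwxmysite.ca"]:
        print(h, "allowed" if is_allowed(h, blacklist_regex=[pattern]) else "denied")
```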
