Platinum Bay

Peace, Love and Visual Studio Team System

.NETicated

Restricting Access to Trace.axd

I am currently prepping for the Microsoft 70-528 exam – .NET Framework, Web Application Development. Despite having worked with ASP.NET for several years now, I still find myself learning new things. I scored 80% and 84% on two practice tests before even beginning to study, so I guess I have 16-20% left to learn. Take tracing. I know about tracing, but I was never aware of the Trace.axd handler. I was stoked: here is a way to help remote debug a website. Or so I thought. It seems that tracing is either on or off. Once it's on, any request to trace.axd will succeed, even from invalid paths. There seems to be no way to restrict access to, say, just logged-in administrators.

For the purists out there, let me add a word of caution. Tracing is not meant to be used in a production environment. There are significant security risks, as well as performance issues. In a production environment, use Health Monitoring, Performance Counters, the Event Log and other such forms of error handling.

But back to my dilemma. My first thought was to set up location authorization rules in Web.config to allow only admins to see the file. But invalid paths serve up the Trace.axd file as well (http://localhost:1215/WebSite1/testhjgeoiheoigheoihgiesub/trace.axd), so there is no way to block it there. Assuming the full 128-character ASCII range, and the full 2083-character range of URLs in IE, ASP.NET would eat up 2.0814538037914702336086584856065e+4389 bytes of memory just trying to load the Web.config file (SWAG number). Talk about a maintenance nightmare. No, there has to be a better way.

The problem I ran into is that the httpHandlers path is essentially "^.*trace.axd". Anywhere in the URL it falls, it is served. On the other hand, the location authorization wanted a virtual path from the root "^/trace.axd$".

For the time being, here's what I ended up doing, and it's not pretty.

    <httpHandlers>
        <remove path="trace.axd" verb="*" />
        <add path="MyVeryHardToFindUrl/trace.axd" verb="*" type="System.Web.Handlers.TraceHandler" validate="True" />
    </httpHandlers>

I told you it wasn't pretty, and it's not quite foolproof either. Any path will work, as long as it ends with the handler path. Until a better solution comes along, or I write my own TraceHandler to limit the output to a single path, this'll have to do.
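
One way to get the restriction described above without writing a replacement TraceHandler, as an added example that is not from the original post: an IHttpModule that applies the same ends-with match as the handler mapping and lets the request through only for the application-root trace.axd and an authenticated admin. The class name TraceAxdGuard and the role name Administrators are assumptions.

```csharp
using System;
using System.Web;

// Added example (hypothetical class name): rejects every trace.axd request
// except the one canonical URL, and only for members of an admin role.
public class TraceAxdGuard : IHttpModule
{
    // Assumption: the role allowed to view trace output is "Administrators".
    private const string AdminRole = "Administrators";
    private const string HandlerName = "trace.axd";

    public void Init(HttpApplication app)
    {
        // AuthorizeRequest runs after authentication, before the handler executes.
        app.AuthorizeRequest += new EventHandler(OnAuthorizeRequest);
    }

    private static void OnAuthorizeRequest(object sender, EventArgs e)
    {
        HttpApplication app = (HttpApplication)sender;
        HttpContext ctx = app.Context;
        string path = ctx.Request.Path;

        // Same loose test the handler mapping applies: any URL ending in trace.axd.
        if (!path.EndsWith(HandlerName, StringComparison.OrdinalIgnoreCase))
            return;

        // The only URL this module lets through: <application root>/trace.axd.
        string allowed = VirtualPathUtility.ToAbsolute("~/" + HandlerName);
        bool exactPath = string.Equals(path, allowed, StringComparison.OrdinalIgnoreCase);
        bool isAdmin = ctx.User != null
            && ctx.User.Identity.IsAuthenticated
            && ctx.User.IsInRole(AdminRole);

        if (exactPath && isAdmin)
            return; // fall through to the trace handler

        // Answer 404 rather than 401/403 so the response does not confirm
        // that tracing is switched on.
        ctx.Response.StatusCode = 404;
        ctx.Response.SuppressContent = true;
        app.CompleteRequest();
    }

    public void Dispose() { }
}
```

The module takes effect once it is registered under httpModules in the system.web section of Web.config, and it relies on the site's authentication and role provider populating the request's user before AuthorizeRequest fires.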

Published Jul 08 2007, 09:15 PM by Steve

About Steve

Steve Andrews has been working as a developer for more than 8 years. During this time, he has designed and developed applications in such widely varying areas as trust accounting, medical information management, supply chain management, and retail systems. He has firsthand developer experience with a variety of languages, including Java, VB, and .NET. Most recently, he has been immersed in SharePoint. He is currently employed at RDA Corporation in Philadelphia, PA, as a Software Engineer and a team member in the Architectural Guidance evangelism team. Steve is also an MTCS (x2), ICSOO, and .NET fanatic.