在GlimpseSecurityPolicy RuntimeEvent.ExecuteResource中检索会话

时间:2015-02-19 16:05:35

标签: glimpse

使用glimpse我可以在使用RuntimeEvent.ExecuteResource时访问会话信息。如果没有这个,则会暴露axd文件,除非特定用户登录,否则我宁愿禁用它。在下面的两个示例中,会话将为null。我也尝试过使用类实现IRequiresSessionState,但这也没有帮助。

namespace Glimpse
{
    public class GlimpseSecurityPolicy:IRuntimePolicy
    {
        public RuntimePolicy Execute(IRuntimePolicyContext policyContext)
        {
            try
            {
                var name = HttpContext.Current.Session["username"];
                var name2 = policyContext.GetHttpContext().Session["username"];
            }
            catch (Exception)
            {
            }

            // You can perform a check like the one below to control Glimpse's permissions within your application.
            // More information about RuntimePolicies can be found at http://getglimpse.com/Help/Custom-Runtime-Policy
            // var httpContext = policyContext.GetHttpContext();
            // if (!httpContext.User.IsInRole("Administrator"))
            // {
            //     return RuntimePolicy.Off;
            // }

            return RuntimePolicy.On;
        }

        public RuntimeEvent ExecuteOn
        {
            // The RuntimeEvent.ExecuteResource is only needed in case you create a security policy
            // Have a look at http://blog.getglimpse.com/2013/12/09/protect-glimpse-axd-with-your-custom-runtime-policy/ for more details
            get { return RuntimeEvent.EndRequest | RuntimeEvent.ExecuteResource; }
        }
    }
}

1 个答案:

答案 0 :(得分:4)

原因是处理Glimpse.axd请求的Glimpse HttpHandler没有实现IRequireSessionState接口。

HttpHandler最终将执行IRuntimePolicyRuntimeEvent.ExecuteResource属性值的ExecuteOn个实例{/ 1}}。

我认为最简单的解决方案是创建自己的IHttpHandler来实现IRequireSessionState界面,并将所有调用转发给Glimpse HttpHandler,如下所示。

public class SessionAwareGlimpseHttpHandler : IHttpHandler, IRequiresSessionState
{
    private readonly HttpHandler _glimpseHttpHandler = 
        new Glimpse.AspNet.HttpHandler();

    public void ProcessRequest(HttpContext context)
    {
        _glimpseHttpHandler.ProcessRequest(context);
    }

    public bool IsReusable
    {
        get { return _glimpseHttpHandler.IsReusable; }
    }
}

请勿忘记更新您的web.config以使用该处理程序而不是原始处理程序:

...
<system.webServer>
    ...
    <handlers>
        <add name="Glimpse" path="glimpse.axd" verb="GET" type="YourNamespace.SessionAwareGlimpseHttpHandler, YourAssembly" preCondition="integratedMode" />
    </handlers>
    ...
</system.webServer>
...

完成所有这些操作后,您应该能够访问Session内的IRuntimePolicy