
I am facing problems restricting access to an action in a controller (let's say www.mysite.com/callback/c1). I would like only an external ERP system to be able to access this controller. The ERP allows me to set up a callback URL to which it will make a POST request each time a specific event occurs in the ERP system.

Now, I don't want anyone else to be able to post anything to this URL. How can I protect this URL so that it can be accessed only from the ERP system?

I've been thinking about hardcoding a user and password in the ERP URL, so it would make the POST request to www.mysite.com/callback/c1?userName=user&password=pass; this way I could check whether the credentials are valid and, if so, proceed with the request, but the credentials would be visible in the ERP system.

Is there any other way to achieve this?

PS: I am using ASP.NET MVC5.
PS2: I don't have control over the ERP system for modifications; I can only set the callback URL.

M.Beas
  • Assuming you have the IP range...create an Authorize Attribute you can decorate your action with. This should help you: http://stackoverflow.com/questions/473687/restrict-access-to-a-specific-controller-by-ip-address-in-asp-net-mvc-beta. – Ashley Lee Dec 12 '14 at 14:22

1 Answer


You'd need to identify that the request comes from the ERP, so you should look for something that identifies it in the Request. You should check if there are: ClientCertificates, Headers, LogonUserIdentity, ServerVariables, Cookies, UserAgent, UserHostAddress, UserHostName... If you find one of these elements that identifies your ERP, then you have the problem solved. But someone can still steal the identity and reproduce it.

The other option is using a firewall, and/or a special configuration in IIS. Apart from the usual binding to port 80, you can bind your application to an unusual port, like 88, and perhaps to a domain name which only your ERP machine knows. Do you have access to the hosts file on your ERP OS? See this info in Wikipedia.

If you set up a firewall you can set the filter so that the request to the new bound port (in the example 88) can only come from the ERP machine.

You can also check that the request is to the domain which only the ERP machine knows how to resolve, because it is defined in its hosts file.

If you can use a firewall you can even go a step further and add a second IP to your interface (NIC), only known by the ERP, so that you get an incoming request to a domain header/IP/port combination that can be checked.

Without more information it is hard to give you better advice (which is the OS of the ERP, what kind of application, which configurations can you make...)

JotaBe
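The following is an added example, not code from the question or the answer above, showing how the request-attribute checks the answer lists (UserHostAddress, HTTPS, a secret in the URL) can be combined in one ASP.NET MVC5 authorization filter. Since the asker can only set the callback URL, the secret has to live in that URL; the example therefore replaces the `userName=user&password=pass` idea with a single long random `token` query parameter, requires HTTPS so the token is not visible on the wire, and additionally pins the source IP. The attribute name `ErpCallbackOnlyAttribute`, the `ErpCallbackToken` app setting, the `token` parameter name and the 203.0.113.x addresses are all assumptions for illustration.

```csharp
using System;
using System.Collections.Generic;
using System.Configuration;   // System.Configuration assembly, referenced by default in ASP.NET projects
using System.Net;
using System.Text;
using System.Web;
using System.Web.Mvc;

// Added example (not from the original post). Lets an MVC5 action accept only requests that
// (a) arrive over HTTPS, (b) come from an allow-listed source IP and (c) carry the expected
// random token in the query string. All names and addresses below are assumptions.
public sealed class ErpCallbackOnlyAttribute : AuthorizeAttribute
{
    // Source addresses the ERP uses for outbound callbacks (assumed; ask the ERP vendor).
    private static readonly HashSet<IPAddress> AllowedSources = new HashSet<IPAddress>
    {
        IPAddress.Parse("203.0.113.10"),   // documentation-only addresses (TEST-NET-3)
        IPAddress.Parse("203.0.113.11")
    };

    // The secret part of the callback URL configured in the ERP, e.g.
    // https://www.mysite.com/callback/c1?token=<64 random hex characters>.
    // Kept in web.config appSettings (assumed key "ErpCallbackToken"), not in source.
    private static readonly byte[] ExpectedToken =
        Encoding.UTF8.GetBytes(ConfigurationManager.AppSettings["ErpCallbackToken"] ?? "");

    protected override bool AuthorizeCore(HttpContextBase httpContext)
    {
        HttpRequestBase request = httpContext.Request;

        // 1. Refuse plain HTTP: the token would be readable by anyone on the path.
        if (!request.IsSecureConnection)
            return false;

        // 2. Source IP check. UserHostAddress is the TCP peer. If IIS sits behind a reverse
        //    proxy or load balancer this is the proxy's address and you must instead read the
        //    header that *trusted* proxy sets (e.g. X-Forwarded-For); never trust such a
        //    header when clients can reach IIS directly, since the sender controls it.
        IPAddress source;
        if (!IPAddress.TryParse(request.UserHostAddress, out source))
            return false;
        if (source.IsIPv4MappedToIPv6)
            source = source.MapToIPv4();   // "::ffff:203.0.113.10" -> "203.0.113.10"
        if (!AllowedSources.Contains(source))
            return false;

        // 3. Token check in constant time, so response timing does not reveal how many
        //    leading bytes of a guessed token were correct.
        string presented = request.QueryString["token"];
        if (string.IsNullOrEmpty(presented) || ExpectedToken.Length == 0)
            return false;   // an unset token must fail closed, not match the empty string
        return FixedTimeEquals(Encoding.UTF8.GetBytes(presented), ExpectedToken);
    }

    protected override void HandleUnauthorizedRequest(AuthorizationContext filterContext)
    {
        // A machine caller gets a bare 403 instead of AuthorizeAttribute's default
        // redirect to the login page.
        filterContext.Result = new HttpStatusCodeResult(HttpStatusCode.Forbidden);
    }

    // .NET Framework 4.x has no CryptographicOperations.FixedTimeEquals, so compare by hand:
    // always walk the full length of the expected value and accumulate differences with OR,
    // so the running time does not depend on where the first mismatch is.
    internal static bool FixedTimeEquals(byte[] presented, byte[] expected)
    {
        int diff = presented.Length ^ expected.Length;
        for (int i = 0; i < expected.Length; i++)
        {
            byte p = i < presented.Length ? presented[i] : (byte)0;
            diff |= p ^ expected[i];
        }
        return diff == 0;
    }
}

public class CallbackController : Controller
{
    [HttpPost]
    [ErpCallbackOnly]
    public ActionResult C1()
    {
        // Only requests that passed all three checks reach this point.
        return new HttpStatusCodeResult(HttpStatusCode.OK);
    }
}
```

Generate the token once with a cryptographic RNG (for example 32 bytes from `RNGCryptoServiceProvider`, hex-encoded), store it in web.config, and paste the full `https://.../callback/c1?token=...` URL into the ERP's callback setting. The token is still visible to ERP administrators, as the question notes, but it is now a revocable, per-integration secret rather than a reusable user password, and the IP allow-list limits what a leaked token alone can do.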