Reputation: 694
Is there any documentation on use of the [Restrict] attribute with ServiceStack?
Not finding any documentation, I started trying to figure this out. I discovered you have to enable restrictions in AppHost.cs Configure event with
var endpointHostConfig = new EndpointHostConfig
{
    EnableAccessRestrictions = true,
};
SetConfig(endpointHostConfig); // applied inside AppHost.Configure; without this the [Restrict] attributes are ignored
Then I added attributes to my request DTO:
[Route("Hello/World", "GET")]
[Restrict(EndpointAttributes.InternalNetworkAccess)]
This does not work... looks like that removes all 'default' restrictions and replaces it with just that one restriction? Using this instead seems to work:
[Restrict(InternalOnly = true)]
When I do a GET from the local LAN it works, but from remote it does not. Interesting, the 'detailed stack error' it gives from remote is:
The following restrictions were not met: '\n -[InternalNetworkAccess, Secure, HttpHead, HttpPost, HttpPut, HttpDelete, HttpOther, OneWay, Soap11, Soap12, Xml, Jsv, ProtoBuf, Csv, Html, Yaml, MsgPack, FormatOther, AnyEndpoint]'
Note, it does not even list HttpGet as one of the possibilities - which does work. Also mentions Secure and not InSecure... neither of which I am specifically requiring.
Can we get some clarification on exactly how this is supposed to work? What if I wanted to require SSL - how would I specify that?
What if I wanted to require SSL in production, but not staging on all services for this endpoint? (Realizing this may be a completely different way to configure).
Upvotes: 2
Views: 1297
Reputation: 143369
The [Restrict] attribute feature is in the latest version of ServiceStack. Currently the only documentation for this exists in the Security wiki page.
Here are some EndpointAttributes restrictions tests that test the validation of the restriction attributes, and some different service configurations you can use.
The way it works is that it's restricted to anything that's specified, so if you want to enable SSL and leave everything else as unrestricted, you would only add:
[Restrict(EndpointAttributes.Secure)]
public class SslOnly { }
It also supports specifying multiple combinations of environments that are allowed, e.g. You can enforce HTTP internally, but HTTPS externally with:
[Restrict(EndpointAttributes.Secure | EndpointAttributes.External,
EndpointAttributes.InSecure | EndpointAttributes.InternalNetworkAccess)]
public class SslExternalAndInsecureInternal { }
Note: each environment is combined with Enum flags and delimited with a comma (,).
But it doesn't let you distinguish between debug and release builds, to enable this you would need to use C# conditional compilation symbols.
E.g only allow HTTP for Debug builds and HTTPS for production Release builds:
#if DEBUG
[Restrict(EndpointAttributes.InSecure)]
#else
[Restrict(EndpointAttributes.Secure)]
#endif
public class MyRequestDto { ... }
Upvotes: 1
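To tie the pieces of the answer together (the SetConfig switch, single and multi-environment [Restrict] usage, the InternalOnly property form from the question, and the #if DEBUG build switch), here is an added, self-contained ServiceStack v3 AppHost. It is example code written for this page, not code from the question, the answer, or the ServiceStack project; the route paths, DTO names, the service class and the returned values are illustrative assumptions.

```csharp
// Added example, not from the question/answer above and not ServiceStack's own sample code.
// Assumed: ServiceStack v3 (ServiceStack, ServiceStack.ServiceHost,
// ServiceStack.ServiceInterface, ServiceStack.WebHost.Endpoints) is referenced.
// DTO names, routes, the service class and the response values are illustrative.
using Funq;
using ServiceStack.ServiceHost;
using ServiceStack.ServiceInterface;
using ServiceStack.WebHost.Endpoints;

namespace RestrictDemo
{
    // Restricted only to what is named: HTTPS required, every other dimension
    // (verb, format, network) is left unrestricted.
    [Route("/ssl-only", "GET")]
    [Restrict(EndpointAttributes.Secure)]
    public class SslOnly { }

    // Two allowed environments, comma-delimited; each one is a flag combination.
    // Either HTTPS from an external caller, or plain HTTP from the internal network.
    [Route("/ssl-external-or-insecure-internal", "GET")]
    [Restrict(EndpointAttributes.Secure | EndpointAttributes.External,
              EndpointAttributes.InSecure | EndpointAttributes.InternalNetworkAccess)]
    public class SslExternalAndInsecureInternal { }

    // Named-property form used in the question: reachable from the internal network only.
    [Route("/internal-only", "GET")]
    [Restrict(InternalOnly = true)]
    public class InternalOnlyRequest { }

    // Build-time switch from the answer: HTTP allowed in Debug builds,
    // HTTPS required in Release builds. Decided by the compiler, not at runtime.
#if DEBUG
    [Restrict(EndpointAttributes.InSecure)]
#else
    [Restrict(EndpointAttributes.Secure)]
#endif
    [Route("/build-dependent", "GET")]
    public class BuildDependent { }

    // One service handling all four DTOs; bodies are placeholders for the demo.
    public class RestrictDemoService : Service
    {
        public object Get(SslOnly request) { return "ssl-only"; }
        public object Get(SslExternalAndInsecureInternal request) { return "ssl-external-or-insecure-internal"; }
        public object Get(InternalOnlyRequest request) { return "internal-only"; }
        public object Get(BuildDependent request) { return "build-dependent"; }
    }

    public class AppHost : AppHostBase
    {
        public AppHost() : base("Restrict demo", typeof(RestrictDemoService).Assembly) { }

        public override void Configure(Container container)
        {
            // Without EnableAccessRestrictions = true the [Restrict] attributes
            // above are never evaluated and every DTO is reachable from anywhere.
            SetConfig(new EndpointHostConfig
            {
                EnableAccessRestrictions = true,
            });
        }
    }
}
```

Two caveats when relying on this in practice: the Secure/InSecure and Internal/External decisions are made from the request as ServiceStack sees it, so if TLS is terminated at a reverse proxy in front of the app, the request arrives as plain HTTP from the proxy's address and a Secure-only DTO will reject it; and the #if DEBUG switch is fixed when the assembly is compiled, so a staging versus production distinction needs separate builds rather than a runtime setting.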