glimpse

Retrieve the Session in the GlimpseSecurityPolicy RuntimeEvent.ExecuteResource


Using glimpse I'm able to access the session information except when using the RuntimeEvent.ExecuteResource. Without this the axd file is exposed, and I'd rather have it disabled unless specific users are logged in. The session will be null in both examples below. Also I've tried having the class implement IRequiresSessionState, but that didn't help either.

using System;
using System.Web;
using Glimpse.AspNet.Extensions;   // provides the GetHttpContext() extension on IRuntimePolicyContext
using Glimpse.Core.Extensibility;  // IRuntimePolicy, IRuntimePolicyContext, RuntimePolicy, RuntimeEvent

namespace Glimpse
{
    public class GlimpseSecurityPolicy : IRuntimePolicy
    {
        public RuntimePolicy Execute(IRuntimePolicyContext policyContext)
        {
            try
            {
                // Both of these come back null when the policy runs for RuntimeEvent.ExecuteResource
                // (the glimpse.axd request), so the indexer throws a NullReferenceException.
                var name = HttpContext.Current.Session["username"];
                var name2 = policyContext.GetHttpContext().Session["username"];
            }
            catch (Exception)
            {
                // Swallowed while diagnosing the problem; note that falling through to
                // RuntimePolicy.On below leaves Glimpse enabled when the check cannot run.
            }

            // You can perform a check like the one below to control Glimpse's permissions within your application.
            // More information about RuntimePolicies can be found at http://getglimpse.com/Help/Custom-Runtime-Policy
            // var httpContext = policyContext.GetHttpContext();
            // if (!httpContext.User.IsInRole("Administrator"))
            // {
            //     return RuntimePolicy.Off;
            // }

            return RuntimePolicy.On;
        }

        public RuntimeEvent ExecuteOn
        {
            // The RuntimeEvent.ExecuteResource is only needed in case you create a security policy
            // Have a look at http://blog.getglimpse.com/2013/12/09/protect-glimpse-axd-with-your-custom-runtime-policy/ for more details
            get { return RuntimeEvent.EndRequest | RuntimeEvent.ExecuteResource; }
        }
    }
}

Solution

  • The reason for this is that the Glimpse HttpHandler which processes the requests for Glimpse.axd does not implement the IRequiresSessionState interface.

    It is that HttpHandler that will eventually execute all IRuntimePolicy instances that have RuntimeEvent.ExecuteResource configured as part of the ExecuteOn property value.

    I think the easiest solution for you is to create your own IHttpHandler that implements the IRequiresSessionState interface and forwards all calls to the Glimpse HttpHandler as shown below.

    using System.Web;
    using System.Web.SessionState;   // IRequiresSessionState

    // Marking the wrapper IRequiresSessionState makes ASP.NET load session state
    // for glimpse.axd requests before ProcessRequest runs; every call is then
    // forwarded unchanged to Glimpse's own handler.
    public class SessionAwareGlimpseHttpHandler : IHttpHandler, IRequiresSessionState
    {
        private readonly Glimpse.AspNet.HttpHandler _glimpseHttpHandler =
            new Glimpse.AspNet.HttpHandler();

        public void ProcessRequest(HttpContext context)
        {
            _glimpseHttpHandler.ProcessRequest(context);
        }

        public bool IsReusable
        {
            get { return _glimpseHttpHandler.IsReusable; }
        }
    }
    

    Don't forget to update your web.config to use that handler instead of the original one:

    ...
    <system.webServer>
        ...
        <handlers>
            <add name="Glimpse" path="glimpse.axd" verb="GET" type="YourNamespace.SessionAwareGlimpseHttpHandler, YourAssembly" preCondition="integratedMode" />
        </handlers>
        ...
    </system.webServer>
    ...
    

    Once all this is in place, you should be able to access the Session inside your IRuntimePolicy.
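As an added example (not code from the question, the answer, or the Glimpse project), here is a runtime policy that uses the session once the wrapper handler above is registered, but fails closed: if the session is not available, for instance because the original Glimpse.AspNet.HttpHandler is still the one mapped to glimpse.axd, Glimpse is switched off instead of being left on as the try/catch in the question does. It assumes the application stores the logged-in user name in Session["username"] (taken from the question) and uses a hypothetical in-code allow-list of user names in place of real configuration.

```csharp
using System;
using System.Collections.Generic;
using System.Web;
using Glimpse.AspNet.Extensions;   // GetHttpContext()
using Glimpse.Core.Extensibility;

namespace YourNamespace
{
    // Added example: gates both page-level Glimpse output (EndRequest) and
    // glimpse.axd itself (ExecuteResource) on the session's user name.
    public class SessionGatedGlimpsePolicy : IRuntimePolicy
    {
        // Hypothetical allow-list; a real application would load this from
        // configuration or a role store rather than hard-coding it.
        private static readonly HashSet<string> AllowedUsers =
            new HashSet<string>(StringComparer.OrdinalIgnoreCase) { "alice", "bob" };

        public RuntimePolicy Execute(IRuntimePolicyContext policyContext)
        {
            HttpContextBase httpContext = policyContext.GetHttpContext();

            // Fail closed: no context or no session means we cannot make the
            // check, so disable Glimpse rather than defaulting to On.
            if (httpContext == null || httpContext.Session == null)
            {
                return RuntimePolicy.Off;
            }

            var userName = httpContext.Session["username"] as string;
            return IsAllowed(userName) ? RuntimePolicy.On : RuntimePolicy.Off;
        }

        // Kept separate from the HttpContext plumbing so it can be unit tested.
        public static bool IsAllowed(string userName)
        {
            return !string.IsNullOrEmpty(userName) && AllowedUsers.Contains(userName);
        }

        public RuntimeEvent ExecuteOn
        {
            // ExecuteResource runs for requests to glimpse.axd; EndRequest decides
            // whether Glimpse collects data and injects its client into a page.
            get { return RuntimeEvent.EndRequest | RuntimeEvent.ExecuteResource; }
        }
    }
}
```

Register this policy in place of GlimpseSecurityPolicy (Glimpse discovers IRuntimePolicy implementations in the application's assemblies) and keep the SessionAwareGlimpseHttpHandler mapping from the answer in web.config, otherwise every glimpse.axd request now returns RuntimePolicy.Off. If the application uses ASP.NET authentication, the commented-out httpContext.User.IsInRole("Administrator") check from the question is the simpler route: the principal is set by the authentication modules before any handler executes, so it is available during ExecuteResource without session state and without the wrapper handler.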