Application Security Testing: An Integral Part of DevOps
"AuthFilt demonstrates how to write an authentication filter based on an external datasource. Authentication is the process of accepting or denying a request from a client, so AuthFilt will be notified each time an authentication request comes in. This sample uses a file (userdb.txt) to keep track of authorized users, but you might modify this sample to access a database which holds user info.
For each authentication request, AuthFilt first looks in a cache of recently authenticated users, and when that fails, AuthFilt looks in the userdb.txt file. This shows an efficient way to authorize connections: a cache allows the filter to quickly authenticate users, and because each request comes in through the filter, speed is critical."
The filter could be improved in several ways: using a database instead of a file for authentication information (consider stored procedures for the search and for the caching), loading its parameters from the registry, automatic selection of the number of cached users and of the list reorder parameter, and so on. Note also that the sample keeps passwords directly in userdb.txt and in its in-memory cache; a production filter should store and compare salted password hashes instead.
The full source code is provided; you will have to compile it to get a working filter. Once you have compiled the project, take the following steps to install it:
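The cache-then-file lookup that the quoted description outlines, as an added example written for this page (it is not the SDK's AuthFilt source): a small most-recently-used cache is consulted first, a hit is moved to the front of the list (the sample's "list reorder"), and only a successful lookup in the user database populates the cache. The user database is embedded as a constructed string instead of being read from userdb.txt, and its `user:password` line format is an assumption, since the page does not give the file's format. Passwords are compared in constant time; like the sample, the cache holds the credential itself, which a production filter should replace with a salted hash.

```c
/* Added example (not the SDK's AuthFilt source): cache-then-file authentication
 * in the style the sample describes. "user:password" lines are an assumed format. */
#include <stdio.h>
#include <string.h>

#define MAX_NAME   64
#define CACHE_SIZE 2   /* deliberately small so eviction is easy to observe */

struct cache_entry {
    char user[MAX_NAME];
    char password[MAX_NAME];  /* as in the sample; a real filter should cache a salted hash */
};

static struct cache_entry cache[CACHE_SIZE];   /* cache[0] is the most recently used */
static int cache_count;
static unsigned long cache_hits, file_lookups;
/* Constructed stand-in for userdb.txt so the example runs offline. */
static const char *USERDB =
    "alice:correct horse\n"
    "bob:battery staple\n"
    "# comment and blank lines are skipped\n"
    "\n"
    "carol:pa:ss:with:colons\n";   /* only the first ':' separates user from password */

/* Compare every byte, so the time taken does not reveal how much of a wrong password was right. */
static int ct_equal(const char *a, size_t la, const char *b, size_t lb)
{
    unsigned char diff = (unsigned char)(la != lb);
    for (size_t i = 0, n = la < lb ? la : lb; i < n; i++) diff |= (unsigned char)(a[i] ^ b[i]);
    return diff == 0;
}

/* 1 if the user is cached with this password; the hit moves to the front (the sample's
 * "list reorder"). A cached user with another password is a miss, so the file is re-checked. */
static int cache_lookup(const char *user, const char *password)
{
    for (int i = 0; i < cache_count; i++) {
        if (strcmp(cache[i].user, user) != 0) continue;
        if (!ct_equal(cache[i].password, strlen(cache[i].password), password, strlen(password)))
            return 0;
        struct cache_entry hit = cache[i];
        memmove(&cache[1], &cache[0], sizeof cache[0] * (size_t)i);
        cache[0] = hit;
        return 1;
    }
    return 0;
}

/* Insert at the front, dropping a stale entry for the same user and evicting the
 * least recently used entry when the cache is full. */
static void cache_insert(const char *user, const char *password)
{
    for (int i = 0; i < cache_count; i++)
        if (strcmp(cache[i].user, user) == 0) {
            memmove(&cache[i], &cache[i + 1], sizeof cache[0] * (size_t)(cache_count - i - 1));
            cache_count--;
            break;
        }
    if (cache_count < CACHE_SIZE) cache_count++;
    memmove(&cache[1], &cache[0], sizeof cache[0] * (size_t)(cache_count - 1));
    snprintf(cache[0].user, MAX_NAME, "%s", user);
    snprintf(cache[0].password, MAX_NAME, "%s", password);
}

/* Scan the database line by line; the first line naming the user decides. */
static int file_lookup(const char *db, const char *user, const char *password)
{
    for (const char *line = db; *line; ) {
        const char *nl = strchr(line, '\n');
        size_t len = nl ? (size_t)(nl - line) : strlen(line);
        const char *colon = memchr(line, ':', len);
        if (len > 0 && line[0] != '#' && colon) {
            size_t ulen = (size_t)(colon - line);
            if (ulen == strlen(user) && memcmp(line, user, ulen) == 0)
                return ct_equal(colon + 1, len - ulen - 1, password, strlen(password));
        }
        if (!nl) break;
        line = nl + 1;
    }
    return 0;
}

/* One authentication request: cache first, then the file. Only a successful file
 * lookup populates the cache, so failed attempts cannot fill it. 1 = accept, 0 = deny. */
int authfilt_authenticate(const char *user, const char *password)
{
    if (strlen(user) >= MAX_NAME || strlen(password) >= MAX_NAME) return 0;
    if (cache_lookup(user, password)) { cache_hits++; return 1; }
    file_lookups++;
    if (!file_lookup(USERDB, user, password)) return 0;
    cache_insert(user, password);
    return 1;
}

unsigned long authfilt_cache_hits(void)   { return cache_hits; }
unsigned long authfilt_file_lookups(void) { return file_lookups; }
int authfilt_cache_count(void)            { return cache_count; }
const char *authfilt_cache_front(void)    { return cache_count ? cache[0].user : ""; }
void authfilt_reset(void)                 { cache_count = 0; cache_hits = 0; file_lookups = 0; }
```

Calling `authfilt_authenticate("alice", "correct horse")` twice costs one file lookup and one cache hit; a third call with a wrong password is a cache miss that goes back to the file and is denied without touching the cache, and authenticating a third user with `CACHE_SIZE` set to 2 evicts whichever entry was used least recently. In the real filter the function would be driven from the SF_NOTIFY_AUTHENTICATION handler, using the user and password fields of the HTTP_FILTER_AUTHENT structure in place of the string arguments.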
- Run REGEDT32.EXE and modify the server's registry as follows: select the Filter DLLs value under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W3SVC\Parameters and add the local path of authfilt.dll, usually C:\WinNT\System32\InetSrv\authfilt.dll. Filter entries are separated by commas, and their order matters: if other authentication filters have the same priority, the first one listed receives the authentication request.
- Copy the authfilt.dll file to the directory you specified in the registry.
- Make sure the System account has execute rights on the filter DLL file.
- Edit the userdb.txt file so it contains valid users and passwords. The format of the file is:
- Copy the userdb.txt file to the directory you specified in the authfilt.h header file for the user database.
- Make sure the System account has read rights on the userdb.txt file.
- Restart the WWW service.
Last updated: 31 October 1998