Friday, 15 August 2008

Prevent users from viewing Application Pages

As part of a security hardening measure, we have been asked to stop users from browsing directly to default application pages such as /Forms/Allitems.aspx, /_layouts/mcontent.aspx and Userdisp.aspx.
I have heard about the ViewFormPagesLockDown feature, but I have also heard that it has some issues, so I decided to do this with a custom HTTP module instead.
To keep the module configurable rather than hard-coding the URLs, I put the list of pages and the destination page in the <appSettings> node of web.config; requests for the listed pages are redirected to the configured destination page.
The code for the HTTP module goes like this:

******************************************************************
// Description:
// This HTTP module redirects the application pages to the destination page defined in the <appSettings> node of web.config.
//
// Implementation (element names in web.config are case-sensitive):
//<httpModules>
//<add name="ReRoutePages" type="muki.ReRouteAppPages, ForceSSL,Version=1.0.0.0, Culture=neutral,PublicKeyToken=XXXXX" />
//</httpModules>
//<appSettings>
//<add key ="ApplicationPages" value="/Forms/AllItems.aspx,/_layouts/settings.aspx"/>
//<add key ="AdminPagesReRoutedURL" value ="http://servername/Pages/DontSeethosePages.aspx"/>
//</appSettings>

*******Code begins***********************
using System;
using System.Configuration;
using System.Diagnostics;
using System.Web;

namespace muki
{
// Public so the ASP.NET runtime can instantiate it from the GAC.
public class ReRouteAppPages : IHttpModule
{
#region IHttpModule Members

public void Dispose()
{
// Nothing to release. Throwing here (as in NotImplementedException) would fault the application on shutdown.
}

public void Init(HttpApplication context)
{
context.BeginRequest += new EventHandler(context_BeginRequest);
}

#endregion

void context_BeginRequest(object sender, EventArgs e)
{
// Match on the path only. Using PathAndQuery would let a query-string
// parameter such as ?Source=/Forms/AllItems.aspx trigger the redirect.
ReRoutePages(HttpContext.Current.Request.Url.AbsolutePath);
}

public void ReRoutePages(string pageURL)
{
// Check whether the current page is in the group of pages requiring re-routing;
// if it is, redirect to the destination page configured in web.config.
try
{
string appPages = ConfigurationManager.AppSettings["ApplicationPages"];
string destURL = ConfigurationManager.AppSettings["AdminPagesReRoutedURL"];
if (string.IsNullOrEmpty(appPages) || string.IsNullOrEmpty(destURL))
{
return; // Not configured: leave the request alone instead of failing every request.
}

// Never re-route the destination page itself, otherwise the redirect loops.
Uri destUri = new Uri(HttpContext.Current.Request.Url, destURL);
if (string.Equals(pageURL, destUri.AbsolutePath, StringComparison.OrdinalIgnoreCase))
{
return;
}

bool found = false;
string[] pages = appPages.Split(new char[] { ',' }, StringSplitOptions.RemoveEmptyEntries);
for (int i = 0; i < pages.Length; i++)
{
// Case-insensitive substring match on the configured entries (a blocklist: only listed pages are caught).
if (pageURL.ToLowerInvariant().Contains(pages[i].Trim().ToLowerInvariant()))
{
found = true;
break;
}
}
if (found)
{
// Redirect without ending the thread (Redirect(url, true) throws ThreadAbortException,
// which the catch below would otherwise swallow), then finish the pipeline.
HttpContext.Current.Response.Redirect(destURL, false);
HttpContext.Current.ApplicationInstance.CompleteRequest();
}
}
catch (Exception ex)
{
// Log the detail; never echo exception text (InnerException may also be null) to the client.
Trace.TraceError("ReRouteAppPages failed for {0}: {1}", pageURL, ex);
HttpContext.Current.Response.Write("An error has occurred in re-routing application pages.");
}
}
}
}

******************************************************************

1. Strong-name the assembly and install it in the GAC.
2. Add the <httpModules> and <appSettings> entries shown in the implementation comment above.
3. Perform an IISReset.

We are done, right? One caveat: this is a URL blocklist, so it only hides the pages you list. List views, for example, live at /Lists/<listname>/AllItems.aspx rather than under /Forms/, so an entry of /Forms/AllItems.aspx covers document libraries only; and hiding a page does not change what the user is permitted to do through the object model or the web services.

Wednesday, 6 August 2008

Restrict access to MOSS Web Services

As part of a security measure, we need to block access to the MOSS web services.
Every MOSS developer knows how to reach the exposed web services of MOSS, for example
http://servername/_vti_bin/Lists.asmx
This opens the web service description with all of its available methods.

To restrict this, we can add an entry to the web.config file of the site collection's web application.

Add the following block

<location path="_vti_bin">
<system.web>
<authorization>
<allow users="mossserver\Myuser" />
<deny users="*" />
</authorization>
</system.web>
</location>

It's blocked! Right?

*** But beware: if you deny the web services to all users you cannot open the site in SharePoint Designer, which talks to the server through _vti_bin, and the same goes for Office client features that use /_vti_bin/owssvr.dll (Export to Spreadsheet, for example) and for the search crawler, which reads content through /_vti_bin/sitedata.asmx. So allow at least one account (and the crawl account) access to the web services. ***

Restrict Access to MOSS Customizations

If we need to make sure that a user is logged in before accessing our customizations in MOSS, and redirected back after login, there is an inbuilt way:

Microsoft.SharePoint.Utilities.SPUtility.EnsureAuthentication();

This redirects unauthenticated users to the login screen (and back afterwards) and shows the access denied screen where applicable.

It's that simple.

Friday, 25 July 2008

Enable SSL for selected Pages in MOSS

An article on automatically switching between HTTP and HTTPS protocols without hard-coding absolute URLs

I came across a change request from a client who wants SSL enabled on selected pages of a MOSS site collection. We all know how to create an SSL-enabled web application from scratch, but this requirement is different: the client must be able to enable SSL on pages of his choice, so the page list has to be configurable, and session state has to be maintained while switching between HTTP and HTTPS. MOSS does support keeping session state across such a switch. I followed the steps below to achieve this.
One caveat worth stating up front: session state can only survive the switch because the ASP.NET session cookie is not marked Secure, so that cookie is also sent in clear text with every request for the non-SSL pages. The module protects the content of the listed pages; it does not protect the session itself.
1) Wrote a custom HTTP module which redirects HTTP to HTTPS for the selected pages, and back to HTTP for every other page.

2) The page list is read from the web.config file.
****** Source code for HTTP module************************
using System;
using System.Configuration;
using System.Web;

namespace muki.ForceSSL
{
public class ForceSSL : IHttpModule
{
#region IHttpModule Members

public void Dispose()
{
// Nothing to release. Throwing here would fault the application on shutdown.
}

public void Init(HttpApplication context)
{
context.BeginRequest += new EventHandler(context_BeginRequest);
}

#endregion

void context_BeginRequest(object sender, EventArgs e)
{
// Match on the path only; PathAndQuery would let a ?Source= parameter decide the scheme.
RedirectSSL(HttpContext.Current.Request.Url.AbsolutePath);
}

public void RedirectSSL(string pageURL)
{
// Check whether the current page is in the group of pages requiring SSL;
// if it is, redirect to https://, otherwise redirect back to http://.
string sslPages = ConfigurationManager.AppSettings["SSLPages"];
if (string.IsNullOrEmpty(sslPages))
{
return; // Not configured: leave the request alone.
}

bool found = false;
string[] pages = sslPages.Split(new char[] { ',' }, StringSplitOptions.RemoveEmptyEntries);
for (int i = 0; i < pages.Length; i++)
{
// Case-insensitive substring match on the configured entries.
if (pageURL.ToLowerInvariant().Contains(pages[i].Trim().ToLowerInvariant()))
{
found = true;
break;
}
}

Uri current = HttpContext.Current.Request.Url;
bool isHttps = string.Equals(current.Scheme, Uri.UriSchemeHttps, StringComparison.OrdinalIgnoreCase);
if (found == isHttps)
{
return; // Already on the right scheme.
}

// Rebuild only the scheme and port. Replace("http://", "https://") on the whole URL would also
// rewrite an absolute URL carried in the query string (e.g. ?Source=http://servername/...).
UriBuilder target = new UriBuilder(current);
target.Scheme = found ? Uri.UriSchemeHttps : Uri.UriSchemeHttp;
target.Port = -1; // Default port for the scheme (443 / 80); set explicitly if IIS listens elsewhere.
HttpContext.Current.Response.Redirect(target.Uri.AbsoluteUri, false);
HttpContext.Current.ApplicationInstance.CompleteRequest();
}
}
}
**********************************Source code for HTTP module ends**************
3) Sign this assembly and install it in the GAC.

4) Add this line to the <httpModules> section (element names are case-sensitive), and make sure it is the first entry so it runs before the other modules:
<add name="ForceSSL" type="muki.ForceSSL.ForceSSL, ForceSSL,Version=1.0.0.0, Culture=neutral,PublicKeyToken=xxxxxxxx" />
Add a key to <appSettings> in web.config like this:
<add key="SSLPages" value="/SitesWithSSL/Pages/SSL1.html,/subsite/Pages/SSL1.aspx" />
We can add as many pages as we need here; all of them will be served over SSL.

5) Now go to IIS --> the web application that needs SSL enabled for selected pages.

6) Navigate to Properties --> Directory Security --> Secure Communications --> Server Certificate --> assign the existing certificate.
More details on SSL enabling

7) Assign port 443 for SSL. (We can choose any port, but note that only 443 and 80 can be omitted from the URL; with any other port the module has to put the port into the redirect URL explicitly.)

8) Make sure that under Directory Security --> Secure Communications --> Edit, "Require secure channel (SSL)" is NOT selected, otherwise the non-SSL pages cannot be served at all.

9) Now go back to Central Administration --> Operations --> Alternate Access Mappings.

10) Add the new URL via the internal URLs link:
https://servername//.

11) Perform an IISReset, then browse the application.
The selected pages (as listed in web.config) are served over SSL and the rest over plain HTTP.

Cheers! We are done.
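Both modules above (the application-page re-router and ForceSSL) decide what to do with a lower-cased Contains() test on Request.Url.PathAndQuery, and ForceSSL swaps the scheme with a string Replace on the whole URL. The following is an added example, written for this page and not code from either post; it is in Python so that it runs stand-alone, and the same logic maps onto the C# modules through Request.Url.AbsolutePath and UriBuilder. It reproduces the substring test, then shows a matcher that canonicalises the path (query stripped, percent-decoded, duplicate slashes and dot segments collapsed, matching only at segment boundaries) and a redirect-target builder that changes only the scheme and port, which also covers the non-default-port case mentioned in step 7. The page lists, request paths and host names are constructed sample input; whether a given path variant survives IIS and System.Uri canonicalisation before a module sees it must be tested on the target, the point being that the matcher should not depend on it.

```python
"""Canonicalising page matcher and scheme-switching redirect target.

Added example for the two MOSS HTTP modules discussed above; not code from
the original posts.  All page lists, paths and host names are constructed.
"""
import posixpath
from urllib.parse import unquote, urlsplit, urlunsplit

# Constructed lists in the same shape as the web.config appSettings values.
APP_PAGES = ["/Forms/AllItems.aspx", "/_layouts/settings.aspx", "Userdisp.aspx"]
SSL_PAGES = ["/subsite/Pages/SSL1.aspx"]


def naive_contains_match(path_and_query, pages):
    """The test both modules use: lower-cased substring search on PathAndQuery."""
    p = path_and_query.lower()
    return any(page.lower() in p for page in pages)


def canonical_path(path_and_query):
    """Drop the query, percent-decode, collapse '//', './' and '../', lower-case.

    A decoded '%2F' is treated as a separator, which is the conservative
    choice for a blocklist.
    """
    raw = unquote(urlsplit(path_and_query).path)
    path = posixpath.normpath("/" + raw.lstrip("/"))   # absolute; collapses //, ./, ../
    return ("/" + path.lstrip("/")).lower()             # normpath keeps a leading '//'


def canonical_match(path_and_query, pages):
    """Match on the canonical path only, and only at segment boundaries.

    A pattern starting with '/' must equal the path or be a suffix that
    begins at a '/' (so /Forms/AllItems.aspx matches every library);
    a bare file name (Userdisp.aspx) must equal the last segment.
    """
    path = canonical_path(path_and_query)
    for page in pages:
        page = page.lower()
        if page.startswith("/"):
            if path == page or path.endswith(page):
                return True
        elif posixpath.basename(path) == page:
            return True
    return False


def switch_scheme(url, to_https, https_port=443, http_port=80):
    """Rebuild an absolute URL with the other scheme, touching only scheme and port.

    Unlike url.replace("http://", "https://"), the path and query are left
    alone, so an absolute URL carried in ?Source= is not rewritten as well.
    """
    parts = urlsplit(url)
    if parts.hostname is None:
        raise ValueError("absolute URL required: %r" % url)
    host = parts.hostname
    if ":" in host:                      # IPv6 literal needs its brackets back
        host = "[%s]" % host
    scheme, port, default = ("https", https_port, 443) if to_https else ("http", http_port, 80)
    netloc = host if port == default else "%s:%d" % (host, port)
    return urlunsplit((scheme, netloc, parts.path, parts.query, parts.fragment))


def force_ssl_target(url, ssl_pages=SSL_PAGES, https_port=443, http_port=80):
    """Return the redirect target the ForceSSL rule implies, or None if none is needed."""
    parts = urlsplit(url)
    wants_ssl = canonical_match(parts.path, ssl_pages)
    is_ssl = parts.scheme.lower() == "https"
    if wants_ssl == is_ssl:
        return None
    return switch_scheme(url, wants_ssl, https_port, http_port)


if __name__ == "__main__":
    # Constructed request paths: the naive test redirects an innocent page because of
    # its query string, misses a percent-encoded name, and misses list views.
    for req in ["/Shared Documents/Forms/AllItems.aspx",
                "/Pages/default.aspx?Source=/Forms/AllItems.aspx",
                "/_layouts/%73ettings.aspx",
                "/Lists/Tasks/AllItems.aspx"]:
        print("%-50s naive=%-5s canonical=%s" % (
            req, naive_contains_match(req, APP_PAGES), canonical_match(req, APP_PAGES)))
    # Non-default ports: only scheme and port change, the ?Source= value is untouched.
    print(force_ssl_target("http://portal:8080/subsite/Pages/SSL1.aspx?Source=http://portal:8080/",
                           https_port=8443, http_port=8080))
```

Adding a bare "AllItems.aspx" entry to the list makes canonical_match cover list views under /Lists/ as well as library views under /Forms/; the naive test cannot express that without also matching every path that merely mentions the name.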