ISAPI Filter for authentication

classic Classic list List threaded Threaded
4 messages Options
Reply | Threaded
Open this post in threaded view
|

ISAPI Filter for authentication

Randy Syring-2
I'm trying to write what I hope is a simple ISAPI filter to require HTTP Auth for a current website but allow Google and other search engines access to the content.  I'm aware of the basics for getting an ISAPI filter registered with IIS:

http://docs.activestate.com/activepython/2.7/pywin32/html/isapi/doc/isapi.html

and I have an example that I think will help in C++:

http://support.zeus.com/zws/examples/2005/12/16/basic_authentication_isapi_filter

My problems are:
  • I am unclear on how the IIS data structures come through in python.  The ISAPI filter examples in the isapi folder indicate a single "fc" parameter, but the C++ example shows three parameters.
  • I don't know where to get the HTTP headers of the current request so that I can examine the user agent
  • I don't know how to trigger basic auth so that IIS handles it and requests auth from the browser

I'll keep digging, but if someone has example code or pointers for me, I'd appreciate the leg up.

Thanks.

---------------------------------------------
Randy Syring
Development & Executive Director
Level 12 Technologies (formerly Intelicom)
Direct: 502-276-0459
Office: 502-212-9913

Intelicom is now Level 12 Technologies, learn more about our name change.
Please update your address book with my new email address.

Principled People, Technology that Works

_______________________________________________
python-win32 mailing list
[hidden email]
http://mail.python.org/mailman/listinfo/python-win32
Reply | Threaded
Open this post in threaded view
|

Re: ISAPI Filter for authentication

Tim Roberts
Randy Syring wrote:
> I'm trying to write what I hope is a simple ISAPI filter to require
> HTTP Auth for a current website but allow Google and other search
> engines access to the content.  I'm aware of the basics for getting an
> ISAPI filter registered with IIS:

Please excuse me for the side trip, but I'm confused by your
requirement.  If you are willing to allow the general public to access
your information via Google, then what's the point of the HTTP Auth?  If
you have some information that is public and some that is available only
after login, then why wouldn't you just put a "login" button on your web
page?  That is equally as secure as HTTP Auth, and you are in full
control of the process.

--
Tim Roberts, [hidden email]
Providenza & Boekelheide, Inc.

_______________________________________________
python-win32 mailing list
[hidden email]
http://mail.python.org/mailman/listinfo/python-win32
Reply | Threaded
Open this post in threaded view
|

Re: ISAPI Filter for authentication

Kris Hardy
Randy Syring wrote:
> I'm trying to write what I hope is a simple ISAPI filter to require
> HTTP Auth for a current website but allow Google and other search
> engines access to the content.  I'm aware of the basics for getting an
> ISAPI filter registered with IIS:

As an additional note from someone that has been doing SEO for quite a
while, doing filtering based on the User-Agent (or most any other
method, for that matter) will severely hurt your search engine
rankings, and can potentially get your pages removed from the index
entirely.  I would recommend *against* doing this, and instead think
about what your objective is and how you can meet your objective while
delivering the same experience to both your users and the search
engines.
_______________________________________________
python-win32 mailing list
[hidden email]
http://mail.python.org/mailman/listinfo/python-win32
Reply | Threaded
Open this post in threaded view
|

Re: ISAPI Filter for authentication

Randy Syring-2
On 01/26/2012 01:02 PM, Tim Roberts wrote:
Please excuse me for the side trip, but I'm confused by your requirement. If you are willing to allow the general public to access your information via Google, then what's the point of the HTTP Auth? If you have some information that is public and some that is available only after login, then why wouldn't you just put a "login" button on your web page? That is equally as secure as HTTP Auth, and you are in full control of the process.

The customer was only concerned about "most people" needing a password.  If some got access through google cache, that was fine.  Furthermore, the site was mostly static content and I didn't want to rebuild it, hence my attempt to use an ISAPI filter to control access without needing to re-write the app itself.

On 01/26/2012 01:25 PM, Kris Hardy wrote:
As an additional note from someone that has been doing SEO for quite a while, doing filtering based on the User-Agent (or most any other method, for that matter) will severely hurt your search engine rankings, and can potentially get your pages removed from the index entirely.  I would recommend *against* doing this, and instead think about what your objective is and how you can meet your objective while delivering the same experience to both your users and the search engines.
I decided to head a different route for this very reason, thanks.
---------------------------------------------
Randy Syring
Development & Executive Director
Level 12 Technologies (formerly Intelicom)
Direct: 502-276-0459
Office: 502-212-9913

Intelicom is now Level 12 Technologies, learn more about our name change.
Please update your address book with my new email address.

Principled People, Technology that Works


_______________________________________________
python-win32 mailing list
[hidden email]
http://mail.python.org/mailman/listinfo/python-win32