Should I deploy Glimpse to the production site?

前端 未结 3 1604
鱼传尺愫
鱼传尺愫 2021-01-29 21:42

I recently added the Glimpse Debugger package to my project. This added a reference to the Glimpse dll, and modified some Web.Config.

I like my project as much the same

3条回答
  •  被撕碎了的回忆
    2021-01-29 22:25

    I believe if the cookie for Glimpse is not found it doesn't load or do anything so performance should be negligible. Security wise you can just set a user restriction in the web.config for the location of the glimpse path.

    
        
            
                
                
            
        
    
    

    Or if there is an administrator role you could do it by role instead of user name.

    You can also switch it off if you don't want to rely on just the presence of the cookie. This easily achieved through web.config transforms, I haven't tested the markup yet but something like this should work.

    
    
    

    UPDATE: Glimpse has seen some changes recently and (since 1.0 I believe?) the transform would now look as follows. Trying to set the enabled attribute will give a configuration error in the most recent version of Glimpse.

    
    
    

    As the documentation puts it...

    Glimpse will never be allowed to do more with a Http response than is specified in DefaultRuntimePolicy.

    It should be noted that the only purpose this transform serves, is if you want to remove the ability to use Glimpse as part of your deployment process. If you want to conditionally disable it based on other criteria such as remote requests or authorization check, these are better done via policies. Glimpse operates off of a series of policies now (all based off of IRuntimePolicy), designed to help determine when glimpse should be allowed to do it's thing. In fact once Glimpse is installed, if you navigate to glimpse.axd, at the bottom of that page, you'll see a list of policies that are currently enabled. Such as the LocalPolicy that prevents it from being accessed by remote requests (configurably, any policy can be ignored via the web.config to allow remote requests) http://getglimpse.com/Help/Configuration. They also have a sample class called GlimpseSecurityPolicy that is included when you install Glimpse using Nuget, which you can use to add a authorization restrictions.

    public class GlimpseSecurityPolicy:IRuntimePolicy
    {
        public RuntimePolicy Execute(IRuntimePolicyContext policyContext)
        {
            // You can perform a check like the one below to control Glimpse's permissions within your application.
            // More information about RuntimePolicies can be found at http://getglimpse.com/Help/Custom-Runtime-Policy
            var httpContext = policyContext.GetHttpContext();
            if (httpContext.User != null && !httpContext.User.IsInRole("Glimpse")) //Once glimpse is turned on, you have to be a member of this Role to see the Glimpse Panel.
            {
                return RuntimePolicy.Off;
            }
    
            return RuntimePolicy.On;
        }
    
        public RuntimeEvent ExecuteOn
        {
            get { return RuntimeEvent.EndRequest; }
        }
    }
    

    Now the policies are used to determine when glimpse should run, but they don't prevent the user from being able to bring up the glimpse.axd page. The cookie can still be enabled from what from what I can tell, but the cookie is meaningless if glimpse refuses to run in spite of the cookie being present. That being said It's still advisable to wrap the glimpse.axd page in an authorization check using the location tag in your web.config. Note that this is in addition to the GlimpseSecurityPolicy above.

    
      
        
          
          
        
      
    
    

提交回复
热议问题