diff --git a/aspnetcore/release-notes/aspnetcore-10.0.md b/aspnetcore/release-notes/aspnetcore-10.0.md index b18926db30ad..183dd08b85c5 100644 --- a/aspnetcore/release-notes/aspnetcore-10.0.md +++ b/aspnetcore/release-notes/aspnetcore-10.0.md @@ -13,7 +13,6 @@ This article highlights the most significant changes in ASP.NET Core in .NET 10 This article will be updated as new preview releases are made available. For breaking changes, see [Breaking changes in .NET](/dotnet/core/compatibility/breaking-changes). - ## Blazor @@ -90,8 +89,9 @@ For more information, see [ASP.NET Core Authorization and Authentication metrics This section describes miscellaneous new features in .NET 10. -[!INCLUDE[](~/release-notes/aspnetcore-10/includes/testAppsTopLevel.md)] +[!INCLUDE[](~/release-notes/aspnetcore-10/includes/httpsys.md)] +[!INCLUDE[](~/release-notes/aspnetcore-10/includes/testAppsTopLevel.md)] [!INCLUDE[](~/release-notes/aspnetcore-10/includes/jsonPatch.md)] @@ -116,3 +116,5 @@ if (RedirectHttpResult.IsLocalUrl(url)) Thank you [@martincostello](https://github.com/martincostello) for this contribution! ## Related content + + diff --git a/aspnetcore/release-notes/aspnetcore-10/includes/httpsys.md b/aspnetcore/release-notes/aspnetcore-10/includes/httpsys.md new file mode 100644 index 000000000000..2f684863509a --- /dev/null +++ b/aspnetcore/release-notes/aspnetcore-10/includes/httpsys.md @@ -0,0 +1,17 @@ +### Customizable security descriptors for HTTP.sys + + +You can now specify a custom security descriptor for HTTP.sys request queues. The new [RequestQueueSecurityDescriptor](https://source.dot.net/#Microsoft.AspNetCore.Server.HttpSys/HttpSysOptions.cs,a556950881fd2d87) property on enables more granular control over access rights for the request queue. This granular control lets you tailor security to your application's needs. + +#### What you can do with the new property + +A *request queue* in HTTP.sys is a kernel-level structure that temporarily stores incoming HTTP requests until your application is ready to process them. By customizing the security descriptor, you can allow or deny specific users or groups access to the request queue. This is useful in scenarios where you want to restrict or delegate HTTP.sys request handling at the operating system level. + +#### How to use the new property + +The `RequestQueueSecurityDescriptor` property applies only when creating a new request queue. The property doesn't affect existing request queues. To use this property, set it to a instance when configuring your HTTP.sys server. + +For example, the following code allows all authenticated users but denies guests: +[!code-csharp[](~/release-notes/aspnetcore-10/samples/HttpSysConfig/Program.cs)] + +For more information, see . diff --git a/aspnetcore/release-notes/aspnetcore-10/samples/HttpSysConfig/Program.cs b/aspnetcore/release-notes/aspnetcore-10/samples/HttpSysConfig/Program.cs new file mode 100644 index 000000000000..28cedb07ca94 --- /dev/null +++ b/aspnetcore/release-notes/aspnetcore-10/samples/HttpSysConfig/Program.cs @@ -0,0 +1,33 @@ +using System.Security.AccessControl; +using System.Security.Principal; +using Microsoft.AspNetCore.Server.HttpSys; + +// Create a new security descriptor +var securityDescriptor = new CommonSecurityDescriptor(isContainer: false, isDS: false, sddlForm: string.Empty); + +// Create a discretionary access control list (DACL) +var dacl = new DiscretionaryAcl(isContainer: false, isDS: false, capacity: 2); +dacl.AddAccess( + AccessControlType.Allow, + new SecurityIdentifier(WellKnownSidType.BuiltinUsersSid, null), + -1, + InheritanceFlags.None, + PropagationFlags.None +); +dacl.AddAccess( + AccessControlType.Deny, + new SecurityIdentifier(WellKnownSidType.BuiltinGuestsSid, null), + -1, + InheritanceFlags.None, + PropagationFlags.None +); + +// Assign the DACL to the security descriptor +securityDescriptor.DiscretionaryAcl = dacl; + +// Configure HTTP.sys options +var builder = WebApplication.CreateBuilder(); +builder.WebHost.UseHttpSys(options => +{ + options.RequestQueueSecurityDescriptor = securityDescriptor; +});