tags:

views:

743

answers:

2
Q: 

Limit access of asmx web service to specific IP addresses

I need to limit access of an .asmx web service to specific IP addresses. I figure I could add a hardcoded check into each method, but that seems like a code maintenance nightmare. Is there a web configuration entry I can make, or a IIS 6 setting I can apply to the .asmx file?

A: 

Add a custom section to your web.config, and then query that section for the whitelist of IP addresses.

Moose  2009-07-02 17:20:41
I have a configuration storage section, but again, I don't want to have to write IP check logic on each method. I'm looking for something more elegant. IIS setting, or something like FormsAuthentication, but just for this one file to be limited to the IPs I want.
 2009-07-02 17:29:45
I added the IIS way in another answer, but I'll stick with this one.. It keeps your whitelist in web.config where more of your site configuration is, and allows you to be more flexible if you want something fancier than whitelist or blacklist. I think this would be the more elegant solution. Also, the IIS metadata route could get lost if someone changes something down the tree and overwrites it.
Moose  2009-07-02 18:49:26
The problem is the code in each of the web service calls that gets bad to maintain and kept in all future additions to the .asmx file by other developers (which, undoubtedly, will forget). The Whitelist in IIS is the best way to keep it simple, so if changes do happen, a whole new codeset doesn't need to be sent thru QA (expensive process in terms of time and resources) and then redeployed (not quite as expensive as QA, but still wastes people's time). So the quickie thing to do is keep them in the IIS 6 whitelist. :)
 2009-07-02 18:58:51
I could argue the other way that the IIS method gets worse to maintain and could be forgotten in a migration to a new machine.It all boils down to if the IIS whitelist works for you and what's easier to maintain. Glad I could help, in any case!
Moose  2009-07-02 23:00:27
+2  A: 

In IIS 6.0 Manager, right click on the .asmx file.

Go to the File Security tab, and Click the Edit button in the IP Address and domain name restrictions.

Click the 'Denied Access' radio button, then add your whitelisted ip addresses to the list.

Moose  2009-07-02 18:43:56

related questions

Displaying Version Information in a Web Service
Example Web Service
SoapException: Root element is missing occurs when .NET web service called from Flex
Best practice for webservices
What is your preferred method of sending complex data over a web service?
.Net - Returning DataTables in WCF
Is it possible to return objects from a WebService?
How much extra overhead is generated when sending a file over a web service as a byte array?
Returning Large Results Via a Webservice
File Uploads via Web Services
best way to persist data in .NET Web Service
What is the difference between an endpoint, a service, and a port when working with webservices?
Calling REST web services from a classic asp page
Best way to write a RESTful service "client" in .Net?
Where can I find some good WS-Security introductions and tutorials?
ASP.NET Web Service Results, Proxy Classes and Type Conversion
Web Services -- WCF vs. Standard
C# WCF Service - Backward compatibility issue
Document or RPC based web services
How to easily consume a web service from PHP
Timer-based event triggers
How to pass enumerated values to a web service
Homegrown consumption of web services
How do I print an HTML document from a web service?
How do I fill a DataSet or a DataTable from a LINQ query resultset ?