I need to limit access of an .asmx web service to specific IP addresses. I figure I could add a hardcoded check into each method, but that seems like a code maintenance nightmare. Is there a web configuration entry I can make, or an IIS 6 setting I can apply to the .asmx file?

A: 

Add a custom section to your web.config, and then query that section for the whitelist of IP addresses.

Moose
I have a configuration storage section, but again, I don't want to have to write IP check logic on each method. I'm looking for something more elegant. IIS setting, or something like FormsAuthentication, but just for this one file to be limited to the IPs I want.
I added the IIS way in another answer, but I'll stick with this one. It keeps your whitelist in web.config where more of your site configuration is, and allows you to be more flexible if you want something fancier than whitelist or blacklist. I think this would be the more elegant solution. Also, the IIS metadata route could get lost if someone changes something down the tree and overwrites it.
Moose
The problem is the code in each of the web service calls that gets bad to maintain and kept in all future additions to the .asmx file by other developers (which, undoubtedly, will forget). The Whitelist in IIS is the best way to keep it simple, so if changes do happen, a whole new codeset doesn't need to be sent through QA (expensive process in terms of time and resources) and then redeployed (not quite as expensive as QA, but still wastes people's time). So the quickie thing to do is keep them in the IIS 6 whitelist. :)
I could argue the other way that the IIS method gets worse to maintain and could be forgotten in a migration to a new machine. It all boils down to if the IIS whitelist works for you and what's easier to maintain. Glad I could help, in any case!
Moose
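One way to keep the whitelist in web.config, as this answer suggests, while enforcing it once for every .asmx request rather than inside each web method. This is an added example, not code from the answer or its comments. The module name `AsmxIpFilterModule`, the `AsmxAllowedIPs` key and the sample addresses are assumptions, and it reads `appSettings` instead of a custom section to stay short.

```csharp
using System;
using System.Collections.Generic;
using System.Configuration;
using System.Net;
using System.Web;

// Assumed web.config entries (hypothetical key, constructed addresses; class in App_Code):
//   <appSettings><add key="AsmxAllowedIPs" value="203.0.113.10;203.0.113.11" /></appSettings>
//   <system.web><httpModules><add name="AsmxIpFilter" type="AsmxIpFilterModule" /></httpModules></system.web>
public class AsmxIpFilterModule : IHttpModule
{
    private HashSet<IPAddress> allowed;   // HashSet needs .NET 3.5 or later

    public void Init(HttpApplication app)
    {
        allowed = ParseList(ConfigurationManager.AppSettings["AsmxAllowedIPs"]);
        app.BeginRequest += OnBeginRequest;
    }

    // A missing or empty setting yields an empty set, so the filter fails closed.
    private static HashSet<IPAddress> ParseList(string raw)
    {
        var set = new HashSet<IPAddress>();
        foreach (string item in (raw ?? "").Split(new[] { ';' }, StringSplitOptions.RemoveEmptyEntries))
        {
            IPAddress ip;
            if (IPAddress.TryParse(item.Trim(), out ip)) set.Add(ip);
        }
        return set;
    }

    private void OnBeginRequest(object sender, EventArgs e)
    {
        HttpContext ctx = ((HttpApplication)sender).Context;
        // FilePath excludes PathInfo, so /Service.asmx/Method is matched as well.
        if (!ctx.Request.FilePath.EndsWith(".asmx", StringComparison.OrdinalIgnoreCase)) return;

        // UserHostAddress is the TCP peer; behind a proxy it is the proxy's address.
        IPAddress client;
        if (IPAddress.TryParse(ctx.Request.UserHostAddress, out client) && allowed.Contains(client))
            return;

        ctx.Response.StatusCode = 403;              // caller is not on the whitelist
        ctx.ApplicationInstance.CompleteRequest();  // skip the handler, go to EndRequest
    }

    public void Dispose() { }
}
```

Because the check runs in the request pipeline, web methods added to the .asmx file later are covered without any per-method code.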
+2  A: 

In IIS 6.0 Manager, right click on the .asmx file.

Go to the File Security tab, and click the Edit button in the IP Address and domain name restrictions.

Click the 'Denied Access' radio button, then add your whitelisted IP addresses to the list.

Moose