Web Services


Code that calls Web services must be granted the WebPermission by code access security policy. The WebPermission constrains access to any HTTP-based Internet resource, not only Web services.

Constraining Web Service Connections

To restrict the Web services that your code can access, use the WebPermissionAttribute together with SecurityAction.PermitOnly. For example, the following code ensures that the PlaceOrder method and any methods it calls can only invoke Web services on the http://somehost site.

 using System.Net;
 using System.Security.Permissions;
 using System.Xml;

 [WebPermissionAttribute(SecurityAction.PermitOnly,
                         ConnectPattern=@"http://somehost/.*")]
 [EnvironmentPermissionAttribute(SecurityAction.PermitOnly, Read="USERNAME")]
 public static void PlaceOrder(XmlDocument order)
 {
   PurchaseService.Order svc = new PurchaseService.Order();
   // Web service uses Windows authentication
   svc.Credentials = System.Net.CredentialCache.DefaultCredentials;
   svc.PlaceOrder(order);
 }

In the prior example, the ConnectPattern property of the WebPermissionAttribute class is used. This allows you to supply a regular expression that matches the range of addresses to which a connection can be established. The EnvironmentPermissionAttribute shown previously is required because the code uses Windows authentication and default credentials.

The following example shows how to use the Connect attribute to restrict connections to a specific Web service.

 [WebPermissionAttribute(SecurityAction.PermitOnly,
                         Connect=@"http://somehost/order.asmx")]
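One way to confirm that the restriction behaves as intended, as an added example that is not code from the book: the harness below applies the same ConnectPattern with PermitOnly and then demands Connect access for two constructed URLs, without sending any request. The class and method names and the otherhost URL are hypothetical, and it assumes the .NET Framework, where code access security stack modifiers are enforced.

```csharp
using System;
using System.Net;
using System.Runtime.CompilerServices;
using System.Security;
using System.Security.Permissions;

public static class ConnectRestrictionCheck   // hypothetical name
{
    // Demands Connect access to a single URL. The stack walk begins at the
    // caller of this method, so the caller's PermitOnly is evaluated.
    [MethodImpl(MethodImplOptions.NoInlining)]
    static bool CanConnect(string url)
    {
        try
        {
            new WebPermission(NetworkAccess.Connect, url).Demand();
            return true;
        }
        catch (SecurityException)
        {
            return false;
        }
    }

    // Same restriction as PlaceOrder: only URLs matching the pattern
    // may be connected to from this method and the methods it calls.
    [WebPermissionAttribute(SecurityAction.PermitOnly,
                            ConnectPattern = @"http://somehost/.*")]
    static bool[] CheckUnderRestriction(string[] urls)
    {
        bool[] results = new bool[urls.Length];
        for (int i = 0; i < urls.Length; i++)
            results[i] = CanConnect(urls[i]);
        return results;   // PermitOnly ends when this frame returns
    }

    public static void Main()
    {
        // Constructed sample URLs; nothing is sent over the network.
        string[] urls = {
            "http://somehost/order.asmx",
            "http://otherhost/order.asmx"
        };
        bool[] allowed = CheckUnderRestriction(urls);
        // Print after the restricted frame has returned, so console
        // access is not subject to the PermitOnly.
        for (int i = 0; i < urls.Length; i++)
            Console.WriteLine("{0} -> {1}", urls[i],
                              allowed[i] ? "permitted" : "blocked");
    }
}
```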



Improving Web Application Security: Threats and Countermeasures
ISBN: 0735618429
EAN: 2147483647
Year: 2003
Pages: 613
