Code Access Security Considerations


Code access security can limit the resources that can be accessed and the operations that can be performed by your Web service code. An ASP.NET Web service is subject to ASP.NET code access security policy, configured by the Web service's <trust> element.

.NET Framework consumer code that calls a Web service must be granted the WebPermission by code access security policy. The precise state of the WebPermission determines the range of Web services that can be called. For example, it can constrain your code so that it can only call local Web services or services on a specified server.

If the consumer code has full trust, it is granted the unrestricted WebPermission, which allows it to call any Web service. Partial trust consumer code is subject to the following limitations:

  • If you call a Web service from a Medium trust Web application, by default you can only access local Web services.

  • Consumer code that uses the WSE classes must be granted full trust. For example, if your Web service proxy classes derive from Microsoft.Web.Services.WebServicesClientProtocol, which is provided by the WSE, full trust is required. To use WSE from a partial trust Web application, you must sandbox calls to the Web service.
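The following configuration is an added example, not taken from the book. It shows a Medium trust consumer application whose WebPermission is constrained to a single server through the originUrl attribute of <trust>. The host name appserver is a constructed placeholder, and the policy fragment reflects the WebPermission entry in the standard Medium trust policy file.

```xml
<!-- Web.config of the consumer Web application (added example) -->
<configuration>
  <system.web>
    <!-- Weak setting: Full trust grants the unrestricted WebPermission,
         so the application code can call any Web service.
         <trust level="Full" originUrl="" />
    -->

    <!-- Restricted setting: Medium trust. With an empty originUrl only local
         Web services can be called. The value below (a regular expression)
         extends that to services on one specified server; "appserver" is a
         constructed host name. -->
    <trust level="Medium" originUrl="http://appserver/.*" />
  </system.web>
</configuration>

<!-- Fragment of the Medium trust policy file (web_mediumtrust.config).
     ASP.NET substitutes the originUrl value for $OriginHost$, which is how
     the <trust> element determines the state of the WebPermission. -->
<IPermission class="WebPermission" version="1">
  <ConnectAccess>
    <URI uri="$OriginHost$" />
  </ConnectAccess>
</IPermission>
```

A call from this application to any other host fails with a SecurityException when the WebPermission demand is made.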

For more information about calling Web services from partial trust Web applications, see Chapter 9, "Using Code Access Security with ASP.NET." For more information about WebPermission, see the "Web Services" section in Chapter 8, "Code Access Security in Practice."




Improving Web Application Security: Threats and Countermeasures
ISBN: 0735618429
EAN: 2147483647
Year: 2003
Pages: 613
