1

I have a single ASMX web service that has a host of methods that can be called. However, I'm wanting to restrict certain methods so that the caller either needs to be authenticated in order to be able to call them, or, even better, so that they can only be called from the local server on which the service is running.

Basically those methods needing to be protected will be called by the Microsoft Windows Scheduler on the local server.

Is either option possible, and what is the best and preferred way of achieving this?

neildt
  • I have used a password parameter for this and set the password to something static/hard-coded that only you will know. Something like `842398KJHFGHKlkj4389&^HJKK` – user1477388 Aug 01 '13 at 12:40
  • possible duplicate of [How to get the client IP address from the request made to webservice](http://stackoverflow.com/questions/6981899/how-to-get-the-client-ip-address-from-the-request-made-to-webservice) – Sergio Aug 01 '13 at 12:41
  • Are the methods you want to restrict to localhost going to be accessed by a different process on the server? – Jason P Aug 01 '13 at 17:30

2 Answers

1

At the top of the web services you want to protect, you can do something like:

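```csharp
// Needs: using System.Web;
// In an .asmx class the current request and response are reached through HttpContext.Current.
HttpContext ctx = HttpContext.Current;
if (!ctx.Request.IsLocal)
{
    // Caller is not on this machine: refuse before any work is done.
    ctx.Response.StatusCode = 401;
    ctx.Response.StatusDescription = "Unauthorized";
    return null;
}
```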

You could also check if they are authenticated with the IsAuthenticated property.

bmm6o
0

Of the two methods you mention, by far the easiest is to restrict access to just the local server. You can do this through code (as another comment has noted), or by administration of IIS itself.

If you load up the IIS Manager and select the folder that your asmx file is in, you'll see on the right-hand side a section 'IP Address and Domain Restrictions'. Open this up, add a default deny rule, and then an allow rule for 127.0.0.1.

Be aware that using this method will restrict all services in this folder, so you may need to move this into its own folder if this isn't required or desirable.

Adrian Wragg
  • At the moment the web service, a single file, has 20 methods. Of these 20, we need to protect 10 that can only be accessed by 127.0.0.1, for example. I don't think I can restrict methods? Just the actual file? – neildt Aug 01 '13 at 12:45
  • @Tommo1977 This way of restricting access isn't equivalent in your circumstances, then. You need a solution based around looking up the IP address from Request.UserHostAddress, as Sergio noted in his comment (which I'll leave to him to expand into an answer rather than hijack his idea, if he wishes). – Adrian Wragg Aug 01 '13 at 12:51
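
A per-method guard along the lines discussed in the answers and comments above, checking `Request.UserHostAddress` inside one `.asmx` class so that only some methods are restricted. This is an added example, not code from any of the posters; the class name, method names and namespace URI are hypothetical, and it assumes .NET Framework 4.5 or later.

```csharp
using System.Net;
using System.Web;
using System.Web.Services;

// Hypothetical service: names and namespace URI are made up for illustration.
[WebService(Namespace = "http://example.invalid/")]
public class JobsService : WebService
{
    // True only when the text parses as an IP address and that address is
    // loopback: 127.0.0.0/8, ::1, or an IPv4-mapped form such as ::ffff:127.0.0.1.
    // A plain string comparison with "127.0.0.1" would miss the IPv6 forms.
    internal static bool IsLoopback(string userHostAddress)
    {
        IPAddress addr;
        if (!IPAddress.TryParse(userHostAddress, out addr)) return false; // fail closed
        if (addr.IsIPv4MappedToIPv6) addr = addr.MapToIPv4();
        return IPAddress.IsLoopback(addr);
    }

    // Call first in every method that must stay local-only.
    // UserHostAddress is the address of the immediate TCP peer, so if a reverse
    // proxy on this same machine fronts the site, every request looks local and
    // this check no longer distinguishes callers.
    // Request.IsLocal (first answer) is the built-in alternative.
    private void RequireLocalCaller()
    {
        if (IsLoopback(Context.Request.UserHostAddress)) return;
        // The exception stops the method before any protected work runs;
        // ASMX reports it to the caller as a fault.
        throw new HttpException(403, "This method is restricted to local callers.");
    }

    [WebMethod]
    public string GetStatus()          // open to any caller
    {
        return "ok";
    }

    [WebMethod]
    public string RunNightlyJob()      // intended for the local scheduler only
    {
        RequireLocalCaller();
        return "started";
    }
}
```

The scheduled task then has to call the service through a loopback URL (for example `http://localhost/...`), otherwise its own requests are rejected as well.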