1) What's the security best practice for sharepoint web services (under
_vti_bin)...specially for public sites?
Thanks in advance
Which .asmx pages under _vti_bin can be secured (using windows
authentication) on a public facing site without breaking the site.Any
recommendation ?
Thanks
http://msdn.microsoft.com/en-us/library/9hdd3w8c%28VS.80%29.aspx
http://msdn.microsoft.com/en-us/library/2tyf2t8t%28VS.80%29.aspx
http://msdn.microsoft.com/en-us/library/aa302435.aspx
My Goal is to disable all the built in sharepoint webservices and disable
the default webservices page.
1) I made all the changes in the documents to machine.config (even though it
is for the whole machine) -nothing happens.
2) There is no <webservices> node in the web.config for the web app,so I
created one at the end just above the </configuration> node.It brought down
the whole site along with .asmx pages.
Any suggestions?
Thanks in advance.
As for the <webServices> configuration node, they are not at the top level
(under <configuration> element) but under the <system.web> config section.
So you need to add the <webServices> node with the following node hierarchy:
<configuration>
<system.web>
<webServices>
....
http://msdn.microsoft.com/en-us/library/cs8x2624(VS.71).aspx
Sincerely,
Steven Cheng
Microsoft MSDN Online Support Lead
Delighting our customers is our #1 priority. We welcome your comments and
suggestions about how we can improve the support we provide to you. Please
feel free to let my manager know what you think of the level of service
provided. You can send feedback directly to my manager at:
msd...@microsoft.com.
==================================================
Get notification to my posts through email? Please refer to
http://msdn.microsoft.com/en-us/subscriptions/aa948868.aspx#notifications.
--------------------
From: =?Utf-8?B?TWFycw==?= <msne...@nospam.nospam>
References: <38F9B5B8-3849-4F26...@microsoft.com>
<784048D3-E934-4DBA...@microsoft.com>
Subject: RE: webservice
Date: Fri, 25 Sep 2009 13:08:03 -0700
Something like this
<location path="_vti_bin">
<system.web>
<authorization>
<allow users="mypermittedusergroup" />
<deny users="?,*" />
</authorization>
</system.web>
</location>
Regards
John Timney (MVP)
http://www.johntimney.com
http://www.johntimney.com/blog
"Mars" <msne...@nospam.nospam> wrote in message
news:38F9B5B8-3849-4F26...@microsoft.com...
When I disable WSDL generation it shows and error when you try to browse any
.asmx file , which is expected.I want to redirect users to page saying "You
are not allowed".THere is a MS document on this,it says i need to place the
desired page under the docs directory beneth the root of the web
application.I dont have a doc directory under any web applications root
directory.Can you explain the steps or give me an alternative please.Thanks
in advance.
""Steven Cheng"" wrote:
> Hi Mars,
>
> As for the <webServices> configuration node, they are not at the top level
> (under <configuration> element) but under the <system.web> config section.
> So you need to add the <webServices> node with the following node hierarchy:
>
> <configuration>
> <system.web>
> <webServices>
> .....
Thanks in advance.
""Steven Cheng"" wrote:
> Hi Mars,
>
> As for the <webServices> configuration node, they are not at the top level
> (under <configuration> element) but under the <system.web> config section.
> So you need to add the <webServices> node with the following node hierarchy:
>
> <configuration>
> <system.web>
> <webServices>
> .....
As for the requirement you provided, it sounds like add authorization for
the web service. Based on my experience, the IIS or ASP.NET system provide
some URL or role based authorizaiton, you can have a look to see whether
that can help protect your asmx endpoint:
#URL Authorization in IIS 6.0 (IIS 6.0)
http://www.microsoft.com/technet/prodtechnol/WindowsServer2003/Library/IIS/3
f20bedc-67a4-4bdd-a435-ea7d2363c3b9.mspx?mfr=true
#Understanding IIS 7.0 URL Authorization
http://learn.iis.net/page.aspx/142/understanding-iis-70-url-authorization/
Sincerely,
Steven Cheng
Microsoft MSDN Online Support Lead
Delighting our customers is our #1 priority. We welcome your comments and
suggestions about how we can improve the support we provide to you. Please
feel free to let my manager know what you think of the level of service
provided. You can send feedback directly to my manager at:
msd...@microsoft.com.
--------------------
From: =?Utf-8?B?TWFycw==?= <msne...@nospam.nospam>
Subject: RE: webservice
Date: Wed, 30 Sep 2009 09:07:02 -0700
If i secure the asmx endpoints with windows authentication but httppost and
httpget protocols are still enabled,is my webservice secured?
*In other words, how may endpoints are there that I have to block to protect
the web services (othar than asmx pages)?
*How do I block all the endpoints (from IIS , web.config, or others) for all
webservices and give a user access to the one they actually need access to.?
How many set of the webservice functions will you need in your application?
If the secured part (which need access control) is only small part of them,
you can consider manually build a custom webservice(using sharepoint object
model) and put them under _layouts application folder. And then you can
apply own access control over your custom asmx webservice.
#Walkthrough: Creating a Custom Web Service
http://msdn.microsoft.com/en-us/library/ms464040.aspx
#Adding own custom web service to SharePoint
http://blogs.msdn.com/jannemattila/archive/2007/09/26/adding-own-custom-web-
service-to-sharepoint.aspx
--------------------
From: =?Utf-8?B?TWFycw==?= <msne...@nospam.nospam>
References: <38F9B5B8-3849-4F26...@microsoft.com>
<784048D3-E934-4DBA...@microsoft.com>
<82DB1883-87C8-4116...@microsoft.com>
<4n4qNr#PKHA...@TK2MSFTNGHUB02.phx.gbl>
<BEFE6691-6E0C-4216...@microsoft.com>
<OuYCT4mQ...@TK2MSFTNGHUB02.phx.gbl>
Subject: RE: webservice
Date: Mon, 5 Oct 2009 10:07:09 -0700