Google Groups no longer supports new Usenet posts or subscriptions. Historical content remains viewable.
Dismiss

webservice

1 view
Skip to first unread message

Mars

unread,
Sep 24, 2009, 9:33:01 AM9/24/09
to
Hi -

1) What's the security best practice for sharepoint web services (under
_vti_bin)...specially for public sites?

Thanks in advance

Mars

unread,
Sep 24, 2009, 12:52:03 PM9/24/09
to
also wanted to add...

Which .asmx pages under _vti_bin can be secured (using windows
authentication) on a public facing site without breaking the site.Any
recommendation ?

Thanks

Mars

unread,
Sep 25, 2009, 4:08:03 PM9/25/09
to
Hi I have tried to follow the instructions of theses documents.

http://msdn.microsoft.com/en-us/library/9hdd3w8c%28VS.80%29.aspx
http://msdn.microsoft.com/en-us/library/2tyf2t8t%28VS.80%29.aspx
http://msdn.microsoft.com/en-us/library/aa302435.aspx

My Goal is to disable all the built in sharepoint webservices and disable
the default webservices page.

1) I made all the changes in the documents to machine.config (even though it
is for the whole machine) -nothing happens.
2) There is no <webservices> node in the web.config for the web app,so I
created one at the end just above the </configuration> node.It brought down
the whole site along with .asmx pages.

Any suggestions?

Thanks in advance.

Steven Cheng

unread,
Sep 27, 2009, 11:21:33 PM9/27/09
to
Hi Mars,

As for the <webServices> configuration node, they are not at the top level
(under <configuration> element) but under the <system.web> config section.
So you need to add the <webServices> node with the following node hierarchy:

<configuration>
<system.web>
<webServices>
....

http://msdn.microsoft.com/en-us/library/cs8x2624(VS.71).aspx


Sincerely,

Steven Cheng

Microsoft MSDN Online Support Lead


Delighting our customers is our #1 priority. We welcome your comments and
suggestions about how we can improve the support we provide to you. Please
feel free to let my manager know what you think of the level of service
provided. You can send feedback directly to my manager at:
msd...@microsoft.com.

==================================================
Get notification to my posts through email? Please refer to
http://msdn.microsoft.com/en-us/subscriptions/aa948868.aspx#notifications.

--------------------
From: =?Utf-8?B?TWFycw==?= <msne...@nospam.nospam>
References: <38F9B5B8-3849-4F26...@microsoft.com>
<784048D3-E934-4DBA...@microsoft.com>
Subject: RE: webservice
Date: Fri, 25 Sep 2009 13:08:03 -0700

John Timney (MVP)

unread,
Sep 28, 2009, 5:01:07 PM9/28/09
to
The typical approach would be to restrict access to the directory using the
location tag in web.config

Something like this


<location path="_vti_bin">
<system.web>
<authorization>
<allow users="mypermittedusergroup" />
<deny users="?,*" />
</authorization>
</system.web>
</location>

Regards

John Timney (MVP)
http://www.johntimney.com
http://www.johntimney.com/blog


"Mars" <msne...@nospam.nospam> wrote in message
news:38F9B5B8-3849-4F26...@microsoft.com...

Mars

unread,
Sep 29, 2009, 12:27:02 PM9/29/09
to
Hi Steven.Thanks for the answers,things working out.

When I disable WSDL generation it shows and error when you try to browse any
.asmx file , which is expected.I want to redirect users to page saying "You
are not allowed".THere is a MS document on this,it says i need to place the
desired page under the docs directory beneth the root of the web
application.I dont have a doc directory under any web applications root
directory.Can you explain the steps or give me an alternative please.Thanks
in advance.

""Steven Cheng"" wrote:

> Hi Mars,
>
> As for the <webServices> configuration node, they are not at the top level
> (under <configuration> element) but under the <system.web> config section.
> So you need to add the <webServices> node with the following node hierarchy:
>
> <configuration>
> <system.web>
> <webServices>

> .....

Mars

unread,
Sep 30, 2009, 12:07:02 PM9/30/09
to
Hi Steven- Is it possible to keep the webservices enabled and allow a outside
partner to use selected webservices (say,search.asmx and lists.asmx) and lock
down the others?

Thanks in advance.

""Steven Cheng"" wrote:

> Hi Mars,
>
> As for the <webServices> configuration node, they are not at the top level
> (under <configuration> element) but under the <system.web> config section.
> So you need to add the <webServices> node with the following node hierarchy:
>
> <configuration>
> <system.web>
> <webServices>

> .....

Steven Cheng

unread,
Oct 1, 2009, 4:06:17 AM10/1/09
to
Hi Mars,

As for the requirement you provided, it sounds like add authorization for
the web service. Based on my experience, the IIS or ASP.NET system provide
some URL or role based authorizaiton, you can have a look to see whether
that can help protect your asmx endpoint:

#URL Authorization in IIS 6.0 (IIS 6.0)
http://www.microsoft.com/technet/prodtechnol/WindowsServer2003/Library/IIS/3
f20bedc-67a4-4bdd-a435-ea7d2363c3b9.mspx?mfr=true

#Understanding IIS 7.0 URL Authorization
http://learn.iis.net/page.aspx/142/understanding-iis-70-url-authorization/

Sincerely,

Steven Cheng

Microsoft MSDN Online Support Lead


Delighting our customers is our #1 priority. We welcome your comments and
suggestions about how we can improve the support we provide to you. Please
feel free to let my manager know what you think of the level of service
provided. You can send feedback directly to my manager at:
msd...@microsoft.com.


--------------------
From: =?Utf-8?B?TWFycw==?= <msne...@nospam.nospam>
Subject: RE: webservice
Date: Wed, 30 Sep 2009 09:07:02 -0700

Mars

unread,
Oct 5, 2009, 1:07:09 PM10/5/09
to
Hi Steven.
The documents are focused on _vti_bin and the site itself.The site that i'm
working on is a public site, so the site has to stay anonymous access
enabled.If i block _vti_bin folder the site breaks..so that has to stay as it
is.I just want the webservices secured.

If i secure the asmx endpoints with windows authentication but httppost and
httpget protocols are still enabled,is my webservice secured?

*In other words, how may endpoints are there that I have to block to protect
the web services (othar than asmx pages)?

*How do I block all the endpoints (from IIS , web.config, or others) for all
webservices and give a user access to the one they actually need access to.?

Steven Cheng

unread,
Oct 22, 2009, 6:09:28 AM10/22/09
to
Hi Mars,

How many set of the webservice functions will you need in your application?
If the secured part (which need access control) is only small part of them,
you can consider manually build a custom webservice(using sharepoint object
model) and put them under _layouts application folder. And then you can
apply own access control over your custom asmx webservice.

#Walkthrough: Creating a Custom Web Service
http://msdn.microsoft.com/en-us/library/ms464040.aspx

#Adding own custom web service to SharePoint
http://blogs.msdn.com/jannemattila/archive/2007/09/26/adding-own-custom-web-
service-to-sharepoint.aspx


--------------------
From: =?Utf-8?B?TWFycw==?= <msne...@nospam.nospam>
References: <38F9B5B8-3849-4F26...@microsoft.com>
<784048D3-E934-4DBA...@microsoft.com>

<82DB1883-87C8-4116...@microsoft.com>
<4n4qNr#PKHA...@TK2MSFTNGHUB02.phx.gbl>
<BEFE6691-6E0C-4216...@microsoft.com>
<OuYCT4mQ...@TK2MSFTNGHUB02.phx.gbl>
Subject: RE: webservice
Date: Mon, 5 Oct 2009 10:07:09 -0700

0 new messages