Posted By: m1keread | May 2nd, 2007 @ 3:21 PM
page 1 of 1
Comments: 6 | Views: 3742
Hi Guys,

I have a web service that sends emails when given the correct inputs (From, To, Subject & Body). This is callable from standard HTML code via JavaScript gubbins.

We also have a number of HTML websites hosted on the same Web Server (static IP).

What I need to be able to do is restrict the access to the Web Service to just sites that are hosted on our Web Server.

My current (incorrect) code is as follows;

[WebMethod]
public void SendMail(string From, string To, string Subject, string Body)
{
    try
    {
        string strHostName = Dns.GetHostName();
        IPHostEntry ipEntry = Dns.GetHostEntry(strHostName);
        IPAddress[] addr = ipEntry.AddressList;
        string HostAddress = addr[0].ToString();

        //
        //  Only send from site in our Servers
        //
        if (HttpContext.Current.Request.UserHostAddress == HostAddress)
        {
            MailMessage m = new MailMessage(From, To, Subject, Body);
            SmtpClient Client = new SmtpClient();
            Client.Send(m);
        }
    }
    catch
    {
        //  Do Nothing
    }

    return;
}



Excuse the poor formatting, but you get the idea. 

So, I need a check so that I can check the host address of my Webserver (I know this and it can be stored in Web.config or obtained programmatically).

But against this value, I need to check the host that is serving out the HTML pages.  Using the

HttpContext.Current.Request.UserHostAddress

I think gives me the IP of the Client computer accessing the web page, not the Web host serving the web page.

Any ideas anyone (or any other ways of restricting access to the Web Service to only sites on our web server)?

Thanks in advance

Mike

Why not move the webMethod into its own asmx file and set IP restriction on the file via IIS admin tool?

 

m1keread wrote:
So if I read you correctly, I can go into IIS Manager and restrict the sites that can call the web service.  If this is correct, it is a much more elegant way of doing what I need to do.

That should work.

Also, if I understood you correctly,

HttpContext.Current.Request.UserHostAddress

should be the IP of the web site, not the client's browser -- because it is the website that is making the web service request to your web service.
If you have 2 NIC cards or if the request comes through a firewall/NAT you'll get weird IP addresses.
m1keread wrote:

Minh wrote:
m1keread wrote: So if I read you correctly, I can go into IIS Manager and restrict the sites that can call the web service.  If this is correct, it is a much more elegant way of doing what I need to do.

That should work.

Also, if I understood you correctly,

HttpContext.Current.Request.UserHostAddress

should be the IP of the web site, not the client's browser -- because it is the website that is making the web service request to your web service.


Thanks Minh,

What you said is what I understood also, however the IP address being returned was not the IP address of the physical Server hosting the website.  I assumed that it was the IP address of my client PC on the internet.  The Web server physical machine had a static IP address and yet the above line was returning different addresses at varying times.  (I should have done some more research into it, but did not).

regards

Mike

Weird.... Just so I'm clear, you're querying the UserHostAddress from within the Web Service's code & not the Web site's code.

As ScanIam said, multiple NICs could produce a different IP address, but it should be consistent, shouldn't it?

Well, maybe that's where the Firewall / router plays a role.
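
Added example, not code from any poster in this thread: the address comparison the original question asks for, written as an allow-list check in C#. `Request.UserHostAddress` is the address of whichever machine opened the HTTP connection to the service, so this check identifies the web server only when the call is made server-side. The class name, the comma-separated list format and the sample addresses (documentation ranges) are assumptions.

```csharp
using System;
using System.Collections.Generic;
using System.Net;

// Hypothetical helper; in the web service it would be called with
// HttpContext.Current.Request.UserHostAddress as remoteAddress.
public static class CallerAllowList
{
    // Make "::ffff:192.0.2.10" (dual-stack listener) compare equal to "192.0.2.10".
    private static IPAddress Normalise(IPAddress ip)
    {
        return ip.IsIPv4MappedToIPv6 ? ip.MapToIPv4() : ip;
    }

    // Parse the configured list once (e.g. a value kept in Web.config).
    // An unparsable entry is treated as a configuration error, not skipped.
    public static HashSet<IPAddress> Parse(string commaSeparated)
    {
        var set = new HashSet<IPAddress>();
        foreach (string item in commaSeparated.Split(new[] { ',' }, StringSplitOptions.RemoveEmptyEntries))
        {
            IPAddress ip;
            if (!IPAddress.TryParse(item.Trim(), out ip))
                throw new FormatException("Bad allow-list entry: " + item);
            set.Add(Normalise(ip));
        }
        return set;
    }

    // Fail closed: anything that does not parse or is not listed is rejected.
    public static bool IsAllowed(string remoteAddress, HashSet<IPAddress> allowed)
    {
        IPAddress ip;
        if (!IPAddress.TryParse(remoteAddress, out ip))
            return false;
        return allowed.Contains(Normalise(ip));
    }

    public static void Main()
    {
        // Constructed sample values: 192.0.2.10 stands in for the web server.
        var allowed = Parse("192.0.2.10, 127.0.0.1, ::1");
        string[] callers = { "192.0.2.10", "::ffff:192.0.2.10", "203.0.113.7", "" };
        foreach (string caller in callers)
            Console.WriteLine("'{0}' allowed: {1}", caller, IsAllowed(caller, allowed));
    }
}
```

In the sample, 203.0.113.7 stands in for a visitor's browser calling the service from page script: the connection comes from the visitor's machine (or its NAT/proxy), not from the server that hosted the page.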
