Tech Off Thread

7 posts

Forum Read Only

This forum has been made read only by the site admins. No new threads or comments can be added.

Restrict Web Service Access to host only

Back to Forum: Tech Off
  • User profile image
    m1keread

    Hi Guys,

    I have a web service that sends emails when given the correct inputs (From, To, Subject & Body). This is callable from standard HTML code via Javascript gubbins.  

     We also have a number of HTML websites hosted on the same Web Server (static IP).

    What I need to be able to do is restrict the access to the Web Service to just sites that are hosted on our Web Server.

    My current (incorrect) code is as follows;

    [WebMethod]

    public void SendMail(string From, string To, string Subject, string Body)

    {

            try

            {

            string strHostName = Dns.GetHostName();

            IPHostEntry ipEntry = Dns.GetHostEntry(strHostName);

            IPAddress[] addr = ipEntry.AddressList;

            string HostAddress =  addr[0].ToString();

            //

            //  Only send from site in our Servers

            //

            if (HttpContext.Current.Request.UserHostAddress == HostAddress)

            {

                MailMessage m = new MailMessage(From, To, Subject, Body);

                SmtpClient Client = new SmtpClient();

                Client.Send(m);

            }

            }

            catch

        {

            //  Do Nothing

        }

        return;

    }



    Excuse the poor formatting, but you get the idea. 

    So, I need a check so that I can check the host address of my Webserver (I know this and it can be stored in Web.config or obtained programatically).

    But against this value, I need to check the host that is serving out the HTML pages.  Using the

    HttpContext.Current.Request.UserHostAddress

    I think gives me the IP of the Client computer accessing the web page, not the Web host serving the web page.

    Any ideas anyone (or any other ways of resticting access to the Web Service to only sites on our web server)

    Thanks in advance

    Mike

  • User profile image
    PerfectPhase

    Why not move the webMethod into it's own asmx file and set IP restriction on the file via IIS admin tool?

     

  • User profile image
    m1keread

    Thanks buddy,

     

    The Web Services is a properly defined Web service and lives already in a .asmx file. 

    So if I read you correctly, I can go into IIS Manager and restrict the sites that can call the web service.  If this is correct, it is a much more elegant way of doing what I need to do.

     

    Thanks

     

    Mike

  • User profile image
    Minh

    m1keread wrote:
    So if I read you correctly, I can go into IIS Manager and restrict the sites that can call the web service.  If this is correct, it is a much more elegant way of doing what I need to do.

    That should work.

    Also, if I understood you correctly,

    HttpContext.Current.Request.UserHostAddress

    should be the IP of the web site, not the client's browser -- because it is the website that is making the web service request to your web service.

  • User profile image
    m1keread

    Minh wrote:
    
    m1keread wrote: So if I read you correctly, I can go into IIS Manager and restrict the sites that can call the web service.  If this is correct, it is a much more elegant way of doing what I need to do.

    That should work.

    Also, if I understood you correctly,

    HttpContext.Current.Request.UserHostAddress

    should be the IP of the web site, not the client's browser -- because it is the website that is making the web service request to your web service.


    Thanks Minh,

    What you said is what I understood also, however the IP address being returned was not the IP address of the physical Server hosting the website.  I assumed that it was the IP address of my client PC on the internet.  The Web server physical machine had a static IP address and yet the above line was returning different addresses at varying times.  (I should have done some more research into it, but did not).

    regards

    Mike

  • User profile image
    ScanIAm

    If you have 2 NIC cards or if the request comes through a firewall/NAT you'll get weird IP addresses.

  • User profile image
    Minh

    m1keread wrote:
    
    Minh wrote:
    m1keread wrote: So if I read you correctly, I can go into IIS Manager and restrict the sites that can call the web service.  If this is correct, it is a much more elegant way of doing what I need to do.

    That should work.

    Also, if I understood you correctly,

    HttpContext.Current.Request.UserHostAddress

    should be the IP of the web site, not the client's browser -- because it is the website that is making the web service request to your web service.


    Thanks Minh,

    What you said is what I understood also, however the IP address being returned was not the IP address of the physical Server hosting the website.  I assumed that it was the IP address of my client PC on the internet.  The Web server physical machine had a static IP address and yet the above line was returning different addresses at varying times.  (I should have done some more research into it, but did not).

    regards

    Mike

    Weird.... Just so I'm clear, you're querying the UserHostAddress from within the Web Service's code & not the Web site's code.

    As ScanIam said, multiple NIC's could produce a differnt IP address, but it should be consistent, shouldn't it?

    Well, maybe that's where the Firewall / router plays a role.

Conversation locked

This conversation has been locked by the site admins. No new comments can be made.