locked
How to "disable" certain webmethod calls without touching existing code/DLL? RRS feed

  • Question

  • User-760876411 posted

    I have a web application that exposes many ASMX web service methods: each method is decorated with [WebMethod] attribute. Now I would like to disable certain webmethod calls so that clients wouldn't be able to run those web methods. A requirement of the task is that the existing code cannot be changed since the software has been deployed on a production system already. It's ok to make configuration changes (e.g. web.config) or create/deploy new DLLs on the production system though.

    I've looked into SoapExtension which seems to be an ideal solution: I could develop a new DLL that contains a class derived from SoapExtension, and modify the web.config file to intercept all web method calls. But all examples I found are related to logging web method calls, not rejecting or filtering those calls. I am wondering if anyone could give me more details on how to achieve the goal of disabling certain web method calls without recompiling existing code? How to extract the class name & method name from the soap messages anyway? Or maybe I should consider using IHttpModule instead?

    Thanks for your kind help in advance!

    Saturday, May 24, 2014 12:02 AM

Answers

  • User-417640953 posted

    Hi lakeeast,

    Thank you post the issue to asp.net forum.

    According to your description, I see you want to limit users' request to the web service methods. And just allowed change the web.config

    and add new assemble. Donot allowed to modify the exists code. For this issue, I suggest you try to use the asp.net HttpHandler to complete it.

    You can create a custom httphandler which used to handle the web service request. Then you can get the request path and web method name from it.

    So you can abort the request directly from handler if the web service method not allow request.

     public class WebServiceHandler : IHttpHandler
        {
    
            public bool IsReusable
            {
                // Return false in case your Managed Handler cannot be reused for another request.
                // Usually this would be false in case you have some state information preserved per request.
                get { return true; }
            }
    
            public void ProcessRequest(HttpContext context)
            {
                //write your handler implementation here.
                string path = context.Request.Path;
                //get the web service method name from the path url
                //your code here............
            }
    
        }

    In web.config file you can add this handler like below.

    <handlers>
           <add name="WebServiceHandler" verb="*" path="*.asmx" type="WebApplicationCsharp.App_code.WebServiceHandler"/> 
    </handlers>

    Hope that helps, thanks.

    Best Regards!

    • Marked as answer by Anonymous Thursday, October 7, 2021 12:00 AM
    Tuesday, May 27, 2014 1:31 AM

All replies

  • User724169276 posted

    Hello,

    Try disabling the HTTPGetPost in webmethod.Include below line above the method you dont want to access in you web page or whatever.

    [ScriptMethod(UseHttpGet = false)]

    Saturday, May 24, 2014 12:08 AM
  • User-760876411 posted

    Maybe I didn't describe it clearly: the requirement is NOT to change the existing source code nor the deployed DLL. Your solution will modify the existing code (ScriptMethod(UseHttpGet= false)], thus is not feasible in my scenario. Removing the selected webmethod would not work for me too.

    Any thoughts?

    Saturday, May 24, 2014 10:02 AM
  • User-417640953 posted

    Hi lakeeast,

    Thank you post the issue to asp.net forum.

    According to your description, I see you want to limit users' request to the web service methods. And just allowed change the web.config

    and add new assemble. Donot allowed to modify the exists code. For this issue, I suggest you try to use the asp.net HttpHandler to complete it.

    You can create a custom httphandler which used to handle the web service request. Then you can get the request path and web method name from it.

    So you can abort the request directly from handler if the web service method not allow request.

     public class WebServiceHandler : IHttpHandler
        {
    
            public bool IsReusable
            {
                // Return false in case your Managed Handler cannot be reused for another request.
                // Usually this would be false in case you have some state information preserved per request.
                get { return true; }
            }
    
            public void ProcessRequest(HttpContext context)
            {
                //write your handler implementation here.
                string path = context.Request.Path;
                //get the web service method name from the path url
                //your code here............
            }
    
        }

    In web.config file you can add this handler like below.

    <handlers>
           <add name="WebServiceHandler" verb="*" path="*.asmx" type="WebApplicationCsharp.App_code.WebServiceHandler"/> 
    </handlers>

    Hope that helps, thanks.

    Best Regards!

    • Marked as answer by Anonymous Thursday, October 7, 2021 12:00 AM
    Tuesday, May 27, 2014 1:31 AM