SharePoint web services not protected?
Posted by Philipp Schmid on Server Fault
Published on 2010-05-13T17:44:00Z
Using WSS 3.0, we have noticed that while users can be restricted to access only certain sub-sites of a site collection through permission settings, the same doesn't seem to be true for web services, such as /_vti_bin/Lists.asmx!
Here's our experimental setup:
http://formal/test : 'test' site collection
- site1 : first site in test site collection, user1 is member
- site2 : second site in test site collection, user2 is member
With this setup, using a web browser, user2:
- can access http://formal/test/site2/Default.aspx
- cannot access http://formal/test/site1/Default.aspx
That's what is expected.
To our surprise however, using the code below, user2 can retrieve the names of the lists in site1, something he should not have access to!
Is that by (unfortunate) design, or is there a configuration setting we've missed that would prevent user2 from retrieving the names of lists in site1? Is this going to be different in SharePoint 2010?
Here's the web service code used in the experiment:
    using System;
    using System.ServiceModel;

    // ListsSoapClient is the WCF proxy generated from /_vti_bin/Lists.asmx (Add Service Reference).
    class Program
    {
        static readonly string _url = "http://formal/sites/research/site2/_vti_bin/Lists.asmx";
        static readonly string _user = "user2";
        static readonly string _password = "password";
        static readonly string _domain = "DOMAIN";

        static void Main(string[] args)
        {
            try
            {
                ListsSoapClient service = GetServiceClient(_url, _user, _password, _domain);
                // GetListCollection returns the <Lists> element with one <List Title="..."> child per list.
                var result = service.GetListCollection();
                Console.WriteLine(result.Value);
            }
            catch (Exception ex)
            {
                Console.WriteLine(ex.ToString());
            }
        }

        private static ListsSoapClient GetServiceClient(string url, string userName, string password, string domain)
        {
            // Plain HTTP with NTLM credentials at the transport level (no message security).
            BasicHttpBinding binding = new BasicHttpBinding(BasicHttpSecurityMode.TransportCredentialOnly);
            binding.Security.Transport.ClientCredentialType = HttpClientCredentialType.Ntlm;
            ListsSoapClient service = new ListsSoapClient(binding, new EndpointAddress(url));
            service.ClientCredentials.UserName.Password = password;
            service.ClientCredentials.UserName.UserName = (!string.IsNullOrEmpty(domain)) ? domain + "\\" + userName : userName;
            return service;
        }
    }
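An audit helper that generalises the experiment above (an added example, not the poster's code): it calls GetListCollection on every sub-site with one low-privileged test account and flags any site where the web service discloses list titles even though the account is not a member. It assumes the same generated ListsSoapClient proxy as the question; the site URLs, the membership table and the credentials are constructed placeholders.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.ServiceModel;
using System.Xml.Linq;
// Added audit helper (not the poster's code). For one low-privileged test account, call
// GetListCollection on every sub-site and compare the result with the access the site
// permissions grant. A "not a member" site that still returns list titles is a gap
// between the UI permission check and the web-service endpoint.
static class ListsPermissionAudit
{
    // Constructed expectations: sub-site URL -> is the test account a member?
    static readonly Dictionary<string, bool> Expected = new Dictionary<string, bool>
    {
        { "http://formal/test/site1", false },   // user2 is not a member of site1
        { "http://formal/test/site2", true  },   // user2 is a member of site2
    };
    static ListsSoapClient CreateClient(string siteUrl, string user, string password, string domain)
    {
        // Same NTLM-over-HTTP binding the question uses.
        var binding = new BasicHttpBinding(BasicHttpSecurityMode.TransportCredentialOnly);
        binding.Security.Transport.ClientCredentialType = HttpClientCredentialType.Ntlm;
        var client = new ListsSoapClient(binding, new EndpointAddress(siteUrl.TrimEnd('/') + "/_vti_bin/Lists.asmx"));
        client.ClientCredentials.UserName.UserName = domain + "\\" + user;
        client.ClientCredentials.UserName.Password = password;
        return client;
    }
    // Titles the endpoint disclosed, or null when the call was refused
    // (WCF raises MessageSecurityException, a CommunicationException, on HTTP 401).
    static List<string> TryEnumerateLists(ListsSoapClient client)
    {
        try
        {
            XElement lists = client.GetListCollection();
            return lists.Descendants().Where(e => e.Name.LocalName == "List")
                        .Select(e => (string)e.Attribute("Title")).ToList();
        }
        catch (CommunicationException) { return null; }
    }
    static void Main()
    {
        foreach (var site in Expected)
        {
            List<string> titles = TryEnumerateLists(CreateClient(site.Key, "user2", "password", "DOMAIN"));
            bool disclosed = titles != null;
            Console.WriteLine("{0}  member={1}  listsDisclosed={2}  {3}",
                site.Key, site.Value, disclosed, disclosed == site.Value ? "ok" : "MISMATCH");
            if (disclosed) Console.WriteLine("    " + string.Join(", ", titles.ToArray()));
        }
    }
}
```

Run it from a workstation that can reach the farm; a MISMATCH line for a site the account is not a member of reproduces the behaviour described in the question.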