SharePoint web services not protected?

facebook twitter digg google delicious technorati stumbleupon myspace wordpress linkedin gmail igoogle windows live tumblr viadeo yahoo buzz yahoo mail yahoo bookmarks favorites email print

Posted by Philipp Schmid on Server Fault See other posts from Server Fault or by Philipp Schmid
Published on 2010-05-13T17:44:00Z Indexed on 2010/05/13 17:55 UTC
Read the original article Hit count: 265

Filed under:
|
|
|

Using WSS 3.0, we have noticed that while users can be restricted to access only certain sub-sites of a site collection through permission settings, the same doesn't seem to be true for web services, such as /_vti_bin/Lists.asmx!

Here's our experimental setup:

http://formal/test   : 'test' site collection

  - site1           : first site in test site collection, user1 is member
  - site2           : second site in test site collection, user2 is member

With this setup, using a web browser user2 can:

  - access            http://formal/test/site2/Default.aspx
  - cannot access     http://formal/test/site1/Default.aspx

That's what is expected.

To our surprise however, using the code below, user2 can retrieve the names of the lists in site1, something he should not have access to!

Is that by (unfortunate) design, or is there a configuration setting we've missed that would prevent user2 from retrieving the names of lists in site1? Is this going to be different in SharePoint 2010?

Here's the web service code used in the experiment:

class Program
{
    static readonly string _url ="http://formal/sites/research/site2/_vti_bin/Lists.asmx";
    static readonly string _user = "user2";
    static readonly string _password = "password";
    static readonly string _domain = "DOMAIN";

static void Main(string[] args)
{
    try
    {
        ListsSoapClient service = GetServiceClient(_url, _user, _password, _domain);

        var result = service.GetListCollection();
        Console.WriteLine(result.Value);
    }
    catch (Exception ex)
    {
        Console.WriteLine(ex.ToString());
    }
}

private static ListsSoapClient  GetServiceClient(string url, string userName, string password, string domain)
{
    BasicHttpBinding binding = new BasicHttpBinding(BasicHttpSecurityMode.TransportCredentialOnly);
    binding.Security.Transport.ClientCredentialType = HttpClientCredentialType.Ntlm;

    ListsSoapClient service = new ListsSoapClient(binding, new System.ServiceModel.EndpointAddress(url));

    service.ClientCredentials.UserName.Password = password;
    service.ClientCredentials.UserName.UserName = (!string.IsNullOrEmpty(domain)) ? domain + "\\" + userName : userName;
    return service;
    }
}

© Server Fault or respective owner

facebook twitter digg google delicious technorati stumbleupon myspace wordpress linkedin gmail igoogle windows live tumblr viadeo yahoo buzz yahoo mail yahoo bookmarks favorites email print

Related posts about sharepoint

Related posts about wss-3.0

Categories cloud

.NET ASP.NET iphone linux python Windows mysql android sql windows-7 html c ruby-on-rails css objective-c ubuntu networking sql-server wpf asp.net-mvc ruby database Xml apache AJAX osx security regex django Performance 12.04 windows-xp mac web-development iphone-sdk vb.net Silverlight apache2 flash server perl best-practices email installation eclipse visual-studio algorithm windows-server-2008 winforms wcf firefox bash dns /Oracle