Mental Jetsam

By Peter Finch

Simple IP/Hostname based security for C# web services.

Posted by pcfinch on November 10, 2008

The following code implements simple IP/hostname-based security for a web service. If you need to restrict access to a C# web service there are a number of methods, and a common one is to pass a username and password in the request. This works great until the username and password get “out in the wild” and then you have to change everything. Another common method is to use the web server's security, but then the application does not have control.

The method described here gets the incoming IP address of the web service client and then looks up the IP address and/or the hostname in the <appSettings> section of the web.config file. If the IP address or hostname is defined in the file, the client is allowed to access the service; otherwise an error message can be returned.

using System;
using System.Configuration;
using System.Net;
using System.Web;
using System.Web.Services;

[WebMethod(Description = "Get the server date and time")]
public string GetDateTime()
{
  // An empty string from CheckClientAccess means the caller is allowed.
  String sResponse = CheckClientAccess(HttpContext.Current.Request.UserHostAddress);
  if (String.IsNullOrEmpty(sResponse))
    sResponse = DateTime.Now.ToString();
  return (sResponse);
}

/// <summary>
/// Return empty string if access is granted otherwise return an error message.
/// </summary>
public String CheckClientAccess(String sClientIpAddress)
{
  String sResult = String.Empty;
  // First look for an "ACCESS-<ip address>" entry in <appSettings>.
  String sAccess = ConfigurationManager.AppSettings["ACCESS-" + sClientIpAddress];
  if (String.IsNullOrEmpty(sAccess) || (!sAccess.Equals("allow", StringComparison.OrdinalIgnoreCase)))
  {
    // No entry for the IP address: reverse-resolve it and look for "ACCESS-<hostname>".
    // Dns.GetHostEntry throws a SocketException if the lookup fails, so the request fails.
    IPHostEntry host = Dns.GetHostEntry(sClientIpAddress);
    if ((host != null) && (!String.IsNullOrEmpty(host.HostName)))
    {
      String sHostname = host.HostName.ToLower();
      sAccess = ConfigurationManager.AppSettings["ACCESS-" + sHostname];
      if (String.IsNullOrEmpty(sAccess) || (!sAccess.Equals("allow", StringComparison.OrdinalIgnoreCase)))
        sResult = String.Format("Access from {0} \"{1}\"  denied", sClientIpAddress, sHostname);
    }
    else
    {
      // No hostname available: deny on the IP address alone.
      sResult = String.Format("Access from {0} denied", sClientIpAddress);
    }
  }
  return (sResult);
}

The settings in the web.config file are as follows.

  <add key="ACCESS-" value="allow"/>
  <add key="" value="allow"/>

This is not a perfect solution, and is not recommended for high security systems, but it’s simple to implement and pretty safe if you trust the incoming computers' IP addresses and host names.
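The hostname branch above trusts whatever name reverse DNS returns for the client address. The following variant is an added example, not the author's code: it honours a hostname entry only when that name also resolves forward to the same address, and it denies instead of throwing when a lookup fails. The class name ClientAccess and the helper IsAllowed are assumptions for illustration; the ACCESS- keys are the ones used above.

```csharp
using System;
using System.Configuration;
using System.Linq;
using System.Net;
using System.Net.Sockets;

public static class ClientAccess
{
    // Hypothetical helper: true only if the "ACCESS-<key>" appSetting is "allow".
    static bool IsAllowed(string key)
    {
        string value = ConfigurationManager.AppSettings["ACCESS-" + key];
        return string.Equals(value, "allow", StringComparison.OrdinalIgnoreCase);
    }

    // Returns an empty string when access is granted, otherwise an error message.
    public static string CheckClientAccess(string clientIpAddress)
    {
        IPAddress clientIp;
        if (!IPAddress.TryParse(clientIpAddress, out clientIp))
            return "Access denied: client address is not a valid IP address";

        // Key on the parsed address so the lookup uses its canonical text form.
        if (IsAllowed(clientIp.ToString()))
            return string.Empty;

        try
        {
            // Reverse lookup: the name comes from the PTR record, which is
            // published by whoever controls the reverse zone for the address.
            string hostname = Dns.GetHostEntry(clientIp).HostName.ToLowerInvariant();

            // Forward confirmation: the claimed name must resolve back to the
            // same address before a hostname entry is honoured.
            bool confirmed = Dns.GetHostAddresses(hostname).Any(a => a.Equals(clientIp));
            if (confirmed && IsAllowed(hostname))
                return string.Empty;

            return string.Format("Access from {0} \"{1}\" denied", clientIp, hostname);
        }
        catch (SocketException)
        {
            // No reverse or forward record: deny instead of raising a SOAP fault.
            return string.Format("Access from {0} denied", clientIp);
        }
    }
}
```

When the service sits behind a reverse proxy or load balancer, HttpContext.Current.Request.UserHostAddress is the proxy's address, so every client would match the same entry.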


2 Responses to “Simple IP/Hostname based security for C# web services.”

  1. Arvind said

    This is really a very useful article, but there is some problem when I have uploaded the web service on the server and am calling the web method through the application.
    I am getting the error message “SoapException was unhandled by user code”.

  2. Rahul said

    First of all, thanks very much for your useful post.

    I just came across your blog and wanted to drop you a note telling you how impressed I was with the information you have posted here.

    Please let me introduce you to some info related to this post, and I hope that it is useful for the community.

    There is a good C# resource site. Have a look.

    Thanks again
