XmlSecureResolver Class
Definition
Important
Some information relates to prerelease product that may be substantially modified before it’s released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
Caution
XmlSecureResolver is obsolete. Use XmlResolver.ThrowingResolver instead when attempting to forbid XML external entity resolution.
Helps to secure another implementation of XmlResolver by wrapping the XmlResolver object and restricting the resources that the underlying XmlResolver has access to.
public ref class XmlSecureResolver : System::Xml::XmlResolverpublic class XmlSecureResolver : System.Xml.XmlResolver[System.Obsolete("XmlSecureResolver is obsolete. Use XmlResolver.ThrowingResolver instead when attempting to forbid XML external entity resolution.", DiagnosticId="SYSLIB0047", UrlFormat="https://aka.ms/dotnet-warnings/{0}")]
public class XmlSecureResolver : System.Xml.XmlResolvertype XmlSecureResolver = class
inherit XmlResolver[<System.Obsolete("XmlSecureResolver is obsolete. Use XmlResolver.ThrowingResolver instead when attempting to forbid XML external entity resolution.", DiagnosticId="SYSLIB0047", UrlFormat="https://aka.ms/dotnet-warnings/{0}")>]
type XmlSecureResolver = class
inherit XmlResolverPublic Class XmlSecureResolver
Inherits XmlResolver- Inheritance
- Attributes
Remarks
The XmlUrlResolver class is the default resolver for all classes in the System.Xml namespace. It's used to load XML documents and to resolve external resources such as entities, DTDs or schemas, and import or include directives.
You can override this default by specifying the XmlResolver object to use. For example, if you want to restrict the resources that the underlying XmlResolver can access, you can use an XmlSecureResolver object.
XmlSecureResolver wraps around a concrete implementation of XmlResolver and restricts the resources that the underlying XmlResolver has access to. For example, XmlSecureResolver has the ability to prohibit cross-domain redirection, which occurs from an embedded Uniform Resource Identifier (URI) reference.
When you construct an XmlSecureResolver object, you provide a valid XmlResolver implementation along with a URL, an instance of an evidence object, or a permission set, which is used by the XmlSecureResolver to determine security. Either a System.Security.PermissionSet is generated or the existing one is used and PermissionSet.PermitOnly is called on it to help secure the underlying XmlResolver.
Important
XmlSecureResolver objects can contain sensitive information such as user credentials. Be careful when caching XmlSecureResolver objects and should not pass the XmlSecureResolver object to an untrusted component.
Important
There are differences in the security infrastructure for code running on the .NET Framework common language runtime (CLR) and for code running on the CLR that is integrated within Microsoft SQL Server 2005. This can lead to cases where code developed for the .NET Framework CLR operates differently when used on the SQL Server integrated CLR. One of these differences affects the XmlSecureResolver class when you have evidence that is based on a URL (that is, when you use the CreateEvidenceForUrl(String) method or the XmlSecureResolver constructor). The policy resolution mechanism of the SQL Server integrated CLR does not use the Url or Zone information. Instead, it grants permissions based on the GUID that the server adds when assemblies are loaded. When you use the XmlSecureResolver in the SQL Server integrated CLR, provide any required evidence directly by using a specified PermissionSet.
To use a secure resolver
Create an XmlSecureResolver with the correct permission set.
Create an XmlReaderSettings object that uses the XmlSecureResolver object.
XmlReaderSettings settings = new XmlReaderSettings(); settings.XmlResolver = myResolver;Dim settings As New XmlReaderSettings() settings.XmlResolver = myResolverPass the XmlReaderSettings object to the Create method when you're creating the XmlReader object.
XmlReader reader = XmlReader.Create("books.xml", settings);Dim reader As XmlReader = XmlReader.Create("books.xml", settings)
To restrict access by using a URL
Use the XmlSecureResolver(XmlResolver, String) constructor to create an XmlSecureResolver object that is allowed to access your local intranet site only.
XmlSecureResolver myResolver = new XmlSecureResolver(new XmlUrlResolver(), "http://myLocalSite/");
Dim myResolver As New XmlSecureResolver(New XmlUrlResolver(), "http://myLocalSite/")
To restrict access by using a permission set
Create a WebPermission object.
WebPermission myWebPermission = new WebPermission(PermissionState.None);Dim myWebPermission As New WebPermission(PermissionState.None)Specify the URLs that you want to allow access to.
myWebPermission.AddPermission(NetworkAccess.Connect,"http://www.contoso.com/"); myWebPermission.AddPermission(NetworkAccess.Connect,"http://litwareinc.com/data/");myWebPermission.AddPermission(NetworkAccess.Connect, "http://www.contoso.com/") myWebPermission.AddPermission(NetworkAccess.Connect, "http://litwareinc.com/data/")Add the web permissions to the PermissionSet object.
PermissionSet myPermissions = new PermissionSet(PermissionState.None); myPermissions.AddPermission(myWebPermission);Dim myPermissions As New PermissionSet(PermissionState.None) myPermissions.AddPermission(myWebPermission)Use the XmlSecureResolver(XmlResolver, PermissionSet) constructor to create an XmlSecureResolver object by using the permission set.
XmlSecureResolver myResolver = new XmlSecureResolver(new XmlUrlResolver(), myPermissions);Dim myResolver As New XmlSecureResolver(New XmlUrlResolver(), myPermissions)See the XmlSecureResolver reference page for another example.
To restrict access by using evidence
You can restrict access by using the XmlSecureResolver(XmlResolver, Evidence) constructor and specifying Evidence. The Evidence is used to create the PermissionSet that is applied to the underlying XmlResolver. The XmlSecureResolver calls PermitOnly on the created PermissionSet before opening any resources.
Here are some common scenarios and the type of evidence to provide for each:
If you are working in a fully trusted environment, use your assembly to create the evidence:
Evidence myEvidence = this.GetType().Assembly.Evidence; XmlSecureResolver myResolver; myResolver = new XmlSecureResolver(new XmlUrlResolver(), myEvidence);Dim myEvidence As Evidence = Me.GetType().Assembly.Evidence Dim myResolver As XmlSecureResolver myResolver = New XmlSecureResolver(New XmlUrlResolver(), myEvidence)If you are working in a semi-trusted environment, you have code or data coming from an outside source, and you know the origin of the outside source and have a verifiable URI, use the URI to create the evidence:
Evidence myEvidence = XmlSecureResolver.CreateEvidenceForUrl(sourceURI); XmlSecureResolver myResolver = new XmlSecureResolver(new XmlUrlResolver(), myEvidence);Dim myEvidence As Evidence = XmlSecureResolver.CreateEvidenceForUrl(sourceURI) Dim myResolver As New XmlSecureResolver(New XmlUrlResolver(), myEvidence)If you are working in a semi-trusted environment and you have code or data coming from an outside source, but you don't know the origin of the outside source, either:
Set the
evidenceparameter tonull. This allows no access to resources.-or-
If your application requires some access to resources, request evidence from the caller.
To use the secure resolver to load an XSLT style sheet
Create an XmlSecureResolver with the correct permission set.
Pass the XmlSecureResolver to the Load method.
XslCompiledTransform xslt = new XslCompiledTransform(); xslt.Load("http://serverName/data/xsl/sort.xsl", null, myResolver);Dim xslt As New XslCompiledTransform() xslt.Load("http://serverName/data/xsl/sort.xsl", Nothing, myResolver)
Notes to Inheritors
This class has an inheritance demand. Full trust is required to inherit from the XmlSecureResolver class.
Constructors
| XmlSecureResolver(XmlResolver, Evidence) |
Initializes a new instance of the XmlSecureResolver class with the XmlResolver and Evidence specified. |
| XmlSecureResolver(XmlResolver, PermissionSet) |
Initializes a new instance of the XmlSecureResolver class with the XmlResolver and PermissionSet specified. |
| XmlSecureResolver(XmlResolver, String) |
Initializes a new instance of the XmlSecureResolver class with the XmlResolver and URL provided. |
Properties
| Credentials |
Sets credentials used to authenticate web requests. |
Methods
| CreateEvidenceForUrl(String) |
Creates evidence using the supplied URL. |
| Equals(Object) |
Determines whether the specified object is equal to the current object. (Inherited from Object) |
| GetEntity(Uri, String, Type) |
Maps a URI to an object that contains the actual resource. This method temporarily sets the PermissionSet created in the constructor by calling PermitOnly() before calling |
| GetEntityAsync(Uri, String, Type) |
Asynchronously maps a URI to an object that contains the actual resource. |
| GetEntityAsync(Uri, String, Type) |
Asynchronously maps a URI to an object that contains the actual resource. (Inherited from XmlResolver) |
| GetHashCode() |
Serves as the default hash function. (Inherited from Object) |
| GetType() |
Gets the Type of the current instance. (Inherited from Object) |
| MemberwiseClone() |
Creates a shallow copy of the current Object. (Inherited from Object) |
| ResolveUri(Uri, String) |
Resolves the absolute URI from the base and relative URIs by calling |
| SupportsType(Uri, Type) |
Enables the resolver to return types other than Stream. (Inherited from XmlResolver) |
| ToString() |
Returns a string that represents the current object. (Inherited from Object) |