xref:System.Xml.XmlResolver> class

This article provides supplementary remarks to the reference documentation for this API.

The XmlResolver type is used to resolve external XML resources, such as entities, document type definitions (DTDs), or schemas. It is also used to process include and import elements found in Extensible Stylesheet Language (XSL) style sheets or XML Schema definition language (XSD) schemas.

XmlResolver handles all aspects of negotiating the connection to the resources, including handling security credentials, opening the connection to the data source, and returning the resource in the form of a stream or other object type. The object that calls XmlResolver has the task of interpreting the stream.

The System.Xml namespace includes two concrete implementations of the XmlResolver class:

You can create and specify your own resolver. If you don't specify a resolver, the reader uses a default XmlUrlResolver with no user credentials.

You specify the XmlResolver to use by setting the XmlReaderSettings.XmlResolver property and passing the XmlReaderSettings object to the Create method.

If the resource is stored on a system that requires authentication, you use the XmlResolver.Credentials property to specify the necessary credentials.

Supply authentication credentials

The file that contains the XML data to read may have a restricted access policy. If authentication is required to access a network resource, use the Credentials property to specify the necessary credentials. If the Credentials property is not set, credentials are set to null.

For example, assume that credentials are needed when requesting data from the web for authentication purposes. Unless the web virtual directory allows anonymous access, you must set the Credentials property to supply credentials. The following example creates an XmlReader object that uses an XmlUrlResolver with default credentials to access the http://localhost/bookstore/inventory.xml site.

// Create a resolver with default credentials.
XmlUrlResolver resolver = new XmlUrlResolver();
resolver.Credentials = System.Net.CredentialCache.DefaultCredentials;

// Set the reader settings object to use the resolver.
settings.XmlResolver = resolver;

// Create the XmlReader object.
XmlReader reader = XmlReader.Create("http://ServerName/data/books.xml", settings);
' Create a resolver with default credentials.
Dim resolver as XmlUrlResolver = new XmlUrlResolver()
resolver.Credentials = System.Net.CredentialCache.DefaultCredentials

' Set the reader settings object to use the resolver.
settings.XmlResolver = resolver

' Create the XmlReader object.
Dim reader as XmlReader = XmlReader.Create("http://ServerName/data/books.xml", settings)

You can supply different credentials for different URIs and add them to a cache. These credentials are used to check authentication for the different URIs regardless of the original source of the XML. The following example shows how to add credentials to a cache.

// Create the credentials.
NetworkCredential myCred = new NetworkCredential(UserName,SecurelyStoredPassword,Domain);
CredentialCache myCache = new CredentialCache();
myCache.Add(new Uri("http://www.contoso.com/"), "Basic", myCred);
myCache.Add(new Uri("http://app.contoso.com/"), "Basic", myCred);

// Set the credentials on the XmlUrlResolver object.
XmlUrlResolver resolver = new XmlUrlResolver();
resolver.Credentials = myCache;

// Compile the style sheet.
XslCompiledTransform xslt = new XslCompiledTransform();
xslt.Load("http://serverName/data/xsl/order.xsl",XsltSettings.Default, resolver);
' Create the credentials.
Dim myCred As NetworkCredential = New NetworkCredential(UserName,SecurelyStoredPassword,Domain)
Dim myCache As CredentialCache = New CredentialCache()
myCache.Add(new Uri("http://www.contoso.com/"), "Basic", myCred)
myCache.Add(new Uri("http://app.contoso.com/"), "Basic", myCred)

' Set the credentials on the XmlUrlResolver object.
Dim resolver As XmlUrlResolver = New XmlUrlResolver()
resolver.Credentials = myCache

' Compile the style sheet.
Dim xslt As XslCompiledTransform = New XslCompiledTransform()
xslt.Load("http://serverName/data/xsl/order.xsl", XsltSettings.Default, resolver)

Security considerations

Consider the following items when working with the XmlResolver class.

  • XmlResolver objects can contain sensitive information such as user credentials. You should be careful when caching XmlResolver objects and should not pass the XmlResolver object to an untrusted component.

  • If you are designing a class property that uses the XmlResolver class, the property should be defined as a write-only property. The property can be used to specify the XmlResolver to use, but it cannot be used to return an XmlResolver object.

  • If your application accepts XmlResolver objects from untrusted code, you cannot assume that the URI passed into the GetEntity method will be the same as that returned by the ResolveUri method. Classes derived from the XmlResolver class can override the GetEntity method and return data that is different than what was contained in the original URI.

  • Your application can mitigate memory denial of service threats to the GetEntity method by implementing an IStream that limits the number of bytes read. This helps guard against situations where malicious code attempts to pass an infinite stream of bytes to the GetEntity method.