How to: Use the XmlSecureResolver Class

The XmlSecureResolver class helps to secure another XmlResolver object by wrapping the XmlResolver object and restricting the resources that the underlying XmlResolver has access to. For example, the XmlSecureResolver class can prohibit access to particular Internet sites or zones.

To restrict access using a URL

  • Create an XmlSecureResolver object that is only allowed to access your local intranet site.

    ' Visual Basic: wrap XmlUrlResolver so that only http://myLocalSite/ can be reached
    Dim myResolver As New XmlSecureResolver(New XmlUrlResolver(), "http://myLocalSite/")

    // C#: wrap XmlUrlResolver so that only http://myLocalSite/ can be reached
    XmlSecureResolver myResolver = new XmlSecureResolver(new XmlUrlResolver(), "http://myLocalSite/");


To restrict access using a permission set

  1. Create a WebPermission object.

    ' Visual Basic: start from a WebPermission that grants no access at all
    Dim myWebPermission As New WebPermission(PermissionState.None)

    // C#: start from a WebPermission that grants no access at all
    WebPermission myWebPermission = new WebPermission(PermissionState.None);

  2. Allow access only to the following two URLs.

    ' Visual Basic: grant outbound (Connect) access to exactly these two URL prefixes
    myWebPermission.AddPermission(NetworkAccess.Connect, "https://www.contoso.com/")
    myWebPermission.AddPermission(NetworkAccess.Connect, "http://litwareinc.com/data/")

    // C#: grant outbound (Connect) access to exactly these two URL prefixes
    myWebPermission.AddPermission(NetworkAccess.Connect, "https://www.contoso.com/");
    myWebPermission.AddPermission(NetworkAccess.Connect, "http://litwareinc.com/data/");

  3. Add the web permissions to the PermissionSet object.

    ' Visual Basic: an otherwise empty PermissionSet that contains only the web permission
    Dim myPermissions As New PermissionSet(PermissionState.None)
    myPermissions.AddPermission(myWebPermission)

    // C#: an otherwise empty PermissionSet that contains only the web permission
    PermissionSet myPermissions = new PermissionSet(PermissionState.None);
    myPermissions.AddPermission(myWebPermission);

  4. Create an XmlSecureResolver object using the permission set.

    ' Visual Basic: the secure resolver calls PermitOnly on myPermissions before each resolution
    Dim myResolver As New XmlSecureResolver(New XmlUrlResolver(), myPermissions)

    // C#: the secure resolver calls PermitOnly on myPermissions before each resolution
    XmlSecureResolver myResolver = new XmlSecureResolver(new XmlUrlResolver(), myPermissions);


To restrict access using evidence

  • You can restrict access using Evidence. The Evidence is used to create the PermissionSet that is applied to the underlying XmlResolver. The XmlSecureResolver calls PermitOnly on the created PermissionSet before opening any resources.

    The following list summarizes some possible scenarios and the type of evidence to provide for each scenario.

    • You are working in a fully trusted environment:

      Use your assembly to create the evidence.

      ' Visual Basic: use the evidence of the current assembly
      Dim myEvidence As Evidence = Me.GetType().Assembly.Evidence
      Dim myResolver As XmlSecureResolver
      myResolver = New XmlSecureResolver(New XmlUrlResolver(), myEvidence)

      // C#: use the evidence of the current assembly
      Evidence myEvidence = this.GetType().Assembly.Evidence;
      XmlSecureResolver myResolver;
      myResolver = new XmlSecureResolver(new XmlUrlResolver(), myEvidence);

    • You are working in a semi-trusted environment and you have code or data coming from an outside source. You know the origin of the outside source and have a verifiable URI:

      Use the URI to create the evidence.

      ' Visual Basic: derive evidence (zone, site, URL) from the known source URI
      Dim myEvidence As Evidence = XmlSecureResolver.CreateEvidenceForUrl(sourceURI)
      Dim myResolver As New XmlSecureResolver(New XmlUrlResolver(), myEvidence)

      // C#: derive evidence (zone, site, URL) from the known source URI
      Evidence myEvidence = XmlSecureResolver.CreateEvidenceForUrl(sourceURI);
      XmlSecureResolver myResolver = new XmlSecureResolver(new XmlUrlResolver(), myEvidence);

    • You are working in a semi-trusted environment and you have code or data coming from an outside source and you do not know the origin of the outside source:

      Set the evidence parameter to null. This allows no access to resources.

      -or-

      If your application requires some access to resources, request evidence from the caller.

Use the XmlSecureResolver to Resolve XML Resources

The XmlUrlResolver class is the default resolver for all classes in the System.Xml namespace. It is used to load XML documents, and to resolve external resources such as entities, DTDs or schemas, and import or include directives.

You can override this by specifying the XmlResolver object to use. By specifying an XmlSecureResolver, you can restrict the resources that the underlying XmlResolver can access.

To create an XmlReader object that uses an XmlSecureResolver

  1. Create an XmlSecureResolver with the correct permission set.

  2. Create an XmlReaderSettings object that uses the XmlSecureResolver object.

    ' Visual Basic: replace the default XmlUrlResolver with the secure resolver
    Dim settings As New XmlReaderSettings()
    settings.XmlResolver = myResolver

    // C#: replace the default XmlUrlResolver with the secure resolver
    XmlReaderSettings settings = new XmlReaderSettings();
    settings.XmlResolver = myResolver;

  3. Use the XmlReaderSettings object to create the XmlReader object.

    ' Visual Basic: every external resource books.xml references now goes through myResolver
    Dim reader As XmlReader = XmlReader.Create("books.xml", settings)

    // C#: every external resource books.xml references now goes through myResolver
    XmlReader reader = XmlReader.Create("books.xml", settings);

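As an added example that is not part of the original page, the following .NET Framework console program combines the URL-restricted resolver from the first procedure with the XmlReader procedure just shown: the wrapped XmlUrlResolver may reach only http://myLocalSite/, and the constructed sample document's DOCTYPE references an external entity at http://untrusted.example.com/, which the secure resolver refuses before any connection is made. It assumes .NET Framework, where Code Access Security is in effect; on .NET Core and later the class does not apply a permission set and refuses every resolution, so there the failure is reported for any URL.

```csharp
// Added example (not from the original page): XmlSecureResolver restricted to one site,
// plugged into XmlReaderSettings, parsing a document that tries to pull an external entity
// from somewhere else. Assumes .NET Framework (Code Access Security).
using System;
using System.IO;
using System.Security;
using System.Xml;

class XmlSecureResolverDemo
{
    // Constructed sample input: the entity URL is outside the permitted site.
    const string UntrustedXml =
        "<?xml version=\"1.0\"?>" +
        "<!DOCTYPE doc [ <!ENTITY ext SYSTEM \"http://untrusted.example.com/ext.txt\"> ]>" +
        "<doc>&ext;</doc>";

    static void Main()
    {
        // Only http://myLocalSite/ (the URL from the page) is reachable through myResolver.
        XmlResolver myResolver = new XmlSecureResolver(new XmlUrlResolver(), "http://myLocalSite/");

        XmlReaderSettings settings = new XmlReaderSettings();
        // External entities are only resolved at all when DTD processing is enabled;
        // the default (Prohibit) would reject the DOCTYPE before the resolver is consulted.
        settings.DtdProcessing = DtdProcessing.Parse;
        settings.XmlResolver = myResolver;

        try
        {
            using (XmlReader reader = XmlReader.Create(new StringReader(UntrustedXml), settings))
            {
                while (reader.Read())
                {
                    if (reader.NodeType == XmlNodeType.Text)
                        Console.WriteLine("Entity content was resolved: " + reader.Value);
                }
            }
        }
        catch (SecurityException ex)
        {
            // The PermitOnly applied by XmlSecureResolver fails the WebPermission demand
            // raised when XmlUrlResolver tries to open the disallowed URL.
            Console.WriteLine("Blocked by XmlSecureResolver: " + ex.Message);
        }
        catch (XmlException ex)
        {
            // Reported when the reader surfaces the failed resolution as a parse error.
            Console.WriteLine("Resolution failed: " + ex.Message);
        }
    }
}
```

Changing the entity URL to one under http://myLocalSite/ is the positive test: with a reachable server there, the text content is printed instead of the denial.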

To use the XmlSecureResolver to load an XSLT style sheet

  1. Create an XmlSecureResolver with the correct permission set.

  2. Pass the XmlSecureResolver to the Load method.

    ' Visual Basic: the resolver also governs xsl:import and xsl:include in the style sheet
    Dim xslt As New XslCompiledTransform()
    xslt.Load("https://serverName/data/xsl/sort.xsl", Nothing, myResolver)

    // C#: the resolver also governs xsl:import and xsl:include in the style sheet
    XslCompiledTransform xslt = new XslCompiledTransform();
    xslt.Load("https://serverName/data/xsl/sort.xsl", null, myResolver);


See Also

Other Resources

Security and Your System.Xml Applications

XML Documents and Data