This documentation is archived and is not being maintained.

How to: Use the XmlSecureResolver Class

The XmlSecureResolver class helps to secure another XmlResolver object by wrapping the XmlResolver object and restricting the resources that the underlying XmlResolver has access to. For example, the XmlSecureResolver class can prohibit access to particular Internet sites or zones.

To restrict access using a URL

  • Create an XmlSecureResolver object that is only allowed to access your local intranet site.

    
    XmlSecureResolver myResolver = new XmlSecureResolver(new XmlUrlResolver(), "http://myLocalSite/");
    
    
    

To restrict access using a permission set

  1. Create a WebPermission object.

    
    WebPermission myWebPermission = new WebPermission(PermissionState.None);
    
    
    
  2. Allow access only to the following two URLs.

    
    myWebPermission.AddPermission(NetworkAccess.Connect, "http://www.contoso.com/");
    myWebPermission.AddPermission(NetworkAccess.Connect, "http://litwareinc.com/data/");
    
    
    
  3. Add the web permissions to the PermissionSet object.

    
    PermissionSet myPermissions = new PermissionSet(PermissionState.None);
    myPermissions.AddPermission(myWebPermission);
    
    
    
  4. Create an XmlSecureResolver object using the permission set.

    
    XmlSecureResolver myResolver = new XmlSecureResolver(new XmlUrlResolver(), myPermissions);
    
    
    

To restrict access using evidence

  • You can restrict access using Evidence. The Evidence is used to create the PermissionSet that is applied to the underlying XmlResolver. The XmlSecureResolver calls PermitOnly on the created PermissionSet before opening any resources.

    The following list summarizes some possible scenarios and the type of evidence to provide for each scenario.

    • You are working in a fully-trusted environment:

      Use your assembly to create the evidence.

      
      Evidence myEvidence = this.GetType().Assembly.Evidence;
      XmlSecureResolver myResolver;
      myResolver = new XmlSecureResolver(new XmlUrlResolver(), myEvidence);
      
      
      
    • You are working in a semi-trusted environment and you have code or data coming from an outside source. You know the origin of the outside source and have a verifiable URI:

      Use the URI to create the evidence.

      
      
      Evidence myEvidence = XmlSecureResolver.CreateEvidenceForUrl(sourceURI);
      XmlSecureResolver myResolver = new XmlSecureResolver(new XmlUrlResolver(), myEvidence);
      
      
      
    • You are working in a semi-trusted environment and you have code or data coming from an outside source and you do not know the origin of the outside source:

      Set the evidence parameter to null. This allows no access to resources.

      -or-

      If your application requires some access to resources, request evidence from the caller.

The XmlUrlResolver class is the default resolver for all classes in the System.Xml namespace. It is used to load XML documents, and to resolve external resources such as entities, DTDs or schemas, and import or include directives.

You can override this by specifying the XmlResolver object to use. By specifying an XmlSecureResolver, you can restrict the resources that the underlying XmlResolver can access.

To create an XmlReader object that uses an XmlSecureResolver

  1. Create an XmlSecureResolver with the correct permission set.

  2. Create an XmlReaderSettings object that uses the XmlSecureResolver object.

    
    XmlReaderSettings settings = new XmlReaderSettings();
    settings.XmlResolver = myResolver;
    
    
    
  3. Use the XmlReaderSettings object to create the XmlReader object.

    
    XmlReader reader = XmlReader.Create("books.xml", settings);
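
The permission-set and XmlReader procedures above, combined into one program that shows what the restriction does when a document references a resource outside the allowed set. This is an added example, not part of the original documentation. It assumes .NET Framework 4 or later (for DtdProcessing); the class name, the inline document and the other.example host are constructed for illustration, and the input is read from a string so that nothing has to exist on disk.

```csharp
using System;
using System.IO;
using System.Net;
using System.Security;
using System.Security.Permissions;
using System.Xml;

static class SecureResolverDemo
{
    // Constructed sample input: the external entity points at a host that is
    // not in the permission set built below (other.example is a placeholder).
    const string Doc =
        "<!DOCTYPE book [<!ENTITY chapter SYSTEM \"http://other.example/chapter.xml\">]>" +
        "<book>&chapter;</book>";

    // Same steps as the permission-set procedure: start from no access,
    // then allow connections to the two listed URLs only.
    static XmlSecureResolver BuildResolver()
    {
        WebPermission web = new WebPermission(PermissionState.None);
        web.AddPermission(NetworkAccess.Connect, "http://www.contoso.com/");
        web.AddPermission(NetworkAccess.Connect, "http://litwareinc.com/data/");
        PermissionSet allowed = new PermissionSet(PermissionState.None);
        allowed.AddPermission(web);
        return new XmlSecureResolver(new XmlUrlResolver(), allowed);
    }

    static void Report(Exception e)
    {
        Console.WriteLine("Load failed: " + e.GetType().Name + ": " + e.Message);
    }

    static void Main()
    {
        XmlReaderSettings settings = new XmlReaderSettings();
        settings.DtdProcessing = DtdProcessing.Parse; // DTDs are prohibited by default
        settings.XmlResolver = BuildResolver();
        try
        {
            using (XmlReader reader = XmlReader.Create(new StringReader(Doc), settings))
            {
                while (reader.Read()) { } // expanding &chapter; calls the resolver
            }
            Console.WriteLine("Document loaded.");
        }
        // A resolver failure may arrive wrapped in an XmlException.
        catch (XmlException ex) { Report(ex.InnerException ?? ex); }
        catch (SecurityException ex) { Report(ex); }
    }
}
```

Because the permission set is applied with PermitOnly before the underlying resolver opens anything, the request for the unlisted host is expected to be refused by the permission check rather than sent.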
    
    
    

To use the XmlSecureResolver to load an XSLT style sheet

  1. Create an XmlSecureResolver with the correct permission set.

  2. Pass the XmlSecureResolver to the Load method.

    
    XslCompiledTransform xslt = new XslCompiledTransform();
    xslt.Load("http://serverName/data/xsl/sort.xsl", null, myResolver);
    
    
    