XmlResolver Class


The .NET API Reference documentation has a new home. Visit the .NET API Browser on docs.microsoft.com to see the new experience.

Resolves external XML resources named by a Uniform Resource Identifier (URI).

Namespace:   System.Xml
Assembly:  System.Xml (in System.Xml.dll)

public abstract class XmlResolver


Initializes a new instance of the XmlResolver class.


When overridden in a derived class, sets the credentials used to authenticate web requests.


Determines whether the specified object is equal to the current object.(Inherited from Object.)


Allows an object to try to free resources and perform other cleanup operations before it is reclaimed by garbage collection.(Inherited from Object.)

System_CAPS_pubmethodGetEntity(Uri, String, Type)

When overridden in a derived class, maps a URI to an object that contains the actual resource.

System_CAPS_pubmethodGetEntityAsync(Uri, String, Type)

Asynchronously maps a URI to an object that contains the actual resource.


Serves as the default hash function. (Inherited from Object.)


Gets the Type of the current instance.(Inherited from Object.)


Creates a shallow copy of the current Object.(Inherited from Object.)

System_CAPS_pubmethodResolveUri(Uri, String)

When overridden in a derived class, resolves the absolute URI from the base and relative URIs.

System_CAPS_pubmethodSupportsType(Uri, Type)

Enables the resolver to return types other than System.IO.Stream.


Returns a string that represents the current object.(Inherited from Object.)

The XmlResolver type is used to resolve external XML resources, such as entities, document type definitions (DTDs), or schemas. It is also used to process include and import elements found in Extensible Stylesheet Language (XSL) style sheets or XML Schema definition language (XSD) schemas.

XmlResolver handles all aspects of negotiating the connection to the resources, including handling security credentials, opening the connection to the data source, and returning the resource in the form of a stream or other object type. The object that calls XmlResolver has the task of interpreting the stream.

The System.Xml namespace includes two concrete implementations of the XmlResolver class:

  • XmlUrlResolver is the default resolver for all classes in the System.Xml namespace. It supports the file:// and http:// protocols and requests from the System.Net.WebRequest class. For examples of extending the class to improve performance, see the XmlUrlResolver reference page.

  • XmlSecureResolver helps secure another XmlResolver object by wrapping the object object and restricting the resources that it can access. For example, the XmlSecureResolver can prohibit access to specific Internet sites or zones.

You can create and specify your own resolver. If you don't specify a resolver, the reader uses a default XmlUrlResolver with no user credentials.

You specify the XmlResolver to use by setting the XmlReaderSettings.XmlResolver property and passing the XmlReaderSettings object to the Create method.

If the resource is stored on a system that requires authentication, you use the XmlResolver.Credentials property to specify the necessary credentials.

The file that contains the XML data to read may have a restricted access policy. If authentication is required to access a network resource, use the Credentials property to specify the necessary credentials. If the Credentials property is not set, credentials are set to null.

For example, assume that credentials are needed when requesting data from the web for authentication purposes. Unless the web virtual directory allows anonymous access, you must set the Credentials property to supply credentials. The following example creates an XmlReader object that uses an XmlUrlResolver with default credentials to access the http://localhost/bookstore/inventory.xml site.

// Create a resolver with default credentials.
XmlUrlResolver resolver = new XmlUrlResolver();
resolver.Credentials = System.Net.CredentialCache.DefaultCredentials;

// Set the reader settings object to use the resolver.
settings.XmlResolver = resolver;

// Create the XmlReader object.
XmlReader reader = XmlReader.Create("http://ServerName/data/books.xml", settings);

You can supply different credentials for different URIs and add them to a cache. These credentials are used to check authentication for the different URIs regardless of the original source of the XML. The following example shows how to add credentials to a cache.

// Create the credentials.
NetworkCredential myCred = new NetworkCredential(UserName,SecurelyStoredPassword,Domain); 
CredentialCache myCache = new CredentialCache(); 
myCache.Add(new Uri("http://www.contoso.com/"), "Basic", myCred); 
myCache.Add(new Uri("http://app.contoso.com/"), "Basic", myCred);

// Set the credentials on the XmlUrlResolver object.
XmlUrlResolver resolver = new XmlUrlResolver();
resolver.Credentials = myCache;

// Compile the style sheet.
XslCompiledTransform xslt = new XslCompiledTransform();
xslt.Load("http://serverName/data/xsl/order.xsl",XsltSettings.Default, resolver);	

Consider the following items when working with the XmlResolver class.

  • XmlResolver objects can contain sensitive information such as user credentials. You should be careful when caching XmlResolver objects and should not pass the XmlResolver object to an untrusted component.

  • If you are designing a class property that uses the XmlResolver class, the property should be defined as a write-only property. The property can be used to specify the XmlResolver to use, but it cannot be used to return an XmlResolver object.

  • If your application accepts XmlResolver objects from untrusted code, you cannot assume that the URI passed into the GetEntity method will be the same as that returned by the ResolveUri method. Classes derived from the XmlResolver class can override the GetEntity method and return data that is different than what was contained in the original URI.

  • Your application can mitigate memory denial of service threats to the GetEntity method by implementing an IStream that limits the number of bytes read. This helps guard against situations where malicious code attempts to pass an infinite stream of bytes to the GetEntity method.

The following example creates an XmlUrlResolver with default credentials. A XmlReader is used to read and display the resulting data stream.

using System;
using System.Xml;
using System.IO;

class Example
    static void Main()
        // Create an XmlUrlResolver with default credentials.
        XmlUrlResolver resolver = new XmlUrlResolver();
        resolver.Credentials = System.Net.CredentialCache.DefaultCredentials;

        // Point the resolver at the desired resource and resolve as a stream.
        Uri baseUri = new Uri("http://serverName/");
        Uri fulluri = resolver.ResolveUri(baseUri, "fileName.xml");
        Stream s = (Stream)resolver.GetEntity(fulluri, null, typeof(Stream));

        // Create the reader with the resolved stream and display the data.
        XmlReader reader = XmlReader.Create(s);
        while (reader.Read())

.NET Framework
Available since 1.1
Available since 2.0
Windows Phone Silverlight
Available since 7.0

Any public static ( Shared in Visual Basic) members of this type are thread safe. Any instance members are not guaranteed to be thread safe.

Return to top