SharePoint Events
  5/13/2013 - Conference: SharePoint Summit 2013
  5/21/2013 - Webcast: SharePoint 2013 and ECM: Content Migration and Storage
  5/22/2013 - Webcast: Managing CAD in SharePoint
  5/23/2013 - Webcast: SharePoint Document Automation and E-Forms for Financial Services
  5/24/2013 - Webcast: What's New in Search for SharePoint 2013

 SharePoint Videos
  Why SharePoint 2013
  SharePoint 2013 Launch
  SharePoint 2013 Migration and Governance
  SharePoint 2013 and Enterprise Content Management
  Top Benefits of SharePoint 2013
  What's New in Business Intelligence in Office and SharePoint 2013
  SharePoint and Office 2013 Integration
  SharePoint 2013 Infrastructure Preview
  SharePoint, Lync, and, Exchange in the Cloud with Office 365
  Advanced Reporting in SharePoint with Microsoft Power View

 Archives
Opening SharePoint Links in a new windowUse SHIFT+ENTER to open the menu (new window).
Mail Enabled Lists vs. The Missing Windows 2008 POP3/IMAP Server Use SHIFT+ENTER to open the menu (new window).
7 Tools for SharePoint DevelopersUse SHIFT+ENTER to open the menu (new window).
Public Facing Masterpage TechniquesUse SHIFT+ENTER to open the menu (new window).
How to Quickly Deploy and Activate a Timer Service to Your Site CollectionUse SHIFT+ENTER to open the menu (new window).
Custom SharePoint Master Page Feature with WSP BuilderUse SHIFT+ENTER to open the menu (new window).
Date Math with InfoPathUse SHIFT+ENTER to open the menu (new window).
Enterprise Search Tricks and Tips Part 1Use SHIFT+ENTER to open the menu (new window).
Populating Word Documents With SharePoint Data. Try The DIP!Use SHIFT+ENTER to open the menu (new window).
Programmatic Deep Dive into Blank SharePoint Lookup ColumnsUse SHIFT+ENTER to open the menu (new window).
1 - 10 Next
Blogroll
Microsoft SharePoint Team Blog
MS SharePoint End User Team
Joel Oleson
Bob Fox
Jason Medero
Scot Hillier
Natalya Voskresenskaya
Heather Solomon
Paul Galvin
Andrew Connell
Liam Cleary
Ben Curry
Chandima
Amanda Murphy
EndUserSharePoint
Becky Isserman's Blog
Links
Gig Werks
Microsoft
InformationWeek
CIO
CTO Edge
Digg Technology
ChannelWeb
Slashdot
BlogCatalog
Informative Graphics

12/2/2011

Securely Deploying ASP.NET Web Services in SharePoint 2010 (Part 1 of 2)

By Christian Holslin

Part 1: The Business Case and Step-by-Step Summary

Introduction

If you have ever found yourself the caretaker of a SharePoint farm you have probably pondered an appropriate strategy for governance.  SharePoint offers excellent governance options for its own content, but what happens when you introduce customizations into the environment?

Event Receivers and Workflows are bound to the same security constraints as the items they operate against, with programmable exceptions, but cannot be explicitly invoked without the user possessing the appropriate rights to the item itself in the first place.

Web Services and Governance

Classic ASP.NET Web Services, on the other hand, are a bit more lax in their security policy.  Deploying a Web Service to SharePoint provides many valuable options:

  • Automate repetitive and/or labor-intensive operations
  • Provide data to web parts and forms
  • Interoperate with .NET or 3rd party applications
  • Feed data to SharePoint

The list goes on and on.  When you deploy a classic MyService.asmx Web Service to the “Layouts” folder, it can be accessed and invoked from any Web Application in your entire farm.  Doing so may introduce a security risk by exposing privileged operations to an unintentionally wide audience, especially if your farm has extranet users.

In order to solve this issue so that we can all continue using these types of Web Services, I have devised a methodology for securely packaging and deploying ASP.NET Web Services (those ASMX files we all know about), to a SharePoint farm, without exposing their operations (or the ability to invoke them) to the farm’s entire user community.

And, best of all, you can do this with a regular Visual Studio 2010 SharePoint project (no funny business!).

Business Case

Applicability

This deployment technique applies to single-server and multi-server SharePoint farms.  Both types of farms are subject to the same exposure of privileged operations with a Web Service deployed to the “Layouts” folder.

Web Services

Why do we care?  We, as in Gig Werks, you, .NET applications, vendors, developers, many COTS software titles, all consume Web Services (if you aren’t in this list, I can recommend many other interesting blog posts).  We use them because they are easy to develop, easy to deploy, easy to consume, and allow (basically) any .NET application to perform server-side SharePoint operations.

Open Visual Studio, add a web reference, and you’re off to the races.

While interoperating with SharePoint, for example with InfoPath or a custom Web Part, you may create a Web Service to function as a data source or proxy into another line-of-business system.  You may create a Web Service to perform operations on SharePoint list items.  You may create a Web Service to automate provisioning SharePoint content (e.g. sites).  You may create a Web Service which performs a CPU- or I/O-intensive operation.  If your Web Service falls into any of these categories, you will benefit from this deployment method by providing a secure, discrete access point.

Governance

There’s always a business case for governance, but specifically with Web Services, assuming that you’ve already decided to use Web Services with SharePoint, here are some key benefits to this particular deployment approach:

·     Guard privileged operations from unauthorized access with multiple techniques

o   Use SharePoint’s security infrastructure to protect your Web Services

o   Firewalls

o   Non-standard ports

o   Non-routable URLs

·     Off-load intensive operations to other servers

·     Update Web Service code during business hours without affecting other SharePoint sites

But most importantly, if you’re looking to heavily secure your SharePoint Farm’s custom Web Services infrastructure, this post is for you.

Deployment Technique

To successfully implement this practice, use the following techniques when deploying your Web Service.

Dedicated Web Application

The whole topology starts with a dedicated web application running on a non-standard port accessible via a non-routable URL.  Example:

  • http://myserver:32837/_layouts/MyWebServiceProject/Service.asmx

This URL can only be accessed from within the private network perimeter of the same top-level domain (TLD) as the SharePoint server itself, as opposed to the Internet.  This means a user outside the network cannot access this web application at all.  This is what I mean by “non-routable URL.”

I am assuming:

  1. Your server hostname is not registered on an Internet-facing DNS server
  2. The port is blocked from access by a firewall at the network perimeter, if your server has an Internet-routable address

Most of the time, both of those assumptions are true, but regardless it’s important we understand they are assumptions.

Dedicated IPv4/v6 Address

Additionally, if your server is in a DMZ, or directly Internet-routable for whatever reason, you can always bind the dedicated Web Application to a private IP address on a private subnet (you might have to give your server one first):

Securely_Deploying_ASP.NET_Web_Services_in_SharePoint_2010

Above is the dialog box for the IIS 7 web site bindings editor where you can specify on what IP addresses and ports your Web Services SharePoint web application should respond.  Remember, SharePoint sites don’t have to respond on every subnet.

Assembly Deployment Target: Web Application

The Web Service itself is deployed using a standard Visual Studio 2010 SharePoint project which targets the Web Application, not the Global Assembly Cache, for its .NET assembly DLL.

Securely_Deploying_ASP.NET_Web_Services_in_SharePoint_2010

This one setting is crucial for the entire operation to work successfully.

If you’ve ever thought twice about deploying your code to the GAC, this is at least one reason not to.  The screen shot above is the Property Window for the Visual Studio 2010 SharePoint Project itself, not the Package (or the Feature, because there is no Feature).

Our Visual Studio 2010 SharePoint Project does not require a Feature because once it’s deployed to a specific Web Application via Central Administration or PowerShell, the MyService.asmx file and .NET assembly DLL are immediately available for consumption.  And that’s all our Web Service really is.

Part 1 Summary

So, using those techniques you can setup a private custom Web Service in your SharePoint Farm.  In Part 2, coming out soon, I will show you how to actually create a Web Service from scratch, deploy it to SharePoint using these techniques, and consume it from another custom application.

Please look for part two in the next couple weeks!

By Christian Holslin

Posted at 10:41 AM by WDC812\richardm | Permalink | Email this Post | Comments (0)
        

Comments

There are no comments yet for this post.
Items on this list require content approval. Your submission will not appear in public views until approved by someone with proper rights. More information on content approval.

Your Name *


e-mail address *


Website (optional)


Comment *


Attachments

 Subscribe

  GigWerks RSS  Gig Werks Mailing List 

 Contact Us

 Connect

 Resources
  On Demand SharePoint Webcast Recordings
  Upcoming Webinars
  SharePoint Resources
  Business Intelligence Resources
  Gig Werks Website



©2009 Gig Werks. All rights reserved. Privacy Policy