"Nicholas Paldino [.NET/C# MVP]" <mv*@spam.guard.caspershouse.com> wrote:
Actually, you should have permissions to call a web service (or open
a connection) to the machine that the client was downloaded from.
"MaSTeR" <so***@nospam.com> replied:
This is really awkward. I went at Microsoft for a smart client
demonstration
and they told me you don't need to change any setting to call a web
service.
In my experience I reckon this is false, but I might be doing something
wrong.
This does work, but there are a couple of gotchas:
First, you can connect to a web service, but you cannot open any arbitrary
connection back. If you evaluate the permission set granted to an executable
in the Internet zone with the standard .NET Framework security settings in
place, you'll see that it has the Web Access permission but it does *not*
have the Socket Access permission.
So Nicholas isn't quite right - while he's correct to say that you will have
permissions to call a web service, he is wrong to suggest that you will have
permission to open a connection. It's more restrictive than that - you
won't be able to use a socket to connect back to the home machine, you'll
only be able to open an HTTP or HTTPS connection. (Of course that uses a
socket under the covers, but you won't be able to use the Socket class
directly.)
Second, you need to get the URL exactly right when connecting back. The way
the Web Access permission gets set up is that you have permission to connect
using HTTP or HTTPS back to your home server but *only* if you use the same
name for that server that you were downloaded from.
For example, I've got a little test harness running on my machine right now.
The smart client is written to use the fully qualified server name when
invoking the web service. If I launch the client using a URL with the fully
qualified server name, it is able to access the web service on the server.
But if I just use the local name, it doesn't work. In other words, because
the client is accessing the web service with:
http://mymachine.mydomain/App/Service.asmx
it only works if I launch the EXE like so:
http://mymachine.mydomain/App/SmartClient.exe
This works because when launched like this, the app's Web Access permission
looks like this:
(https|http)://mymachine\.mydomain/.*
If I try this:
http://mymachine/App/SmartClient.exe
then although it's pointing at the exact same machine, the attempt to use
the web service fails. That's because the Web Access permission now looks
like this:
(https|http)://mymachine/.*
but the client is still trying to use this:
http://mymachine.mydomain/App/Service.asmx
So in summary, you definitely can connect back to your home web server via
HTTP (but not using raw sockets), but you have to make sure you do so using
a URL that is consistent with the one used to launch your application in the
first place.
--
Ian Griffiths -
http://www.interact-sw.co.uk/iangblog/
DevelopMentor -
http://www.develop.com/