WebRequest from localhost to localhost : why is it being denied?

StackOverflow https://stackoverflow.com/questions/158257

Question

My app uses a WebRequest at certain points to get pages from itself.

This shouldn't be a problem. It actually works fine on the server, which is a "shared" hosting package with Medium trust. Locally, I use a custom security policy based on Medium trust, which includes the following — copied straight from the default Medium trust policy:

<IPermission
  class="WebPermission"
  version="1">
    <ConnectAccess>
        <URI uri="$OriginHost$"/>
    </ConnectAccess>
</IPermission>

The offending line is in a custom XmlRelativeUrlResolver:

public override object GetEntity( System.Uri puriAbsolute, string psRole, System.Type pReturnType )
{
    return _baseResolver.GetEntity( puriAbsolute, psRole, pReturnType );
}

The url being requested is on localhost, in the same application as the requester. Here's the top of the stack trace.

 at System.Security.CodeAccessSecurityEngine.Check(Object demand, StackCrawlMark& stackMark, Boolean isPermSet)
   at System.Security.CodeAccessPermission.Demand()
   at System.Net.HttpWebRequest..ctor(Uri uri, ServicePoint servicePoint)
   at System.Net.HttpRequestCreator.Create(Uri Uri)
   at System.Net.WebRequest.Create(Uri requestUri, Boolean useUriBase)
   at System.Net.WebRequest.Create(Uri requestUri)
   at System.Xml.XmlDownloadManager.GetNonFileStream(Uri uri, ICredentials credentials)
   at System.Xml.XmlDownloadManager.GetStream(Uri uri, ICredentials credentials)
   at System.Xml.XmlUrlResolver.GetEntity(Uri absoluteUri, String role, Type ofObjectToReturn)
   at flow.controls.XmlRelativeUrlResolver.GetEntity(Uri puriAbsolute, String psRole, Type pReturnType) in c:\flow\source\controls\DataTransform.cs:line 105
   at System.Xml.Xsl.Xslt.XsltLoader.CreateReader(Uri uri, XmlResolver xmlResolver)

Anyone see the problem here?

@Sijin: Thanks for the suggestion. The url that gets sent to the resolver is based on the request URL, and I confirmed in the debugger that accessing the site at 127.0.0.1 yields the same result.

Was it helpful?

Solution 2

My ignorance. I didn't know that the $OriginHost$ token was replaced using the originUrl attribute of the trust level — I thought it just came from the url of the app. I had originally left this attribute blank.

<trust level="CustomMedium" originUrl="http://localhost/" />

OTHER TIPS

Does it work if you put 127.0.0.1 instead of localhost?

This might not be the solution but when I saw your post I remembered this issue that I ran into about a year ago:

http://support.microsoft.com/default.aspx/kb/896861

You receive error 401.1 when you browse a Web site that uses Integrated Authentication and is hosted on IIS 5.1 or IIS 6

We were creating a WebRequest to screen scrape a page and it worked in our production environment because we were not using a loopback host name but on development machines we ended up with access denied (after applying Windows Server 2003 SP2). The one difference here is that this was under integrated authentication which caused it to fail... it worked when the request was anonymous (so that is why I am not sure this is the answer for you).

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow
scroll top