views: 281
answers: 2

If I am hosting a WCF service so that someone (i.e. someone whom I know) can consume my service, but what if someone else (i.e. someone whom I don't know) consumes it, then what do I do? How do I prevent that? How can this be achieved?

Can it be done through service throttling or what are the other ways of achieving this?

A: 

No, there's no mechanism in WCF to allow certain clients from using your service while prohibiting others. You'll need to approach this from a different angle.

One way is to not automatically publish your metadata from your service - e.g. make it almost "invisible" - and then distribute the necessary metadata information in the form of one or several WSDL and one or several XSD files to those clients you want to connect to your service. If your metadata is not available, someone just browsing to your service address will not get any information about what to call.

The metadata exchange is controlled by the <serviceMetadata> behavior, and by having a "mex" endpoint on your service. Remove both and your service is invisible.

The other way would be to prohibit any external users from accessing your WCF server based on firewalls and network rules. This cannot be done by WCF, but your network administrator could limit which IPs have physical access to the machine where your WCF service runs.

Marc

UPDATE:
In order to ship metadata to those users who should be able to call your service, you can do one of two things:

1) Using svcutil.exe /t:metadata (path+name of your service assembly), you can extract the metadata from your service assembly (e.g. MyServiceLibrary.dll). This will give you one or several WSDL and one or several XSD files, which you need to ship to your intended users. They can put these files somewhere on their hard disk and then, in "Add Service Reference", instead of entering the URL to discover the service, they can type in the name of the main WSDL (which imports all other files) and they'll get their client proxy.

Or:

2) With the service up and running, you could "Add New Project" to your solution, choose a Class Library (MyService.Client), then do an "Add Service Reference" and enter your service URL. This will create all the necessary files and everything in your new class library. Compile this class library and ship that assembly MyService.Client.dll to the users you want to allow access to your service.

With both solutions, you don't need to have metadata exchange enabled, and someone else cannot just walk up to your service and get all the information needed in order to call it.

marc_s
But the Metadata Exchange endpoint is used by the service to describe itself to clients, right? If I remove the endpoint and set <serviceMetadata httpGetEnabled="False"/>, then without mex you can't publish it, and how do I add a service reference on the client?
I thought that was exactly what you wanted - not allowing everyone to add a service reference, right? In this case, you will need to ship the WSDL and XSD to the clients who are supposed to use your service, and they need to add the service reference based on the FILES they get (instead of the URL). Or you could write your own proxy client class, put that in an assembly and ship that pre-built client proxy to those users who should be able to call your service.
marc_s
Thanks marc :D I knew it could be achieved through a proxy, but I was thinking we could have both, i.e. add the service using the URL and also allow only the privileged clients, so that they can update the service just as easily, instead of again compiling it to a DLL and deploying it at the client end.
+2  A: 
Tuzo
This disallows certain users from calling your service - but it doesn't do anything to prevent them from adding a service reference in the first place.
marc_s
The default binding for mex is mexHttpBinding which is anonymous. You can change that binding to use a secure binding like wsHttpBinding. Given a choice between securing the WSDL and the actual service I would always prefer to secure the service. If the service is on the internet, even if you don't expose WSDL, someone could still determine your service interface by sniffing on the wire.
Tuzo
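A constructed app.config, added here and not from either poster, that shows the two pieces of advice side by side: marc_s's (httpGetEnabled="false" and no anonymous mexHttpBinding endpoint, so the service is not discoverable) and Tuzo's (keep a mex endpoint but put it on wsHttpBinding so fetching metadata requires authentication). The service name, contract name and base address are assumptions.

```xml
<!-- Constructed example app.config for a self-hosted WCF service.
     Not the original poster's configuration; names are assumed. -->
<configuration>
  <system.serviceModel>
    <services>
      <service name="Example.Services.OrderService"
               behaviorConfiguration="RestrictedMetadata">
        <host>
          <baseAddresses>
            <add baseAddress="http://localhost:8080/OrderService" />
          </baseAddresses>
        </host>

        <!-- The real service endpoint. wsHttpBinding defaults to message
             security with Windows client credentials, so an unauthenticated
             caller is rejected even if it has obtained the WSDL elsewhere. -->
        <endpoint address=""
                  binding="wsHttpBinding"
                  contract="Example.Services.IOrderService" />

        <!-- BEFORE (the default project template): metadata served
             anonymously over mexHttpBinding. Commented out so an unknown
             party cannot "Add Service Reference" against the live service.
        <endpoint address="mex"
                  binding="mexHttpBinding"
                  contract="IMetadataExchange" />
        -->

        <!-- AFTER, Tuzo's variant: keep mex, but over wsHttpBinding so the
             metadata call itself must authenticate. For marc_s's "invisible"
             variant delete this endpoint as well and ship the WSDL/XSD
             produced by svcutil.exe /t:metadata to the intended clients. -->
        <endpoint address="mex"
                  binding="wsHttpBinding"
                  contract="IMetadataExchange" />
      </service>
    </services>

    <behaviors>
      <serviceBehaviors>
        <behavior name="RestrictedMetadata">
          <!-- httpGetEnabled="true" would publish ?wsdl over plain HTTP GET.
               The behavior must still be present for the mex endpoint above
               to work; only the anonymous GET path is switched off. -->
          <serviceMetadata httpGetEnabled="false" />
          <serviceDebug includeExceptionDetailInFaults="false" />
        </behavior>
      </serviceBehaviors>
    </behaviors>
  </system.serviceModel>
</configuration>
```

As Tuzo notes, hiding or authenticating metadata only limits discovery; the authentication on the service endpoint is what actually stops unwanted callers.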