tags:

views:

34

answers:

3
Q: 

Restricting WCF configuration in code

We would like to keep the WCF in the configuration file.

At the same time we would like the code to refuse a request if the data will be sent over the net unencrypted. Something like: if the request is basichttpbinding without https, throw exception.

Is there any way for the service code to know how it is being called?

EDIT

From the comments it looks like the question was not that clear.

What I am trying to do is "fix" the following situtaion: We install a service with basichttpBinding and https. Then a administrator changes it to not use https. The effect is that data is sent unencrypted over the net.

+3  A: 

I'm not sure I understand what you want... are you talking about validating, on the service itself, how it is being called and reject some requests if they don't meet certain criteria?

I'm sure that can probably be done (at least certain things, like checking for SSL are more or less simple), but first I'd ask why, if you only want your service called over secure bindings, why you're exposing the service using unsecured ones in the first place. Doesn't it make more sense to ensure the service configuration is correct?

tomasr  2010-02-04 00:36:17
+1  A: 

I don't have an example for you, but keep in mind that anything you can do through configuration with WCF, you can do in code. You don't even need to have a configuration file.

John Saunders  2010-02-04 09:48:22
+1  A: 

Are you self-hosting?? The most simplistic approach would be:

ServiceHost serviceHost = new ServiceHost(typeof(Service1), "http://localhost:1234/MyService/xml");

foreach (ServiceEndpoint sep in serviceHost.Description.Endpoints)
{
    if(sep.Binding.Scheme != "https")
    {
       // either just remove that endpoint, or signal an error
    }
}

Of course, when you host in IIS, this gets a bit trickier... you might have to create your own custom ServiceHost descendant to do this check, and make sure your IIS based *.svc files use that custom host. Of course, a smart admin might be able to trick that by using the base ServiceHost instead of your own custom host class......

marc_s  2010-02-04 22:17:04

related questions

Encryption in C# Web-Services
How Do You Secure database.yml?
ASP.NET LocationProvider
What do you (or your company) use for wiping a machine?
Can a proxy server cache SSL GETs? If not, would response body encryption suffice?
Java: What is the best way to SFTP a file from a server
How do I call a Flex SWF from a remote domain using Flash (AS3) ?
Best way to store a database password in a startup script / config file?
Using VM to get around VPN restrictions
Best references for secure coding practices in ASP.NET and classic ASP.
Secure Memory Allocator in C++
Resolving Session Fixation in JBoss
Best Practices for securing a REST API / web service
Defensive programming
Personal Linux web server
Block user access to internals of a site using HTTP_REFERER
Is there an Unobtrusive Captcha for web forms?
My website got hacked... What should I do?
What all do I need to escape when sending a (My)SQL query?
How do you disable browser Autocomplete on web form field / input tag?
Best .NET obfuscation tools/strategy
Are there best practices for testing security in an Agile development shop?
What is the best way to avoid SQL injection attacks?
Found a critical bug, but the company doesn't care
PHP Session Security