Hi everyone.

I'm building a WCF Service that uses Custom Username/Password validation on netTcpBinding with message level security. I've been researching MaxReceivedMessageSize settings and I've got a query of a rather technical nature. I've noticed that when you specify a custom username validator, it gets called deep inside the plumbing of WCF (during handshaking I suppose).

If I have a relatively large MaxReceivedMessageSize of 1MB, will WCF read the entire message off the line and then do authentication, or will it first do the authentication and somehow discard the rest of the message?

The reason for my query is DoS attacks. I am hoping that due to the authentication the service would be immune to large message DoS attacks.

A: 

I believe that the full message is loaded. The message is first processed by the transport channel, which doesn't have any information about message security. So the channel reads the whole message using the selected encoder and creates a Message instance. This instance is passed on to further processing, including message security checking. The only exception is when you use Streamed transfer mode. In that case only message headers are read in the receiving channel and placed in a buffer.

To prove this you can also turn on message logging, which is able to log messages at transport level and at service level. Transport level is the message received from the transport; service level is the message received at the service (after all security processing). So the message is already read at transport level.

Ladislav Mrnka
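A configuration for the message-logging check described in the answer above, as an added example that is not part of the original answer. The log path, listener name, binding name and size limits are assumptions; the binding mirrors the 1MB buffered netTcpBinding with message security from the question.

```xml
<configuration>
  <system.diagnostics>
    <sources>
      <!-- Trace source that WCF writes logged messages to -->
      <source name="System.ServiceModel.MessageLogging">
        <listeners>
          <!-- Assumed listener name and path; open the .svclog in SvcTraceViewer -->
          <add name="messageLog"
               type="System.Diagnostics.XmlWriterTraceListener"
               initializeData="C:\logs\wcf-messages.svclog" />
        </listeners>
      </source>
    </sources>
  </system.diagnostics>

  <system.serviceModel>
    <diagnostics>
      <!-- Transport level: the message as received from the transport.
           Service level: the message as received at the service,
           after all security processing.
           maxSizeOfMessageToLog is set above the binding limit so a
           1MB test message is not dropped from the log. -->
      <messageLogging logEntireMessage="true"
                      logMalformedMessages="true"
                      logMessagesAtTransportLevel="true"
                      logMessagesAtServiceLevel="true"
                      maxMessagesToLog="100"
                      maxSizeOfMessageToLog="2097152" />
    </diagnostics>

    <bindings>
      <netTcpBinding>
        <!-- Assumed binding name; 1048576 bytes = the 1MB limit from the question -->
        <binding name="secureTcp"
                 transferMode="Buffered"
                 maxReceivedMessageSize="1048576">
          <security mode="Message">
            <message clientCredentialType="UserName" />
          </security>
        </binding>
      </netTcpBinding>
    </bindings>
  </system.serviceModel>
</configuration>
```

Send a large request with bad credentials: if a transport-level entry for it appears in the log with no matching service-level entry, the message was read in full before authentication rejected it.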
Damn :)! Thanks for that clarification. What would you reckon would happen if I had transport level security enabled then?
Andre Luus