tags:

views:

49

answers:

1
+1  Q: 

WCF netTcpBinding MaxReceivedMessageSize and Custom UsernamePasswordValidation

Hi everyone.

I'm building a WCF Service that uses Custom Username/Password validation on netTcpBinding with message level security. I've been researching MaxReceivedMessageSize settings and I've got a query of a rather technical nature. I've noticed that when you specify a custom username validator that it gets called deep inside the plumbing of WCF (during handshaking I suppose).

If I have a relatively large MaxReceivedMessageSize of 1MB, will WCF read the entire message off the line and then do authentication, or will it first do the authentication and somehow discard the rest of the message?

The reason for my query is DoS attacks. I am hoping that due to the authentication the service would be immune to large message DoS attacks.

A: 

I believe that full message is loaded. The message is first processed by transport channel which doesn't have any information about message security. So the channel reads the whole message with using selected encoder and creates Message instance. This instance is passed to futher processing including message security checking. The only exception is when you use Streamed transfer mode. In that case only message headers are read in receiving channel and placed to buffer.

To prove this you can also turn message logging which is able to log messages on transport level and at service level. Transport level is message received from transport, service level is message received at service (after all security processing). So the message is already read at transport level.

Ladislav Mrnka  2010-09-21 09:14:56
Damn :)! Thanks for that clarification. What would you reckon would happen if I had transport level security enabled then?
Andre Luus  2010-09-22 10:11:45

related questions

Dynamic programming with WCF
WCF Service Returning "Method Not Allowed"
Exceptions in Web Services
What SPN do I need to set for a net.tcp service?
How do I unit test a WCF service?
Best practices for versioning your services with WCF?
Lazy Loading with a WCF Service Domain Model?
How many ServiceContracts can a WCF Service have?
How can I authenticate using client credentials in WCF just once?
WCF - Domain Objects and IExtensibleDataObject
InvalidOperationException while creating wcf web service instance
Closing and Disposing a WCF Service
What WCF best practices do you follow in object model design?
WCF push to client through firewall?
Loading System.ServiceModel configuration section using ConfigurationManager
I would like some tips for debugging WCF Web Service exceptions
What's the best way to authenticate over WCF?
Good Reads for Distributed Systems
.Net - Returning DataTables in WCF
What is the easiest way to add compression to WCF in Silverlight?
WCF Backward Compatibility Issue
Best Practices for securing a REST API / web service
Web Services -- WCF vs. Standard
C# WCF Service - Backward compatibility issue
WCF - High availability