Hi everyone.
I'm building a WCF Service that uses Custom Username/Password validation on netTcpBinding with message-level security. I've been researching MaxReceivedMessageSize settings and I've got a query of a rather technical nature. I've noticed that when you specify a custom username validator, it gets called deep inside the plumbing of WCF (during handshaking, I suppose).
If I have a relatively large MaxReceivedMessageSize of 1MB, will WCF read the entire message off the line and then do authentication, or will it first do the authentication and somehow discard the rest of the message?
The reason for my query is DoS attacks. I am hoping that, due to the authentication, the service would be immune to large-message DoS attacks.