Folks, I am building a RESTful service that is secured by providing an XMLDSIG XML signature at the bottom of the XML document. When I send this document to the server, the WCF service is doing the XML de-serialization method on the HTTP payload to give me a C# class. Unfortunately for this de-serialization to occur properly, the C# class definition needs to have all the properties required to define the XML signature, even though I only need that for security.

So, what I would like to do is this:

  • build a WCF service behavior that, pre-call, examines the XML signature, validates it and then strips it off the XML before the de-serialization for the regular method call.

Is this possible? If so, where can I start looking for how to do this? I feel like I'm close; I just haven't found the right WCF injection point.

P.S. Everything is .NET 4.0, Visual Studio 2010, IIS 7+.

A: 

Figured it out. I created an XmlSignatureVerificationConfigurationSection class that allows me to drop an XML element called directly into my WCF behavior configuration. This config section then points WCF to the data type of my behavior extension, SignatureVerificationBehavior. This behavior then points to a custom Message Inspector I wrote, SignatureVerificationInspector. This inspector pops open the message, removes the signature node from the payload, verifies the signature, and then sends the new (signature removed) message back on down the pipeline where the service definitions remain blissfully ignorant of the presence of signatures.

Kevin Hoffman
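
A sketch of the inspector the answer describes, added here as an illustration and not the answerer's own code. It assumes an XML request body with one enveloped XMLDSIG signature directly under the root element and a verification key pinned in server configuration; only the class name comes from the answer, the body is hypothetical. It verifies with the signature still in place (the enveloped-signature transform excludes it from the digest) and strips it only after the check passes.

```csharp
using System.Security.Cryptography;
using System.Security.Cryptography.Xml;
using System.ServiceModel;
using System.ServiceModel.Channels;
using System.ServiceModel.Dispatcher;
using System.Xml;

// Hypothetical body for the inspector named in the answer.
public class SignatureVerificationInspector : IDispatchMessageInspector
{
    // Assumption: key pinned in server config, never taken from the message's KeyInfo.
    private readonly AsymmetricAlgorithm trustedKey;

    public SignatureVerificationInspector(AsymmetricAlgorithm trustedKey) { this.trustedKey = trustedKey; }

    public object AfterReceiveRequest(ref Message request, IClientChannel channel, InstanceContext instanceContext)
    {
        // Reading the body consumes the message, so it must be rebuilt below.
        var doc = new XmlDocument { PreserveWhitespace = true };
        using (XmlDictionaryReader body = request.GetReaderAtBodyContents())
            doc.Load(body);

        // Exactly one Signature, directly under the root: rejects wrapped or duplicated signatures.
        XmlNodeList sigs = doc.GetElementsByTagName("Signature", SignedXml.XmlDsigNamespaceUrl);
        if (sigs.Count != 1 || sigs[0].ParentNode != doc.DocumentElement)
            throw new FaultException("Exactly one enveloped signature is required.");
        var sigElement = (XmlElement)sigs[0];

        var signedXml = new SignedXml(doc);
        signedXml.LoadXml(sigElement);
        // A single reference with URI "" means the signature covers the whole document.
        if (signedXml.SignedInfo.References.Count != 1
            || ((Reference)signedXml.SignedInfo.References[0]).Uri != "")
            throw new FaultException("Signature must cover the whole document.");
        if (!signedXml.CheckSignature(trustedKey))
            throw new FaultException("Signature verification failed.");

        // Verified: strip the signature so the service contract never sees it.
        sigElement.ParentNode.RemoveChild(sigElement);
        Message stripped = Message.CreateMessage(request.Version, null, new XmlNodeReader(doc.DocumentElement));
        stripped.Headers.CopyHeadersFrom(request);
        stripped.Properties.CopyProperties(request.Properties);
        request = stripped;
        return null;
    }

    public void BeforeSendReply(ref Message reply, object correlationState) { }
}
```

An endpoint behavior would register it in `ApplyDispatchBehavior` by adding an instance to `endpointDispatcher.DispatchRuntime.MessageInspectors`.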