Dear Team...
1) I have created a WCF Service using VS 2010 with multiple bindings and multiple endpoints.
2) The WCF service is deployed in IIS 5.1 with Windows XP OS.
When I try to consume the service, in the client .config multiple bindings and endpoints are exposed, which is a security concern to me.
So how can I restrict this? If the customer wants basicHttpBinding, then only the basicHttpBinding endpoint should be available in the client .config, not all.
This also applies to the others, like wsHttpBinding, wsFederationHttpBinding, wsDualHttpBinding or netTcpBinding.

Can anyone give me an idea or a useful URL on how to resolve the problem?

Client Config Sample Code:-
XML
<system.serviceModel>
    <bindings>
      <basicHttpBinding>

        <binding name="XX1" closeTimeout="00:01:00"
          openTimeout="00:01:00" receiveTimeout="00:10:00" sendTimeout="00:01:00"
          allowCookies="false" bypassProxyOnLocal="false" hostNameComparisonMode="StrongWildcard"
          maxBufferSize="65536" maxBufferPoolSize="524288" maxReceivedMessageSize="65536"
          messageEncoding="Text" textEncoding="utf-8" transferMode="Buffered"
          useDefaultWebProxy="true">
          <readerQuotas maxDepth="32" maxStringContentLength="8192" maxArrayLength="16384"
            maxBytesPerRead="4096" maxNameTableCharCount="16384" />
          <security mode="None">
            <transport clientCredentialType="None" proxyCredentialType="None" realm="" />
            <message clientCredentialType="UserName" algorithmSuite="Default" />
          </security>
        </binding>
      </basicHttpBinding>

      <wsDualHttpBinding>
        <binding name="XX2" closeTimeout="00:01:00"
          openTimeout="00:01:00" receiveTimeout="00:10:00" sendTimeout="00:01:00"
          bypassProxyOnLocal="false" transactionFlow="false" hostNameComparisonMode="StrongWildcard"
          maxBufferPoolSize="524288" maxReceivedMessageSize="65536" messageEncoding="Text"
          textEncoding="utf-8" useDefaultWebProxy="true">
          <readerQuotas maxDepth="32" maxStringContentLength="8192" maxArrayLength="16384"
            maxBytesPerRead="4096" maxNameTableCharCount="16384" />
          <reliableSession ordered="true" inactivityTimeout="00:10:00" />
          <security mode="None">
            <message clientCredentialType="Windows" negotiateServiceCredential="true" />
          </security>
        </binding>
      </wsDualHttpBinding>

      <wsHttpBinding>
        <binding name="XX" closeTimeout="00:01:00"
          openTimeout="00:01:00" receiveTimeout="00:10:00" sendTimeout="00:01:00"
          bypassProxyOnLocal="false" transactionFlow="false" hostNameComparisonMode="StrongWildcard"
          maxBufferPoolSize="524288" maxReceivedMessageSize="65536" messageEncoding="Text"
          textEncoding="utf-8" useDefaultWebProxy="true" allowCookies="false">
          <readerQuotas maxDepth="32" maxStringContentLength="8192" maxArrayLength="16384"
            maxBytesPerRead="4096" maxNameTableCharCount="16384" />
          <reliableSession ordered="true" inactivityTimeout="00:10:00"
            enabled="false" />
          <security mode="None">
            <transport clientCredentialType="Windows" proxyCredentialType="None"
              realm="" />
            <message clientCredentialType="Windows" negotiateServiceCredential="true" />
          </security>
        </binding>

        <binding name="XX3" closeTimeout="00:01:00"
          openTimeout="00:01:00" receiveTimeout="00:10:00" sendTimeout="00:01:00"
          bypassProxyOnLocal="false" transactionFlow="false" hostNameComparisonMode="StrongWildcard"
          maxBufferPoolSize="524288" maxReceivedMessageSize="65536" messageEncoding="Text"
          textEncoding="utf-8" useDefaultWebProxy="true" allowCookies="false">
          <readerQuotas maxDepth="32" maxStringContentLength="8192" maxArrayLength="16384"
            maxBytesPerRead="4096" maxNameTableCharCount="16384" />
          <reliableSession ordered="true" inactivityTimeout="00:10:00"
            enabled="false" />
          <security mode="None">
            <transport clientCredentialType="Windows" proxyCredentialType="None"
              realm="" />
            <message clientCredentialType="Windows" negotiateServiceCredential="true" />
          </security>
        </binding>
      </wsHttpBinding>
    </bindings>

    <client>
      <endpoint address="http://YYY/ZZZ/AAA.svc"
        binding="wsHttpBinding" bindingConfiguration="AAA"
        contract="SVC_AAA.IAAA"
        name="AAA" />
      <endpoint address="http://YYY/ZZZ/AAA.svc/secure"
        binding="basicHttpBinding" bindingConfiguration="AAA1"
        contract="SVC_AAA.IAAA"
        name="AAA1" />
      <endpoint address="http://YYY/ZZZ/AAA.svc/wsDual"
        binding="wsDualHttpBinding" bindingConfiguration="FujiFilmBusinessAccess2"
        contract="SVC_AAA.IAAA"
        name="AAA2" />
      <endpoint address="http://YYY/ZZZ/AAA.svc/wsFeder"
        binding="wsHttpBinding" bindingConfiguration="AAA3"
        contract="SVC_AAA.IAAA"
        name="AAA3" />
    </client>
  </system.serviceModel>

Your support/suggestions are highly appreciated and welcome.
Thanks
Prasanta Kumar Pradhan
http://www.acuvate.com
Updated 7-Nov-11 3:15am
Comments
Mehdi Gholam 7-Nov-11 9:16am    
EDIT-> fixed formatting
Mark Salsbery 7-Nov-11 15:26pm    
Can you just include what you need in the client side configuration?
prasanta kumar pradhan 9-Nov-11 1:05am    
Thanks
If a 3rd party wants to go for basicHttpBinding and consume the WCF service, then only the basicHttpBinding <endpoint...> should be available, not the others, like wsHttpBinding/wsDualHttpBinding/Federal.../TCP.

As the service has multiple bindings and endpoints, when a 3rd party consumes the service all endpoints are available in their client config.

To achieve this, what do I need to do?
Thanks
Prasanta Kumar Pradhan
Mark Salsbery 9-Nov-11 11:09am    
All service endpoints on a running service are available no matter what.

On the client end either remove the endpoint configurations you don't want the client to have from the configuration file or handle the connections programmatically instead of through configuration.
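
The programmatic option from the reply above, shown as an added example (not code from the thread): the client builds only the basicHttpBinding channel in code, so no other binding or endpoint appears in its .config. The `IAAA` contract and its `Ping` operation are hypothetical stand-ins for the generated `SVC_AAA.IAAA` proxy, and the address is the question's placeholder; as the reply states, the service's other endpoints remain reachable regardless of what the client is given.

```csharp
using System;
using System.ServiceModel;

// Hypothetical stand-in for the generated proxy contract SVC_AAA.IAAA;
// the real operations are not shown in the thread.
[ServiceContract]
public interface IAAA
{
    [OperationContract]
    string Ping();
}

public static class BasicHttpOnlyClient
{
    public static string Call(string url)
    {
        // Mirrors the XX1 basicHttpBinding settings from the question.
        // Security mode None (as posted) means no transport or message protection.
        var binding = new BasicHttpBinding(BasicHttpSecurityMode.None)
        {
            OpenTimeout = TimeSpan.FromMinutes(1),
            CloseTimeout = TimeSpan.FromMinutes(1),
            SendTimeout = TimeSpan.FromMinutes(1),
            ReceiveTimeout = TimeSpan.FromMinutes(10),
            MaxReceivedMessageSize = 65536
        };

        var factory = new ChannelFactory<IAAA>(binding, new EndpointAddress(url));
        IAAA channel = factory.CreateChannel();
        try
        {
            string result = channel.Ping();
            ((IClientChannel)channel).Close();
            factory.Close();
            return result;
        }
        catch (Exception)
        {
            // A faulted channel cannot be closed gracefully; Abort releases it.
            ((IClientChannel)channel).Abort();
            factory.Abort();
            throw;
        }
    }

    public static void Main()
    {
        // Placeholder address of the question's basicHttpBinding endpoint.
        Console.WriteLine(Call("http://YYY/ZZZ/AAA.svc/secure"));
    }
}
```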

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)


