Welcome to MSDN Blogs Sign in | Join | Help

Securing Custom Headers, Version 2

Last time we were looking at the problem of securing a dynamically generated message header. We saw one solution to that problem, which was to add a behavior that updated the protection level for the desired message part. That solution is quite simple but it isn't perfect. The execution of this behavior comes rather late. Anyone that inspects the service description in the meantime, such as for metadata generation, won't see the protection level that we want to use.

How early can we make the update to the security settings? Well, potentially very early. We could subclass ServiceHost and override ApplyConfiguration to make the changes during creation of the host. That may even be too early as it prevents us from working with anything that is added to the service description through code rather than configuration. However, we could similarly make the changes some time after we get the service host object back but before it was opened. This would let us plug in before any behaviors started execution. The choice is yours.

The downside of this method is that it is a more treacherous route to get to the message header. Starting from the service host we need to get the endpoint that we're going to modify (usually by contract or address). From the endpoint we can get the operation by action name. From the operation we can get the right message by name. The default names are canonically derived from the operation action and direction. Unlike before, separating incoming and outgoing messages here is a lot murkier. From the message though, we can refer to the message header in the same way and set its protection level. Here's all of that in code using some example values. 

ServiceEndpoint endpoint = host.Description.Endpoints.Find(typeof(IService));
OperationDescription operation = endpoint.Contract.Operations.Find("Action");
MessageDescription message = operation.Messages.Find("http://tempuri.org/IService/ActionResponse");
MessageHeaderDescription header = message.Headers[new XmlQualifiedName("aheader", "http://tempuri.org/")];
header.ProtectionLevel = ProtectionLevel.Sign;

Next time: Keeping Traces Up to Date

Published Friday, January 19, 2007 5:00 AM by Nicholas Allen

Comments

Friday, January 19, 2007 11:06 AM by Nicholas Allen's Indigo Blog : Securing Custom Headers, Version 1

# Nicholas Allen's Indigo Blog : Securing Custom Headers, Version 1

PingBack from http://blogs.msdn.com/drnick/archive/2007/01/18/securing-custom-headers-version-1.aspx

Monday, January 22, 2007 10:28 PM by Nicholas Allen's Indigo Blog

# Are Your Message Headers Still Unsecure?

Due to some server problems, the MSDN RSS and Atom feeds weren't getting updated Thursday or Friday.

Monday, February 19, 2007 1:46 PM by Nicholas Allen's Indigo Blog

# Table of Contents Scratch Work

I haven't forgotten about the goal to put together a table of contents for all of these articles. The

Monday, July 30, 2007 11:50 AM by James Zhou

# WCF security 学习指南

Brent Sheets 整理了一系列关于 WCF security的资源并做了分类

New Comments to this post are disabled
 
Page view tracker