Recently, I was working on a project that used WCF for distributed development and involved message routers. Fortunately, WCF provides powerful basic support, and of course I also made a lot of extensions. What I am most concerned about is the security of WCF. Many friends on the Internet have written about the poor security of WCF, and the WCF Security Guide published by Microsoft seems to be an entry-level tutorial that is still a long way from real project use, which gave me the idea of sharing. Let me stake out a place first today. If you disagree, please go easy on me. I can tell you that there are a lot of secrets in the security of WCF. Of course, I still want to tell you about them, though I learned these secrets only by experiencing them myself. In terms of blog layout, Li Huijun (Jun Ge) is the most comfortable to read, and his explanations are known for their conciseness. I want to learn from that here and keep things concise too. I hope that in future WCF security discussions I cover only one small topic at a time.
Overview
Windows Communication Foundation (WCF) is a unified programming model provided by Microsoft for building service-oriented applications (from MSDN). Security issues are particularly important in distributed environments. If you think the default security measures of WCF will leave you carefree, you can pack up and go home tomorrow. Of course, the defaults are enough for learning, but we are talking about real project applications. The security that WCF provides and guarantees differs from protocol to protocol.
Background
One day, manager Lao Chen said to programmer Xiao Li: "Xiao Li, our company has an outsourced project, and the customer requested distributed deployment. Now the project is coming to an end. Because we use WCF, there was a problem during deployment: it seems that everyone can access our services. Why?"
Problem presentation
The first thing Xiao Li did was check the service configuration file. He had no idea until he looked, and he was shocked at first glance: the default configuration from WCF development was still in use, all of it automatically generated and without any changes. Xiao Li broke into a sweat at the thought that the project would be delivered this way.
Code
<services>
  <service name="WcfServiceLibrary2.Service1" behaviorConfiguration="WcfServiceLibrary2.Service1Behavior">
    <host>
      <baseAddresses>
        <add baseAddress="http://localhost:8731/Design_Time_Addresses/WcfServiceLibrary2/Service1/"/>
      </baseAddresses>
    </host>
    <endpoint address="" binding="wsHttpBinding" contract="WcfServiceLibrary2.IService1">
      <identity>
        <dns value="localhost"/>
      </identity>
    </endpoint>
    <!-- Metadata exchange endpoint: lets any caller retrieve the service description -->
    <endpoint address="mex" binding="mexHttpBinding" contract="IMetadataExchange"/>
  </service>
</services>
<behaviors>
  <serviceBehaviors>
    <behavior name="WcfServiceLibrary2.Service1Behavior">
      <!-- Metadata is also published over plain HTTP GET -->
      <serviceMetadata httpGetEnabled="true"/>
      <serviceDebug includeExceptionDetailInFaults="false"/>
    </behavior>
  </serviceBehaviors>
</behaviors>
Solution
The first thing Xiao Li did was modify the configuration file, which solved the problem that had plagued Lao Chen for so long.
1. Delete the metadata exchange endpoint:
<endpoint address="mex" binding="mexHttpBinding" contract="IMetadataExchange"/>
2. Set metadata retrieval over HTTP GET to false:
<serviceMetadata httpGetEnabled="false"/>
3. Metadata is usually enabled during development so that clients can discover the service, but remember to remove it before releasing your service. With these changes, the service is protected to a certain extent.
4. The final configuration is as follows:
<services>
  <service name="WcfServiceLibrary2.Service1" behaviorConfiguration="WcfServiceLibrary2.Service1Behavior">
    <host>
      <baseAddresses>
        <add baseAddress="http://localhost:8731/Design_Time_Addresses/WcfServiceLibrary2/Service1/"/>
      </baseAddresses>
    </host>
    <endpoint address="" binding="wsHttpBinding" contract="WcfServiceLibrary2.IService1">
      <identity>
        <dns value="localhost"/>
      </identity>
    </endpoint>
  </service>
</services>
<behaviors>
  <serviceBehaviors>
    <behavior name="WcfServiceLibrary2.Service1Behavior">
      <serviceMetadata httpGetEnabled="false"/>
      <serviceDebug includeExceptionDetailInFaults="false"/>
    </behavior>
  </serviceBehaviors>
</behaviors>
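The pre-release check from the steps above can be automated. The Python script below is an added example, not code from the original post: it reports, per service, any metadata exchange endpoint and any enabled metadata or exception-detail setting in the referenced behavior. The function name audit_wcf_config and the embedded sample are constructed for illustration, and the script also checks httpsGetEnabled, the HTTPS counterpart of httpGetEnabled, which the post does not cover.

```python
import xml.etree.ElementTree as ET

# Constructed sample: a trimmed copy of the default configuration shown above.
SAMPLE_DEFAULT = """<configuration><system.serviceModel>
  <services>
    <service name="WcfServiceLibrary2.Service1"
             behaviorConfiguration="WcfServiceLibrary2.Service1Behavior">
      <endpoint address="" binding="wsHttpBinding" contract="WcfServiceLibrary2.IService1"/>
      <endpoint address="mex" binding="mexHttpBinding" contract="IMetadataExchange"/>
    </service>
  </services>
  <behaviors><serviceBehaviors>
    <behavior name="WcfServiceLibrary2.Service1Behavior">
      <serviceMetadata httpGetEnabled="true"/>
      <serviceDebug includeExceptionDetailInFaults="false"/>
    </behavior>
  </serviceBehaviors></behaviors>
</system.serviceModel></configuration>"""

def _is_true(value):
    return (value or "").strip().lower() == "true"

def audit_wcf_config(xml_text):
    """Return (service name, finding) pairs for metadata and debug exposure."""
    root = ET.fromstring(xml_text)
    model = next(root.iter("system.serviceModel"), None)
    if model is None:
        return []
    # Index service behaviors by name; a behavior without a name is keyed as "".
    behaviors = {b.get("name", ""): b
                 for b in model.findall("behaviors/serviceBehaviors/behavior")}
    findings = []
    for svc in model.findall("services/service"):
        name = svc.get("name", "")
        for ep in svc.findall("endpoint"):
            if ep.get("contract") == "IMetadataExchange":
                findings.append((name, "metadata exchange endpoint at address %r"
                                 % ep.get("address", "")))
        # Only the behavior this service actually references is inspected.
        behavior = behaviors.get(svc.get("behaviorConfiguration", ""), ET.Element("behavior"))
        for meta in behavior.findall("serviceMetadata"):
            for attr in ("httpGetEnabled", "httpsGetEnabled"):
                if _is_true(meta.get(attr)):
                    findings.append((name, "serviceMetadata %s=true" % attr))
        for dbg in behavior.findall("serviceDebug"):
            if _is_true(dbg.get("includeExceptionDetailInFaults")):
                findings.append((name, "serviceDebug includeExceptionDetailInFaults=true"))
    return findings

if __name__ == "__main__":
    for service, finding in audit_wcf_config(SAMPLE_DEFAULT):
        print(service, "->", finding)
```

An empty result for a release configuration means none of the settings removed in steps 1 and 2 are present.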
Remarks
1. Careless programmers are not welcome.
2. The next article is more exciting. You are welcome to reprint this one, but please indicate the source: lsotcode blog (http://www.cnblogs.com/viter)!
Criticism is welcome!