security - Modifying CheckAccessCore(ctx) to permit WCF Help pages w/o authentication


I need to apply a different set of security policies to the "help" URLs on a WCF service. How can I get the full URL of the WCF service, namely session or session.svc?

http://localhost:62302/session.svc/help
http://localhost:62302/session.svc/help/operations/getsession
http://localhost:62302/session/help
http://localhost:62302/session/help/operations/getsession

Since this is security-related, I need to vet what I come up with against the community. The author here suggests checking if the string ends in "help" and blindly permitting the query (which is incorrect).

code snip

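    using System.ServiceModel;
    using System.ServiceModel.Channels;

    public class ApiKeyAuthorization : ServiceAuthorizationManager
    {
        // IsValidApiKey, GetApiKey and CreateErrorReply are defined in the full source.
        protected override bool CheckAccessCore(OperationContext operationContext)
        {
            // Help pages are let through without an API key; everything else needs a valid key.
            if (this.IsHelpPage(operationContext.RequestContext.RequestMessage) || IsValidApiKey(operationContext))
            {
                return true;
            }
            else
            {
                string key = GetApiKey(operationContext);

                // Send HTML reply
                CreateErrorReply(operationContext, key);
                return false;
            }
        }

        // Treats any request whose path ends in "help" as a help page.
        private bool IsHelpPage(Message requestMessage)
        {
            return requestMessage.Headers.To.AbsolutePath.ToLower().EndsWith("help");
        }
    }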

full source

This may be over-simplifying the original question, but why not put that section in its own unprotected area? You can create a controller whose sole purpose is to serve those pages. You would need to configure web.config to allow users access to that section with no authentication. Again, I may be over-simplifying, but it's worth a shot.
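A stricter form of the help-page test discussed in the question, as an added example that is not part of the original post, the answer, or the linked source: it anchors the comparison to the address of the endpoint that received the call (so it works for both `session` and `session.svc`) instead of matching any path that ends in "help". It assumes the help page is served at `<endpoint address>/help` as in the URLs above and that help is only ever requested with GET; `HelpAwareAuthorization`, `IsHelpRequest` and the abstract `IsValidApiKey` hook are hypothetical names.

```csharp
using System;
using System.ServiceModel;
using System.ServiceModel.Channels;

public abstract class HelpAwareAuthorization : ServiceAuthorizationManager
{
    // Hypothetical hook standing in for the API-key check from the question's class.
    protected abstract bool IsValidApiKey(OperationContext operationContext);

    protected override bool CheckAccessCore(OperationContext operationContext)
    {
        Message request = operationContext.RequestContext.RequestMessage;

        // Address of the endpoint that accepted this request,
        // e.g. http://localhost:62302/session.svc or http://localhost:62302/session
        Uri endpoint = operationContext.EndpointDispatcher.EndpointAddress.Uri;

        // HTTP verb of the incoming request, if the transport is HTTP.
        object prop;
        string method = request.Properties.TryGetValue(HttpRequestMessageProperty.Name, out prop)
            ? ((HttpRequestMessageProperty)prop).Method
            : null;

        return IsHelpRequest(endpoint, request.Headers.To, method)
            || IsValidApiKey(operationContext);
    }

    // Pure function, so it can be unit-tested without a running service host.
    public static bool IsHelpRequest(Uri endpoint, Uri requestUri, string method)
    {
        if (endpoint == null || requestUri == null) return false;

        // Assumption: help pages are read-only, so only GET is exempt from the key check.
        if (!string.Equals(method, "GET", StringComparison.OrdinalIgnoreCase)) return false;

        string helpRoot = endpoint.AbsolutePath.TrimEnd('/') + "/help";
        string path = requestUri.AbsolutePath.TrimEnd('/');

        // Exempt exactly "<endpoint>/help" or a path beneath "<endpoint>/help/".
        return path.Equals(helpRoot, StringComparison.OrdinalIgnoreCase)
            || path.StartsWith(helpRoot + "/", StringComparison.OrdinalIgnoreCase);
    }
}
```

With the endpoint at `http://localhost:62302/session.svc`, a GET for `/session.svc/help/operations/getsession` is exempt, while a constructed path such as `/session.svc/users/help` (which the `EndsWith("help")` test would let through) still requires an API key.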

