How to disallow WCF metadata / wsdl - wcf

Is there a way to block the WSDL information on a WCF service. Looking for ways to improve security, blocking access to the WSDL seems like a great way to start.
Any other recommendations also welcome :)

You can use this Configuration to disable WCF metadata:
<serviceBehaviors>
<behavior name="Service1Behavior">
<serviceMetadata httpGetEnabled="false"/>
</behavior>
</serviceBehaviors>

Related

Metadata exposed but WSDL not found

I am having trouble with my WCF service which somehow fails to expose/publish a WSDL definition. I have already gone through the MSDN tutorial on exporting Metadata. Also have I searched at least for some hours but the majority of people have different/simpler problems than me.
I am pretty sure my config file is correct so I would be thankful for anybody who could suggest other places I can look for?
My service is generally running and I can access it on localhost, where I get the standard page for the WCF services (message displaying "To test this service, you will need to create a client and use it to call the service. You can do this using the svcutil.exe tool from the command line with the following syntax:" etc.).
When I try to access the *?wsdl extension my browser tells me that the page couldn't be found.
When I try to test the service in soapUI it tells me that there is something wrong with the WSDL.
So, I hope this gives anybody an idea of what my problem is and I would be really thankful for any help.
Cheers
Have you specified httpGetEnabled in your serviceBehavior?
<behaviors>
<serviceBehaviors>
<behavior name="SubscriberOperationsBehavior">
<serviceMetadata httpGetEnabled="true"
httpsGetEnabled="false" />
<serviceDebug includeExceptionDetailInFaults="true" />
</behavior>
</serviceBehaviors>
</behaviors>
You can also create a mex endpoint.
Add the following endpoint to your service configuration:
<endpoint contract="IMetadataExchange" binding="mexHttpBinding" address="mex" />

WCF Replace "Metadata publishing for this service is currently disabled." page with a custom one

I am writing a system where we do not want to expose the metadata on a WCF service. When setting up the service we get our clients to browse the .svc files in order to determine if they have hosted the service correctly.
Where does his page come from, is it an IIS contsruct? Is it generated by WCF?
Is it possible to replace the html page that comes up with our own custom html page?
httpHelpPageUrl lets you move the default WCF help page to another location from serviceDebug element. Make sure you turn off httpGetEnabled.
<behaviors>
<serviceBehaviors>
<behavior>
<serviceMetadata httpGetEnabled="false"/>
<serviceDebug includeExceptionDetailInFaults="false"
httpsHelpPageEnabled="true"
httpHelpPageEnabled="true"
httpHelpPageUrl="myhelpPage.html"
httpsHelpPageUrl="myhelpPage.html"/>
</behavior>
</serviceBehaviors>
</behaviors>
More information SO How can I change an html output of wcf service with my own content?

WCF - How to attach serviceBehaviors to WCF endpoint (no <service> tag)

I am consuming a third party WCF service and its config is below (a portion of it). I wanted to assign serviceBehaviors to endpoint, but there is no <service> tag here. In this case, how do you assign 'serviceBehaviors'?
<client>
<endpoint address="https://something/someservice.asmx" binding="customBinding" bindingConfiguration="ABCBinding" contract="Democlient.Soap" name="Soap" behaviorConfiguration="SoapEndpointB" />
</client>
<behaviors>
<endpointBehaviors>
<behavior name="SoapEndpointB">
<dataContractSerializer maxItemsInObjectGraph="2147483647"/>
</behavior>
</endpointBehaviors>
<serviceBehaviors>
<behavior name="SoapServiceB">
<dataContractSerializer maxItemsInObjectGraph="2147483647" />
<serviceMetadata httpsGetEnabled="true" />
<serviceDebug includeExceptionDetailInFaults="true" />
</behavior>
</serviceBehaviors>
</behaviors>
You assign serviceBehaviors to WCF server endpoints, not to client endpoints. You would have to request the 3rd party WCF service host add the service behaviors you seek if you need them changed.
It looks like the configuration you're showing is your client side configuration. That just indicates how you're going to be communicating with the service. It doesn't tell the service anything about your client.
Remember that the service has no knowledge of the client, and the only knowledge that the client has of the service is via metadata exchange.
Unless the service offers some method for doing so (not via any .Net or WCF mechanism), your client can not specify how the service should behave, nor should it. A given service may be handling requests from many different clients, each with their own desires. There's just no good way to handle that kind of situation.

Is it bad to have 'You have created a service' page for published wcf service on the internet?

I have created wcf service and planning to make it accessible from the internet. The page 'You have created a service' seems to be some stub which should be replaced before putting service on production. Is it a bad practice to have this welcome page on production? What do you do with that welcome page when you publish wcf services on the internet?
Thanks
On production you can turn off this page by adding:
<behaviors>
<serviceBehaviors>
<behavior name="ProductionService">
<serviceDebug includeExceptionsInDetail="false" httpHelpPageEnabled="false" />
</behavior>
<serviceBehaviors>
</behavirs>
Also think about publishing WSDL / Metadata. If you don't want to publish WSDL but you want to use mex endpoint use following configuration:
<behaviors>
<serviceBehaviors>
<behavior name="ProductionService">
<serviceMetadata httpGetEnabled="false" />
<serviceDebug includeExceptionsInDetail="false" httpHelpPageEnabled="false" />
</behavior>
<serviceBehaviors>
</behavirs>
Your services must use those behavior in their behaviorConfiguration attribute.
Yes, it's bad. It says potential attackers that the system is non-configured completely, so they would try to attack it. Also, it's not very professional.
Well, print something useful there or hide it:-)

Can I setup an IP filter for a WCF Service?

I'm modifying my WCF API to include a new service that should be exposed to internal IP addresses only. All of the services in my API are available in SOAP, POX and JSON. What I'm looking for is a behavior or something that allows me to implement a simple IP address filter, to process requests from internal IP's and deny everything else. I'd like it to work in configuration, because all the other services in the API should remain available to the Internet. I did some googling but can't find anything like this built into WCF. Am I missing something?
Ok, I figured it out, and its kind of slick, in my opinion.
I implemented an IP Filter system as a service behavior, then added it to my service in the web.config. Here's my new web config behaviors section:
<serviceBehaviors>
<behavior name="ServiceBehaviour">
<serviceMetadata httpGetEnabled="true" />
<serviceDebug includeExceptionDetailInFaults="true" />
</behavior>
<behavior name="RestrictedServiceBehaviour">
<serviceMetadata httpGetEnabled="true" />
<serviceDebug includeExceptionDetailInFaults="true" />
<IPFilter filter="172.*.*.* 127.0.0.1" />
</behavior>
</serviceBehaviors>
The IPFilter class implements IDispatchMessageInspector to catch the request as soon as possible, inspect the client IP and throw an exception if it doesn't match the filter. If anyone's interested I can post my code.
If your service is hosted in IIS, then you can do this with IIS, on a per-website basis (maybe per-application, but I don't know).