Guys / Gals we are having terrible performance with our website that uses WCF as the application later. We are using message level security and certificates (mutual authentication). We are caching the channel factory in the application object:
Sub Application_Start(ByVal sender As Object, ByVal e As EventArgs)
Dim loChannelFactor As New ChannelFactory(Of OurReference.IWCFChannel)("ClientEndpoint")
loChannelFactor.Open()
Application.Add("ChannelFactory", loChannelFactor)
End Sub
In every page that we need data we do the following:
Dim Proxy = DirectCast(voWebApp("ChannelFactory"), ChannelFactory(Of OurInfoReference.IOurInfoChannel)).CreateChannel
Proxy.DataCall()
If roWCFService IsNot Nothing Then
CType(roWCFService, ICommunicationObject).Close()
roWCFService = Nothing
End If
Also i have set establishsecuritycontext = true.
We are not wanting to cache the proxy because of having to mess with a faulted proxy state. As far as i know caching the channel stack should be enough anyways. When i turn on tracking i'm seeing a bunch of SCT commands instead of just for the first call like i would expect. Does anyone know whats going on. Are we caching the channel factory incorrectly?
thanks,
Ncage
Looks like you could solve it using a certificate from a ceritificate authority:
"MakeCert is a tool provided by Microsoft to create test certificates that can be used during the development of a product (For developing and testing purposes only). These certificates have also performance problems, certain cryptographic operations may perform slowly when they are used. Certificates issued from a true Certificate Authority do not have this problem, and it is a know issue."
http://weblogs.asp.net/cibrax/archive/2006/08/08/Creating-X509-Certificates-for-WSE-or-WCF.aspx
Edit: May be the extra activity is due to initial handshake when creating of a session. WCF default is per call, that is a new session is created for each call. You could try marking your contract with:
[ServiceContract(Session = true)]
That may maintain the session and avoid the initial handshake.
I remember a similar issue however it was a good 18 months ago. I found this whilst having a quick look for how i resolved the issue. It may help, I will edit my response when I find what I was looking for!
The additional SCT/RST calls are establishing the security context. If you recreate the proxy on each call, a security context is unneccesary overhead. Turn it off.
The way you use the factory is fine. However, your error handling and closing of the proxy is not. Make sure that you close or abort the proxy in any case. Check msdn for the recommended pattern.
Also can you provide some figures about how bad performance is?
Related
ClientSide Sending Key Example: tabc-xkaf-gaga-gtax to the Server
Server Checks if Key Exists in Database if YES then return TRUE as Response
ClientSide IF RESPONSE = TRUE THEN
OPEN FORM1
But thats not a Secure way to do it cause they can change the Response of the ServerSide check and then get the Product for free cause it will open Form1 anyone has a better way to do it?
Signed server side response and verify server response at client side to check whether response was altered or not.
Refer this article for how to digitally signed and verify
Moreover this will be a typical solution and suit for very complex security .
For simple solution, You can send hash of response along with server response and convert response to hash at client side. compare both hash , if they match it means response was not changed.
As you indicated, professional attackers can see and decode VB.Net applications, and hence, as an initial conclusion, you cannot reliably protect your code. In the first step, you must encrypt your code by using several encryption techniques such as the one mentioned by #Always_a_learner. However, this will not 100% protect your code from reverse-engineering (A good discussion could be found here).
A good trick in such cases is to make some intentional dependencies. For example, some core calculations should be done by the server (if possible) and only the result should be returned to the client. More explanation, for core calculations, the client should send a request to the server, and the server first verifies the requester (the sender) validity state, and if she is a valid user, then runs calculations and returns results to the user.
This solution is fine only if you can trade-off between speed and security.
My client will access my company's site to retrieve data information, using a sub I am working on. This has to be done using a secured proxy, since his company blocks access to some sites. I can't test my sub on his computer and obviously he cannot send the proxy information (ie.:Username, passoword, ip, port...)
Sub login_sub()
url = "http://localhost/php004/loginExcelAddin.php?username=" + username + "&password=" + password
Dim httpObject As Object
Dim response As String
Set httpObject = CreateObject("WinHttp.WinHttpRequest.5.1")
httpObject.Open "GET", url, False
httpObject.SetProxy HTTPREQUEST_PROXYSETTING_PROXY, proxyIP + ":" + proxyPortNumber
httpObject.send
response = httpObject.responseText
On Error GoTo errorHandler
If response = True Then
loggedIn = True
MsgBox "You are logged in"
End If
Application.Calculate
Exit Sub
errorHandler:
MsgBox "Login has failed"
End Sub
(Username, password, proxyPortNumber, proxyIP are public variables filled in a form)
I am struggled with this issue for a while. Anyone could tell me if I am going to the right direction, can I send this code for the client?
Thanks
Ah, I've been through this before many times in my career. From a test strategy perspective (rather than a review of your code above), there are several possible combinations of ways to test all this out:
The client's IT department should be able to provide you with specifications on how their proxy expects client identification information to be included in the outbound request. Some proxies may use alternative authentication information data in the request headers; you need to know exactly how the client's proxy requires the authentication data to be passed (this can get troublesome on Enterprise proxies that may use Active Directory/LDAP as intermediaries).
The ideal first stage of testing is to setup inside your own company a test authenticating proxy in as close as possible the same make, version, and configuration as the client's. Put your Excel code onto a laptop, and connect the laptop to the "outside" of this test proxy. This will allow you to test the code to work out bugs with accessing a similar proxy under your control.
Of course, its quite possible that the client's proxy may not behave quite like your test proxy, so even after doing step 2, there may still be problems once you give it to the client. If the client is allowed to use window sharing services like WebEx, you could then set up a WebEx session with the client, and have them share their screen with you while they are using your code for the first time. If it fails, you can talk them though a debugging session with Excel's debugger while you are watching the debugging results.
3a. If the client's IT Dept will allow a more comprehensive sharing tool that allows YOU to remotely control the client's desktop (while they are watching) that would even be more ideal. But if the client's IT Dept is already doing outbound proxying, they are likely too paranoid to allow this.
If a WebEx-like session is not allowed, then you could add diagnostic outputs into a log file which they could then send you, or verbally tell you in a telecon. This is not an optimal way to accomplish the debugging.
4a. Again if WebEx-like method is not allowed, but if the client has an Excel expert and an IT expert, you can get them to do the testing with you on a telecon. Again not optimal but is better than 3 because you are not talking with a clueless client.
Finally and worst-case, you may have to travel to the client's site to do final testing on their own computers (under of course the supervision of the client).
I am looking for the best way to setup communication between user who uses my application and my own server.
The thing is that I am creating application with licensing and I have to receive information by third-User when he connected and IP addresses he connected from.
But, I don't know should I use one more connection string and send those information to my MS SQL Server I have in my company from his workplace or I should upload .txt files on my web server? What is the best way to make this communication possible?
While the requirements are a bit vague, based on what seem to need I would approach this with a web service. This WS would provide the means to communicate with your SQL server without exposing SQL itself to the internet.
Your web service could, for example, have a call which accepts the following information:
Product being requested
Information needed from the local client (machine name, etc.)
Existing authentication ticket previously issued (if required)
Your method could then take this information, process it in SQL, and then return whether or not a license is available along with an authentication ticket (if needed).
On the client side, if your application only needs to hit this service once then you can just call it on connection/load. Otherwise if you need to periodically hit the licensing WS you could use a Timer.
Dim licenseCheck As New Timer
licenseCheck.Interval = 60000 ' Check every minute.
AddHandler licenseCheck.Tick AddressOf CheckLicense
Private Sub CheckLicense(sender As Object, e As EventArgs)
' Call license web service and act accordingly.
End Sub
I am using this plugin to help my web-app communicate with Atlassian JIRA.
So my question -> Is there a proper way to close net.rcarz.jiraclient.JiraClient instance when I'm done with it?
I'm guessing leaving it be and creating a client = new JiraClient(uri,creds) when next user logs in is not a good idea...
JiraClient doesn't keeps a connection open, it just uses the supplied credentials for each request. You don't have to close it. As far as I can tell, you a free to use multiple JiraClient concurrently.
I have created a small web service method using an asmx file. Here'a simplified version of it.
<WebMethod()> _
Public function DeleteFile(Byval fileID As String) as boolean
DeleteFileByID(fileID)
return true
End Sub
It's working very well but I would like to make sure the data sent back to the client doesn't get lost in the process.
I know this could be done by setting a second web service method that would be call by the client to confirm he received some data. However, I would like to know if this could be done in a single web service method.
Here's an example of what I might be looking for:
<WebMethod()> _
Public function DeleteFile(Byval fileID As String) as boolean
return true
clientAcknowledgement = 'This is what I'm loking for... How to make sure the client received the confiormation before deleting the file
if clientAcknowledgement then
DeleteFileByID(fileID)
end if
End Sub
I would solve this by adding a parameter to the web method call that the caller can set.
<WebMethod()> _
Public Function DeleteFile(ByVal fileID As String, clientAcknowledgement As Boolean) As Boolean
If clientAcknowledgement Then
DeleteFileByID(fileID)
End If
End Function
If the developer that calls this method is lazy and just sets it to true all of the time without prompting the end user, then it is their responsibility to answer to their users.
You could get pretty complex with scenarios to call one method then another, but at the end of the day, the developer consuming the web services can circumvent just about anything you put into place and you have no real guarantee that the end user has been asked unless you implement the code yourself.
UPDATE
After clarification that the desire is to know that the caller received the response prior to actually deleting the file, I have some additional ideas.
There is no easy way that I am aware of to ensure the web services response has been successfully delivered to the client before performing the actual deletion.
However, there are a couple of alternatives:
Option A: Add a DeleteRequested method that sends a token to the caller that they then have to return to the DeleteFile method. You would only perform the deletion if the token is valid. There are still timing issues here, but it is slightly better than the current implementation.
Option B: Implement an IHttpHandler that is exposed through an ASHX page. Because you are responsible for sending the response in this scenario, you will know if it completed transferring successfully or not (i.e. the client disconnected), so you could wait to perform your delete until the response completes. This does change how the client calls and responds to your service, but does give you the validation you are after.
Trying to read between the lines a little, it occurs to me that the poster's problem may really be that if something goes wrong in between any of a series of actions (invoked using web service calls), the database or a set of files (or both) might be left in an inconsistent state.
In which case, I would suggest the use of a transaction.
A good starting point on transactions is the MSDN article Distributed Transactions in Visual Basic .NET.
All sorts of things could go wrong with - to use the poster's example - deleting a file, not just the lack of a SOAP confirmation. The idea of a transaction is that if anything goes wrong, all changes made within the transaction are reversed. HTH