I have a WCF .svc service installed on IIS on a Windows 2003 server, and clients in ASP.NET apps installed on different Windows 2003 servers in the same domain. AFAIK only HTTP transport can be used on an IIS host.

I need to specify configuration settings, that

  1. maximize performance and

  2. only my clients (located on my domain) should be allowed to use my service. The service shouldn't be discoverable and shouldn't be usable from unauthorized clients.

UPDATE: I've considered message certificate encryption to satisfy the 2nd requirement, but it is not good from a performance point of view.

The service consists of a number of operations with string or List of strings parameters:

```csharp
[OperationContract]
List<string> TranslateList(List<string> textList);
```

Strings are short and number in the list is usually small as well. Clients are calling the service synchronously and expect to receive response quickly.

Please suggest which configuration settings to use?

Would the settings be changed for other configurations like:

Configuration B: clients and service are located on the same Windows 2003 server

Configuration C: clients and service are located on the same Windows 2008 server (I expect I could use Named Pipe Transport)

Configuration D: clients and service are located on different Windows 2008 servers (I expect I could use TCP transport)

Michael Freidgeim
  • _"AFAIK only http transport can be used on IIS host"_ - not quite. If you install _Windows Server AppFabric_ then your IIS-hosted WCF service can expose **TCP, MSMQ** and **named pipe** protocols, however the latter is localhost only. [AppFabric - Features and Capabilities](http://msdn.microsoft.com/en-us/library/ee677368.aspx) –  Aug 08 '14 at 13:38

1 Answer

  1. Performance: You can compress your request and response. You can achieve this by using gzip.
  2. My Clients Only
    • Remove the mex binding from your web.config and secondly set httpGetEnabled to false. This way no one can create a proxy of your service.
    • You can use HTTP headers to check if the request is coming from your client only. Read more about this here.

For choosing the bindings, here is a good article.

Configuration B: WSHttpBinding
Configuration C: NetNamedPipeBinding
Configuration D: NetTcpBinding

You can also check performance of NetTcpBinding here

Hope this helps you.

Amar Palsapure
  • By removing mex and disabling httpGetEnabled, have you meant that no one can AUTOMATICALLY GENERATE a proxy of the service? – Michael Freidgeim Feb 02 '12 at 19:46
  • Adding HTTP headers will not work. A hacker can add the same headers too. – Michael Freidgeim Feb 02 '12 at 19:57
  • Yes. No one can create a proxy of your class. And you can put dynamic headers like session id. You can put a restriction on calls per min, so that no one can play with the service. And as your service client is ASP.Net, the endpoint of the service will not be visible to the end user (assuming all AJAX calls are going through ASP.Net). – Amar Palsapure Feb 03 '12 at 04:18
  • @MichaelFreidgeim I don't think it's the end of the world if you expose a WSDL. There's no guarantee that an infinite number of monkeys could not recreate the WSDL anyway. It's better to focus on placing as much security on the wire to the service (in this case you should be using SSL if you don't want to use host authentication via certs) and performing authorisation via custom service behaviours or extensions. Don't do it in the method. [Lowy, Programming WCF Services: Mastering WCF and the Azure AppFabric Service Bus](http://tinyurl.com/m98xnsg) –  Aug 08 '14 at 13:52
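
An added example (not code from the question, the answer or the comments): a `web.config` fragment for the IIS-hosted service that turns off metadata publishing as the answer describes and, following the last comment, authenticates callers on the transport over SSL instead of trusting request headers. The choice of `basicHttpBinding` with Windows credentials, and the names `Example.TranslationService`, `Example.ITranslationService`, `secureHttp` and `noMetadata`, are assumptions.

```xml
<system.serviceModel>
  <bindings>
    <basicHttpBinding>
      <!-- HTTPS carries confidentiality; the caller's domain account is
           authenticated by IIS (Integrated Windows authentication must be
           enabled and anonymous access disabled on the virtual directory). -->
      <binding name="secureHttp">
        <security mode="Transport">
          <transport clientCredentialType="Windows" />
        </security>
      </binding>
    </basicHttpBinding>
  </bindings>

  <behaviors>
    <serviceBehaviors>
      <behavior name="noMetadata">
        <!-- Weak setting this replaces: httpGetEnabled="true", which serves
             the WSDL at ?wsdl to anyone who can reach the URL. -->
        <serviceMetadata httpGetEnabled="false" httpsGetEnabled="false" />
        <!-- Do not leak stack traces to callers in SOAP faults. -->
        <serviceDebug includeExceptionDetailInFaults="false" />
        <!-- Map the authenticated Windows identity to its groups so that
             authorization can be enforced outside the operation body. -->
        <serviceAuthorization principalPermissionMode="UseWindowsGroups" />
      </behavior>
    </serviceBehaviors>
  </behaviors>

  <services>
    <!-- Hypothetical service and contract names. -->
    <service name="Example.TranslationService"
             behaviorConfiguration="noMetadata">
      <endpoint address=""
                binding="basicHttpBinding"
                bindingConfiguration="secureHttp"
                contract="Example.ITranslationService" />
      <!-- Removed: <endpoint address="mex" binding="mexHttpBinding"
                              contract="IMetadataExchange" /> -->
    </service>
  </services>
</system.serviceModel>
```

Hiding the metadata only stops automatic proxy generation; the transport-level Windows authentication is what rejects callers that are not domain accounts.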