Client Validation
Services frequently publish metadata to enable automatic generation and configuration of client proxy types. When the service is not trusted, client applications should validate that the metadata conforms to the client application's policy regarding security, transactions, the type of service contract, and so on. The following sample demonstrates how to write a client endpoint behavior that validates the service endpoint to ensure that the service endpoint is safe to use.
The service exposes four service endpoints. The first endpoint uses the WSDualHttpBinding, the second endpoint uses NTLM authentication, the third endpoint enables transaction flow, and the fourth endpoint uses certificate-based authentication.
The client uses the MetadataResolver class to retrieve the metadata for the service. The client enforces a policy of prohibiting duplex bindings, NTLM authentication, and transaction flow using a validating behavior. For each ServiceEndpoint instance imported from the service's metadata, the client application adds an instance of the InternetClientValidatorBehavior endpoint behavior to the ServiceEndpoint before attempting to use a Windows Communication Foundation (WCF) client to connect to the endpoint. The behavior's Validate method runs before any operations on the service are called and enforces the client's policy by throwing an InvalidOperationException for each violation.
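The following C# code is an added illustration of the behavior described above; it is not the sample's own source. It implements an IEndpointBehavior whose Validate method inspects the endpoint's contract and the binding elements produced by Binding.CreateBindingElements, rejecting duplex bindings, transaction flow, and NTLM authentication. The contract name ICalculator, the metadata address passed to Run, and the exact set of checks are this example's assumptions; the real sample may check the binding differently. The SSPI check goes slightly beyond the page: it also rejects message-level Windows (SSPI-negotiated) credentials, because SPNEGO negotiation can settle on NTLM when Kerberos is unavailable.

```csharp
using System;
using System.Net;
using System.ServiceModel;
using System.ServiceModel.Channels;
using System.ServiceModel.Description;
using System.ServiceModel.Dispatcher;
using System.ServiceModel.Security.Tokens;

// Hypothetical service contract used only for this example.
[ServiceContract]
public interface ICalculator
{
    [OperationContract]
    double Add(double a, double b);
}

// Client endpoint behavior that enforces the client's policy on each imported endpoint.
// Class name matches the page; the checks are this example's own.
public class InternetClientValidatorBehavior : IEndpointBehavior
{
    public void Validate(ServiceEndpoint endpoint)
    {
        string uri = endpoint.Address.Uri.ToString();
        BindingElementCollection elements = endpoint.Binding.CreateBindingElements();

        // A callback contract or a composite-duplex element means a duplex channel
        // (WSDualHttpBinding is built on CompositeDuplexBindingElement).
        if (endpoint.Contract.CallbackContractType != null
            || endpoint.Binding is WSDualHttpBinding
            || elements.Find<CompositeDuplexBindingElement>() != null)
            throw new InvalidOperationException("Policy violation: duplex endpoint " + uri);

        // The standard bindings only emit TransactionFlowBindingElement when flow is enabled.
        if (elements.Find<TransactionFlowBindingElement>() != null)
            throw new InvalidOperationException("Policy violation: transaction flow on " + uri);

        // NTLM configured directly on the HTTP transport.
        HttpTransportBindingElement http = elements.Find<HttpTransportBindingElement>();
        if (http != null && http.AuthenticationScheme == AuthenticationSchemes.Ntlm)
            throw new InvalidOperationException("Policy violation: NTLM transport auth on " + uri);

        // Stricter than the page: message-level Windows credentials negotiate via SSPI,
        // which may fall back to NTLM, so this example's policy rejects them too.
        if (UsesSspiNegotiation(elements.Find<SecurityBindingElement>()))
            throw new InvalidOperationException("Policy violation: SSPI-negotiated credentials on " + uri);
    }

    // Walks symmetric security elements, including the secure-conversation bootstrap,
    // looking for SspiSecurityTokenParameters.
    static bool UsesSspiNegotiation(SecurityBindingElement security)
    {
        SymmetricSecurityBindingElement symmetric = security as SymmetricSecurityBindingElement;
        if (symmetric == null) return false;
        SecurityTokenParameters protection = symmetric.ProtectionTokenParameters;
        if (protection is SspiSecurityTokenParameters) return true;
        SecureConversationSecurityTokenParameters sc = protection as SecureConversationSecurityTokenParameters;
        return sc != null && UsesSspiNegotiation(sc.BootstrapSecurityBindingElement);
    }

    // The remaining IEndpointBehavior members are not needed for validation.
    public void AddBindingParameters(ServiceEndpoint endpoint, BindingParameterCollection parameters) { }
    public void ApplyClientBehavior(ServiceEndpoint endpoint, ClientRuntime clientRuntime) { }
    public void ApplyDispatchBehavior(ServiceEndpoint endpoint, EndpointDispatcher dispatcher) { }
}

public static class ValidatingClient
{
    // mexAddress is assumed, e.g. "http://localhost:8000/servicemodelsamples/service/mex".
    public static void Run(string mexAddress)
    {
        ServiceEndpointCollection endpoints =
            MetadataResolver.Resolve(typeof(ICalculator), new EndpointAddress(mexAddress));

        foreach (ServiceEndpoint endpoint in endpoints)
        {
            endpoint.Behaviors.Add(new InternetClientValidatorBehavior());
            ChannelFactory<ICalculator> factory = new ChannelFactory<ICalculator>(endpoint);
            try
            {
                factory.Open(); // Validate runs here, before any operation is invoked.
                ICalculator proxy = factory.CreateChannel();
                Console.WriteLine("{0}: 1 + 2 = {1}", endpoint.Address.Uri, proxy.Add(1, 2));
                ((IClientChannel)proxy).Close();
                factory.Close();
            }
            catch (InvalidOperationException ex)
            {
                // Policy violations surface here; the endpoint is never used.
                Console.WriteLine("Rejected {0}: {1}", endpoint.Address.Uri, ex.Message);
                factory.Abort();
            }
        }
    }
}
```

Opening the ChannelFactory (or calling CreateChannel, which opens it implicitly) is what triggers Validate, so a rejected endpoint never carries a request. Endpoints that pass the policy are used normally.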
To build the sample
- To build the solution, follow the instructions in Building the Windows Communication Foundation Samples.
To run the sample on the same machine
1. Run Setup.bat from the sample install folder. This installs all the certificates required for running the sample.
2. Run the service application from \service\bin\Debug.
3. Run the client application from \client\bin\Debug. Client activity is displayed on the client console application.
4. If the client and service are not able to communicate, see Troubleshooting Tips.
5. Remove the certificates by running Cleanup.bat when you have finished with the sample. Other security samples use the same certificates.
To run the sample across machines
1. On the server, type setup.bat service. Running setup.bat
2. On the server, edit App.config to reflect the new certificate name. That is, change the findValue attribute in the <serviceCertificate> element of <serviceCredentials> to the fully-qualified domain name of the machine.
3. Copy the Service.cer file from the service directory to the client directory on the client machine.
4. On the client, type setup.bat client. Running setup.bat
5. In the client.cs file, change the address value of the MEX endpoint and the findValue for setting the default server certificate to match the new address of your service. You do this by replacing localhost with the fully-qualified domain name of the server. Rebuild.
6. Copy the Client.cer file from the client directory to the service directory on the server.
7. On the client, run ImportServiceCert.bat. This imports the service certificate from the Service.cer file into the CurrentUser - TrustedPeople store.
8. On the server, run ImportClientCert.bat. This imports the client certificate from the Client.cer file into the LocalMachine - TrustedPeople store.
9. On the service machine, build the service project in Visual Studio and run service.exe.
10. On the client machine, run client.exe.
- If the client and service are not able to communicate, see Troubleshooting Tips.
To clean up after the sample
Run Cleanup.bat in the samples folder once you have finished running the sample.
Note: This script does not remove service certificates on a client when running this sample across machines. If you have run WCF samples that use certificates across machines, be sure to clear the service certificates that have been installed in the CurrentUser - TrustedPeople store. To do this, use the following command: certmgr -del -r CurrentUser -s TrustedPeople -c -n <Fully Qualified Server Machine Name>. For example: certmgr -del -r CurrentUser -s TrustedPeople -c -n server1.contoso.com.
© Microsoft Corporation. All rights reserved.