Hiding my WCF service?_问答_开发者_运维开发者技术经验分享

开发者 https://www.devze.com 2023-01-28 06:28 出处：网络

I have a WCF service hosted on IIS6 and I am using .net framework 3.5. The site I have is on public domain I mean anybody can access from anywhere.

My question is, is开发者_JS百科 there a way to hide my WCF service? I can easily view source my page or know exactly the the path of my service behind the page...

http://hostname.MyServiceName.svc?wsdl, how can I hide it?

Agreeing with David that just "obscuring" your service is less than half the solution, you can of course turn off

service metadata
http availability of your WSDL file

Do to do, make sure your <service> tag isn't referencing a <serviceBehavior> that includes the <serviceMetadata> tag.

So this will expose service metadata (including WSDL over HTTP):

<behaviors>
   <serviceBehaviors>
      <behavior name="default">
         <serviceMetadata httpGetEnabled="True" />
         <serviceDebug includeExceptionDetailInFaults="True" />
      </behavior>
</serviceBehaviors>
<behaviors>
<services>
   <service name="IYourService" behaviorConfiguration="default">
      ...
   </service>
</services>

while this will not expose any service metadata (observe the removal of the <serviceMetadata> tag):

<behaviors>
   <serviceBehaviors>
      <behavior name="nometadata">
         <serviceDebug includeExceptionDetailInFaults="True" />
      </behavior>
</serviceBehaviors>
<behaviors>
<services>
   <service name="IYourService" behaviorConfiguration="nometadata">
      ...
   </service>
</services>

When removing any service metadata, you won't be able to do Add Service Reference from within Visual Studio (or the equivalent thereof for any of the other development systems) anymore - the service just won't tell you what is available - you have to know some other way.

This goes back to the old "security through obscurity" debate. Hiding your service isn't a good or effective way to secure it. Look into using SSL and a real authentication method rather than just attempting to "hide" it.

Also, to answer your question more directly: if the browser knows your service address (and it must in order for your pages to call it via JavaScript or what have you), it's an easy task for anyone to find it. No matter how much you try to hide the URL in your page source, it's a simple matter of monitoring the HTTP transactions in Fiddler or Firebug to see both the service address and the format/contents of the request.

Why do you want to hide your service? is someone finding it a real problem, or are you just trying to protect yourself?

There are lots of strategies for protecting yourself... but if it's just a casual 'don't want people to use my service' then just change the API every now and then. Nothing says 'stop it' like a randomly changing API.