HighTechTalks DotNet Forums  

Problem with webHttpBinding - it completely bypasses the ASP.NET authentication mechanism!

Dotnet Security microsoft.public.dotnet.security


#1 Terraslate - 07-20-2007, 11:23 AM

I host a service called MyService.svc in a private subfolder of my
web application, like so:

/
/private
/private/myservice.svc
/private/privatepage.aspx

I use a location tag to secure the private folder to deny anonymous users.
I test this successfully by using Internet Explorer to go to
/private/privatepage.aspx and noting that I get the redirection back to my
loginpage.aspx with the return URL of /private/privatepage.aspx duly noted
on the querystring.

However - as you can guess by the post title - anyone is free to call my
"private" myservice.svc despite not being logged in.

The service is not protected.

What gives?

Cheers




#2 Dominick Baier - 07-20-2007, 11:43 AM

By default - WCF completely bypasses the ASP.NET security pipeline.

You can change this by going into ASP.NET compatibility mode.

Have a look here:
http://www.leastprivilege.com/Hostin...ivalGuide.aspx

-----
Dominick Baier (http://www.leastprivilege.com)

Developing More Secure Microsoft ASP.NET 2.0 Applications (http://www.microsoft.com/mspress/books/9989.asp)

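The opt-in Dominick describes, written out as an added example (not code from the thread or from his blog post): a web.config fragment that keeps the poster's /private lock-down and turns on ASP.NET compatibility mode, plus the matching attribute on the service class. Forms authentication, the namespace, the contract and the operation are assumptions; only the paths and the .svc name come from the thread.

```csharp
/*  web.config (fragment) -- the poster's <location> rule plus the opt-in that
    routes .svc requests through the full ASP.NET pipeline.

<configuration>
  <system.web>
    <!-- Assumed: the thread mentions a redirect to loginpage.aspx. -->
    <authentication mode="Forms">
      <forms loginUrl="loginpage.aspx" />
    </authentication>
  </system.web>

  <!-- URL authorization for /private: anonymous users are denied. Without
       compat mode this rule protects privatepage.aspx but NOT myservice.svc:
       UrlAuthorizationModule runs on AuthorizeRequest, and the WCF module
       has already left the pipeline at PostAuthenticateRequest. -->
  <location path="private">
    <system.web>
      <authorization>
        <deny users="?" />
      </authorization>
    </system.web>
  </location>

  <system.serviceModel>
    <!-- The opt-in: WCF requests now stay in the ASP.NET pipeline. -->
    <serviceHostingEnvironment aspNetCompatibilityEnabled="true" />
  </system.serviceModel>
</configuration>
*/

using System.Net;
using System.ServiceModel;
using System.ServiceModel.Activation;
using System.ServiceModel.Web;
using System.Web;

namespace MyWebApp   // namespace and contract are assumed
{
    [ServiceContract]
    public interface IMyService
    {
        [OperationContract]
        [WebGet(UriTemplate = "/whoami")]
        string WhoAmI();
    }

    // Required (not Allowed): activation fails loudly if the site is deployed
    // without aspNetCompatibilityEnabled="true", instead of quietly serving
    // unauthenticated callers the way the poster observed.
    [AspNetCompatibilityRequirements(
        RequirementsMode = AspNetCompatibilityRequirementsMode.Required)]
    public class MyService : IMyService
    {
        public string WhoAmI()
        {
            // In compat mode HttpContext.Current is populated and the forms
            // identity has already been established, so URL authorization
            // has rejected anonymous callers before this runs. The check is
            // defence in depth in case the <location> rule is ever loosened.
            var user = HttpContext.Current.User;
            if (user == null || !user.Identity.IsAuthenticated)
            {
                WebOperationContext.Current.OutgoingResponse.StatusCode =
                    HttpStatusCode.Unauthorized;
                return string.Empty;
            }
            return user.Identity.Name;
        }
    }
}
```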
#4 Terraslate - 07-20-2007, 01:52 PM

Hi Dominick

Thanks for the info. Out of interest, how do you know this? Where did you
read this up? There is scant information on any of this which I can find.
In general, security for requests is hooked up by modules. Modules handle
pipeline events regardless of the handler. When it is the handler's turn to
execute it will, and then subsequent pipeline events will be handled by the
modules. The fact that .svc has a
System.ServiceModel.Activation.HttpHandler shouldn't affect the handling of
the pipeline events by HttpModules, which would take place regardless.

The only way to do that is to unhook the other modules - and given these are
copied and hooked up each time a new pipeline thread is created, that would be
folly.

Please explain more.

Cheers






#6 Dominick Baier - 07-20-2007, 02:08 PM

If compat mode is not enabled - the WCF HttpModule will take the request
off the pipeline in PostAuthenticateRequest and will directly jump to EndRequest.
Like I wrote in my blog post.

How can you verify that? Use Reflector to look at System.ServiceModel.Activation.HttpModule.

You can find other bits and pieces of information on the internet, of course.


-----
Dominick Baier (http://www.leastprivilege.com)

Developing More Secure Microsoft ASP.NET 2.0 Applications (http://www.microsoft.com/mspress/books/9989.asp)

#8 Terraslate - 07-20-2007, 03:15 PM

Thanks - you are one step behind me / or in front - depending on your angle.
Lutz Roeder is my best friend (though he doesn't know it ;-)

I was firing it up as your post came in.

It's a bit of a tricky read from a cursory glance, but it certainly does
respond to the compat attribute. If my 5 minute perusal is correct I think
it is processing the request on a different thread and therefore there is no
context or pipeline? That could well be wrong... but that's how it looks on
first glance.

Incidentally - found a note here -
http://msdn2.microsoft.com/en-us/lib...34(VS.90).aspx

Cheers



#10 Dominick Baier - 07-20-2007, 03:39 PM

It is by design. WCF is host agnostic - and using features like ASP.NET URL
authorization ties you to a specific hosting environment. That's why you have
to specifically opt in to compat mode.

Regardless of whether the module or the handler processes the WCF request - it
is always asynchronous.


-----
Dominick Baier (http://www.leastprivilege.com)

Developing More Secure Microsoft ASP.NET 2.0 Applications (http://www.microsoft.com/mspress/books/9989.asp)

Powered by vBulletin Version 3.5.4
Copyright ©2000 - 2008, Jelsoft Enterprises Ltd.