0

I am developing a single-tenant web application that will be deployed in client data centers and for security reasons we would like to disable the metadata exchange on the applications WCF services. Is it possible to do this this programatically within our service application or another mechanism besides the web.config? We want to prevent more technically minded clients from going to the web.config and turning metadata exchange back on.

elliot-j
  • 10,709
  • 3
  • 19
  • 18

2 Answers2

1

You can disable the metadata exchange programmatically by setting the HttpGetEnabled/HttpsGetEnabled to false.

First, Create a derive host from ServiceHost.

 public class DerivedHost : ServiceHost
 {
    public DerivedHost( Type t, params Uri baseAddresses ) :
    base( t, baseAddresses ) 
    {
        DisableMetadataExchange();
    }

    private void DisableMetadataExchange()
    {
        var metadata = Description.Behaviors.Find<ServiceMetadataBehavior>();

        if metadata != null)
        {
            // This code will disable metadata exchange
            metadata .HttpGetEnabled = false; 
            metadata .HttpsGetEnabled = false; 
         }
    }
 }

Second, Create a derived factory from ServiceHostFactory.

public class DerivedFactory : ServiceHostFactory
{
   public override ServiceHost CreateServiceHost( Type t, Uri[] baseAddresses )
   {
      return new DerivedHost( t, baseAddresses );
   }
}

Third, Create or Edit your your svc file Markup and apply your derived factory.

<% @ServiceHost Factory=”DerivedFactory” Service=”MyService” %>

Fourth, Test your service in the browser and you should see a message contain "Metadata publishing for this service is currently disabled".

If want more details about this implementation kindly visit this link.

jtabuloc
  • 2,479
  • 2
  • 17
  • 33
  • The code sample is definitely useful, though I'm a little confused on how to accomplish this when the service is managed through IIS. The MSDN example has them creating there the service connection manually, which is not what we want. – elliot-j Jul 21 '15 at 18:53
  • @sparticus_37, I update my answer to make it work in IIS. – jtabuloc Jul 23 '15 at 09:03
0

Yes. If you code your WCF service as "self describing", which basically means using a WCF intercept layer to handle all the incoming requests to an endpoint, you can just return null from the MEX request.

To make this work is a bit tricky but in my experience leads to a much cleaner implementation than all those voluminous web.config entries. This is described here WCF Configuration without a config file.

Community
  • 1
  • 1
PhillipH
  • 6,182
  • 1
  • 15
  • 25