
If non-repudiation is important, consider setting SuppressAuditFailure property to false

J.D. Meier, Jason Taylor, Prashant Bansode, Carlos Farre, Madhu Sundararajan, Steve Gregersen.

If non-repudiation is important, consider setting the SuppressAuditFailure property to false. This setting causes an exception to be thrown when there is any audit failure. By default, WCF ignores audit failures and allows the service to continue running.

With SuppressAuditFailure set to false, an exception can be thrown and handled by your WCF service. If you choose to interrupt service in response to the audit failure exception, you may open your service to a denial of service attack. Use this option cautiously, and only where the business risk is overwhelming and auditing is a must, so that users won't be able to deny wrongdoing.
<!-- configuration snippet -->
<configuration>
  <system.serviceModel>
    <behaviors>
      <serviceBehaviors>
        <behavior>
          <!-- suppressAuditFailure="false": an audit failure raises an exception instead of being ignored -->
          <serviceSecurityAudit
              auditLogLocation="Application"
              suppressAuditFailure="false"
              serviceAuthorizationAuditLevel="Failure"
              messageAuthenticationAuditLevel="SuccessOrFailure" />
        </behavior>
      </serviceBehaviors>
    </behaviors>
  </system.serviceModel>
</configuration>
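
As an added example (not part of the original guidance), the following Python check parses a WCF configuration file and reports service behaviors that would still ignore audit failures. The sample configuration, the behavior names and the function name audit_findings are constructed for illustration; the check goes slightly beyond the page by also flagging audit levels left at None.

```python
import xml.etree.ElementTree as ET

# Constructed sample: one behavior follows the guidance, two rely on defaults.
SAMPLE_CONFIG = """
<configuration>
  <system.serviceModel>
    <behaviors>
      <serviceBehaviors>
        <behavior name="Audited">
          <serviceSecurityAudit auditLogLocation="Application"
              suppressAuditFailure="false"
              serviceAuthorizationAuditLevel="Failure"
              messageAuthenticationAuditLevel="SuccessOrFailure" />
        </behavior>
        <behavior name="Defaulted">
          <serviceSecurityAudit auditLogLocation="Application" />
        </behavior>
        <behavior name="NoAudit" />
      </serviceBehaviors>
    </behaviors>
  </system.serviceModel>
</configuration>
"""

def audit_findings(config_xml):
    """Return {behavior name: [problems]} for behaviors that do not fail on audit errors."""
    findings = {}
    root = ET.fromstring(config_xml)
    for group in root.iter("serviceBehaviors"):
        for behavior in group.findall("behavior"):
            name = behavior.get("name", "(unnamed)")
            audit = behavior.find("serviceSecurityAudit")
            problems = []
            if audit is None:
                problems.append("no serviceSecurityAudit element")
            else:
                # A missing attribute means the default applies: audit failures are ignored.
                if audit.get("suppressAuditFailure", "true").strip().lower() != "false":
                    problems.append("suppressAuditFailure is not false")
                for attr in ("serviceAuthorizationAuditLevel", "messageAuthenticationAuditLevel"):
                    if audit.get(attr, "None") == "None":
                        problems.append(attr + " is None or unset")
            if problems:
                findings[name] = problems
    return findings

if __name__ == "__main__":
    for name, problems in audit_findings(SAMPLE_CONFIG).items():
        print(name, "->", "; ".join(problems))
```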

Last edited Apr 24, 2008 at 12:10 AM by prashantbansode, version 2
