This project is read-only.

Validate parameter input on the server

J.D. Meier, Jason Taylor, Prashant Bansode, Carlos Farre, Madhu Sundararajan, Steve Gregersen.

Input and data validation represent one line of defense in the protection of your WCF application. Validate all parameters exposed in WCF service operations to protect the service from attack by a malicious client. Conversely, you should also validate all return values received by the client to protect the client from attack by a malicious service.
  • To perform input validation on operations that accept message or data contracts, use a message inspector to validate the operation.
  • To perform input validation on other parameter types, use a custom parameter inspector in order to validate parameters on operations in your service.

The following code snippet shows how to validate the input on both the server and on the client by creating a custom parameter inspector:
  1. Create a new class, derived from IParameterInspector, to implement the validation logic.
  2. Use BeforeCall() to validate your input parameters and AfterCall() to validate your output parameters.
  3. Use AfterCall() to validate the response from the service, and BeforeCall() to validate the return from the service.
Example
public class Validation
{
      public class ValidationParameterInspector : IParameterInspector
      {
            public void AfterCall(string operationName, object[] outputs, object returnValue, object correlationState)
            { … 	}


public object BeforeCall(string operationName, object[] inputs)
{ …    }
}
}

Additional Resources

  • How To – Perform Input Validation in WCF

Last edited Apr 17, 2008 at 12:48 AM by prashantbansode, version 1

Comments

No comments yet.