Validate service responses on the client

J.D. Meier, Jason Taylor, Prashant Bansode, Carlos Farre, Madhu Sundararajan, Steve Gregersen.

When making calls from your client, validate the service’s responses for malicious or malformed data. If you are using basicHttpBinding, or have turned off message and transport security in any other binding, your service responses can be spoofed or modified on the wire. Validate the responses to provide a line of defense for your clients.

The steps to validate on the client are the same as validating on the server, except that the code resides in the client application:
  • To perform input validation on operations that accept message or data contracts, use a message inspector to validate the operation.
  • To perform input validation on other parameter types, use a custom parameter inspector in order to validate parameters on operations in your service.

The following code snippet shows how to validate the input on both the server and on the client by creating a custom parameter inspector:
  1. Create a new class, derived from IParameterInspector, to implement the validation logic.
  2. Use BeforeCall() to validate your input parameters and AfterCall() to validate your output parameters.
  3. Use AfterCall() to validate the response from the service, and BeforeCall() to validate the return from the service.
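
    using System.ServiceModel.Dispatcher;

    public class Validation
    {
        public class ValidationParameterInspector : IParameterInspector
        {
            // Validate outputs and returnValue here.
            public void AfterCall(string operationName, object[] outputs, object returnValue, object correlationState)
            { /* … */ }

            // Validate inputs here; the object returned is handed to AfterCall as correlationState.
            public object BeforeCall(string operationName, object[] inputs)
            { /* … */ return null; }
        }
    }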
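
The following is an added example, not code from the original page: a client-side parameter inspector that rejects an unexpected return value in AfterCall(), and an endpoint behavior that attaches it to the client runtime. The operation name GetCustomerName, the class names, and the name-format rule are assumptions made for illustration.

```csharp
using System.IO;
using System.ServiceModel.Channels;
using System.ServiceModel.Description;
using System.ServiceModel.Dispatcher;
using System.Text.RegularExpressions;

// Client-side inspector: AfterCall runs once the reply has been deserialized,
// before the value is handed back to the calling code.
public class ResponseValidationInspector : IParameterInspector
{
    // Assumed rule for this example: 1-64 chars of letters, space, ' and -.
    // \z (not $) so a trailing newline cannot slip past the check.
    private static readonly Regex NamePattern =
        new Regex(@"^[A-Za-z][A-Za-z '\-]{0,63}\z", RegexOptions.CultureInvariant);

    public object BeforeCall(string operationName, object[] inputs)
    {
        return null; // no correlation state needed
    }

    public void AfterCall(string operationName, object[] outputs,
                          object returnValue, object correlationState)
    {
        // GetCustomerName is a hypothetical operation that returns a string.
        if (operationName != "GetCustomerName") return;

        string name = returnValue as string;
        if (name == null || !NamePattern.IsMatch(name))
            throw new InvalidDataException(
                "Rejected response from " + operationName + ": unexpected format.");
    }
}

// Endpoint behavior that attaches the inspector to every client operation.
public class ResponseValidationBehavior : IEndpointBehavior
{
    public void ApplyClientBehavior(ServiceEndpoint endpoint, ClientRuntime clientRuntime)
    {
        foreach (ClientOperation operation in clientRuntime.Operations)
            operation.ParameterInspectors.Add(new ResponseValidationInspector());
    }

    public void AddBindingParameters(ServiceEndpoint endpoint, BindingParameterCollection bindingParameters) { }
    public void ApplyDispatchBehavior(ServiceEndpoint endpoint, EndpointDispatcher endpointDispatcher) { }
    public void Validate(ServiceEndpoint endpoint) { }
}
```

Register the behavior on the generated proxy before the first call, for example `proxy.Endpoint.Behaviors.Add(new ResponseValidationBehavior());`, so a failed check surfaces to the caller as an exception instead of untrusted data.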

Last edited Apr 17, 2008 at 12:49 AM by prashantbansode, version 1

