How to capture message security exceptions in a WCF service

  • Question

  • Hi There, 

    I have a WCF service which is used by a third-party consumer. They are signing the request messages with some private key. In the dev environment everything worked fine. But when we moved to a higher environment, the service consumer started to sign (by mistake) with an invalid certificate/key and started getting message security exceptions, but as their requests were not hitting my actual service code (failing at the message security validation level), I was not able to see anything in my logs.

    Then, I added a global.asax to my service to capture the actual error logs at my end, but it's not firing the Application_Error event at all.

    Can anyone help me in logging such errors at global level in a WCF service?

    Thursday, April 3, 2014 7:54 PM

Answers

  • Security logging is configurable. Try this:

    <behaviors>
      <serviceBehaviors>
        <behavior name="yourAuditBehavior">
          <!-- Writes message-level authentication successes and failures
               to the Windows Application event log -->
          <serviceSecurityAudit auditLogLocation="Application"
                                suppressAuditFailure="false"
                                serviceAuthorizationAuditLevel="None"
                                messageAuthenticationAuditLevel="SuccessOrFailure" />
        </behavior>
      </serviceBehaviors>
    </behaviors>

    "yourAuditBehavior" needs to be defined for the service, so you would do something like this:

    <services>
      <!-- name = the service implementation type (placeholder here);
           behaviorConfiguration must match the behavior name exactly -->
      <service name="Name.Space.Your.Service.YourName"
               behaviorConfiguration="yourAuditBehavior">
        <endpoint address=""
                  binding="wsHttpBinding"
                  bindingConfiguration="CertificateDefault"
                  contract="Name.Space.Your.Service.IYourName" />
      </service>
    </services>

    This Microsoft reference will detail what you'll need to do: Auditing Security Events for WCF

    Thursday, April 3, 2014 11:16 PM
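    As an added example (not code from the thread), here is the same audit configuration applied in code on a self-hosted service, together with an EventLog watcher that copies the resulting WCF audit entries into a plain log file, which is the "log file or so" asked about in the follow-up. IYourService/YourService, the log file path and the certificate-secured wsHttpBinding are placeholders standing in for the poster's setup; the audit event source name "ServiceModel Audit 3.0.0.0" is assumed to be the one WCF writes its audit entries under.

```csharp
using System;
using System.Diagnostics;
using System.IO;
using System.ServiceModel;
using System.ServiceModel.Description;

// Placeholder contract/implementation standing in for the poster's service.
[ServiceContract] public interface IYourService { [OperationContract] string Ping(); }
public class YourService : IYourService { public string Ping() { return "pong"; } }

public static class AuditedHost
{
    // Event source WCF uses for its security audit entries (assumed constant).
    const string AuditSource = "ServiceModel Audit 3.0.0.0";
    const string LogFile = @"C:\logs\wcf-security-audit.log"; // placeholder path

    public static ServiceHost Open(Uri baseAddress)
    {
        var host = new ServiceHost(typeof(YourService), baseAddress);
        // wsHttpBinding with message security and certificate client credentials,
        // i.e. what the "CertificateDefault" binding configuration stands for.
        var binding = new WSHttpBinding(SecurityMode.Message);
        binding.Security.Message.ClientCredentialType = MessageCredentialType.Certificate;
        host.AddServiceEndpoint(typeof(IYourService), binding, "");

        // Programmatic equivalent of the <serviceSecurityAudit> behavior above.
        host.Description.Behaviors.Remove<ServiceSecurityAuditBehavior>();
        host.Description.Behaviors.Add(new ServiceSecurityAuditBehavior
        {
            AuditLogLocation = AuditLogLocation.Application,
            SuppressAuditFailure = false,     // a failure to audit fails the request
            ServiceAuthorizationAuditLevel = AuditLevel.None,
            MessageAuthenticationAuditLevel = AuditLevel.SuccessOrFailure
        });

        // Audit entries land in the Windows Application log; copy the ones from
        // the WCF audit source to a plain log file as they are written.
        var appLog = new EventLog("Application");
        appLog.EntryWritten += (sender, e) =>
        {
            if (e.Entry.Source != AuditSource) return;
            File.AppendAllText(LogFile, string.Format("{0:o} {1} {2}{3}",
                e.Entry.TimeGenerated, e.Entry.EntryType, e.Entry.Message, Environment.NewLine));
        };
        appLog.EnableRaisingEvents = true;
        host.Closed += (sender, e) => appLog.Dispose();

        host.Open();
        return host;
    }
}
```

    EntryWritten is only raised for the local machine's log and Windows delivers the notification with a short delay, so failed signature checks show up in the file a few seconds after the rejected request.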
  • If you are sending some kind of a custom object back to the client side, then put a public List<string> Errors {get; set;} in the object and populate the object's Errors property.

    Then you check customobject.Errors > 0 on the client side and, if > 0, send the Errors to something like Log4net that is implemented on the client side.

    Of course, you would need a try/catch to catch the error, populate the object with the error and send the object from the service back to the client.

    Friday, April 4, 2014 3:55 AM

All replies

  • Thanks for the reply, Paditallo!

    I hope these logs will be written to the Windows event logs. I am looking for a solution where I can write these exceptions to a log file or so.

    Is that possible using code, e.g. in global.asax etc.?

    Friday, April 4, 2014 12:49 AM
  • Here are a few more references with log file examples/event logging examples:

    http://msdn.microsoft.com/en-us/library/ff647243.aspx

    http://msdn.microsoft.com/en-us/library/ff650832.aspx

    Friday, April 4, 2014 1:20 AM