Defining the configuration properties of a custom endpoint behavior for WCF

Question

I have created a custom endpoint behavior for the WCF webhttp adapter. I have found how to make a field of the behavior GUI required, give it a default value, ... But I don't find how to make a sensitive field masked. Is there to-the-point documentation available what options are available and how to implement them?

---

Lieven De Moor BizTalk Integration Specialist

Answer 1

Hi,

Some alternative I can think of, for this scenario.

1) Do not to use Configuration Property for the sensitive data. Keep outside like SSO or any other place where you find its secure, access in behavior at runtime.

2) Use Encryption / Decryption algorithm or mechanism to secure the sensitive data, access sensitive data only in run time.

Out of the box, there is no feature. 

WCF Security Best Practices

https://www.owasp.org/index.php/WCF_Security_Best_Practices

Thanks, SMSVikasK

Answer 2

Thank for your answer!

Integration with ENTSSO was what I already implemented as alternative. Still, I wanted to provide this option for testing on local DEV machines without ENTSSO configured, and so it would have been handy to have masked fields. But as this option will only be used on a local DEV environment, masking the field is not a must.

---

Lieven De Moor BizTalk Integration Specialist

Answer 3

Hello,

you can set default values when over IEndpointBehavior method. or override default constructor with default values 

public void ApplyClientBehavior(ServiceEndpoint endpoint, System.ServiceModel.Dispatcher.ClientRuntime clientRuntime)
        {
            clientRuntime.MessageInspectors.Add(new yourClientMessageInspector(
                new yourCredentialMethod
                {
                    Id =  Default Value,
                    username= 'Default Value',     Pwd = 'Pwd'
                }));
        }

hope this helps.

https://adventuresinsidethemessagebox.wordpress.com/2015/07/01/sharing-context-between-biztalk-and-wcf-behavior-extensions/

---

Ram

Answer 4

Hi Lieven,

I think SSO is the best out of the box option given by Biztalk to achieve this..

Regards,

---

Mandar Dharmadhikari

Answer 5

Hi Lieven,

ENTSSO for PROD and no masking for DEV is what makes more sense here.

---

My Technet Articles

If you like this or another reply, vote it up!
If you think this or another reply answers the original question, mark it or propose it as an answer.

---

Mauricio Feijo
www.mauriciofeijo.com

Answer 6

Hi Lieven,

You can do the masking in the wcf behavior also . We did in one of project where we created one wcf behavior and we need to mask the user credential field . For that we have used [PasswordPropertyText(true)] attribute on the top of field in the wcf behavior which we wanted to mask. for more information about this property can be found :

https://msdn.microsoft.com/en-us/library/system.componentmodel.passwordpropertytextattribute(v=vs.110).aspx

Let me know if you face any problem while implementing this.

---

Manish

Answer 7

Hi Manish,

Thanks for sharing with us.

Have just verified, it's working.

@Lieven, Just make use of this.

        /// <summary>
        /// Gets or sets the password.
        /// </summary>
        /// <value>The password.</value>
        [Category("Security")]
        [System.ComponentModel.PasswordPropertyText(true)]
        [ConfigurationProperty("Password", DefaultValue = "", IsRequired = true)]
        public string Password
        {
            get { return (string)base["Password"]; }
            set { base["Password"] = value; }
        }

Behaviour View In Send port.

Thanks, SMSVikasK