
.NET Forum / ASP.NET / Web Services / November 2004


WS Addressing

Teun - 02 Nov 2004 09:40 GMT
Hello,

I have a question about WSE 2.0.
I have a Web Service client.

In this client I set the replyTo and the faultTo:
Proxy.Service1 ws = new Proxy.Service1();
ws.RequestSoapContext.Addressing.FaultTo = new Uri(uri);
ws.RequestSoapContext.Addressing.ReplyTo = new Uri(uri);

My webservice is enabled for WSE 2.0. I set this with the WSE 2.0 tool.

When I call the webservice, the FaultTo and ReplyTo-tags are in the Soap
message.

The problem is: the webservice sends the response not to the Reply/FaultTo
Uri but sends it to the webserviceclient.

Could you tell me what the problem is?

Thank you in advance,

Teun
Derek Harmon - 05 Nov 2004 06:43 GMT
> When I call the webservice, the FaultTo and ReplyTo-tags are in the Soap
> message.
>
> The problem is: the webservice sends the response not to the Reply/FaultTo
> Uri but sends it to the webserviceclient.

Check the configuration file on the server for this web service (assuming this
is a WSE web service), and ensure it contains:

 <microsoft.web.services2>
   <messaging>
     <allowRedirectedResponses enabled="true" />
   </messaging>
 </microsoft.web.services2>

The web service is not obligated to honor the replyTo and faultTo from the
SOAP request; it can choose to respond to your client directly. What you
describe sounds like allowRedirectedResponses is disabled (this is the
default setting, btw).

When you think about why this is, what if a number of requests to this
web service all pointed to some innocent web site?  It could be bombarded
by responses it never asked for.  The web service will have been lured into
launching a denial of service attack on the poor site identified by the replyTo
and faultTo URIs.

That's why replyTo and faultTo are disabled by default.  They should only
be enabled if the client digitally signs these headers to prevent tampering,
the server can ensure they're legitimate (perhaps by consulting a white list),
and only when the server trusts its clients (heh, heh, that'll be the day. ;-)  )

Derek Harmon
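
The white-list check mentioned in the reply above could look like the following. This is an added example, not part of the original thread and not WSE 2.0 code; the class, method and host names are hypothetical, and it assumes the ReplyTo/FaultTo headers have already been verified as signed by a trusted client.

```csharp
using System;
using System.Collections.Generic;

// Added example. RedirectTargetPolicy, IsAllowed and the hosts are hypothetical;
// nothing here is a WSE 2.0 API. Assumes the ReplyTo/FaultTo headers were
// already verified as signed by a trusted client before this check runs.
public static class RedirectTargetPolicy
{
    // Constructed allow-list: exact "host:port" pairs responses may be sent to.
    private static readonly HashSet<string> Allowed =
        new HashSet<string>(StringComparer.OrdinalIgnoreCase)
        {
            "callbacks.partner.example:443",
            "replies.internal.example:8443"
        };

    public static bool IsAllowed(string candidate)
    {
        Uri uri;
        if (!Uri.TryCreate(candidate, UriKind.Absolute, out uri))
            return false;   // malformed or relative address
        if (uri.Scheme != Uri.UriSchemeHttps)
            return false;   // responses only go to TLS endpoints
        if (uri.UserInfo.Length != 0)
            return false;   // no "allowed-host@other-host" look-alikes
        // Compare the parsed host and port exactly. Substring or suffix
        // matching on the raw string would accept look-alike host names.
        return Allowed.Contains(uri.Host + ":" + uri.Port);
    }

    public static void Main()
    {
        // Constructed sample addresses.
        string[] samples =
        {
            "https://callbacks.partner.example/replies",
            "https://replies.internal.example:8443/faults",
            "http://callbacks.partner.example/replies",
            "https://callbacks.partner.example.other.example/replies",
            "https://callbacks.partner.example@other.example/replies",
            "https://unlisted.example/replies"
        };
        foreach (string s in samples)
            Console.WriteLine("{0} -> {1}", s, IsAllowed(s) ? "allow" : "reject");
    }
}
```

A service that enables allowRedirectedResponses would run a check of this kind on both the ReplyTo and the FaultTo address and fall back to answering the caller directly when either is rejected.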
