How do I figure out during dispatch whether a request is destined to be a metadata request or a normal application request?
You might care whether a request in flight is for metadata because of security policy. You might want to permit lots of people to access your metadata but be very strict about who can call application methods. If you’re a security routine that intercepts all sorts of different calls, then you need to know what type of call is currently happening to make the right decision. Otherwise, you don’t know whom to scrutinize and whom to just let in.
In the context of the operation currently in flight, there are three pieces of data that will help you figure this out. If you see all three signs, then you know that the request is for metadata retrieval.
- Check the contract name of the endpoint that the current operation is being dispatched to. It should be IMetadataExchange.
- Just in case someone defines a different contract with the same name, also check the contract namespace. It should be http://schemas.microsoft.com/2006/04/mex.
- Finally, check the action of the operation. If it’s an operation that does metadata transfer, then the action should be http://schemas.xmlsoap.org/ws/2004/09/transfer/Get/.
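One way to apply the three checks inside a security routine, as an added example rather than code from the original post: a ServiceAuthorizationManager that lets metadata requests through and holds application calls to a stricter rule. The class name and the "authenticated caller" rule are assumptions made for illustration, and the action is compared with any trailing slash removed.

```csharp
using System;
using System.ServiceModel;
using System.ServiceModel.Dispatcher;

// Added example: lenient policy for metadata, strict policy for application calls.
public class MetadataAwareAuthorizationManager : ServiceAuthorizationManager
{
    // The three values from the checks listed above.
    const string MexContractName = "IMetadataExchange";
    const string MexContractNamespace = "http://schemas.microsoft.com/2006/04/mex";
    const string TransferGetAction = "http://schemas.xmlsoap.org/ws/2004/09/transfer/Get";

    // True only when all three signs are present; anything missing means "not metadata",
    // so a partial match falls through to the strict branch rather than the open one.
    static bool IsMetadataRequest(OperationContext context)
    {
        EndpointDispatcher endpoint = context.EndpointDispatcher;
        string action = context.IncomingMessageHeaders.Action;
        if (endpoint == null || action == null)
            return false;

        // Ordinal comparison: contract names and URIs must match exactly.
        return string.Equals(endpoint.ContractName, MexContractName, StringComparison.Ordinal)
            && string.Equals(endpoint.ContractNamespace, MexContractNamespace, StringComparison.Ordinal)
            // Assumption: ignore a trailing slash on the action URI.
            && string.Equals(action.TrimEnd('/'), TransferGetAction, StringComparison.Ordinal);
    }

    protected override bool CheckAccessCore(OperationContext operationContext)
    {
        if (IsMetadataRequest(operationContext))
            return true; // metadata retrieval is open to everyone

        // Hypothetical application policy: the caller must be authenticated.
        ServiceSecurityContext security = operationContext.ServiceSecurityContext;
        return security != null
            && !security.IsAnonymous
            && base.CheckAccessCore(operationContext);
    }
}
```

To put it in the dispatch path, assign an instance to `ServiceHost.Authorization.ServiceAuthorizationManager` before opening the host.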
Next time: Silent Security Failures