Suggested Videos
Part 11 - Difference between datacontract and messagecontract in wcf
Part 12 - Backward compatible WCF contract changes
Part 13 - ExtensionDataObject in WCF
In Part 13, we discussed how to implement IExtensibleDataObject to preserve unknown elements during serialization and deserialization of DataContracts. Please watch Part 13 before proceeding.
The downside of implementing the IExtensibleDataObject interface is the risk of a Denial of Service attack. Since the extension data is stored in memory, an attacker may flood the server with requests containing a large number of unknown elements, which can exhaust the server's memory and cause a DoS.
How to turn off IExtensibleDataObject feature?
One way is to remove the IExtensibleDataObject implementation from all the DataContracts. This works fine as long as only a few data contracts implement the interface. The downside of changing the application code is that we have to rebuild and redeploy the services to the production server.
What if a large number of DataContracts implement the IExtensibleDataObject interface?
IExtensibleDataObject support can be enabled or disabled using the service behavior configuration shown below. With this option, if we later want to re-enable support, all we need to do is set ignoreExtensionDataObject to false.
<behaviors>
  <serviceBehaviors>
    <behavior name="ignoreExtensionData">
      <dataContractSerializer ignoreExtensionDataObject="true"/>
    </behavior>
  </serviceBehaviors>
</behaviors>
This can also be done programmatically using ServiceBehaviorAttribute: set the IgnoreExtensionDataObject property to true.
[ServiceBehavior(IgnoreExtensionDataObject = true)]
public class EmployeeService : IEmployeeService
{
    // service operations unchanged
}
When the IExtensibleDataObject feature is turned off, the deserializer does not populate the ExtensionData property, so unknown elements are not retained in memory.
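To see the effect of the switch in isolation, here is an added example (not from the original video or its sample code) that deserializes a constructed message containing an unknown element with DataContractSerializer directly, once with IgnoreExtensionDataObject off and once with it on. The Employee contract, its namespace and the XML payload are assumptions made for the demonstration.

```csharp
using System;
using System.IO;
using System.Runtime.Serialization;
using System.Xml;

// Hypothetical data contract that opts in to extension data (assumed for this example).
[DataContract(Namespace = "http://example.com/employees")]
public class Employee : IExtensibleDataObject
{
    [DataMember] public int Id { get; set; }
    [DataMember] public string Name { get; set; }

    // Unknown elements are stored here unless IgnoreExtensionDataObject is set.
    public ExtensionDataObject ExtensionData { get; set; }
}

public static class IgnoreExtensionDataDemo
{
    // Constructed message carrying an element the contract does not declare.
    const string Xml =
        "<Employee xmlns=\"http://example.com/employees\">" +
        "<Id>1</Id><Name>Mark</Name>" +
        "<UnknownPayload>some data the contract does not know</UnknownPayload>" +
        "</Employee>";

    // Deserialize with the given setting and report whether extension data was retained.
    public static bool RetainsExtensionData(bool ignoreExtensionDataObject)
    {
        var serializer = new DataContractSerializer(typeof(Employee),
            new DataContractSerializerSettings
            {
                IgnoreExtensionDataObject = ignoreExtensionDataObject
            });

        using (var reader = XmlReader.Create(new StringReader(Xml)))
        {
            var employee = (Employee)serializer.ReadObject(reader);
            // Non-null means the unknown element is now held in memory for round-tripping.
            return employee.ExtensionData != null;
        }
    }

    public static void Main()
    {
        Console.WriteLine(RetainsExtensionData(false)); // True: unknown element kept
        Console.WriteLine(RetainsExtensionData(true));  // False: ExtensionData stays null
    }
}
```

The service-level dataContractSerializer behavior and the ServiceBehavior attribute apply this same serializer setting to every DataContract the service receives, which is why neither requires touching the contracts themselves.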