Search code examples
c#wcfsecurityiqueryablenettcpbinding

Passing query expressions over the wire with WCF

I want to implement something like a WCF OData provider but using NetTcpBinding instead of WebHttpBinding / REST. I want the client to be able to write linq queries that are transparently serialized and sent to the server (or potentially, multiple servers, to consolidate distributed database instances).

One way to do this is to implement a custom IQueryable provider. You could pass the query expression over the wire in (at least) two ways:

1) Serialize the expression to xml, send it, and deserialize it on the server

2) Pass what is more-or-less the precursor to raw SQL to the server in the form of DataContracts

1 is difficult and simply alot of work, and 2 obviously could pose security risks (sql injection). Say for instance a 'Where' expression was encapsulated and passed to the server like so, 

[DataContract]
public class WhereFilter
{
    [DataMember]
    public string Property { get; set; }

    [DataMember]
    public string Operation { get; set; }

    [DataMember]
    public string Value { get; set; }
}

Where the above ultimately represents the part of an SQL query that states 'Where [SomeColumn] = 'SomeValue'.

My question is whether the WCF client-server connection could be made secure enough to warrant such an approach without presenting too much of a security risk? Or alternatively if there are any other ways of implementing an OData-like provider over NetTcpBinding i'd be interested.

Solution

  • I'd begin by trying the Expression Tree Serialization project. It aims to allow serialization of expressions, but I haven't used it to comment on how well it works.

    Failing that, then you could construct queries using a DataContract. There are risks but you can always exclude unwanted operations (e.g. UPDATE or DELETE the UserRole table) through database permissions. Your WCF service should connect to the database with a dedicated account, and that account should only have permissions to do what it needs (no CREATE or DROP, only SELECT from relevant tables, etc).

    And of course you can also secure your WCF connection to stop unwanted connections (see WCF Security Overview). One option is to require certificate authentication - only those users with the relevant certificate will be able to use the service.