WCF - WSDL or pre-compiled Proxy

Question

this is B2B scenario, one client (at least for now).

Server environment: WCF service, IIS6, .NET v3.5

Client environment: dev shop is .NET 2.0/VS2005. Will be calling my WCF service.

Question: should i
(a) open WSDL gen for the client(not desirable for security reasons)
(b) send a WSDL file(s) to the client
(c) pre-compile Proxy into dll (on my side) and send it to the client
(d) ???
?

Any suggestions on what would be the best practice for this scenario, any pros/cons?

Thanks in advance,
Igor

Answer 1

In order of preference I would be inclined to:

1. Have the service expose the WSDL (with security enabled)
2. Send a WSDL file to the service consumer

I was going to list option 3 as sending a proxy DLL but on second thought I wouldn't even list it as an option. It seems to me that shipping your client a proxy DLL opens up a big can of worms that I would not want to deal with.

The main problem is that you end up having to support executable code that is deployed at the client site. The proxy code could be generated by svcutil but if there is some sort of problem invoking the service I can just see the client calling you for support and telling you that your proxy is not working. Now, their claim is probably not correct but it's hard for you to prove it since you don't know what they are doing on their side. e.g.

• Maybe they didn't install the proxy DLL?
• Maybe there is some permission problem?
• Maybe they don't know what they are doing (yeah, I know that never happens. :) ).
• Maybe a .NET upgrade on their side affected your proxy?
• You might even run into some versioning headaches when sending them new proxies.

If your customer is not that savvy instead of trying to help them by creating proxy DLL perhaps putting some time and effort into assisting them in getting the correct configuration and usage of your service would be a better approach?

Answer 2

If you don't want to actually publish the WSDL and make it available online for calling clients, then I would prefer the "send me the WSDL and XSD" approach.

That way, you still give the client calling you the ability and flexibility of creating the proxy the way they see fit.

I would only consider using a pre-compiled proxy in an assembly if the calling party was unable or unwilling to create the proxy themselves, and only if they asked me to supply that code in assembly form.

Marc

Answer 3

Why is a publicly available WSDL not desirable for security reasons?

I may be willing to admit that publishing an API (which is basically what you are doing with WSDL) makes you a bit more vulnerable than if you didn't, but it would be wrong to assume that hiding the WSDL constitutes any kind of security. This is ironically called security by obscurity, and it will be broken by any determined attacker.

The web service should be secure in itself. WCF offers many security features, but that is perpendicular to your question.

I'd prefer publishing the WSDL. If you don't want to do that, or if there is a policy in place that says that you can't do that, then send the WSDL to the client team so they can use it as they wish.

Precompiling the proxy will only enforce your coding conventions on the client team, and they may not appreciate that - for example, I often prefer my proxies to be generated with the /i switch that makes the generated classes internal. I also like to be able to specify the .NET namespaces so that they fit the rest of my code. That would not be possible if I got a precompiled assembly (I would be able to use it anyway, but it would just annoy me).