SvcUtil Generated Config

Link. September 28, 2007. Comments [2]. Posted in: WCF

Scott Seely seems to object to my previous comment on being careful about the defaults used by svcutil.exe. Scott goes on to describe in detail how svcutil figures out what should get written in the default configuration, which is pretty useful.

But, seems to me like Scott may have misunderstood my comment. Yes, I do know how svcutil.exe works and even why it chooses the defaults it chooses. I'm not arguing against it configuring default values (even for all binding properties, as cumbersome as that can be). I'm arguing against the rationale of the default values themselves, as they make little sense for a client side proxy.

Don't get me wrong, I fully agree with Scott's comment that "Bigger defaults would have made it easier to blow up your average WCF endpoint, and that wouldn't have been a good thing", but that's an assertion that makes a lot of sense for a service endpoint. A client side proxy, on the other hand, will rarely require such stringent settings and in fact it constantly gets in the way (only case where this would be significant is in the case of duplex contracts).

In other words, I'm arguing for SvcUtil being slightly more smart about the default values depending on the context. And even more, I'm arguing that the default security constraints configured by default on WCF bindings (SvcUtil or no SvcUtil) are too small. I'm not saying to make them unlimited, but they could benefit from slightly larger values, particularly for WSHttpBinding and friends.

But as long as we're on the topic, let's add one more to the mix: The truth is, that these kind of security constraints are sitting right in no man's land. Developers will very rarely look at them (unless they are already aware of the issue) simply because they test their services in limited environments, where, for example, messages might be small enough to cause no trouble. But then they go blow up in their faces in the production environment. Administrators on the other end, have no clue what this settings are or what they configure (in fact, they have no clue they even exist) and will simply ignore them... until they blow up in their faces as well. This is not a good situation by any means, because you know what people will do? They'll just get used to configure them always to the maximum possible value.

Windows Communication Foundation

Friday, September 28, 2007 11:31:07 AM (SA Pacific Standard Time, UTC-05:00)

Thomas-- are you simply speaking about the values for things that are 'sizes'? If so, can you share which ones are causing you the most issues? I've got a handy solution in mind.

Also, FWIW, your explanation of "svcutil" doing XY & Z just reminded me that many folks don't know where svcutil starts and the System.ServiceModel guts start. The point of my post was to draw that line.

Scott Seely

Friday, September 28, 2007 2:22:18 PM (SA Pacific Standard Time, UTC-05:00)

Scott,

Yes, I'm talking about the sizes parameters (mostly maxRequestSize and readerQuotas stuff).

You're right I was a little loose with my terms, and I know part of the problem is really the defaults in the ServiceModel stuff and not SvcUtil, but having SvcUtil be a little bit more smart about it would go a long way.

Tomas Restrepo

Comments are closed.

Commonality

by daemons be driven

SvcUtil Generated Config

Syndicate

About

Ads

Categories

Statistics

Archive

Other