We use IExtensibleDataObject to preserve unknown elements during serialization and deserialization
of a DataContract.
On the service side, at the time of deserialization the unknown elements from the client are
stored in an ExtensionDataObject. To send data to the client, the service has to serialize the data into XML.
During this serialization process the data from the ExtensionDataObject is serialized into XML as it was
provided at the time of the service call.
To use the extension object we need to make the service class a singleton by using the ServiceBehavior attribute:
[ServiceBehavior(InstanceContextMode = InstanceContextMode.Single)]
Drawback of IExtensibleDataObject
Since the extension data is stored in memory, an attacker may flood the server with requests that contain a large number of unknown elements, which can lead to the system running out of memory.
How to turn off IExtensibleDataObject
One way is to remove IExtensibleDataObject from each class where it is used. The second way is through the config file:
<behaviors>
  <serviceBehaviors>
    <behavior name="ignoreExtensionData">
      <dataContractSerializer ignoreExtensionDataObject="true" />
    </behavior>
  </serviceBehaviors>
</behaviors>
The third way is to use the ServiceBehavior attribute:
[ServiceBehavior(IgnoreExtensionDataObject = true)]
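The effect of this setting, as an added example that is not code from the original post: a constructed PersonV2 client contract sends a Nickname element that the service-side PersonV1 contract does not know, and the same XML is round-tripped once with extension data preserved and once with IgnoreExtensionDataObject set on the serializer. The type names, the namespace and the sample values are assumptions made for this illustration.

```csharp
using System;
using System.IO;
using System.Runtime.Serialization;
using System.Text;

// Constructed contracts: the newer client knows a member the service does not.
[DataContract(Name = "Person", Namespace = "urn:example")]
class PersonV2
{
    [DataMember(Order = 1)] public string Name { get; set; }
    [DataMember(Order = 2)] public string Nickname { get; set; }   // unknown to the service
}

[DataContract(Name = "Person", Namespace = "urn:example")]
class PersonV1 : IExtensibleDataObject
{
    [DataMember(Order = 1)] public string Name { get; set; }
    public ExtensionDataObject ExtensionData { get; set; }         // unknown elements are kept here
}

static class Program
{
    static string Write(DataContractSerializer serializer, object graph)
    {
        using (var ms = new MemoryStream())
        {
            serializer.WriteObject(ms, graph);
            return Encoding.UTF8.GetString(ms.ToArray());
        }
    }

    // Deserialize the client XML as PersonV1 (the service view), then serialize it back.
    static string RoundTrip(string xml, bool ignoreExtensionData)
    {
        var settings = new DataContractSerializerSettings { IgnoreExtensionDataObject = ignoreExtensionData };
        var serializer = new DataContractSerializer(typeof(PersonV1), settings);
        using (var ms = new MemoryStream(Encoding.UTF8.GetBytes(xml)))
            return Write(serializer, serializer.ReadObject(ms));
    }

    static void Main()
    {
        string fromClient = Write(new DataContractSerializer(typeof(PersonV2)),
                                  new PersonV2 { Name = "Ann", Nickname = "A" });
        // With extension data preserved, the unknown element survives the round trip.
        Console.WriteLine("preserved: " + RoundTrip(fromClient, false).Contains("Nickname"));
        // With IgnoreExtensionDataObject, it is dropped at deserialization and never buffered.
        Console.WriteLine("ignored:   " + RoundTrip(fromClient, true).Contains("Nickname"));
    }
}
```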