wcfauthenticationierrorhandler

WCF - IErrorHandler vs Authentication


I'm writing a WCF service with some authentication and a custom error handler. However, I'm coming up against this problem: my implementation of IErrorHandler is not getting hit when the authentication throws an exception, but runs just fine with other exeptions.

Does authentication run before IErrorHandler gets built? Am I barking up the wrong tree trying to get it to catch those errors?

Yes, I have tried (and am) throwing a FaultException in my authentication, not SecurityTokenException.


Solution

  • So first thing is to make sure that your custom Error Handler is also implementing IServiceBehavior. IServiceBehavior requires that you implement a couple other methods but the important one is "ApplyDispatchBehavior", in which you must add the ErrorHandler to the channel dispatchers.

    C#

    public class CustomErrorHandler: IServiceBehavior, IErrorHandler
    {
        public bool HandleError(Exception error)
        {
            //Return True here if you want the service to continue on as if
            //  the error was handled
    
            return true;
        }
    
        public void ProvideFault(Exception error,
                                 MessageVersion version,
                                 ref Message fault)
        {
            FaultException fe = new FaultException(
                new FaultReason(error.Message),
                new FaultCode("Service Error"));
    
            MessageFault mf = fe.CreateMessageFault();
            fault = Message.CreateMessage(version, mf, fe.Action);
        }
    
        public void ApplyDispatchBehavior(ServiceDescription serviceDescription, 
                                          ServiceHostBase serviceHostBase)
        {
    
            IErrorHandler eh = new CustomErrorHandler();
    
            foreach (ChannelDsipatcherBase cdb in serviceHostBase.ChannelDispatchers)
            {
                ChannelDispatcher cd = cdb as ChannelDispatcher;
                cd.ErrorHandlers.Add(eh);
            }
    
        }
    
        public void AddBindingParameters(ServiceDescription serviceDescription,
                                         ServiceHostBase serviceHostBase, 
                                         Collection<ServiceEndpoint> endpoints, 
                                         BindingParameterCollection bindingParameters)
        {
            //Add binding parameters if you want, I am not
        }
    
        public void Validate(ServiceDescription serviceDescription,
                             ServiceHostBase serviceHostBase)
        {
            //Add custom fault validation here if you want
        }
    }
    

    Then you need to add the CustomErrorHandler as a service behavior and add the behavior

    web.config

    <system.serviceModel>
        <extensions>
            <behaviorExtensions>
                <add name="ErrorHandler"
                     type="ServiceNamespace.CustomErrorHandler, ServiceNamespace, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null"/>
            </behaviorExtensions>
        </extensions>
        <behaviors>
            <serviceBehaviors>
                <behavior name="MyBehavior1">
                    <!--Put other behaviors for your service here then add the next line-->
                    <ErrorHandler />
                </behavior>
            </serviceBehaviors>
        </behaviors>
    </system.serviceModel>
    

    This way all your thrown exceptions will be converted to faults to return back to the client.

    In the case of SecurityTokenExceptions, you do not want to convert those to Fault Exceptions right away. You actually do want to throw these as SecurityTokenExceptions in the custom validation in order for the service/server to recognize that the security authorization failed, and automatically returns as a fault equiv of a "403 : Access Denied". I am not 100% but I think that the custom auth and validation pieces happen before custom service behaviors, like the error handler, are loaded. Unfortunately, if you need to troubleshoot something in your auth, you will need to turn on WCF tracing on the service, see this article titled "How to turn on WCF Tracing".

    If you need to log failed auth attempts, you will probably need to put it directly in your custom validator.