When Impersonating Declaratively, Only Impersonate On the Operations That Require It

- J.D. Meier, Carlos Farre, Jason Taylor, Prashant Bansode, Steve Gregersen, Madhu Sundararajan, Rob Boucher

Only impersonate on the specific operations that require it. If you impersonate on operations that do not require the additional privileges, you increase your attack surface as well as the potential impact of an exploit.

Impersonation is a costly operation and is usually used for higher-privileged original callers. Using impersonation selectively, only on the operations that need it, reduces the potential attack surface. You can impersonate declaratively by applying the OperationBehaviorAttribute attribute on any operation that requires client impersonation, as shown in the following code example:

```csharp
// Impersonation is scoped to this single operation; other operations on the
// service keep running under the service's process identity.
[OperationBehavior(Impersonation = ImpersonationOption.Required)]
public string GetData(int value)
{
    return "test";
}
```
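The following is an added example, not code from the original guideline, that puts the attribute in context: a WCF service with two operations, where only the one that genuinely needs the caller's privileges impersonates, and a host setup that keeps impersonation off for everything else. The contract and operation names (IReportService, GetPublicSummary, GetProtectedReport) and the endpoint address are assumptions chosen for illustration.

```csharp
using System;
using System.Security.Principal;
using System.ServiceModel;

// Added example (not from the original guideline). Contract and operation
// names are assumptions chosen for illustration.
[ServiceContract]
public interface IReportService
{
    [OperationContract]
    string GetPublicSummary();

    [OperationContract]
    string GetProtectedReport(int reportId);
}

public class ReportService : IReportService
{
    // No OperationBehavior attribute: the default is ImpersonationOption.NotAllowed,
    // so this runs under the service process identity. A flaw in this operation
    // cannot borrow the caller's privileges.
    public string GetPublicSummary()
    {
        return "Executing as service identity: " + WindowsIdentity.GetCurrent().Name;
    }

    // Impersonation is limited to this one operation. With Required, WCF refuses
    // the call if the caller did not authenticate with Windows credentials, so the
    // operation never silently falls back to the (usually more privileged) process
    // identity.
    [OperationBehavior(Impersonation = ImpersonationOption.Required)]
    public string GetProtectedReport(int reportId)
    {
        WindowsIdentity caller = ServiceSecurityContext.Current.WindowsIdentity;
        WindowsIdentity current = WindowsIdentity.GetCurrent();

        // Defensive check: the thread must actually be running as the caller.
        if (caller == null || current.User != caller.User)
        {
            throw new FaultException("Operation requires caller impersonation.");
        }

        // Downstream resource access (files, databases) now uses the caller's
        // own rights, so it is authorized against the caller rather than the
        // service account.
        return "Report " + reportId + " fetched as " + current.Name;
    }
}

public static class ReportHost
{
    // Returns the configured host so the authorization settings can be
    // inspected before opening it. Address is an assumed placeholder.
    public static ServiceHost Create()
    {
        var host = new ServiceHost(typeof(ReportService),
                                   new Uri("net.tcp://localhost:8081/reports"));

        // Windows credentials are required for impersonation to be possible at all.
        var binding = new NetTcpBinding(SecurityMode.Transport);
        binding.Security.Transport.ClientCredentialType = TcpClientCredentialType.Windows;
        host.AddServiceEndpoint(typeof(IReportService), binding, string.Empty);

        // Keep the global switch off (false is the default). Setting it to true
        // would impersonate on every operation, which is exactly what this
        // guideline warns against.
        host.Authorization.ImpersonateCallerForAllOperations = false;
        return host;
    }

    public static void Main()
    {
        using (ServiceHost host = Create())
        {
            host.Open();
            Console.WriteLine("Impersonate all operations: "
                + host.Authorization.ImpersonateCallerForAllOperations);
            Console.WriteLine("Listening; press Enter to stop.");
            Console.ReadLine();
        }
    }
}
```

When reviewing a service, check both places: the per-operation OperationBehavior attributes and the ImpersonateCallerForAllOperations setting on the ServiceAuthorizationBehavior (in code or in the serviceAuthorization element of configuration). Either one set too broadly widens the set of operations that run with the caller's privileges.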