This morning (right after my first coffee) I had to troubleshoot an URI ACL issue with Christian. He tried using my tool to reserve URI namespaces to host a bunch of services using HTTP. But it didn’t work.
I told him that the right format for the URL is:
http://localhost:7777/Service/
but this gave us access denied. I then tried:
No success.
After a little bit of trial and error, I managed to get it to work using:
That surprised me, because I am 100% positive that the ‘*’ and localhost works for plain HttpListener and that’s ultimately what WCF’s ServiceHost uses to listen to HTTP requests.
So what’s the difference between ‘+’ and ‘*’ and why is this not working with WCF? Well – too bad the httpcfg.exe docs don’t tell you, so I had to dig deep into the Windows SDK and finally found a decent description of the URL prefix formats in the docs for the HTTP_SERVICE_CONFIG_URLACL_SET structure (the structure you pass into the unmanaged reservation API called HttpServiceSetConfigurationAcl). Intuitive, isn’t it?
The ‘*’ is a so called weak wildcard whereas ‘+’ is a strong wildcard. Strong wildcards seem to work regardless of the host header in the HTTP request, weak wildcards only listen to registered hostnames. Strong wildcards also take precedence over weak ones. Check the SDK document for more interesting details.
By default WCF demands a strong wildcard. But you can change this with the HostNameComparison property on the BasicHttpBinding class (thanks for the pointer, Nicholas).
Christian also nagged me that my tool is not able to show all existing URL registration (well, he was just too lazy to type ‘httpcfg query urlacl’ ;). But hey – only happy users are good users, and here is a new version of it:
leastprivilege.com 