CCF Web Services
When you write or use Web services within CCF, do not permit anonymous access to any call center Web services. We strongly recommend that you use Windows Integrated Authentication and Active Directory to help secure the use of Web services.
Any errors from Web services should be logged on the server. Detailed information about an error should not be passed back to the ID, although you might need to use a generic error message in some situations. For example, neither the Web service stack trace nor details of a SQL transaction should be logged on the desktop, but only on the server.
The following example shows how an error in a Web service can be handled.
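catch ( Exception exp )
{
    // Log the full exception (message and stack trace) on the server only.
    Logging.error( this.ToString(), exp.Message, exp );
    // Return only a generic message to the caller.
    throw new Exception( "some generic error message" );
}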
This approach does not pass specific error details, but it does provide enough information to indicate there was an error.
In addition, consider the following recommendations:
- Use Web services for all database access from CCF.
- Disable access to HTTP Get and Post methods for all Web services. Enable SOAP access only. You can configure this in the Web.config file.
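The following Web.config fragment is an added example, not taken from the CCF documentation or its shipped configuration. It shows the standard ASP.NET settings that correspond to two of the recommendations above: denying anonymous callers with Windows Integrated Authentication, and removing the HTTP Get and Post protocols so that only SOAP remains. It assumes the Web services are ASP.NET (.asmx) services hosted in IIS.

```xml
<?xml version="1.0"?>
<configuration>
  <system.web>

    <!-- Use Windows Integrated Authentication. Anonymous access must
         also be turned off for the virtual directory in IIS, otherwise
         IIS passes requests through as the anonymous account. -->
    <authentication mode="Windows" />

    <!-- "?" means unauthenticated users: reject every anonymous call. -->
    <authorization>
      <deny users="?" />
    </authorization>

    <webServices>
      <protocols>
        <!-- Remove the non-SOAP invocation protocols. The SOAP
             protocols are enabled by default and are left untouched. -->
        <remove name="HttpGet" />
        <remove name="HttpPost" />
        <!-- HttpPostLocalhost permits HTTP Post from the local machine
             (used by the browser test form); remove it as well so that
             Post is disabled for every caller. -->
        <remove name="HttpPostLocalhost" />
      </protocols>
    </webServices>

  </system.web>
</configuration>
```

To verify the result, request a Web method with a plain HTTP Get or Post after deployment and confirm that the server rejects the request, and confirm that an unauthenticated request receives an HTTP 401 response.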