开发者

Windows Azure WCF Security

I've a wcf service deployed to the cloud. Could开发者_高级运维 anyone guuide me through best practices on how I can secure the end point in azure please?

Thanks.


In my opinion, the easiest approach is to use the AppFabric Access Control Service (ACS) to generate a Secure Web Token (SWT) that you pass to the WCF service via an authorization HTTP header. In the service method, you can then read and validate the SWT from the header.

It's pretty straightforward, particularly if you create proxies dynamically rather than using Service References.

This is how I get the SWT from ACS:

private static string GetToken(string serviceNamespace, string issuerKey, string appliesto)
{
    WebClient client = new WebClient();

    client.BaseAddress = String.Format("https://{0}.accesscontrol.windows.net", serviceNamespace);
    client.UseDefaultCredentials = true;

    NameValueCollection values = new NameValueCollection();

    values.Add("wrap_name", serviceNamespace);
    values.Add("wrap_password", issuerKey);
    values.Add("wrap_scope", appliesto);

    byte[] responseBytes = client.UploadValues("WRAPv0.9", "POST", values);

    string response = System.Text.Encoding.UTF8.GetString(responseBytes);

    string token = response
                        .Split('&')
                        .Single(value => value.StartsWith("wrap_access_token=", StringComparison.OrdinalIgnoreCase))
                        .Split('=')[1];

    return token;
}

issuerKey, as it was referred to in ACS v1 is now the Password from the Service Identity in ACS v2.

To call the service:

string accessToken = GetToken(serviceNamespace, issuerKey, appliesto);

string authHeaderValue = string.Format("WRAP access_token=\"{0}\"", HttpUtility.UrlDecode(accessToken));

// TInterface is the service interface
// endpointName refers to the endpoint in web.config
ChannelFactory channelFactory = new ChannelFactory<TInterface>(endpointName);

TInterface proxy = channelFactory.CreateChannel();

OperationContextScope scope = new OperationContextScope(proxy as IContextChannel);

WebOperationContext.Current.OutgoingRequest.Headers.Add(HttpRequestHeader.Authorization, authHeaderValue);

// Call your service
proxy.DoSomething();

On the service-side, you extract the token from the header and validate it. I can find out the code for that, if this looks like the approach you want to take.

Try this blog post by Alik Levin as a good starting point.


A typical, broadly interoperable approach would be to use HTTP Basic Authentication over an SSL connection. The approach for running this in Azure is really very similar to how you would achieve this on a traditional Windows server.

You can implement an IIS Http Module and provide your own implementation of a BasicAuthenticationModule - this can work however you want but calling in to ASP.NET Membership (a call to ValidateUser) would be a common approach. The store for that can be hosted in SQL Azure.

You can then surface this to WCF by implementing IAuthorizationPolicy and adding this to your authorizationPolicies WCF config element.

The Patterns and Practices team have a walkthrough of this with complete code at http://msdn.microsoft.com/en-us/library/ff649647.aspx. You can ignore the brief Windows Forms discussion - being web services, their choice of client is irrelevant.

0

上一篇:

下一篇:

精彩评论

暂无评论...
验证码 换一张
取 消

最新问答

问答排行榜