Geeks With Blogs

Elton Stoneman (@EltonStoneman) IT Consultant, integration specialist, @Microsoft MVP and @Pluralsight author.

This is the third in the IPASBR series, see also:

As the patterns get further from the simple .NET full-trust consumer, all that changes is the communication protocol and the authentication mechanism. In Part 3 the scenario is that we still have a secure .NET environment consuming our service, so we can store shared keys securely, but the runtime environment is locked down so we can't use Microsoft.ServiceBus to get the nice WCF relay bindings. To support this we will expose a RESTful endpoint through the Azure Service Bus, and require the consumer to send a security token with each HTTP service request.

Pattern applicability

This is a good fit for scenarios where:

  • the runtime environment is secure enough to keep shared secrets
  • the consumer can execute custom code, including building HTTP requests with custom headers
  • the consumer cannot use the Azure SDK assemblies
  • the service may need to know who is consuming it
  • the service does not need to know who the end-user is

Note there isn't actually a .NET requirement here. By exposing the service through a REST endpoint, anything that can talk HTTP can be a consumer. We'll authenticate through ACS, which also gives us REST endpoints, so the service is still accessed securely. Our real-world example would be a hosted cloud app, where we have enough room in the app's customisation to keep the shared secret somewhere safe and to hook in some HTTP calls. We will be flowing an identity through to the on-premise service now, but it will be the service identity given to the consuming app - the end user's identity doesn't flow through yet.

In this post, we’ll consume the service from Part 1 in ASP.NET using the WebHttpRelayBinding. The code for Part 3 (+ Part 1) is on GitHub here: IPASBR Part 3.

Authenticating and authorizing with ACS

We'll follow the previous examples and add a new service identity for the namespace in ACS, so we can separate permissions for different consumers (see walkthrough in Part 1). I've named the identity partialTrustConsumer. We’ll be authenticating against ACS with an explicit HTTP call, so we need a password credential rather than a symmetric key – for a nice secure option, generate a symmetric key, copy to the clipboard, then change type to password and paste in the key:


We then need to do the same as in Part 2: add a rule to map the incoming identity claim to an outgoing authorization claim that allows the identity to send messages to Service Bus:

Issuer: Access Control Service
Input claim type: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier
Input claim value: partialTrustConsumer
Output claim type: net.windows.servicebus.action
Output claim value: Send

As with Part 2, this sets up a service identity which can send messages into Service Bus, but cannot register itself as a listener, or manage the namespace.

RESTfully exposing the on-premise service through Azure Service Bus Relay

The Part 3 sample code is ready to go: just put your Azure details into Solution Items\AzureConnectionDetails.xml and "Run Custom Tool" on the .tt files. But doing it yourself is very simple. We already have a WebGet attribute in the service for making REST calls locally, so we are just going to add a new endpoint which uses the WebHttpRelayBinding to relay that service through Azure. It's as easy as adding this endpoint to Web.config for the service:

        <endpoint address="https://sixeyed-ipasbr.servicebus.windows.net/rest"
                  binding="webHttpRelayBinding" 
                  contract="Sixeyed.Ipasbr.Services.IFormatService"
                  behaviorConfiguration="SharedSecret">
        </endpoint>

- and adding the webHttp element to your endpoint behavior:

          <behavior name="SharedSecret">
            <webHttp/>
            <transportClientEndpointBehavior credentialType="SharedSecret">
              <clientCredentials>
                <sharedSecret issuerName="serviceProvider"
                              issuerSecret="gl0xaVmlebKKJUAnpripKhr8YnLf9Neaf6LR53N8uGs="/>
              </clientCredentials>
            </transportClientEndpointBehavior>
          </behavior>

Where's my WSDL?

The metadata story for REST is a bit less automated. In our local webHttp endpoint we've enabled WCF's built-in help, so if you navigate to:

http://localhost/Sixeyed.Ipasbr.Services/FormatService.svc/rest/help

- you'll see the URI format for making a GET request to the service. The format is the same over Azure, so this is where you'll be connecting:

https://[your-namespace].servicebus.windows.net/rest/reverse?string=abc123

Build the service with the new endpoint, open that in a browser and you'll get an XML version of an HTTP status code - a 401 with an error message stating that you haven’t provided an authorization header:

<?xml version="1.0"?><Error><Code>401</Code><Detail>MissingToken: The request contains no authorization header..TrackingId:4cb53408-646b-4163-87b9-bc2b20cdfb75_5,TimeStamp:10/3/2012 8:34:07 PM</Detail></Error>

By default, the setup of your Service Bus endpoint as a relying party in ACS expects a Simple Web Token to be presented with each service request, and in the browser we're not passing one, so we can't access the service. Note that this request doesn't get anywhere near your on-premise service: Service Bus only relays requests once they've got the necessary approval from ACS.

Why didn't the consumer need to get ACS authorization in Part 2?

It did, but it was all done behind the scenes in the NetTcpRelayBinding. By specifying our Shared Secret credentials in the consumer, the service call is preceded by a check on ACS to see that the identity provided is a) valid, and b) allowed access to our Service Bus endpoint. By making manual HTTP requests, we need to take care of that ACS check ourselves now.

We do that with a simple WebClient call to the ACS endpoint for our namespace; passing the shared secret credentials, we get back an SWT:

using System.Net;

// Form fields for the WRAPv0.9 token request to ACS
var values = new System.Collections.Specialized.NameValueCollection();
values.Add("wrap_name", "partialTrustConsumer"); //service identity name
values.Add("wrap_password", "suCei7AzdXY9toVH+S47C4TVyXO/UUFzu0zZiSCp64Y="); //service identity password
values.Add("wrap_scope", "http://sixeyed-ipasbr.servicebus.windows.net/"); //this is the realm of the RP in ACS

// POST the credentials to the namespace's ACS endpoint; the response body is form-encoded and carries the SWT
var acsClient = new WebClient();
var responseBytes = acsClient.UploadValues("https://sixeyed-ipasbr-sb.accesscontrol.windows.net/WRAPv0.9/", "POST", values);
var rawToken = System.Text.Encoding.UTF8.GetString(responseBytes);

With a little manipulation, we then attach the SWT to subsequent REST calls in the authorization header; the token contains the Send claim returned from ACS, so we will be authorized to send messages into Service Bus.
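Since nothing here requires .NET, the same token handling for a non-.NET consumer, in Python: it pulls the SWT out of the WRAPv0.9 response, verifies the token's HMACSHA256 signature the way Service Bus does before honouring it, checks for the Send claim, and builds the Authorization header. This is an added example, not code from the post or the IPASBR sample; the signing key and the token contents are constructed, and the WRAP response and SWT layouts are the standard ones, which the post does not spell out.

```python
import base64, hashlib, hmac
from urllib.parse import parse_qs, quote, unquote, urlencode

# Constructed placeholder: the symmetric key the Service Bus relying party in
# ACS would sign tokens with. Real keys are 32 random bytes, base64-encoded.
SIGNING_KEY_B64 = base64.b64encode(b"constructed-placeholder-key-32-bytes!").decode()

def sign_swt(claims: dict, key_b64: str) -> str:
    """Build a Simple Web Token: form-encoded claims, then HMACSHA256 over them."""
    body = urlencode(claims)
    mac = hmac.new(base64.b64decode(key_b64), body.encode(), hashlib.sha256).digest()
    return body + "&HMACSHA256=" + quote(base64.b64encode(mac).decode(), safe="")

def access_token_from_wrap_response(raw: str) -> str:
    """Pull wrap_access_token out of the WRAPv0.9 response body (form-encoded)."""
    return parse_qs(raw, strict_parsing=True)["wrap_access_token"][0]

def verify_swt(token: str, key_b64: str) -> dict:
    """Check the HMACSHA256 signature and return the claims; raise if it is bad."""
    body, sep, sig = token.rpartition("&HMACSHA256=")
    if not sep:
        raise ValueError("token carries no HMACSHA256 signature")
    expected = hmac.new(base64.b64decode(key_b64), body.encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(base64.b64decode(unquote(sig)), expected):
        raise ValueError("SWT signature does not match the signing key")
    return {k: v[0] for k, v in parse_qs(body).items()}

def may_send(token: str, key_b64: str) -> bool:
    """True only if the token is genuine and carries the Send action claim."""
    return verify_swt(token, key_b64).get("net.windows.servicebus.action") == "Send"

def authorization_header(token: str) -> str:
    """The header value Service Bus expects on each relayed HTTP request."""
    return 'WRAP access_token="%s"' % token

# Constructed sample of what ACS returns for the partialTrustConsumer identity.
SAMPLE_CLAIMS = {
    "net.windows.servicebus.action": "Send",
    "Issuer": "https://sixeyed-ipasbr-sb.accesscontrol.windows.net/",
    "Audience": "http://sixeyed-ipasbr.servicebus.windows.net/",
    "ExpiresOn": "1349296447",
}
SAMPLE_TOKEN = sign_swt(SAMPLE_CLAIMS, SIGNING_KEY_B64)
SAMPLE_WRAP_RESPONSE = urlencode(
    {"wrap_access_token": SAMPLE_TOKEN, "wrap_access_token_expires_in": "1200"})
```

Feed the real response body from the WRAPv0.9 POST into access_token_from_wrap_response and put authorization_header's result in the Authorization header of every relayed GET.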

Running the sample

Navigate to http://localhost:2028/Sixeyed.Ipasbr.WebHttpClient/Default.cshtml, enter a string and hit Go! - your string will be reversed by your on-premise service, routed through Azure:


Using shared secret client credentials in this way means ACS is the identity provider for your service, and the claim which allows Send access to Service Bus is consumed by Service Bus. None of the authentication details make it through to your service, so your service is not aware who the consumer is (MSDN calls this "anonymous authentication").

Posted on Thursday, October 4, 2012 10:12 PM. Tags: github, REST, IPASBR, ACS


Comments on this post: Integration Patterns with Azure Service Bus Relay, Part 3: Anonymous partial-trust consumer

# re: Integration Patterns with Azure Service Bus Relay, Part 3: Anonymous partial-trust consumer
Thanks this worked well for me...
Left by nadja on Nov 07, 2012 12:34 PM

# re: Integration Patterns with Azure Service Bus Relay, Part 3: Anonymous partial-trust consumer
Very good job. Helped me lot.
Left by Rajesh on Jul 09, 2013 6:17 AM

Copyright © Elton Stoneman | Powered by: GeeksWithBlogs.net