Geeks With Blogs

Michael Stephenson keeping your feet on premise while your heads in the cloud

Recently we have been working on a project using the Windows Azure Service Bus to expose line of business applications. One of the topics we discussed a lot was the security aspects of the solution. Most of the samples you see for Windows Azure Service Bus use the shared secret with the Access Control Service (ACS) to protect the service bus endpoint, but one of the problems we found was that in this scenario any claims resulting from credentials supplied by the client are not passed through to the service listening to the service bus endpoint. As an example of this, we were originally hoping that we could give two different clients their own shared secret key, and the issuer for each would indicate which client it was. If the claims had flowed to the listening service then we could have checked that the message sent by client one was of a type they are allowed to send. Unfortunately this claim isn't flowed to the listening service, so we were unable to implement this scenario.

We had also seen samples suggesting that changing the relayClientAuthenticationType attribute would allow you to authenticate the client within the service itself rather than with ACS. While this was interesting, it wasn't exactly what we wanted. Removing the step where access to the Relay endpoint is protected by authentication against ACS means that anyone could send messages via the service bus to the on-premise listening service, which would then authenticate clients. In our scenario we certainly didn't want to allow clients to skip the ACS authentication step, because this could open up two attack opportunities. The first would allow an attacker to send messages through to our on-premise servers and potentially cause a denial of service situation. The second is the same kind of attack: by running lots of messages through service bus which were then rejected, the attacker would be causing us to incur charges per message on our Windows Azure account.

The correct way to implement our desired scenario is to combine two things: one of the common options for authenticating against ACS, so that the service bus endpoint cannot be accessed by an unauthenticated caller, and the normal WCF security features using the TransportWithMessageCredential security option.
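How the two layers can sit together in the listening service's WCF configuration, as an added sketch that is not taken from the original post or its follow-up articles. The binding and behavior names, the `Contoso.*` types, the namespace and the issuer values are placeholders; it assumes the Service Bus WCF binding extensions are registered, and it leaves out any service certificate or other credentials your setup may require.

```xml
<!-- Added example: service-side configuration. All names and values are placeholders. -->
<system.serviceModel>
  <bindings>
    <netTcpRelayBinding>
      <binding name="relayWithMessageCredential">
        <!-- Layer 1: relayClientAuthenticationType="RelayAccessToken" makes the relay
             reject senders that hold no ACS token. "None" is the setting the post
             rules out, because unauthenticated traffic would reach the listener. -->
        <security mode="TransportWithMessageCredential"
                  relayClientAuthenticationType="RelayAccessToken">
          <!-- Layer 2: a per-client credential carried in the message, so the
               listening service can tell the clients apart. -->
          <message clientCredentialType="UserName" />
        </security>
      </binding>
    </netTcpRelayBinding>
  </bindings>
  <behaviors>
    <endpointBehaviors>
      <!-- Shared secret the listener uses to obtain its own token from ACS -->
      <behavior name="acsSharedSecret">
        <transportClientEndpointBehavior>
          <tokenProvider>
            <sharedSecret issuerName="ISSUER-NAME" issuerSecret="ISSUER-SECRET" />
          </tokenProvider>
        </transportClientEndpointBehavior>
      </behavior>
    </endpointBehaviors>
    <serviceBehaviors>
      <!-- Hypothetical validator type that checks each client's user name and password -->
      <behavior name="perClientValidation">
        <serviceCredentials>
          <userNameAuthentication userNamePasswordValidationMode="Custom"
            customUserNamePasswordValidatorType="Contoso.Security.ClientValidator, Contoso.Security" />
        </serviceCredentials>
      </behavior>
    </serviceBehaviors>
  </behaviors>
  <services>
    <service name="Contoso.OrderService" behaviorConfiguration="perClientValidation">
      <endpoint address="sb://YOUR-NAMESPACE.servicebus.windows.net/orders"
                binding="netTcpRelayBinding"
                bindingConfiguration="relayWithMessageCredential"
                behaviorConfiguration="acsSharedSecret"
                contract="Contoso.IOrderService" />
    </service>
  </services>
</system.serviceModel>
```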

Looking around I could not find any guidance on how to implement this correctly so on the back of setting this up I decided to write a couple of articles to walk through a couple of the common scenarios you may be interested in.

These are available on the following links:


Posted on Tuesday, October 30, 2012 3:46 AM | Azure Service Bus

Comments on this post: TransportWithMessageCredential & Service Bus – Introduction

