Geeks With Blogs

News View Michael Stephenson's profile on BizTalk Blog Doc View Michael Stephenson's profile on LinkedIn
Michael Stephenson keeping your feet on premise while your heads in the cloud

As discussed in the introduction article this walkthrough will explain how you can implement WCF security with the Windows Azure Service Bus to ensure that you can protect your endpoint in the cloud with a shared secret but also flow through a username token so that in your listening WCF service you will be able to identify who sent the message. This could either be in the form of an application or a user depending on how you want to use your token.


Before going into the walk through I want to explain a few assumptions about the scenario we are implementing but to keep the article shorter I am not going to walk through all of the steps in how to setup some of this.

In the solution we have a simple console application which will represent the client application. There is also the services WCF application which contains the WCF service we will expose via the Windows Azure Service Bus.

The WCF Service application in this example was hosted in IIS 7 on Windows 2008 R2 with AppFabric Server installed and configured to auto-start the WCF listening services. I am not going to go through significant detail around the IIS setup because it should not matter in relation to this article however if you want to understand more about how to configure WCF and IIS for such a scenario please refer to the following paper which goes into a lot of detail about how to configure this. The link is:


The Service Component

To begin with let's look at the service component and how it can be configured to listen to the service bus using a shared secret but to also accept a username token from the client. In the sample the service component is called Acme.Azure.ServiceBus.Poc.UN.Services. It has a single service which is the Visual Studio template for a WCF service when you add a new WCF Service Application so we have a service called Service1 with its Echo method.

Nothing special so far!....

The next step is to look at the web.config file to see how we have configured the WCF service.

In the services section of the WCF configuration you can see I have created my service and I have created a local endpoint which I simply used to do a little bit of diagnostics and to check it was working, but more importantly there is the Windows Azure endpoint which is using the ws2007HttpRelayBinding (note that this should also work just the same if your using netTcpRelayBinding).

The key points to note on the above picture are the service behavior called MyServiceBehaviour and the service bus endpoints behavior called MyEndpointBehaviour. We will go into these in more detail later.


The Relay Binding

The relay binding for the service has been configured to use the TransportWithMessageCredential security mode. This is the important bit where the transport security really relates to the interaction between the service and listening to the Azure Service Bus and the message credential is where we will use our username token like we have specified in the message/clientCrentialType attribute.

Note also that we have left the relayClientAuthenticationType set to RelayAccessToken. This means that authentication will be made against ACS for accessing the service bus and messages will not be accepted from any sender who has not been authenticated by ACS.


The Endpoint Behaviour

In the below picture you can see the endpoint behavior which is configured to use the shared secret client credential for accessing the service bus and also for diagnostic purposes I have included the service registry element.

Hopefully if you are familiar with using Windows Azure Service Bus relay feature the above is very familiar to you and this is a very common setup for this section. There is nothing specific to the username token implementation here.

The Service Behaviour

Now we come to the bit with most of the username token bits in it. When you configure the service behavior I have included the serviceCredentials element and then setup to use userNameAuthentication and you can see that I have created my own custom username token validator.


This setup means that WCF will hand off to my class for validating the username token details. I have also added the serviceSecurityAudit element to give me a simple auditing of access capability.

My UsernamePassword Validator

The below picture shows you the details of the username password validator class I have implemented. WCF will hand off to this class when validating the token and give me a nice way to check the token credentials against an on-premise store.

You have all of the validation features with a non-service bus WCF implementation available such as validating the username password against active directory or membership features or as in my case above something much simpler.


The Client

Now let's take a look at the client side of this solution and how we can configure the client to authenticate against ACS but also send a username token over to the service component so it can implement additional security checks on-premise.

I have a console application and in the program class I want to use the proxy generated with Add Service Reference to send a message via the Azure Service Bus. You can see in my WCF client configuration below I have setup my details for the azure service bus url and am using the ws2007HttpRelayBinding.

Next is my configuration for the relay binding. You can see below I have configured security to use TransportWithMessageCredential so we will flow the username token with the message and also the RelayAccessToken relayClientAuthenticationType which means the component will validate against ACS before being allowed to access the relay endpoint to send a message.



After the binding we need to configure the endpoint behavior like in the below picture. This is the normal configuration to use a shared secret for accessing a Service Bus endpoint.


Finally below we have the code of the client in the console application which will call the service bus. You can see that we have created our proxy and then made a normal call to a WCF service but this time we have also set the ClientCredentials to use the appropriate username and password which will be flown through the service bus and to our service which will validate them.




As you can see from the above walkthrough it is not too difficult to configure a service to use both a shared secret and username token at the same time. This gives you the power and protection offered by the access control service in the cloud but also the ability to flow additional tokens to the on-premise component for additional security features to be implemented.


The sample used in this post is available at the following location:


Posted on Tuesday, October 30, 2012 3:46 AM Azure Service Bus | Back to top

Comments on this post: Combining Shared Secret and Username Token – Azure Service Bus

# re: Combining Shared Secret and Username Token – Azure Service Bus
Requesting Gravatar...
Hi Michael

I have one problem with simmilar scenario. From tools like Postman relay api works good. But from JavaScript, browser first send "OPTIONS" request, without token, and the service responds with "The request contains no authorization header. "
What is the best solution?
Left by Krzysztof on Dec 09, 2015 2:36 AM

# Mobdro Kodi
Requesting Gravatar...
good Mobdro Top quality APK is merely price few us dollars/year. visit this If you happen to be searching for the specific technique to Mobdro Kodi Install nice.
Left by keya on Mar 30, 2016 8:43 PM

# vidmate
Requesting Gravatar...
good Television series or film in large definition all free of charge of demand. Vidmate PC Downloader software in the search package. You will observe the Vidmate Android APK nice.
Left by dinal on Apr 17, 2016 11:32 PM

# re: celebritysnapchatt
Requesting Gravatar...
good and you might perish having a laugh when viewing her photos. celebrity snapchat usernames Teigen is usually fairly very much a interpersonal great.
Left by amrit on Jun 18, 2016 10:39 PM

# re: Combining Shared Secret and Username Token – Azure Service Bus
Requesting Gravatar...
good shareit is certainly that handling the Shows (PPT) from their shareit app. SHAREit for PC to additional system gadget make use of this SHAREit Windows PC nice.
Left by janvi on Jun 25, 2016 12:17 AM

# re: Combining Shared Secret and Username Token – Azure Service Bus
Requesting Gravatar...
good and can begin participating in Pokemon Proceed best on your android gadget. Download Pokemon GO iPhone want to perform the video game. On the other hand, Pokemon GO for iPhone nice.
Left by dev on Jul 17, 2016 10:42 PM

# re: Combining Shared Secret and Username Token – Azure Service Bus
Requesting Gravatar...
good Make sure you download the over software program initially Periscope Download Compatible with all series AMD pcs. nice.
Left by ratan on Jul 24, 2016 7:39 PM

# re: Combining Shared Secret and Username Token – Azure Service Bus
Requesting Gravatar...
good The software consists of even more than 600 outstanding color pictures vShare for iphone zapya APK assist you to conveniently to show nice.
Left by prem on Jul 24, 2016 9:45 PM

# re: Combining Shared Secret and Username Token – Azure Service Bus
Requesting Gravatar...
good your Local wi-fi network. It is not meant to be utilized with public wi-fi networks. wifikill pro apk special requirement required for NetCut nice.
Left by mayuri on Jan 01, 2017 11:14 PM

# re: Combining Shared Secret and Username Token – Azure Service Bus
Requesting Gravatar...
good HD Movies as well as video clips with no headache. Download Vidmate After that you will certainly obtain the below screen nice.
Left by rickie on Feb 03, 2017 6:54 PM

# re: Combining Shared Secret and Username Token – Azure Service Bus
Requesting Gravatar...
How to Mbdro android for android from official site and easy steps to install install mobdro for free for android for free. You can check and if you wanna get your ex back, Text Your Ex Back.
Left by Larry Jones on Feb 13, 2017 1:01 AM

# re: Combining Shared Secret and Username Token – Azure Service Bus
Requesting Gravatar...
good stories and also art with day-to-day video clips. Viva Video for iPhone As soon as the Play Store opens, look for VivaVideo nice.
Left by robert on Feb 14, 2017 11:59 PM

Your comment:
 (will show your gravatar)

Copyright © Michael Stephenson | Powered by: