Aspects of Using Windows Azure AppFabric (original title: Aspectos de Utilização do Windows Azure AppFabric)

pedrofelix at cc.isel.ipl.pt

Transcript of Aspects of Using Windows Azure AppFabric (31 slides)

Page 1: Title

Aspects of Using Windows Azure AppFabric

pedrofelix at cc.isel.ipl.pt

Page 2: Outline

• Service Bus

– Goals and scenarios

– WCF integration

• Access Control Service

– Goals and scenarios

– Configuration

– Next version (ACS Labs)

Page 3: Service Bus (section divider)

Page 4: Problem

• How to expose a service running on my laptop?

– Attached physical resource

– No control over the local network

• No public address, NAT, firewall denies inbound traffic

[Figure: the laptop service can open outbound connections, but inbound connections are blocked and it has no public address]

Page 5: Intermediary

“All problems in computer science can be solved by another level of indirection”

Butler Lampson

[Figure: both the service and its clients connect outbound to an intermediary, the Service Bus (SB)]

Page 6: Service Remoting

• Service exposed via a public endpoint

• Messages relayed from public (SB) to private endpoint

[Figure: the service listens on the Service Bus through an outbound connection under a public name registered in the Service Bus registry (DNS); the client sends to that public name, also outbound]

Page 7: WCF Architecture

[Figure: two layers. Channel Stack Layer (message processing and communication): Transport, Encoding, Protocol, Protocol. Service Model Layer (messages to instance calls): Dispatcher, Service Instance]

Page 8: WCF and SB

[Figure: the same channel stack (Transport, Encoding, Protocol, Protocol, Dispatcher, Service Instance). Local endpoints use the net.tcp and http transports directly; remote endpoints use the sb and http relay transports through the Service Bus]

Page 9: WCF Architecture (bindings and behaviors)

[Figure: the channel stack is built from a Binding, which is a list of Binding Elements (one per stack layer: Transport, Encoding, Protocol, Protocol); a Relay Binding is such a list with Service Bus binding elements. Behaviors extend the Service Model Layer (Dispatcher, Service Instance)]

Page 10: Binding Elements and Behaviors

• Windows Azure AppFabric SDK

– Microsoft.ServiceBus.dll

• Binding Elements

– Http(s)RelayTransportBindingElement

– TcpRelayTransportBindingElement

– RelayedOnewayTransportBindingElement

• Behaviors (IEndpointBehavior)

– TransportClientEndpointBehavior

– ServiceRegistrySettings

– ConnectionStatusBehavior

Page 11: Relay Bindings

• WebHttpRelayBinding

– HTTP (Web programming model)

– Client interoperability

• BasicHttpRelayBinding and WS2007HttpRelayBinding

– SOAP over HTTP (basic profile | WS-*)

– Client interoperability

• NetTcpRelayBinding

– Similar to NetTcpBinding (request-response and duplex)

• NetOnewayRelayBinding and NetEventRelayBinding

– One-way with buffering and multicast

Page 12: HelloCloud: the service

using System.IO;
using System.ServiceModel;
using System.ServiceModel.Web;

// A single-operation REST-style service: GET on the endpoint root returns
// a JPEG screenshot. ScreenCapturer is a helper not shown on the slides.
[ServiceContract]
public class TheService
{
    [OperationContract, WebGet(UriTemplate = "")]
    public Stream GetScreen()
    {
        var stream = new MemoryStream();
        new ScreenCapturer().GetEncodedBytesInto(stream);
        stream.Seek(0, SeekOrigin.Begin); // rewind so WCF streams the response from the start
        WebOperationContext.Current.OutgoingResponse.ContentType = "image/jpeg";
        return stream;
    }
}

Page 13: HelloCloud: the local endpoint

using System.ServiceModel;
using System.ServiceModel.Web;

// Plain local endpoint: reachable only from the local network.
using (var host = new WebServiceHost(typeof(TheService)))
{
    host.AddServiceEndpoint(
        typeof(TheService),          // contract
        new WebHttpBinding(),        // binding
        "http://gaviao:8080/screen"); // address
    host.Open();
    //...
}

[Figure annotations: Host = WebServiceHost; Endpoint = Contract (TheService) + Binding (WebHttpBinding) + Address (http://gaviao:8080/screen)]

Page 14: HelloCloud: the remote endpoint

using Microsoft.ServiceBus;

// Credentials the host presents to the Service Bus in order to listen.
var sbTransport = new TransportClientEndpointBehavior()
{
    CredentialType = TransportClientCredentialType.SharedSecret
};
sbTransport.Credentials.SharedSecret.IssuerName = "owner";
sbTransport.Credentials.SharedSecret.IssuerSecret = "...";

// Second endpoint on the same host, this time relayed through the Service Bus.
host.AddServiceEndpoint(
    typeof(TheService),
    new WebHttpRelayBinding(
        EndToEndWebHttpSecurityMode.None,      // no transport protection to the relay
        RelayClientAuthenticationType.None),   // senders need no token
    "http://demos-pfelix.servicebus.windows.net/screen")
    .Behaviors.Add(sbTransport);

[Figure annotations: Host = WebServiceHost; Endpoint = Contract (TheService) + Binding (WebHttpRelayBinding) + Address (http://...servicebus...); TransportClientEndpointBehavior = credentials for the SB]
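The relayed endpoint above is opened with EndToEndWebHttpSecurityMode.None and RelayClientAuthenticationType.None, so anyone who learns the public name can call the laptop service, in clear text, without presenting a token. The following is an added example, not the slides' own code, showing the same HelloCloud host (TheService from slide 12) with the relayed endpoint hardened: HTTPS to the relay, and a Service Bus access token with the Send claim required from every sender. The namespace, the issuer name and the appSettings keys are placeholders.

```csharp
using System;
using System.Configuration;        // ConfigurationManager (System.Configuration.dll)
using System.ServiceModel;
using System.ServiceModel.Web;
using Microsoft.ServiceBus;        // Windows Azure AppFabric SDK

class HardenedHelloCloudHost
{
    static void Main()
    {
        // Listener credentials for the Service Bus. Read from configuration
        // (placeholder keys) rather than embedded in source as on the slide.
        var sbTransport = new TransportClientEndpointBehavior
        {
            CredentialType = TransportClientCredentialType.SharedSecret
        };
        sbTransport.Credentials.SharedSecret.IssuerName =
            ConfigurationManager.AppSettings["sbIssuerName"];
        sbTransport.Credentials.SharedSecret.IssuerSecret =
            ConfigurationManager.AppSettings["sbIssuerSecret"];

        // Slide 14 uses (EndToEndWebHttpSecurityMode.None, RelayClientAuthenticationType.None).
        // Transport: callers talk HTTPS to the relay (not end-to-end, see slide 20).
        // RelayAccessToken: the relay only forwards requests that carry an ACS token
        // whose claims grant the Send action; the listener's own token carries Listen.
        var relayBinding = new WebHttpRelayBinding(
            EndToEndWebHttpSecurityMode.Transport,
            RelayClientAuthenticationType.RelayAccessToken);

        // Transport security requires an https address; "your-namespace" is a placeholder.
        Uri address = ServiceBusEnvironment.CreateServiceUri("https", "your-namespace", "screen");

        using (var host = new WebServiceHost(typeof(TheService)))
        {
            // Local endpoint, as on slide 13.
            host.AddServiceEndpoint(typeof(TheService), new WebHttpBinding(), "http://localhost:8080/screen");

            // Relayed endpoint: same contract, relay binding, public address, SB credentials.
            host.AddServiceEndpoint(typeof(TheService), relayBinding, address)
                .Behaviors.Add(sbTransport);

            host.Open();
            Console.WriteLine("Listening locally and on " + address);
            Console.ReadLine();
        }
    }
}
```

With RelayAccessToken, a client must obtain a SWT from ACS (slide 26) and send it on each request; the relay rejects requests without one before they ever reach the laptop, which is what slide 22 means by the Service Bus acting as the DMZ.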

Page 15: WCF Architecture, Again

[Figure: the same channel stack (Transport, Encoding, Protocol, Protocol) and service model layer (Dispatcher, Service Instance), now hosting a WCF Data Service with the Service Bus RelayTransport at the bottom]

class MyDataService : DataService<MyDataModel> { ... }

A Data Service (“Astoria”/OData) exposed via the Service Bus

Page 16: IIS Hosting

• web.config based configuration

• IIS Message Based Activation

– Application is started on the first received message

• Azure AppFabric

– Application must start before the first message

– If not, no SB endpoint is listening

• Server AppFabric

– Auto-Start feature

Page 17: IIS Hosting

[Figure: IIS hosting two applications, each listening on the Service Bus]

Page 18: Eventing (pub-sub)

• Eventing – multicast

– One-way messages

– Multiple listeners

– Message distribution - multicast

[Figure: one sender and several listeners, all connected outbound to the Service Bus, which multicasts each message to every listener]

Page 19: Security

• Transfer protection

– Confidentiality

– Integrity and source authentication

• Access Control

– Send operation

– Listen operation

Page 20: Transfer protection

• Transport-level protection

– SSL/TLS

– HTTPS

– Not end-to-end

• Message-level protection

– WS-Security

Page 21: Message-level Protection

• NetTcpRelayBinding and WSHttpRelayBinding

– Similar message-level security options as the standard bindings

– Service credential – certificate

– Client credential – username, certificate, issued token

• Custom binding

– WCF protocol binding elements

– Service Bus transport binding elements

Page 22: Access Control

• Access Control

– Both “listen” and “send” subject to access control

– Programmable authorization policy

• Isolation – SB is the DMZ

[Figure: ACS issues the tokens that authorize the client's send and the service's listen on the Service Bus]

Page 23: Access Control Service (section divider)

Page 24: Access Control Service

[Figure: identity information from identity providers (LiveID, Google, Facebook, Organizational Directory) flows into ACS, which makes the access control decision according to policy; the relying service (Service Bus or an on-premises service) performs access control enforcement; ACS supports several protocols and token formats]

Page 25: ACS v1

• Token formats

– Identity Provider → ACS: SAML and SWT

– ACS → Service: SWT

– SWT – Simple Web Token

• Protocol

– OAuth WRAP (Web Resource Authorization Protocol)

– HTTP based request-response (no SOAP)

Page 26: WRAP and SWT

• Simple Web Token (SWT) – Form encoded name-value pairs

– HMAC-SHA-256 symmetric signature

• WRAP token request – HTTP POST

– username+password or authentication assertion (e.g. SAML)

• WRAP protected client call – HTTP header (Authorization: WRAP access_token="…")

– GET or POST parameter (wrap_access_token="…")
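The service that receives a WRAP-protected call has to do the ACS → Service half of this slide itself: pull the SWT out of the Authorization header, recompute the HMAC-SHA-256 over the form-encoded pairs with the key it shares with ACS, and only then trust the claims. The following is an added example, not the slides' own code, of that check. It also signs a token so it can run offline; the key, issuer, audience and expiry values are constructed for the example, and the net.windows.servicebus.action claim carries the Listen/Send action from slides 19 and 22.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Text;
using System.Web; // HttpUtility (reference System.Web.dll)

static class SwtDemo
{
    static readonly DateTime Epoch = new DateTime(1970, 1, 1, 0, 0, 0, DateTimeKind.Utc);
    const string SigParam = "&HMACSHA256=";

    // Extracts the token from  Authorization: WRAP access_token="..."  (null if malformed).
    public static string ExtractAccessToken(string authorizationHeader)
    {
        const string prefix = "WRAP access_token=\"";
        if (authorizationHeader == null || !authorizationHeader.StartsWith(prefix, StringComparison.Ordinal)
            || !authorizationHeader.EndsWith("\"", StringComparison.Ordinal)) return null;
        return authorizationHeader.Substring(prefix.Length, authorizationHeader.Length - prefix.Length - 1);
    }

    // Splits the form-encoded name=value pairs; a duplicated name is rejected as ambiguous.
    public static Dictionary<string, string> Parse(string token)
    {
        var claims = new Dictionary<string, string>();
        foreach (var pair in token.Split('&'))
        {
            int eq = pair.IndexOf('=');
            if (eq <= 0) return null;
            string name = HttpUtility.UrlDecode(pair.Substring(0, eq));
            if (claims.ContainsKey(name)) return null;
            claims[name] = HttpUtility.UrlDecode(pair.Substring(eq + 1));
        }
        return claims;
    }

    // Issuer side (what ACS does): HMAC-SHA-256 over the unsigned token, appended as the last pair.
    public static string Sign(string unsignedToken, byte[] key)
    {
        using (var hmac = new HMACSHA256(key))
        {
            byte[] sig = hmac.ComputeHash(Encoding.UTF8.GetBytes(unsignedToken));
            return unsignedToken + SigParam + HttpUtility.UrlEncode(Convert.ToBase64String(sig));
        }
    }

    // Service side: signature first, then issuer, audience and expiry. Returns the claims
    // only when every check passes, null otherwise.
    public static Dictionary<string, string> Validate(string token, byte[] key,
        string expectedIssuer, string expectedAudience, DateTime nowUtc)
    {
        if (token == null) return null;
        int sigStart = token.LastIndexOf(SigParam, StringComparison.Ordinal);
        if (sigStart < 0) return null;
        byte[] presented;
        try { presented = Convert.FromBase64String(HttpUtility.UrlDecode(token.Substring(sigStart + SigParam.Length))); }
        catch (FormatException) { return null; }
        byte[] expected;
        using (var hmac = new HMACSHA256(key))
            expected = hmac.ComputeHash(Encoding.UTF8.GetBytes(token.Substring(0, sigStart)));
        if (!FixedTimeEquals(expected, presented)) return null; // no early exit on first differing byte

        var claims = Parse(token);
        if (claims == null) return null;
        string issuer, audience, expiresOn; long exp;
        if (!claims.TryGetValue("Issuer", out issuer) || issuer != expectedIssuer) return null;
        if (!claims.TryGetValue("Audience", out audience) || audience != expectedAudience) return null;
        if (!claims.TryGetValue("ExpiresOn", out expiresOn) || !long.TryParse(expiresOn, out exp)) return null;
        if (exp <= (long)(nowUtc - Epoch).TotalSeconds) return null;
        return claims;
    }

    static bool FixedTimeEquals(byte[] a, byte[] b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }

    static void Main()
    {
        // Constructed key and names; in ACS the issuer key is configured per scope (slide 28).
        byte[] key = Encoding.UTF8.GetBytes("constructed-demo-key-for-this-example");
        const string issuer = "https://demo-namespace.accesscontrol.windows.net/";   // placeholder
        const string audience = "http://demo-namespace.servicebus.windows.net/screen"; // placeholder
        long exp = (long)(DateTime.UtcNow - Epoch).TotalSeconds + 600;
        string unsigned = "Issuer=" + HttpUtility.UrlEncode(issuer) + "&Audience=" + HttpUtility.UrlEncode(audience)
            + "&ExpiresOn=" + exp + "&net.windows.servicebus.action=Listen";
        string header = "WRAP access_token=\"" + Sign(unsigned, key) + "\"";

        var claims = Validate(ExtractAccessToken(header), key, issuer, audience, DateTime.UtcNow);
        Console.WriteLine(claims != null ? "valid, action=" + claims["net.windows.servicebus.action"] : "rejected");

        // Claims changed after signing: the HMAC no longer matches, so the token is rejected.
        string tampered = Sign(unsigned, key).Replace("action=Listen", "action=Send");
        Console.WriteLine(Validate(tampered, key, issuer, audience, DateTime.UtcNow) == null ? "tampered token rejected" : "accepted?!");
    }
}
```

The order matters: the signature is checked before any claim is read, so an unsigned or forged token never influences the issuer, audience or expiry comparison, and the byte-wise comparison runs to the end regardless of where the first mismatch is.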

Page 27: Scenario

[Figure (recoverable labels): Alice, in the LeadDev role, authenticates with username + password to a Membership-backed STS built on WIF (WS-Trust) and receives a SAML token; that token is presented to the Access Control Service over WRAP and exchanged for a SWT; the SWT authorizes the Listen operation on the Service Bus, where WIF is used again]

Page 28: Configuration

[Figure (recoverable labels): ACS configuration consists of Issuers (symmetric key or X.509 certificate), a Scope with its Applies To (the target service), and Rules that map issuer claims to service claims, e.g. granting Listen]

Page 29: ACS vNext

• Token Formats: SWT and SAML

• Protocols

– WS-Federation (passive)

– WS-Trust (active, SOAP)

– OAuth (active, HTTP)

• Identity Providers

– Google

– Facebook

– LiveID

Page 30: Scenario (vNext)

[Figure: ACS labs: an ASP.NET Web App using WIF federates through ACS to Google and Facebook as identity providers]

Page 31: Q&A