Building applications that combine WCF, WF and CardSpace in the .NET Framework 3.5
Gaëtan Holderbeke, Xavier Pellegrino
Session Objectives & Prerequisites
Objectives
• WCF & WF Overview
• Messaging using Workflow Services
• Identity Metasystem
• Securing WCF with CardSpace
Prerequisites
• Experience with either WF or WCF in .NET 3.0
• Application security basics
• Some experience with the other
Agenda
Introduction to:
• WCF
• WF
Better Together:
• Workflow Services
• Service Communications
Identity Metasystem:
• CardSpace
• STS
{WCF}
Rhetorical Question
WHAT IS A SERVICE?
Some functionality exposed via a structured messaging scheme…
Windows Communication Foundation
The Swiss-Army Chainsaw of service platforms
Unified programming model
Great manageability features: tracing, message logging, threading controls, DoS remediation, WMI integration, configurability, etc.
Introduced in .NET 3.0, enhanced in .NET 3.5
Clients, Services & Endpoints
[Diagram: a Client sends a Message to a Service; each side exposes one or more Endpoints. Every Endpoint is an "ABC" triple:]
• Address: Where?
• Binding: How?
• Contract: What?
WCF Gross Anatomy

Configuration (Address, Binding, Contract):

<service>
  <endpoint name="MyService"
            address="http://MyServer:6666/MyService"
            binding="basicHttpBinding"
            contract="IMyInterface"/>
</service>

Service Contract Definition:

[ServiceContract]
public interface IMyInterface
{
    [OperationContract]
    void MyMethod(String arg);
}

Service Type:

[ServiceBehavior(InstanceContextMode = InstanceContextMode.Single)]
public class MyService : IMyInterface
{
    public void MyMethod(String arg) { … }
}
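The same anatomy assembled in code instead of App.config, as an added example that is not from the deck: the contract and service type follow the slide (MyMethod is given a string return value so the call shows a result), the endpoint is built from its Address, Binding and Contract on a self-hosted ServiceHost, and a client is created against the same contract. The localhost address is a placeholder.

```csharp
using System;
using System.ServiceModel;

// Contract (What?) - as on the slide, with a return value added for the demo
[ServiceContract]
public interface IMyInterface
{
    [OperationContract]
    string MyMethod(string arg);
}

// Service type - one instance serves all callers
[ServiceBehavior(InstanceContextMode = InstanceContextMode.Single)]
public class MyService : IMyInterface
{
    public string MyMethod(string arg) => "echo: " + arg;
}

public static class Program
{
    public static void Main()
    {
        // Address (Where?) - placeholder host and port
        var baseAddress = new Uri("http://localhost:6666/MyService");

        // Binding (How?) - basicHttpBinding as on the slide. Its default security
        // mode is None (clear text, no authentication); outside a lab use
        // BasicHttpSecurityMode.Transport with an https address.
        var binding = new BasicHttpBinding(BasicHttpSecurityMode.None);

        using (var host = new ServiceHost(typeof(MyService), baseAddress))
        {
            // Endpoint = Address + Binding + Contract
            host.AddServiceEndpoint(typeof(IMyInterface), binding, "");
            host.Open();

            // Client side: a channel to the same endpoint, typed by the contract
            var factory = new ChannelFactory<IMyInterface>(binding, new EndpointAddress(baseAddress));
            IMyInterface proxy = factory.CreateChannel();
            Console.WriteLine(proxy.MyMethod("hello"));
            ((IClientChannel)proxy).Close();
            factory.Close();
        }
    }
}
```

Because the binding carries the security settings, it is the first thing to check when reviewing a WCF endpoint: the contract and address say nothing about whether messages are protected.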
{WF}
Windows Workflow Foundation
What is Workflow?
What’s the value of Workflow?
Workflow is the organization of work
Long Running Logic
Flexibility
Transparency
Visual Studio Designer
[Diagram: a Workflow composed of Activities, as shown in the Visual Studio Designer]
Workflow Services: Approaches
Service implemented as Workflow
• Leverage Workflow development experience
• Allows long-running, durable Services
Workflow hosted as Service
• ServiceContract provides typed interface for integrating with the Workflow
• Messages enforce by-value, serializable data
• Workflows can be message-activated
{DEMO} Workflow Services
Workflow Services Architecture
[Diagram: the standard WCF stack beside its Workflow Services counterpart]
Standard WCF stack (Service.cs, App.config):
• ServiceHost: ServiceDescription, ServiceBehavior, OperationBehavior
• Service Runtime: OperationInvoker, OperationSelector, InstanceProvider, MessageInspector, ListenerChannel
• Service Instance: Operation 1, Operation 2
Workflow Services stack (Workflow.cs or Workflow.xoml, App.config, Workflow Runtime, WF Persistence DB):
• ServiceHost: WorkflowServiceBehavior, WorkflowOperationBehavior
• Service Runtime: WorkflowOperationInvoker, DurableInstanceProvider, MessageContextInspector, ContextChannel
• Workflow Instance: ReceiveActivity 1, ReceiveActivity 2
Context Exchange
A transport-level model for exchanging context will not work for a long-running process
Manage it at the application or process layer
Both parties need to agree upon a protocol to exchange context
Context Exchange Protocol
[Diagram: Client (Send, Send) and Service (Receive, Receive), with a Non-WF Client below]
1. Client sends "op x params" with no context
2. Service replies with "op x response" carrying {instanceId}
3. Client stores the {instanceId} in a context repository (your choice)
4. Client sends "op y params" carrying {instanceId}
5. Service replies with "op y response" carrying {instanceId}
A Non-WF Client follows the same exchange: "op y params" {instanceId} in, "op y response" {instanceId} back.
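The client half of this protocol in WCF terms, as an added example that is not code from the deck: the first call goes out without context, the instanceId the service returns is read from the channel's IContextManager and saved in the client's own repository, and a later call from a brand-new channel re-applies it before it opens. IOrderService, its two operations, the in-memory repository and the localhost address are assumptions; the server is assumed to be a Workflow Service exposed over BasicHttpContextBinding.

```csharp
using System;
using System.Collections.Generic;
using System.ServiceModel;
using System.ServiceModel.Channels;

// Assumed contract: StartOrder is "op x" (creates the workflow instance),
// AddItem is "op y" (continues the same instance).
[ServiceContract]
public interface IOrderService
{
    [OperationContract] string StartOrder(string customer);
    [OperationContract] string AddItem(string sku);
}

// The "context repository (your choice)" from the slide; in-memory here,
// durable storage in a real long-running client.
public class ContextRepository
{
    readonly Dictionary<string, IDictionary<string, string>> store =
        new Dictionary<string, IDictionary<string, string>>();

    public void Save(string key, IDictionary<string, string> ctx)
        => store[key] = new Dictionary<string, string>(ctx);

    public bool TryLoad(string key, out IDictionary<string, string> ctx)
        => store.TryGetValue(key, out ctx);
}

public static class ContextClient
{
    static readonly Binding binding = new BasicHttpContextBinding();
    static readonly EndpointAddress address =
        new EndpointAddress("http://localhost:8000/OrderService"); // placeholder

    // Create a proxy; if a saved context is supplied, apply it before the
    // channel opens, which is the only point at which SetContext is allowed.
    static IOrderService Open(IDictionary<string, string> ctx)
    {
        var factory = new ChannelFactory<IOrderService>(binding, address);
        IOrderService proxy = factory.CreateChannel();
        if (ctx != null)
            ((IClientChannel)proxy).GetProperty<IContextManager>().SetContext(ctx);
        return proxy;
    }

    public static void Run(ContextRepository repo)
    {
        // op x: no context yet, so the service mints a new workflow instance
        IOrderService p1 = Open(null);
        Console.WriteLine(p1.StartOrder("alice"));

        // The reply carried the context; it contains the "instanceId" key
        IDictionary<string, string> ctx =
            ((IClientChannel)p1).GetProperty<IContextManager>().GetContext();
        repo.Save("order-alice", ctx);
        ((IClientChannel)p1).Close();

        // Much later, possibly after a restart: new channel, same instance
        IDictionary<string, string> saved;
        if (repo.TryLoad("order-alice", out saved))
        {
            IOrderService p2 = Open(saved);
            Console.WriteLine(p2.AddItem("SKU-1"));
            ((IClientChannel)p2).Close();
        }
    }

    public static void Main() => Run(new ContextRepository());
}
```

The instanceId is the only thing that ties a later message to the right durable workflow, so the repository holding it deserves the same protection as a session identifier: whoever can read or substitute it speaks for that conversation.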
Duplex Communication
Cannot rely on a duplex channel
Model this via two contracts (inside two WorkflowServiceHosts)
Explicitly provide the "client" context in the initiating message to the "server"
Duplex Message Flow
[Diagram: Client (SendRequest, Send, Send, Send, ReceiveResponse) and Service (Receive, ReceiveRequest, Receive, Receive, Send); message names and context annotations as on the slide]
1. Client, SendRequest: BeginWorkflow {no context}, Body includes the ClientId
2. Service, Receive: replies with {ServiceId}
3. Client, Send: BeginWorkItem {ServiceId} Body
4. Client, Send: ContinueWorkItem {ServiceId} Body
5. Client, Send: CompleteWorkItem {ServiceId} Body
6. Service, Send: WorkItemComplete {ClientId} Body
7. Client, ReceiveResponse
{EXAMPLE} Duplex Messaging
{IDENTITY}
Identity on the Internet Today
Passwords
• Not a secure option with today's computing power
• Too easy to attack; long passwords are hard to remember
• We need stronger options!
Identity silos
• How many user accounts do you have on the web?
• Each requires its own password or other credential
• Expensive and painful to manage
Today's "solution"
• Most users have one password they use everywhere!
Information Card: From the user's perspective
Data about myself
• Name, phone, address…
Data about a relationship with some entity
• Frequent Flyer -> Airline
• Credit card holder -> Bank
• Citizen of X -> Government
I may have to "do" something to use the card
• Insert smartcard
• Be on my company's network
Perception: I send this card so that the service provider will recognize me and use the information I disclose.
Information Card: From the computer's perspective
Token Format
• SAML, Kerberos…
STS Information
• Address
• Metadata
• Policy
Authentication factor type & hints
• Thumbprint for certificates
• Card ID for self-issued cards
A card represents the ability to obtain a token of a certain format, containing certain claims, by requesting it from a certain STS following a certain policy.
A Token
[Diagram: a claims collection (ClaimName1: Value1, …, ClaimNamen: Valuen), the issuer's signature [S] with optional key material, the whole encrypted [E] for the intended audience]
• Claims collection: ClaimName1: Value1 … ClaimNamen: Valuen
• S: Issuer's signature, [optional] key material
• E: Encryption for the intended audience
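What the S and E boxes mean to the relying party, as an added illustration that is not from the deck and not a real SAML or WS-Trust token: the claims are serialized, signed by the STS (S) and sealed for the audience (E); the website then decrypts, verifies the signature against the STS key it trusts, checks that it is the intended audience, and only then exposes the claims. Plain RSA and AES-GCM stand in for the token format (an assumption, for modern .NET), the claim names and audience URL are constructed, and claim values are assumed to contain no newlines.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Cryptography;
using System.Text;

public sealed class SealedToken
{
    public byte[] WrappedKey;   // AES key encrypted with the audience's RSA public key (E)
    public byte[] Nonce;
    public byte[] Ciphertext;   // AES-GCM over (claims payload || issuer signature)
    public byte[] Tag;
}

public static class TokenDemo
{
    const int SigLen = 256; // 2048-bit RSA PKCS#1 v1.5 signature, in bytes

    // Canonical form: audience first, then claims sorted by name (constructed format)
    static byte[] Serialize(string audience, IDictionary<string, string> claims)
    {
        var sb = new StringBuilder().Append("audience=").Append(audience).Append('\n');
        foreach (var kv in claims.OrderBy(k => k.Key, StringComparer.Ordinal))
            sb.Append(kv.Key).Append('=').Append(kv.Value).Append('\n');
        return Encoding.UTF8.GetBytes(sb.ToString());
    }

    // STS side: sign the claims (S), then encrypt for the audience (E)
    public static SealedToken Issue(RSA issuer, RSA audiencePublic, string audience,
                                   IDictionary<string, string> claims)
    {
        byte[] payload = Serialize(audience, claims);
        byte[] sig = issuer.SignData(payload, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
        byte[] plain = payload.Concat(sig).ToArray();

        byte[] aesKey = RandomNumberGenerator.GetBytes(32);
        var t = new SealedToken
        {
            Nonce = RandomNumberGenerator.GetBytes(12),
            Ciphertext = new byte[plain.Length],
            Tag = new byte[16]
        };
        using (var gcm = new AesGcm(aesKey))
            gcm.Encrypt(t.Nonce, plain, t.Ciphertext, t.Tag);
        t.WrappedKey = audiencePublic.Encrypt(aesKey, RSAEncryptionPadding.OaepSHA256);
        return t;
    }

    // Relying-party side: decrypt, verify the STS signature, confirm the audience,
    // and only then hand the claims to the application
    public static IDictionary<string, string> Accept(SealedToken t, RSA audiencePrivate,
                                                     RSA trustedIssuer, string expectedAudience)
    {
        byte[] aesKey = audiencePrivate.Decrypt(t.WrappedKey, RSAEncryptionPadding.OaepSHA256);
        byte[] plain = new byte[t.Ciphertext.Length];
        using (var gcm = new AesGcm(aesKey))
            gcm.Decrypt(t.Nonce, t.Ciphertext, t.Tag, plain); // throws if tampered

        if (plain.Length <= SigLen) throw new CryptographicException("token too short");
        byte[] payload = plain.Take(plain.Length - SigLen).ToArray();
        byte[] sig = plain.Skip(plain.Length - SigLen).ToArray();
        if (!trustedIssuer.VerifyData(payload, sig, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1))
            throw new CryptographicException("signature is not from the trusted STS");

        var fields = Encoding.UTF8.GetString(payload)
            .Split('\n', StringSplitOptions.RemoveEmptyEntries)
            .Select(l => l.Split('=', 2))
            .ToDictionary(p => p[0], p => p[1]);
        if (fields["audience"] != expectedAudience)
            throw new CryptographicException("token was issued to a different audience");
        fields.Remove("audience");
        return fields;
    }

    public static void Main()
    {
        using var sts = RSA.Create(2048);     // the STS signing key
        using var website = RSA.Create(2048); // the relying party's key pair
        var claims = new Dictionary<string, string> { { "Name", "Alice" }, { "FrequentFlyer", "Gold" } };

        SealedToken token = Issue(sts, website, "https://rp.example", claims);
        foreach (var c in Accept(token, website, sts, "https://rp.example"))
            Console.WriteLine(c.Key + ": " + c.Value);

        // The same token presented to a different audience is rejected
        try { Accept(token, website, sts, "https://other.example"); }
        catch (CryptographicException e) { Console.WriteLine("rejected: " + e.Message); }
    }
}
```

The order of the checks is the point: decryption proves the token was meant to be readable by this party, the signature proves who asserted the claims, and the audience check stops a token issued for one website being replayed at another. Skipping any one of them turns the claims into unverified input.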
Windows CardSpace
Windows CardSpace is an identity selector for the metasystem
• Represents digital identities graphically
• Gets the user more highly involved in authentication
• Designed to be difficult to spoof (helps mitigate phishing attacks)
Makes identity feel real
• Each identity represented as a card
{DEMO}
Externalizing Authentication
Embedding identity management code in the app codebase is a Bad Idea
• Competence
• Maintenance
• Robustness/Flexibility
The technical details of authentication should be abstracted away from the application developer
[Diagram: S+S trust topology. The User's PC, Identity Providers (IP), Resource STSs (R-STS) and Resources are linked by Trust relationships]
Identity Flow
[Diagram: User's PC (Cards Store, Identity Selector), Website (Token Policy), Identity Provider (STS, Identities Store); SAML tokens flow between them]
1. Get Login Page
2. Read Policies
3. Pass Policies to Identity Selector; filter the list based on policies
4. Pass card to STS
5. The IP authenticates the RST…
6. If successful, it builds & signs the requested token
7. The IP sends back the token
8. The application posts the token to the website
9. The website authenticates the token
{DEMO}
Zermatt
Framework for implementing claims-based identity in your applications
Set of .NET Framework 3.5 classes
• Federated Authentication HttpModule
• IIdentity -> IClaimsIdentity
• IPrincipal -> IClaimsPrincipal
• Information Card Design Control
• Passive Sign In Design Control
Still Beta…
SUMMARY
WCF provides numerous extension points and configuration parameters
Workflow Services provide a natural way to build services. With an understanding of context, advanced communication patterns can be implemented across many parties.
Identity Management Frameworks provide great opportunities to drive security implementations targeting the future of software architecture.
Related Content
• Community site, samples, news
  • http://cardspace.nefx3.com
  • www.dinnernow.net
• MSDN Forum
  • http://forums.microsoft.com/MSDN/ShowForum.aspx?ForumID=784&SiteID=1
• MSDN Home Page
  • http://msdn.microsoft.com/identity
Any questions ?
Feel Free to meet during the break
Or contact us:
[email protected]@pragmaconsult.lu
www.pragmaconsult.lu
© 2007 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.