Aspects of Using Windows Azure AppFabric
pedrofelix at cc.isel.ipl.pt
• Service Bus
– Goals and scenarios
– WCF integration
• Access Control Service
– Goals and scenarios
– Configuration
– Next version (ACS Labs)
Outline
SERVICE BUS
• How to expose a service running on my laptop?
– Attached physical resource
– No control over the local network
• No public address, NAT, firewall denies inbound traffic
Problem
(Diagram: outbound traffic leaves the local network, inbound traffic is blocked; which address should a client use?)
“All problems in computer science can be solved by another level of indirection”
Butler Lampson
Intermediary
(Diagram: both the service and the client reach the Service Bus (SB) over outbound connections)
• Service exposed via a public endpoint
• Messages relayed from public (SB) to private endpoint
Service Remoting
(Diagram: the client sends and the service listens, each through an outbound connection to the Service Bus; the service is reached by a public name kept in the Service Bus Registry, much as DNS resolves names)
WCF Architecture
(Diagram: the WCF stack. Channel Stack Layer, responsible for message processing and communication: Transport, Encoding, Protocol, Protocol. Service Model Layer, which turns messages into instance calls: Dispatcher, Service Instance)
WCF and SB
(Diagram: the same stack with the Service Bus as a transport. Local endpoints use the net.tcp and http transports; remote endpoints use the sb and http relay transports that connect to the Service Bus. Encoding, Protocol, Dispatcher and Service Instance are unchanged)
WCF Architecture
(Diagram: the same stack, with each channel-stack layer provided by a Binding Element; the Binding Elements are grouped into a Binding, here a Relay Binding, and the service model is extended through Behaviors)
• Windows Azure AppFabric SDK
– Microsoft.ServiceBus.dll
• Binding Elements
– Http(s)RelayTransportBindingElement
– TcpRelayTransportBindingElement
– RelayedOnewayTransportBindingElement
• Behaviors (IEndpointBehavior)
– TransportClientEndpointBehavior
– ServiceRegistrySettings
– ConnectionStatusBehavior
Binding Elements and Behaviors
• WebHttpRelayBinding
– HTTP (Web programming model)
– Client interoperability
• BasicHttpRelayBinding and WS2007HttpRelayBinding
– SOAP over HTTP (basic profile | WS-*)
– Client interoperability
• NetTcpRelayBinding
– Similar to NetTcpBinding (request-response and duplex)
• NetOnewayRelayBinding and NetEventRelayBinding
– One-way with buffering and multicast
Relay Bindings
HelloCloud: the service
using System.IO;
using System.ServiceModel;
using System.ServiceModel.Web;

[ServiceContract]
public class TheService
{
    // GET on the endpoint's base address returns a JPEG of the current screen
    [OperationContract, WebGet(UriTemplate = "")]
    public Stream GetScreen()
    {
        var stream = new MemoryStream();
        new ScreenCapturer().GetEncodedBytesInto(stream); // demo helper
        stream.Seek(0, SeekOrigin.Begin);
        WebOperationContext.Current.OutgoingResponse.ContentType = "image/jpeg";
        return stream;
    }
}
HelloCloud: the local endpoint
using (var host = new WebServiceHost(typeof(TheService)))
{
    // local endpoint: plain WebHttpBinding on a LAN address
    host.AddServiceEndpoint(
        typeof(TheService),
        new WebHttpBinding(),
        "http://gaviao:8080/screen");
    host.Open();
    //...
}
(Diagram: the Host holds an Endpoint whose Contract is TheService, whose address is http://gaviao:8080/screen and whose binding is WebHttpBinding)
HelloCloud: the remote endpoint
// credentials the host presents to the Service Bus (shared secret of the "owner" issuer)
var sbTransport = new TransportClientEndpointBehavior()
{
    CredentialType = TransportClientCredentialType.SharedSecret
};
sbTransport.Credentials.SharedSecret.IssuerName = "owner";
sbTransport.Credentials.SharedSecret.IssuerSecret = "...";

// remote endpoint: same contract and host, relay binding, public Service Bus address
host.AddServiceEndpoint(
    typeof(TheService),
    new WebHttpRelayBinding(
        EndToEndWebHttpSecurityMode.None,
        RelayClientAuthenticationType.None),
    "http://demos-pfelix.servicebus.windows.net/screen")
    .Behaviors.Add(sbTransport);
(Diagram: the same Host gains a second Endpoint with the same Contract, an address under http://...servicebus..., the WebHttpRelayBinding, and the credentials for the SB attached as a behavior)
WCF Architecture, Again
(Diagram: the WCF stack once more (Transport, Encoding, Protocol, Protocol, Dispatcher, Service Instance). The Service Instance is a WCF Data Service, class MyDataService : DataService<MyDataModel>{...}, and the Transport is the RelayTransport connected to the Service Bus: a Data Service (“Astoria”/OData) exposed via the Service Bus)
• web.config based configuration
• IIS Message Based Activation
– Application is started on the first received message
• Azure AppFabric
– Application must start before the first message
– If not, no SB endpoint is listening
• Server AppFabric
– Auto-Start feature
IIS Hosting
IIS Hosting
(Diagram: the Service Bus relaying messages to applications hosted in IIS)
• Eventing – multicast
– One-way messages
– Multiple listeners
– Message distribution - multicast
Eventing (pub-sub)
(Diagram: one sender and several listeners, each connected outbound to the Service Bus, which distributes the one-way messages)
• Transfer protection
– Confidentiality
– Integrity and source authentication
• Access Control
– Send operation
– Listen operation
Security
• Transport-level protection
– SSL/TLS
– HTTPS
– Not end-to-end
• Message-level protection
– WS-Security
Transfer protection
• NetTcpRelayBinding and WSHttpRelayBinding
– Similar message-level security options as the standard bindings
– Service credential – certificate
– Client credential – username, certificate, issued token
• Custom binding
– WCF protocol binding elements
– Service Bus transport binding elements
Message-level Protection
• Access Control
– Both “listen” and “send” subject to access control
– Programmable authorization policy
• Isolation – SB is the DMZ
Access Control
(Diagram: ACS mediates both the send and the listen operations on the Service Bus)
ACCESS CONTROL SERVICE
Access Control Service
(Diagram: Identity Information from the Service Bus, LiveID, Google or an Organizational Directory reaches ACS, which takes the Access Control Decision according to Policy; Access Control Enforcement happens at the On-premises Service. Labels: Protocols, Token Formats)
• Token formats
– Identity Provider → ACS: SAML and SWT
– ACS → Service: SWT
– SWT – Simple Web Token
• Protocol
– OAuth WRAP (Web Resource Authorization Protocol)
– HTTP based request-response (no SOAP)
ACS v1
• Simple Web Token (SWT) – Form encoded name-value pairs
– HMAC-SHA-256 symmetric signature
• WRAP token request – HTTP POST
– username+password or authentication assertion (e.g. SAML)
• WRAP protected client call – HTTP header (Authorization: WRAP access_token="…")
– GET or POST parameter (wrap_access_token="…")
WRAP and SWT
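The SWT format and the WRAP Authorization header described above, as an added example that is not part of the original deck: it signs form-encoded claims with HMAC-SHA-256, verifies signature, Issuer, Audience and ExpiresOn on the receiving side, and extracts the token from the header. The key, the issuer/audience URLs and the net.windows.servicebus.action claim name are assumptions.

```python
import base64
import hashlib
import hmac
import time
from urllib.parse import parse_qsl, urlencode

# Constructed demo signing key, base64 as ACS presents it (not a real key).
DEMO_KEY_B64 = base64.b64encode(b"constructed-demo-signing-key-32b").decode()


def sign_swt(claims, key_b64):
    """Build an SWT: form-encoded name=value pairs plus a trailing HMACSHA256 pair."""
    body = urlencode(claims)
    mac = hmac.new(base64.b64decode(key_b64), body.encode("ascii"), hashlib.sha256).digest()
    return body + "&" + urlencode({"HMACSHA256": base64.b64encode(mac).decode()})


def verify_swt(token, key_b64, issuer, audience, now=None):
    """Return the claims if signature, Issuer, Audience and ExpiresOn check out, else None."""
    idx = token.rfind("&HMACSHA256=")
    if idx < 0:
        return None
    body, sig_pair = token[:idx], token[idx + 1:]
    presented = dict(parse_qsl(sig_pair)).get("HMACSHA256", "")
    mac = hmac.new(base64.b64decode(key_b64), body.encode("ascii"), hashlib.sha256).digest()
    # Signature first: the claims are untrusted until the HMAC over the raw body matches.
    if not hmac.compare_digest(presented.encode("utf-8"), base64.b64encode(mac)):
        return None
    claims = dict(parse_qsl(body))
    if claims.get("Issuer") != issuer or claims.get("Audience") != audience:
        return None
    if int(claims.get("ExpiresOn", "0")) <= (time.time() if now is None else now):
        return None
    return claims


def token_from_wrap_header(header_value):
    """Pull the token out of an 'Authorization: WRAP access_token="..."' header value."""
    scheme, _, rest = header_value.strip().partition(" ")
    name, _, value = rest.partition("=")
    if scheme != "WRAP" or name.strip() != "access_token":
        return None
    return value.strip().strip('"')


# Constructed claims for a Listen on a Service Bus endpoint (action claim name assumed).
DEMO_ISSUER = "https://demos-pfelix.accesscontrol.windows.net/"
DEMO_AUDIENCE = "http://demos-pfelix.servicebus.windows.net/screen"
DEMO_CLAIMS = {"Issuer": DEMO_ISSUER, "Audience": DEMO_AUDIENCE,
               "ExpiresOn": "2000000000", "net.windows.servicebus.action": "Listen"}
```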
Scenario
(Diagram: Alice, in the LeadDev role, authenticates with username + password against a Membership store through WIF and WS-Trust and receives a SAML token; she presents it to the Access Control Service over WRAP and gets back an SWT, which she uses to Listen on the Service Bus)
(Diagram, ACS configuration: Issuers identified by a Symmetric Key or an X.509 Certificate; a Scope with its Applies To address; Rules mapping Issuer Claims to Service Claims, e.g. Listen)
• Token Formats: SWT and SAML
• Protocols
– WS-Federation (passive)
– WS-Trust (active, SOAP)
– OAuth (active, HTTP)
• Identity Providers
– LiveID
ACS vNext
Scenario (vNext)
(Diagram: ACS labs scenario with an ASP.NET Web App using WIF)
Q&A