Aspects of Using Windows Azure AppFabric
2010-10-15
pedrofelix at cc.isel.ipl.pt

Outline
• Service Bus
  – Goals and scenarios
  – WCF integration
• Access Control Service
  – Goals and scenarios
  – Configuration
  – Next version (ACS Labs)

SERVICE BUS

Problem
• How to expose a service running on my laptop?
  – Attached physical resource
  – No control over the local network
    • No public address, NAT, firewall denies inbound traffic
[Diagram labels: outbound, inbound, address?]

Intermediary
“All problems in computer science can be solved by another level of indirection”
Butler Lampson
[Diagram labels: outbound, outbound, SB]

Service Remoting
• Service exposed via a public endpoint
• Messages relayed from public (SB) to private endpoint
[Diagram labels: outbound, Service Bus, outbound; public name, Registry, DNS; sends, listens]

WCF Architecture
[Diagram: Service Model Layer (Dispatcher, Service Instance): messages to instance calls. Channel Stack Layer (Protocol, Protocol, Encoding, Transport): message processing and communication.]

WCF and SB
[Diagram labels: Transport, Encoding, Protocol, Protocol, Dispatcher, Service Instance, Service Bus; local endpoints and remote endpoints; schemes net.tcp, http, sb, http]

WCF Architecture
[Diagram: the WCF Architecture layers (Transport, Encoding, Protocol, Protocol, Dispatcher, Service Instance; Service Model Layer, Channel Stack Layer) annotated with Binding Element, Binding, Relay Binding and Behaviors]

Binding Elements and Behaviors
• Windows Azure AppFabric SDK
  – Microsoft.ServiceBus.dll
• Binding Elements
  – Http(s)RelayTransportBindingElement
  – TcpRelayTransportBindingElement
  – RelayedOnewayTransportBindingElement
• Behaviors (IEndpointBehavior)
  – TransportClientEndpointBehavior
  – ServiceRegistrySettings
  – ConnectionStatusBehavior

Relay Bindings
• WebHttpRelayBinding
  – HTTP (Web programming model)
  – Client interoperability
• BasicHttpRelayBinding and WS2007HttpRelayBinding
  – SOAP over HTTP (basic profile | WS-*)
  – Client interoperability
• NetTcpRelayBinding
  – Similar to NetTcpBinding (request-response and duplex)
• NetOnewayRelayBinding and NetEventRelayBinding
  – One-way with buffering and multicast

HelloCloud: the service

    using System.IO;
    using System.ServiceModel;
    using System.ServiceModel.Web;

    [ServiceContract]
    class TheService{
        // Returns a JPEG screenshot of the hosting machine on HTTP GET.
        [OperationContract, WebGet(UriTemplate="")]
        Stream GetScreen(){
            var stream = new MemoryStream();
            // ScreenCapturer is the presenter's helper class (not shown on the slides).
            new ScreenCapturer().GetEncodedBytesInto(stream);
            stream.Seek(0, SeekOrigin.Begin);
            WebOperationContext.Current.OutgoingResponse.ContentType = "image/jpeg";
            return stream;
        }
    }

HelloCloud: the local endpoint

    // Host
    using (var host = new WebServiceHost(typeof(TheService))){
        // Endpoint
        host.AddServiceEndpoint(
            typeof(TheService),               // Contract
            new WebHttpBinding(),             // WebHttpBinding
            "http://gaviao:8080/screen");     // local address
        host.Open();
        //...
    }

HelloCloud: the remote endpoint

    // Credentials for the SB
    var sbTransport = new TransportClientEndpointBehavior() {
        CredentialType = TransportClientCredentialType.SharedSecret
    };
    sbTransport.Credentials.SharedSecret.IssuerName = "owner";
    sbTransport.Credentials.SharedSecret.IssuerSecret = "...";
    // Endpoint added to the same host as the local endpoint
    host.AddServiceEndpoint(
        typeof(TheService),                        // Contract
        new WebHttpRelayBinding(                   // WebHttpRelayBinding
            EndToEndWebHttpSecurityMode.None,      // no transport security (plain HTTP)
            RelayClientAuthenticationType.None),   // relay does not require a client token
        "http://demos-pfelix.servicebus.windows.net/screen")
        .Behaviors.Add(sbTransport);

WCF Architecture, Again
A Data Service (“Astoria”/OData) exposed via the Service Bus

    class MyDataService : DataService<MyDataModel>{...}

[Diagram labels: Transport, Encoding, Protocol, Protocol, Dispatcher, Service Instance; Service Model Layer, Channel Stack Layer; WCF Data Service; RelayTransport; Service Bus]

IIS Hosting
• web.config based configuration
• IIS Message Based Activation
  – Application is started on the first received message
• Azure AppFabric
  – Application must start before the first message
  – If not, no SB endpoint is listening
• Server AppFabric
  – Auto-Start feature

IIS Hosting
[Diagram labels: Service Bus, IIS, App, App]

Eventing (pub-sub)
• Eventing – multicast
  – One-way messages
  – Multiple listeners
  – Message distribution – multicast
[Diagram labels: outbound, Service Bus, outbound, outbound; sends, listens, listens]

Security
• Transfer protection
  – Confidentiality
  – Integrity and source authentication
• Access Control
  – Send operation
  – Listen operation

Transfer protection
• Transport-level protection
  – SSL/TLS
  – HTTPS
  – Not end-to-end
• Message-level protection
  – WS-Security

Message-level Protection
• NetTcpRelayBinding and WSHttpRelayBinding
  – Similar message-level security options as the standard bindings
  – Service credential – certificate
  – Client credential – username, certificate, issued token
• Custom binding
  – WCF protocol binding elements
  – Service Bus transport binding elements

Access Control
• Access Control
  – Both “listen” and “send” subject to access control
  – Programmable authorization policy
• Isolation – SB is the DMZ
[Diagram labels: ACS, sends, listens]

ACCESS CONTROL SERVICE

Access Control Service
[Diagram labels: Service Bus, LiveID, Google, Organizational Directory, On-premises Service; Access Control Enforcement, Access Control Decision, Identity Information, Policy; ACS; Protocols, Token Formats]

ACS v1
• Token formats
  – Identity Provider → ACS: SAML and SWT
  – ACS → Service: SWT
  – SWT – Simple Web Token
• Protocol
  – OAuth WRAP (Web Resource Authorization Protocol)
  – HTTP based request-response (no SOAP)

WRAP and SWT
• Simple Web Token (SWT)
  – Form-encoded name-value pairs
  – HMAC-SHA-256 symmetric signature
• WRAP token request
  – HTTP POST
  – username + password or authentication assertion (e.g. SAML)
• WRAP protected client call
  – HTTP header (Authorization: WRAP access_token="…")
  – GET or POST parameter (wrap_access_token="…")
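
The check a service would run on a received SWT, as an added example (not code from the slides or from the AppFabric SDK): it verifies the HMAC-SHA-256 signature over the form-encoded pairs before parsing them, then checks issuer, audience and expiry. The `HMACSHA256`, `Issuer`, `Audience` and `ExpiresOn` pair names come from the SWT format rather than from the slides; the `action` claim, the key and the URLs are constructed sample values.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Text;

static class SwtCheck
{
    const string SigPair = "&HMACSHA256=";   // SWT format: the signature is the last pair
    static readonly DateTime Epoch = new DateTime(1970, 1, 1, 0, 0, 0, DateTimeKind.Utc);
    static byte[] Mac(string s, byte[] key)
    { using (var h = new HMACSHA256(key)) return h.ComputeHash(Encoding.ASCII.GetBytes(s)); }
    static string Decode(string s) { return Uri.UnescapeDataString(s.Replace('+', ' ')); }

    public static bool IsValid(string token, byte[] key, string issuer, string audience, DateTime nowUtc)
    {
        int cut = token.LastIndexOf(SigPair, StringComparison.Ordinal);
        if (cut < 0) return false;                                    // no signature pair
        byte[] expected = Mac(token.Substring(0, cut), key), presented;
        try { presented = Convert.FromBase64String(Uri.UnescapeDataString(token.Substring(cut + SigPair.Length))); }
        catch (FormatException) { return false; }
        int diff = expected.Length ^ presented.Length;                // constant-time comparison
        for (int i = 0; i < expected.Length && i < presented.Length; i++) diff |= expected[i] ^ presented[i];
        if (diff != 0) return false;
        var claims = new Dictionary<string, string>();                // parsed only after the MAC verified
        foreach (string pair in token.Substring(0, cut).Split('&'))
        {
            int eq = pair.IndexOf('=');
            string name = eq < 1 ? null : Decode(pair.Substring(0, eq));
            if (name == null || claims.ContainsKey(name)) return false;  // malformed or duplicate pair
            claims[name] = Decode(pair.Substring(eq + 1));
        }
        string iss, aud, exp; long seconds;
        return claims.TryGetValue("Issuer", out iss) && iss == issuer
            && claims.TryGetValue("Audience", out aud) && aud == audience
            && claims.TryGetValue("ExpiresOn", out exp) && long.TryParse(exp, out seconds)
            && Epoch.AddSeconds(seconds) > nowUtc;
    }

    static void Main()   // constructed sample values throughout
    {
        byte[] key = Encoding.ASCII.GetBytes("constructed-demo-key");
        string iss = "https://issuer.example.invalid/", aud = "http://service.example.invalid/screen";
        string body = "action=Listen&Issuer=" + Uri.EscapeDataString(iss) + "&Audience=" + Uri.EscapeDataString(aud) + "&ExpiresOn=4102444800";
        string token = body + SigPair + Uri.EscapeDataString(Convert.ToBase64String(Mac(body, key)));
        DateTime now = new DateTime(2010, 10, 15, 0, 0, 0, DateTimeKind.Utc);
        Console.WriteLine(IsValid(token, key, iss, aud, now));                             // token as issued
        Console.WriteLine(IsValid(token.Replace("Listen", "Manage"), key, iss, aud, now)); // claim tampered
        Console.WriteLine(IsValid(token, key, iss, aud, Epoch.AddSeconds(4102444801)));    // after ExpiresOn
    }
}
```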

Scenario
[Diagram labels: Membership, Access Control Service, WIF, LeadDev, Alice, Listen, WIF, WS-Trust, WRAP, Service Bus, SAML, SWT, username + password]

[Diagram labels: Issuers (Symmetric Key, X.509 Certificate); Scope (Applies To); Rules; ACS, Issuer, Service, Claims, Claims; Listen]

ACS vNext
• Token Formats: SWT and SAML
• Protocols
  – WS-Federation (passive)
  – WS-Trust (active, SOAP)
  – OAuth (active, HTTP)
• Identity Providers
  – LiveID

Scenario (vNext)
[Diagram labels: ACS labs, ASP.NET Web App, WIF]

Q&A