OK Steven, thanks for your time.
"Steven Cheng[MSFT]" wrote:
> Hi Jimmer,
>
> After some further discussion with some other engineers, I'm afraid there
> isn't a direct means to make those security assertions flow from client to
> backend (bypassing the intermediate router). The reasonable way is to implement
> security assertions on both stages (client <---> router and router <--->
> server).
>
> Sincerely,
>
> Steven Cheng
>
> Microsoft MSDN Online Support Lead
>
>
> This posting is provided "AS IS" with no warranties, and confers no rights.
>
> --------------------
>
> From: stcheng@online.microsoft.com (Steven Cheng[MSFT])
> Organization: Microsoft
> Date: Wed, 28 Nov 2007 04:16:46 GMT
> Subject: RE: WCF SOAP Router Including Credentials
>
> Sure. I am currently discussing with some other WCF engineers to see
> whether they have any suggestions on this. Will keep you updated.
>
> Sincerely,
>
> Steven Cheng
>
> Microsoft MSDN Online Support Lead
>
>
>
> --------------------
> From: Jimmer <Jimmer@community.nospam>
> Subject: RE: WCF SOAP Router Including Credentials
> Date: Mon, 26 Nov 2007 03:04:01 -0800
>
>
> Steven, thanks for the reply.
>
> > From your description, you're using the WCF "Intermediary Router" feature
> > and currently wondering how to apply security on the messages transferred
> > in the router scenario, correct?
>
> Correct. The router should just forward the message from the client
> including the client's security headers. The way I've got it working at the
> moment is to implement a custom credentials validator on the router and
> store the password (encrypted). These credentials are then used to create a
> channel to the destination service for every operation call per user! This
> could be improved by having one channel per destination service which is
> user agnostic. The channel could then be reused without the overhead of
> creating a channel every time an operation is called on the router.
>
> > BTW, as you mentioned SSL, are you using https/ssl for transport
> > security? If so, this is certainly supported only in the port to port case;
> > you can not establish an ssl/https connection across multiple nodes
> > (client, router and server).
>
> Yea, I've got certificates everywhere!! The router server has its own
> certificate and the destination server has its own certificate. IIS on the
> DMZ and self hosted on the destination server. The external service
> consumers are only aware of the router address in an attempt to shield the
> domain environment.
>
> Any information on a better way forward will be well received!
>
> Thanks,
>
> Jimmer
>
>
> "Steven Cheng[MSFT]" wrote:
>
> > Hi Jimmer,
> >
> > From your description, you're using the WCF "Intermediary Router" feature
> > and currently wondering how to apply security on the messages transferred
> > in the router scenario, correct?
> >
> > As for the message routing in WCF, I think it is an XML Web service/SOAP
> > specific feature introduced from WSE 3.0. WSE 3.0 also supports message
> > routing, and for security it is implemented in the following way:
> >
> > ** security header directly forwarded from client to server (ignoring the
> > intermediate router) is not supported
> >
> > ** you need to configure the security assertion (policy) for message
> > transferring between
> > 1) client <-----> router and 2) router <-----> server
> >
> > So far, I haven't found any confirmation that WCF also supports this
> > kind of security setting. I'll perform some further research to see
> > whether this kind of security is also supported in WCF.
> >
> > BTW, as you mentioned SSL, are you using https/ssl for transport
> > security? If so, this is certainly supported only in the port to port case;
> > you can not establish an ssl/https connection across multiple nodes
> > (client, router and server).
> >
> > I'll update you if I get any more information on this.
> >
> > Sincerely,
> >
> > Steven Cheng
> >
> > Microsoft MSDN Online Support Lead
> >
> >
> >
> >
> >
> >
> > --------------------
> > From: Jimmer <Jimmer@community.nospam>
> > Subject: WCF SOAP Router Including Credentials
> > Date: Sun, 25 Nov 2007 11:30:00 -0800
> >
> >
> > Hello,
> >
> > I've been trying to create a WCF SOAP Router Service that can forward not
> > just the message body but also any security headers set by the originator
> > of the message. The destination service I'm routing messages to uses
> > WSHttpBinding, SSL with UserName/Password client credentials. Using
> > guidance from the Technology samples I can create a router that forwards
> > messages without security credentials but not with them. Can anybody point
> > me in the right direction... should I be creating a custom channel to
> > handle this? or is there a bundle of framework classes I should use?
> >
> > Deployment scenario: Consumer connects to a router service on a DMZ (Out
> > of Domain). The router service is unable to authenticate the users of the
> > service. Router determines the correct destination service and forwards
> > SOAP message + security credentials. Destination service impersonates
> > consumer and replies to the message.
> >
> > Any help or guidance would be appreciated!
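The two-hop design Steven settles on, combined with the shared user-agnostic forwarding channel Jimmer proposes, as an added C# sketch that is not code from this thread or from the WCF samples. It assumes a "backendEndpoint" client endpoint in the router's config, a hypothetical CredentialStore helper for the router's own user database and service password, and that the destination learns the original caller's name from a custom header it accepts only over the channel authenticated as the router.

```csharp
using System.IdentityModel.Selectors;
using System.ServiceModel;
using System.ServiceModel.Channels;

// Hop 1 (client <-> router): the validator the router's serviceCredentials point at
// (<userNameAuthentication userNamePasswordValidationMode="Custom" ... />).
public class RouterUserValidator : UserNamePasswordValidator
{
    public override void Validate(string userName, string password)
    {
        // CredentialStore is a hypothetical lookup (not shown); a validator rejects by throwing.
        if (string.IsNullOrEmpty(userName) || !CredentialStore.Verify(userName, password))
            throw new FaultException("Unknown user name or incorrect password.");
    }
}

// Same contract shape as the Technology Sample router: untyped Message in and out.
[ServiceContract]
public interface IRequestReplyRouter
{
    [OperationContract(Action = "*", ReplyAction = "*")]
    Message ProcessMessage(Message request);
}

[ServiceBehavior(InstanceContextMode = InstanceContextMode.Single, ConcurrencyMode = ConcurrencyMode.Multiple)]
public class Router : IRequestReplyRouter
{
    const string WsseNs = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd";
    // Hop 2 (router <-> server): one factory per destination, built once and reused
    // for every caller; it carries the router's own credentials, not the caller's.
    readonly ChannelFactory<IRequestReplyRouter> backend =
        new ChannelFactory<IRequestReplyRouter>("backendEndpoint"); // assumed config name

    public Router()
    {
        backend.Credentials.UserName.UserName = "router-service-account";        // placeholder
        backend.Credentials.UserName.Password = CredentialStore.RouterPassword(); // hypothetical
    }

    public Message ProcessMessage(Message request)
    {
        // Identity proven on hop 1; the backend must trust this header only from the authenticated router.
        string caller = ServiceSecurityContext.Current.PrimaryIdentity.Name;
        request.Headers.Add(MessageHeader.CreateHeader("OriginalCaller", "urn:example:router", caller));
        // Do not relay the caller's own Security header if it is still on the message.
        int sec = request.Headers.FindHeader("Security", WsseNs);
        if (sec >= 0) request.Headers.RemoveAt(sec);
        IRequestReplyRouter channel = backend.CreateChannel();
        try { return channel.ProcessMessage(request); }
        finally { ((IClientChannel)channel).Close(); }
    }
}
```

The destination service then applies its own message security on hop 2 (checking the router's UserName credential) and derives the identity to impersonate from the OriginalCaller header rather than from a Security header it never receives.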