CHAPTER 5 ■ AZURE .NET SERVICES—ACCESS CONTROL 163 claim.Resource.ToString(), "http://docs.oasis-open.org/wsfed/authorization/200706/claims/action", claimValue)) { if (AccessControlHelper.IsIssuedByIbn(claimSet)) { return; } } } } throw new FaultException("Access denied."); } static bool IsIssuedByIbn(ClaimSet claimSet) { foreach (Claim claim in claimSet.Issuer) { if (AccessControlHelper.CheckClaim( claim.ClaimType, claim.Resource.ToString(), "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dns", "accesscontrol.windows.net")) { return true; } } return false; } static bool CheckClaim(string claimType, string claimValue, string expectedClaimType, string expectedClaimValue) { if ( StringComparer.OrdinalIgnoreCase.Equals(claimType, expectedClaimType) && StringComparer.OrdinalIgnoreCase.Equals(claimValue, expectedClaimValue) ) { return true; } return false; } } } Now let's modify the WCF service operation implementation. For all implementations of the operation in the WCF service contract we need to insert the code to demand the claim for the security token by using the previous helper class as Listing 5-18 shows. CHAPTER 5 ■ AZURE .NET SERVICES—ACCESS CONTROL 164 Listing 5-18. Implementation of the WCF Service Contract using System; using System.Runtime.Serialization; using System.ServiceModel; using System.ServiceModel.Channels; using System.Collections.Generic; using System.IO; using System.Xml; using System.Xml.Serialization; using System.Text; namespace AzureForDotNetDeveloper.DotNetService.ServiceBus { [ServiceBehavior(InstanceContextMode = InstanceContextMode.Single)] public class AzureForDotNetDeveloperWCFservice : IAzureForDotNetDeveloperWCFservice { private User registeredUser = null; #region IUserRegisterService Members public string Ping() { AccessControlHelper.DemandActionClaim("UserRegister.Ping"); return string.Format(" I am here <{0}>", this.ToString()); } public void RegisterUser(string xmlString) { try { AccessControlHelper.DemandActionClaim("UserRegister.RegisterUser"); XmlDocument xmlDoc = new XmlDocument(); xmlDoc.LoadXml(xmlString); XmlSerializer serializer = new XmlSerializer(typeof(User)); StringReader reader = new StringReader(xmlString); registeredUser = (User)serializer.Deserialize(reader); } catch (Exception ex) { } } public string GetRegisteredUser() { AccessControlHelper.DemandActionClaim("UserRegister.GetRegisteredUser"); XmlSerializer serializer = new XmlSerializer(typeof(User)); StringBuilder sb = new StringBuilder(); CHAPTER 5 ■ AZURE .NET SERVICES—ACCESS CONTROL 165 StringWriter writer = new StringWriter(sb); serializer.Serialize(writer, registeredUser); return writer.GetStringBuilder().ToString(); } #endregion } } Finally, update the service reference on the client project. Start running the service, and go to Visual Studio. Right-click on the Service Reference node to update the client proxy class. The App.config file is also going to be regenerated by Visual Studio to reflect the security access information with binding type ws2007FederationHttpBinding as Listing 5-19 shows. Listing 5-19. Generated Client Proxy Configuration with Security Access Claim Token Encoding <ws2007FederationHttpBinding> <binding name="UserRegisterEndpoint1" closeTimeout="00:01:00" openTimeout="00:01:00" receiveTimeout="00:10:00" sendTimeout="00:01:00" bypassProxyOnLocal="false" transactionFlow="false" hostNameComparisonMode="StrongWildcard" maxBufferPoolSize="524288" maxReceivedMessageSize="65536" messageEncoding="Text" textEncoding="utf-8" useDefaultWebProxy="true"> <readerQuotas maxDepth="32" maxStringContentLength="8192" maxArrayLength="16384" maxBytesPerRead="4096" maxNameTableCharCount="16384" /> <reliableSession ordered="true" inactivityTimeout="00:10:00" enabled="false" /> <security mode="Message"> <message algorithmSuite="Default" issuedKeyType="SymmetricKey" issuedTokenType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1" negotiateServiceCredential="false"> <issuer address= "http://accesscontrol.windows.net/sts/replacewithsolutionname/issued for certificate" binding="customBinding" bindingConfiguration= "http://accesscontrol.windows.net/sts/replacewithsolutionname/issued for certificate"> <identity> <certificate encodedValue="AwAAAAEAAAAUAAAAQW5vpdmCsJaTH79CxKPc1giFbJUgAAAAAQAAADMGAAAwggYvM IIFF6ADAgECAgowSxUCAAUAAN+/MA0GCSqGSIb3DQEBBQUAMIGLMRMwEQYKCZImiZPyLGQBGRYDY29tMRkwFwYKCZImi ZPyLGQBGRYJbWljcm9zb2Z0MRQwEgYKCZImiZPyLGQBGRYEY29ycDEXMBUGCgmSJomT8ixkARkWB3JlZG1vbmQxKjAoB gNVBAMTIU1pY3Jvc29mdCBTZWN1cmUgU2VydmVyIEF1dGhvcml0eTAeFw0wODA5MDQyMDExMDJaFw0wOTA5MDQyMDExM DJaMH0xCzAJBgNVBAYTAlVTMQswCQYDVQQIEwJXQTEQMA4GA1UEBxMHUmVkbW9uZDESMBAGA1UEChMJTWljcm9zb2Z0M RcwFQYDVQQLEw5Qcm9qZWN0IFp1cmljaDEiMCAGA1UEAxMZYWNjZXNzY29udHJvbC53aW5kb3dzLm5ldDCBnzANBgkqh kiG9w0BAQEFAAOBjQAwgYkCgYEAreESUDU/HSaVXHmBHfBdUZW7yLlvFRiB+GX/gIEz94H6HW85Doo+0gT8GEORtite+ oREcom6euSUYarP3Rt/1rIvtJAU/+GhcupKvICZAavx9vPLrfjxgayHuSCc8QbAOnpn44f/LE37q+Y22g8uqOg3aQE7J CHAPTER 5 ■ AZURE .NET SERVICES—ACCESS CONTROL 166 Olb0wW//+2yXScCAwEAAaOCAyQwggMgMAsGA1UdDwQEAwIEsDAdBgNVHSUEFjAUBggrBgEFBQcDAgYIKwYBBQUHAwEwe AYJKoZIhvcNAQkPBGswaTAOBggqhkiG9w0DAgICAIAwDgYIKoZIhvcNAwQCAgCAMAsGCWCGSAFlAwQBKjALBglghkgBZ QMEAS0wCwYJYIZIAWUDBAECMAsGCWCGSAFlAwQBBTAHBgUrDgMCBzAKBggqhkiG9w0DBzAdBgNVHQ4EFgQUaqPI5cP+U HaMNfk5i8kWU3mza84wHwYDVR0jBBgwFoAUFFXEOeA9LtFVLkiWsNh+FCIGk7wwggEKBgNVHR8EggEBMIH+MIH7oIH4o IH1hlhodHRwOi8vbXNjcmwubWljcm9zb2Z0LmNvbS9wa2kvbXNjb3JwL2NybC9NaWNyb3NvZnQlMjBTZWN1cmUlMjBTZ XJ2ZXIlMjBBdXRob3JpdHkoNSkuY3JshlZodHRwOi8vY3JsLm1pY3Jvc29mdC5jb20vcGtpL21zY29ycC9jcmwvTWljc m9zb2Z0JTIwU2VjdXJlJTIwU2VydmVyJTIwQXV0aG9yaXR5KDUpLmNybIZBaHR0cDovL2NvcnBwa2kvY3JsL01pY3Jvc 29mdCUyMFNlY3VyZSUyMFNlcnZlciUyMEF1dGhvcml0eSg1KS5jcmwwgb8GCCsGAQUFBwEBBIGyMIGvMF4GCCsGAQUFB zAChlJodHRwOi8vd3d3Lm1pY3Jvc29mdC5jb20vcGtpL21zY29ycC9NaWNyb3NvZnQlMjBTZWN1cmUlMjBTZXJ2ZXIlM jBBdXRob3JpdHkoNSkuY3J0ME0GCCsGAQUFBzAChkFodHRwOi8vY29ycHBraS9haWEvTWljcm9zb2Z0JTIwU2VjdXJlJ TIwU2VydmVyJTIwQXV0aG9yaXR5KDUpLmNydDA/BgkrBgEEAYI3FQcEMjAwBigrBgEEAYI3FQiDz4lNrfIChaGfDIL6y n2B4ft0gU+Dwu2FCI6p0oVjAgFkAgEGMCcGCSsGAQQBgjcVCgQaMBgwCgYIKwYBBQUHAwIwCgYIKwYBBQUHAwEwDQYJK oZIhvcNAQEFBQADggEBAB3JqyYxQ80PLVFMRoE2chN0+QlA8oijsPNkEz0ycysiyQQ3zpDgJxqa2IgULzFvuKB7C1FlD SM5U6tWQcKKeJQ2sqAreR1mYec1JIpJQZG6KZDAQHqe2Rvhg54kD8MZeJCbd7Rkxl2E5ivekhbxZhKoNnsC0pEN2rEoQ urCSkzDQ1eTNp3PaiHds+6iVNsg+u8aIXkWqn7/mj9x6UJQe0vXGhy/h/tBJLrCXzBl8gDdG7ie5VNC1LzW6gjukQEJf mlEZTWW/EnMhj7cubG7/VHjk/2rvjbJS2pjxojRwyqLwyRHfSMpTP92pJ7REu91d1jReylDFdn58PfA3eYOoik=" /> </identity> </issuer> <issuerMetadata address="http://accesscontrol.windows.net/sts/replacewithsolutionname/mex"> <identity> <dns value="accesscontrol.windows.net" /> </identity> </issuerMetadata> <tokenRequestParameters> <trust:SecondaryParameters xmlns:trust="http://docs.oasis-open.org/ws-sx/ws-trust/200512"> <trust:TokenType xmlns:trust="http://docs.oasis-open.org/ws-sx/ws-trust/200512"> http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1 </trust:TokenType> <trust:KeyType xmlns:trust="http://docs.oasis-open.org/ws-sx/ws-trust/200512"> http://docs.oasis-open.org/ws-sx/ws-trust/200512/SymmetricKey </trust:KeyType> <trust:KeySize xmlns:trust="http://docs.oasis-open.org/ws-sx/ws-trust/200512"> 256 </trust:KeySize> <trust:Claims Dialect="http://schemas.xmlsoap.org/ws/2005/05/identity" xmlns:trust="http://docs.oasis-open.org/ws-sx/ws-trust/200512"> <wsid:ClaimType Uri="http://docs.oasis-open.org/wsfed/authorization/200706/claims/action" xmlns:wsid="http://schemas.xmlsoap.org/ws/2005/05/identity" /> </trust:Claims> <trust:KeyWrapAlgorithm xmlns:trust="http://docs.oasis-open.org/ws-sx/ws-trust/200512"> http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p </trust:KeyWrapAlgorithm> <trust:EncryptWith xmlns:trust="http://docs.oasis-open.org/ws-sx/ws-trust/200512"> CHAPTER 5 ■ AZURE .NET SERVICES—ACCESS CONTROL 167 http://www.w3.org/2001/04/xmlenc#aes256-cbc </trust:EncryptWith> <trust:SignWith xmlns:trust="http://docs.oasis-open.org/ws-sx/ws-trust/200512"> http://www.w3.org/2000/09/xmldsig#hmac-sha1 </trust:SignWith> <trust:CanonicalizationAlgorithm xmlns:trust="http://docs.oasis-open.org/ws-sx/ws-trust/200512"> http://www.w3.org/2001/10/xml-exc-c14n# </trust:CanonicalizationAlgorithm> <trust:EncryptionAlgorithm xmlns:trust="http://docs.oasis-open.org/ws-sx/ws-trust/200512"> http://www.w3.org/2001/04/xmlenc#aes256-cbc </trust:EncryptionAlgorithm> </trust:SecondaryParameters> </tokenRequestParameters> </message> </security> </binding> </ws2007FederationHttpBinding> </bindings> <client> <endpoint address="http://localhost/AzureForDotNetDeveloperWCFservice" binding="basicHttpBinding" bindingConfiguration="UserRegisterEndpoint" contract="UserRegister" name="UserRegisterEndpoint" /> <endpoint address="http://localhost/AzureForDotNetDeveloperWCFservice" binding="ws2007FederationHttpBinding" bindingConfiguration="UserRegisterEndpoint1" contract="UserRegisterService.UserRegisterService" name="UserRegisterEndpoint1"> <identity> <certificate encodedValue="AwAAAAEAAAAUAAAAASCQin4SUkWbN0uSZBQY6A0SY/wgAAAAAQAAALU BAAAwggGxMIIBX6ADAgECAhDvE+ZAuwIqhU9cQqsE44DOMAkGBSsOAwIdBQAwFjEUMBIGA1UEAxMLUm9vdCBBZ2VuY3k wHhcNMDcwNDA0MjMyMTAxWhcNMzkxMjMxMjM1OTU5WjAUMRIwEAYDVQQDEwlsb2NhbGhvc3QwgZ8wDQYJKoZIhvcNAQE BBQADgY0AMIGJAoGBAK3fOF9Q789iQiEs5FpNTOLOnraBTcoNMxK+jFasM+S8FMLSqPGRgrKearjGwAum3diRBKOngDj bJ+Vp8TxtgvhEhed9JBuWh5hg6nk0jVS7emHjwkBoacULtYTo4QC2/Bav/eK6ibO/kSknnVG45v7kNWG2gyJh+/HCJIc xQ3oFAgMBAAGjSzBJMEcGA1UdAQRAMD6AEBLkCS0GHR1PAI1hIdwWZGOhGDAWMRQwEgYDVQQDEwtSb290IEFnZW5jeYI QBjdsAKoAZIoRz7jUqlw19DAJBgUrDgMCHQUAA0EAdZ/POL0NGuxU3kAoTsbSPdvi3k5PhAYLYbIL2RRHxjcV5lPHqK9 BP2QoctoRFt1Kqb30ZSrGXH5oaq3B/Vdpdg==" /> </identity> </endpoint> </client> </system.serviceModel> </configuration> Start the server and enter the Azure solution name. The server will retrieve the certificate information from the system as Figure 5-18 shows. . "http://accesscontrol .windows. net/sts/replacewithsolutionname/issued for certificate" binding="customBinding" bindingConfiguration= "http://accesscontrol .windows. net/sts/replacewithsolutionname/issued. <issuerMetadata address="http://accesscontrol .windows. net/sts/replacewithsolutionname/mex"> <identity> <dns value="accesscontrol .windows. net" /> </identity>. "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dns", "accesscontrol .windows. net")) { return true; } } return false; } static bool CheckClaim(string