Setting Security on a REST-based Service Bus Application
There are two types of REST-based applications that interact with the Windows Azure Service Bus: those that use a traditional Windows Communication Foundation (WCF)-style contract and binding, and those that use a message buffer. For more information about message buffers, see Working with an AppFabric Service Bus Message Buffer. This topic does not cover message buffers; it assumes that your application interacts with the Service Bus via the Microsoft.ServiceBus.dll assembly and the authentication features available through Windows Azure. In particular, this topic covers applications that use the WebHttpRelayBinding binding, which is the default binding for Web applications.
In the current Windows Azure release, the relay authentication options for Web clients that access services built on the WebHttpRelayBinding binding are designed to fit the most common scenarios. Most frequently, Web-style clients communicate with services that decide to accept all incoming traffic. These clients perform only lightweight authentication, using a variety of custom techniques to enable and enrich AJAX-style user experiences. You can achieve the same result and provide similar fidelity by setting the Security.RelayClientAuthenticationType property on the WebHttpRelayBinding binding to None. You can see this option in the Service Bus WebNoAuth relay authentication sample in the Windows Azure SDK. A simplified procedure for setting this option is described later in this section.
To set authentication in a Service Bus Web application to None
1. In the service, configure the authentication as required:

    Console.Write("Your Issuer Name: ");
    string issuerName = Console.ReadLine();
    Console.Write("Your Issuer Secret: ");
    string issuerSecret = Console.ReadLine();
    …
    TransportClientEndpointBehavior clientBehavior = new TransportClientEndpointBehavior();
    clientBehavior.CredentialType = TransportClientCredentialType.SharedSecret;
    clientBehavior.Credentials.SharedSecret.IssuerName = issuerName;
    clientBehavior.Credentials.SharedSecret.IssuerSecret = issuerSecret;

   As with other applications, you can configure the authentication in an App.config file or programmatically.

2. Set the RelayClientAuthenticationType field to None.

    <bindings>
      <!-- Application Binding -->
      <webHttpRelayBinding>
        <binding name="default">
          <security relayClientAuthenticationType="None" />
        </binding>
      </webHttpRelayBinding>
    </bindings>
This allows the service to authenticate with the Service Bus (as required), and also lets any client connect without authenticating to the relay. Because the relay then forwards requests from unauthenticated clients, any checks on callers have to be performed by the service itself. In this scenario, the App.config file defines the type of security to use for the whole scenario, but the programmatic configuration (in step 1) overrides the App.config file. The override is necessary because it is impossible to have "None" for service authentication.
If you use the RelayAccessToken option for the RelayClientAuthenticationType property, the Service Bus provides a security layer over plain HTTP services: authentication and authorization must be performed before any HTTP traffic is forwarded to the listening service. If relay authentication is enabled on the Service Bus, the required security token can be provided through programmatic credentials.
If you decide to implement programmatic credentials, you can use any of the authentication options available to Service Bus through the Access Control service, such as shared secret or simple Web tokens. For more information, see How to: Set Security and Authentication on a Service Bus Application. The following simplified procedure shows how to create a Web token.
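The two steps above combined in one service host, with step 2 done in code rather than in App.config. This is an added example, not code from the SDK sample; the IStatusContract contract, the StatusService class, the "Status" path and the namespace prompt are assumptions made for illustration.

```csharp
using System;
using System.ServiceModel;
using System.ServiceModel.Web;
using Microsoft.ServiceBus;

// Hypothetical contract and service, defined only for this example.
[ServiceContract]
public interface IStatusContract
{
    [OperationContract, WebGet(UriTemplate = "status")]
    string GetStatus();
}

public class StatusService : IStatusContract
{
    // With relay client authentication set to None, caller checks belong here.
    public string GetStatus() { return "ok"; }
}

public static class Program
{
    public static void Main()
    {
        Console.Write("Your Service Namespace: ");
        string serviceNamespace = Console.ReadLine();
        Console.Write("Your Issuer Name: ");
        string issuerName = Console.ReadLine();
        Console.Write("Your Issuer Secret: ");
        string issuerSecret = Console.ReadLine();

        // Step 1: the service (listener) still authenticates to the Service Bus.
        TransportClientEndpointBehavior serviceCredentials = new TransportClientEndpointBehavior();
        serviceCredentials.CredentialType = TransportClientCredentialType.SharedSecret;
        serviceCredentials.Credentials.SharedSecret.IssuerName = issuerName;
        serviceCredentials.Credentials.SharedSecret.IssuerSecret = issuerSecret;

        // Step 2, in code instead of App.config: clients need no relay token.
        WebHttpRelayBinding binding = new WebHttpRelayBinding();
        binding.Security.RelayClientAuthenticationType = RelayClientAuthenticationType.None;

        Uri address = ServiceBusEnvironment.CreateServiceUri("https", serviceNamespace, "Status");
        WebServiceHost host = new WebServiceHost(typeof(StatusService), address);
        host.AddServiceEndpoint(typeof(IStatusContract), binding, address).Behaviors.Add(serviceCredentials);
        host.Open();
        Console.WriteLine("Listening at {0}. Press [Enter] to exit.", address);
        Console.ReadLine();
        host.Close();
    }
}
```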
To programmatically create a simple Web token
1. Retrieve the issuer name and secret from the user:

    Console.Write("Your Issuer Name: ");
    string issuerName = Console.ReadLine();
    Console.Write("Your Issuer Secret: ");
    string issuerSecret = Console.ReadLine();

2. Define the transport client credential type as SimpleWebToken:

    TransportClientEndpointBehavior behavior = new TransportClientEndpointBehavior();
    behavior.CredentialType = TransportClientCredentialType.SimpleWebToken;

3. Compute and initialize the Web token with a call to ComputeSimpleWebTokenString:

    behavior.Credentials.SimpleWebToken.SimpleWebToken =
        SharedSecretCredential.ComputeSimpleWebTokenString(issuerName, issuerSecret);
When you have created the Web token, you can add the behavior to the endpoint, create the channel factory, and open a channel to the Service Bus.