Web Services and Interop » Rob Sanders: Sanders Technology

Building a Claims Aware Environment using ADFS 2.0 and WCF

Build and Config, Design Concepts and Code, Infrastructure, Programming, Security, Technology, Web Development, Web Services and Interop No Responses »

Dec 062012

Introduction

This is going to be a multi-part series of articles with the end goal of producing a solution which handles security/identity claims across domain boundaries using WCF services and Active Directory Federation Services 2.0 (with a federation trust) and Active Directory. In order to demonstrate an approach to handling claims, we need an environment which is capable of supporting the infrastructure configuration we require.

Network Design

I strongly recommend that you put the time and effort into understanding the network topography. When designing a key foundation of your approach to security, it’s critical that you have a working knowledge of the kind of trust you are placing in your trusted sub-systems. For the next few articles, I’m going to rely on the following network design, which you can (not without some effort) establish for yourself using virtual machines:

Basic Network Design

Host Configuration

To keep resource usage to a minimum, I’ve designed my test environment to reuse hosts for key roles. In practice, you might not normally mix roles in a production environment – refer to the appropriate ‘best practices’ to properly plan your infrastructure and deployment of critical roles! Here’s a view of what is on each host:

Host Configuration

Installation and Configuration

You’ll need a minimum of two server installs to make this happen, although I’m using four to separate ADFS 2.0 and to configure an Enterprise Certificate Authority rather than a standalone CA. You’ll also need the Windows Identity Foundation (WIF) SDK installed with your copy of Visual Studio (Visual Studio can be installed elsewhere – not on your test servers).

I’ll be using Visual Studio 2010 for this, but I’m sure there’s a solution for Visual Studio 2012. To streamline your configuration, I’ve provided links two some excellent walkthroughs on the MSDN blog site – the one you need to pay attention to is the ADFS 2.0 installation and configuration.

My Mobile Configuration

Since this is a fairly intensive number of operating systems, I’ve put together a fairly decent local configuration which I can take with me. I’m using a 480 GB SanDisk SSD in an eSATA external enclosure (my laptop does not support USB 3 at the moment). I’m running VM images off the SSD and getting very respectable performance. No problems running four VMs in parallel.

How to Get Up and Running

My best advise is to follow the links below. You’ll need a fair amount of stuff downloaded, so better jump on that. Once you have some clean OSes and the installation packages, my best advise is to follow the walkthroughs. Be careful not to accidentally skip anything, the configuration is a bit tricky at times, but if you follow the walkthrough closely you should have a working environment in about half a day or less. My configuration varies to the walkthrough (as I have two domains), but if you duplicate the configuration for two different directories you should have something which can work.

Links Galore

If you’re going to build a test environment (frankly, just do it – it’s the best way) budget at least a day to get everything configured properly. Don’t cut corners, it’ll only hurt you later.
Check back soon for the next article, where we’ll start to get familiar with the environment, and build a claims-aware application.

Important Downloads

.NET Framework 4.0 Runtime
http://www.microsoft.com/en-au/download/details.aspx?id=17718

.NET Framework 4.0.3 Update
http://www.microsoft.com/en-au/download/details.aspx?id=29053
Update 4.0.3 for Microsoft .NET Framework 4 – Design-time Update for Visual Studio 2010 SP1
http://www.microsoft.com/en-au/download/details.aspx?id=29054

Active Directory Federation Services 2.0 (RTW)
http://www.microsoft.com/en-us/download/details.aspx?id=10909&hash=Hx4OGpwvFzmf7%2bC7rR1nq18CYhcY%2bSE4ok1ifL%2fvSkYIpezfAxg6ePR2zpfAplmm6g%2fUyL1VU7RtmnuR6T4NWg%3d%3d

Windows Identity Foundation (Runtime)
http://www.microsoft.com/en-us/download/details.aspx?id=17331

Windows Identity Federation SDK
http://www.microsoft.com/en-us/download/details.aspx?id=4451

Installation and Configuration Walkthroughs

ADFS 2.0 Installation Walkthrough
http://blogs.msdn.com/b/alextch/archive/2011/06/27/installing-a-stand-along-adfs-service.aspx
Establishing a Federation Trust Walkthrough
http://blogs.msdn.com/b/alextch/archive/2011/06/27/establish-federation-trust.aspx

Building a Claims-aware Web Application Walkthrough
http://blogs.msdn.com/b/alextch/archive/2011/06/27/building-a-test-claims-aware-asp-net-application-and-integrating-it-with-adfs-2-0-security-token-service-sts.aspx

These walkthroughs really helped!

Finally.. If you hit problems with your STS certificate – check the HTTPS bindings of your local IIS:

http://www.shutuplaura.com/journal/2010/1/5/adfsv2-rc-iis-certificates.html

Common Functionality across WCF Web Service Operations

Programming, Tips and Tricks, Web Services and Interop No Responses »

Aug 022012

Introduction

Recently, I started building up a WCF Service Application from scratch to implement a specific set of operations from an existing WSDL.

This was a little cumbersome, but gave me an excellent opportunity to extend and play around with a concept I’ve been trying to perfect for a couple of years now. In a nutshell, what I wanted was the ability to just focus on implementing the specific functionality of a Web Service operation, yet reuse common validation, logging and exception handling.

This required each web service to inherit from a common base class. Each request is a class which inherits from a base class also (containing properties which are required for every request).

Class Object View

Let’s take a look at my web service:

As you can see, the FormsManager class derives from the obviously named ServiceBase. Now, as I stated previously, my intention was to move as much “common functionality” into the base as possible. To do this, let’s take a look at one of the operations:

A Sample Web Service Operation

/// 
/// Submit a form (i.e. lodge a form)
/// 
/// 
/// 
public SubmitFormResponse SubmitForm(SubmitFormRequest request)
{
    return base.ExecuteRequest<SubmitFormRequest, SubmitFormResponse>
	(request, delegate
    {
        AuthoriseAccountId(request.AccountId, request.FormType, 
				FormTypeAuthorisationEnum.Submit);

        if (!String.IsNullOrEmpty(request.ReferenceId))
        {
            AuthoriseAccountId(request.AccountId, 
				request.ReferenceId, 
				FormAuthorisationEnum.Manage);
        }
     
        FormsProvider.SubmitForm(request);

        SubmitFormResponse response = new SubmitFormResponse();
        response.Reference = request.ReferenceId;
        return response;
    });
}

In this scenario, SubmitFormRequest inherits from RequestBase and SubmitFormResponse inherits from ResponseBase. This will make more sense in the next block of code.

As you can see, this operation only has to worry about implementing functionality specific to it’s requirements – common validation, exception handling and logging can be moved into the ‘ExecuteRequest’ function in the base class like so:

The Base Class

        
/// 
/// Execute a Request where the delegate returns a value
/// 
/// 
protected Z ExecuteRequest<T, Z>(T request, Func<Z> operation)
    where T : RequestBase
    where Z : ResponseBase 
{
    try
    {
        TraceLogger.Log.Trace(
		String.Format("Execute Request: {0}", 
				TraceHelper.GetPreviousMethod()));

        if (request == null)
        {
            throw new 
	    ArgumentNullException("Specified Request Parameter was NULL");
        }
        if (String.IsNullOrEmpty(request.AccountId))
        {
            throw new 
            RequiredArgumentException("Account ID was not specified");
        }

        // Validate the identity of the request
        ValidateAccountId(request);

        return operation();
    }
    catch (Exception ex)
    {
         //Log the exception
        if (ex is ICustomException)
        {
            throw ex;
        }
        throw ex; //TODO: Sanitise the Exception
    }
}

This is still a work in progress, but what it does demonstrate is how to embed a consistent and reusable set of functionality into a base class (reducing code duplication) and allowing you to add code to each web service operation which is specific to the nature of the operation; without the need to explicitly add try/catch or logging.

How does this work?

We’re making use of the Func<> (and in other base functions where no return value is required, Action<>) delegate functionality. In this instance, Func<Z> defines a delegate which returns a value of type Z. In the example here, Z is defined as SubmitFormResponse.

Therefore, the pseudo code for executing a SubmitForm request is as follows:

Call base class
Try

Trace (calling function name)
Is Request NULL?
Is AccountId Null or Empty?
Is AccountId Valid?
return Call delegate()

Is AccountId Authorised?
Is ReferenceId Null or Empty?
Is AccountId Authorised to Manage this Reference?
SubmitForm
Create new SubmitFormResponse
return response

Catch
Log exception
Is Custom Exception? (throw)
Sanitise Exception (throw)

The try/catch block in the ExecuteRequest implementation will also catch any unhandled exceptions thrown by the delegate. This gives you the potential for automatic exception management – no more uncaught exceptions thrown back to the caller. You can also make use of standardised logging as well.

Note that the type restriction on the base class function could easily have been defined as the following:

        
/// 
/// Execute a Request where the delegate returns a value
/// 
/// 
protected Z ExecuteRequest<T, Z>(T request, Func<Z> operation)
    where T : RequestBase
    where Z : class
{

Which would allow the delegate to return any class. Alternatively, you could remove the restriction altogether if you wanted to return value types as well, for example:

/// 
/// Execute a Request where the delegate returns a value
/// 
/// 
protected Z ExecuteRequest<T, Z>(T request, Func<Z> operation)
    where T : RequestBase

//-------------------------------------------------------------------------

return base.ExecuteRequest<SaveDraftFormRequest, int>(request, delegate
{
    return -1;
});

Should your base class be required to handle a delegate which does not return a value, simply replace Func<> with Action<>.

Summary

What I’ve covered off here is just some simple usages of generics and delegates which may help to improve the maintainability and consistency of your WCF web service operations.

There are limitations (such as the granularity of properties you would be compelled to put into a base class), but the wins are (IMHO) worth the time to implement.

Perhaps you have designed or implemented something similar?

Please leave a comment.

Quick Sequence Diagram Editor

Design Concepts and Code, Free and Fun Stuff, Web Services and Interop No Responses »

Feb 192012

Not long ago, I posed a question to the Stack Overflow community – (is there a) “Good Visio Template (or alternative) for SOA/Distributed Systems?”. Surprisingly, there was only one response!

Since then, I have been recently introduced to, of all things, a Java based tool called the ‘Quick Sequence Diagram Editor’ which can be used to produce really useful UML Call Sequence Diagrams. Using this tool, you can effectively call out the interface definitions of your distributed services or service library.

The tool uses a pseudo code syntax to produce (render) the sequence diagrams. Services (or classes) are declared first , and then subsequent code calls out the service behaviour (request/response, arguments). It also supports inline annotations (comments) as well as conditional (branching) IF/ELSE logic.

Code is evaluated/rendered as you add the code so that it is impossible to model a sequence with invalid object names.

From the site, here are the principal features:

The diagram changes as you type.
Diagram code is instantly checked, errors are pointed at.
Diagrams can be exported and zoomed.
Long diagrams can be paginated.
There are constraints imposed on diagram specifications, so one cannot model something that is impossible to implement.

All it requires is Java (for your platform), the downloadable is an executable .jar file which consumes the specification files (which can be used with other UML document tools as well).

Enjoy

Download: http://sourceforge.net/projects/sdedit/

Older Entries

Featured Articles

A quick and dirty Rules Engine using Windows Workflow (Part 2)
Hi there and happy new year. 2011 promises to be quite an interesting year, and I hope that I can continue to contribute here at Sanders Technology. To kick off the new year, I decided to revisit the Windows Workflow article I started late last year. A little while ago I wrote a post at entitled “A quick and dirty Rules Engine using Windows Workflow (Part 1)” which has evidently been fairly popular. Unfortunately, it seems that I forgot to follow it up with a part 2! Now, welcoming in the new year, I’m putting together the second part. Honestly though, folks, this could easily be a multi part mini project, because the uses of this Windows Workflow Foundation (WF) [...]
A quick and dirty Rules Engine using Windows Workflow (Part 1)
Recently I put my mind towards developing a fairly light rules based utility for applying various logical patterns on top of some linear business data. Honestly, my initial thoughts were “oh no, not another boring rules based implementation” because we (ought to) know how boring that can be – and convoluted – but this time I decided to try something a little different. Through no fault of my own, I’ve actually had very little to do with Windows Workflow Foundation – WF, not WWF which stands for World Wildlife Foundation, and not to be confused with the World Wrestling Federation, just to avoid confusion! Most of the project I’ve worked on previously have used some other workflow product, usually something [...]
The ADO.Net Entity Framework, POCO Objects and You
Introduction Now if you are like me, you’ve probably had some interest in POCO (plain old CLR objects) objects for at least some time. They are an invaluable tool in the distributed systems and service oriented architecture areas, but up until now they’ve been inaccessible for those designs. In a nutshell, both LINQ to SQL and Entity Framework (v1) class entities did not support serialization for the purpose of stateless transport(such as web service communication). This stems from the embedded context tracking attributes, and the design which stipulates a fairly poor experience for those daring enough to detach entities and “pass them around”. Enter the ADO.net Entity Framework v2.. ahem, version 4 which shipped in the early part of this [...]
A Dynamic Data Website with SQL Azure and the Entity Framework
This is part of a series of entries written about Microsoft’s new SQL Azure database service and the Entity Framework v4. Following on from my previous posts (check them out before continuing) – this article assumes you have followed steps outlined in the previous posts to create various models and accounts etc. Part 1 – Working with Entity Framework v4 and SQL Azure Part 2 – Next Steps with SQL Azure Part 3 – Putting it all together – SQL Azure Part 4 – A Dynamic Data Website with SQL Azure and the Entity Framework (this post) Addendum – Getting a SQL Azure Database Continuing along.. Our next step is to create a Dynamic Data website. If you haven’t come [...]
Putting it all together – SQL Azure
Happy Australia Day to you! Following on from my previous posts (check them out before continuing) – this article assumes you have followed steps outlined in the previous posts to create various models and accounts etc. Part 1 – Working with Entity Framework v4 and SQL Azure Part 2 – Next Steps with SQL Azure Part 3 – Putting it all together – SQL Azure (this post) Part 4 – A Dynamic Data Website with SQL Azure and the Entity Framework Addendum – Getting a SQL Azure Database Now we should have a working data model which has been created in your SQL Azure (Cloud) database. Taking lessons learned from Part 2, we’re going to create an Entity Framework (v4) [...]
Working with Entity Framework v4 and SQL Azure
This post is the first in a series of posts on this topic. The following is a summary of the various parts. Part 1 – Working with Entity Framework v4 and SQL Azure (this post) Part 2 – Next Steps with SQL Azure Part 3 – Putting it all together – SQL Azure Part 4 – A Dynamic Data Website with SQL Azure and the Entity Framework Addendum – Getting a SQL Azure Database Introduction Well, it’s been “out there” for a while, and now it is time I gave you a taste of how to combine some of the “Next Generation” data access technologies, today. SQL Azure is Microsoft’s “Database in the Cloud” and represents a complete makeover (replacement) [...]
Functional Transparency: Part 2
This is a little late – but I feel it is worth going into and you can catch up be reading (or re-reading) Part 1 located here. Just in case you are wondering “what on Earth is he babbling on about?” which is a fair and often under asked question, here’s a brief summary to refresh your memory. The objective is to implement additional (background) functionality which is not seen by calling/consuming code – hence, transparent. In fact, it’s even possible to enforce execution of certain functionality no matter how a DataContext is manipulated – neat, huh? So let us look at a simple database table and let us further assume you have generated a LINQ to SQL Model: SQL [...]
Functional Transparency with LINQ to SQL (Part 1)
I’m going to coin the phrase ‘Functional Transparency’ because it fits the definition. I’ve been working with functional transparency in LINQ to SQL for a few weeks now, and it seems to be working well enough to write about. The objective is to implement additional (background) functionality which is not seen by calling/consuming code – hence, transparent. In fact, it’s even possible to enforce execution of certain functionality no matter how a DataContext is manipulated – neat, huh? In other words, we implement additional functionality between the DataContext, its entities and the Database itself. Our objective may be to modify the data returned from a query (or data saved to a database), might be to audit operations or even check [...]
Intelligent Paging using LINQ to SQL and the LinqDataSource control
Undoubtedly, anyone who has evaluated LINQ to SQL has fond it a fairly powerful yet lightweight ORM technology which is less complex than the ADO Entity Framework yet utilizes the strength and power of Language Integrated Queries. One problem with LINQ to SQL is the auto paging feature of the LinqDataSource. Below is a rough GridView which displays three columns, UserName, FirstName and LastName. This is just a rough demo, so we’re looking at paging. If you simply drop a GridView and a LinqDataSource control onto a Web Form and configure the LinqDataSource (using Smart Tags) without specifying a Group By field or Order By field (Figure 1) then you will get fairly optimal database querying (Figure 2) although [...]

« Previous Post Pause Next Post »