RE: WCF SOAP Router Including Credentials

by Steven Cheng[MSFT] on 11/26/2007 4:43:00 AM

Hi Jimmer,

From your description, you're using the WCF "Intermediary Router" feature
and currently wondering how to apply security on the messages transferred in
the router scenario, correct?

As for the message routing in WCF, I think it is an XML Webservice/SOAP
specific feature introduced from the WSE 3.0. WSE 3.0 also supports message
routing and for security, it is implemented in the following means:

** security header directly forwarded from client to server (ignore the
intermediate router) is not supported

** you need to configure the security assertion (policy) for message
transferring between
1) client <-----> router and 2) router <-----> server

So far, I haven't found any confirmation that WCF also supports this
kind of security setting. I'll perform some further research to see whether
this kind of security is also supported in WCF.

BTW, as you mentioned SSL, are you using https/ssl for transport security?
If so, this is certainly supported only in port to port case, you can not
establish ssl/https connection across multiple nodes (client, router and
server).

I'll update you if I get any more information on this.

Sincerely,

Steven Cheng

Microsoft MSDN Online Support Lead

 

==================================================

Get notification to my posts through email? Please refer to
http://msdn.microsoft.com/subscriptions/managednewsgroups/default.aspx#notifications.

 

Note: The MSDN Managed Newsgroup support offering is for non-urgent issues
where an initial response from the community or a Microsoft Support
Engineer within 1 business day is acceptable. Please note that each follow
up response may take approximately 2 business days as the support
professional working with you may need further investigation to reach the
most efficient resolution. The offering is not appropriate for situations
that require urgent, real-time or phone-based interactions or complex
project analysis and dump analysis issues. Issues of this nature are best
handled working with a dedicated Microsoft Support Engineer by contacting
Microsoft Customer Support Services (CSS) at
http://msdn.microsoft.com/subscriptions/support/default.aspx.

==================================================
    

This posting is provided "AS IS" with no warranties, and confers no rights.

--------------------
From: Jimmer <Jimmer@community.nospam>
Subject: WCF SOAP Router Including Credentials
Date: Sun, 25 Nov 2007 11:30:00 -0800


Hello,

I've been trying to create a WCF SOAP Router Service that can forward not
just the message body but also any security headers set by the originator of
the message. The destination service I'm routing messages to uses
WSHttpBinding, SSL with UserName/Password client credentials. Using guidance
from the Technology samples I can create a router that forwards messages
without security credentials but not with them. Can anybody point me in the
right direction... should I be creating a custom channel to handle this? or
is there a bundle of framework classes I should use?

Deployment scenario: Consumer connects to a router service on a DMZ (Out of
Domain). The router service is unable to authenticate the users of the
service. Router determines the correct destination service and forwards SOAP
message + security credentials. Destination service impersonates consumer and
replies to the message.

Any help or guidance would be appreciated!

Thanks,

Jimmer


 

RE: WCF SOAP Router Including Credentials

by Steven Cheng[MSFT] on 11/28/2007 4:17:00 AM

Sure. I am currently discussing with some other WCF engineers to see
whether they have any suggestion on this. Will keep you updated.

Sincerely,

Steven Cheng

Microsoft MSDN Online Support Lead


This posting is provided "AS IS" with no warranties, and confers no rights.

--------------------
From: Jimmer <Jimmer@community.nospam>
References: <ABB82F21-9CFC-4EC3-8F56-2141EE674D70@microsoft.com>
<bYNmrb#LIHA.6908@TK2MSFTNGHUB02.phx.gbl>
Subject: RE: WCF SOAP Router Including Credentials
Date: Mon, 26 Nov 2007 03:04:01 -0800


Steven, thanks for the reply.

> From your description, you're using the WCF "Intermediary Router" feature
> and currently wondering how to apply security on the messages transferred in
> the router scenario, correct?

Correct. The router should just forward the message from the client
including the client's security headers. The way I've got it working at the
moment is to implement a custom credentials validator on the router and store
the password (encrypted). These credentials are then used to create a channel
to the destination service for every operation call per user! This could be
improved by having one channel per destination service which is user
agnostic. The channel could then be reused without the overhead of creating a
channel every time an operation is called on the router.

> BTW, as you mentioned SSL, are you using https/ssl for transport security?
> If so, this is certainly supported only in port to port case, you can not
> establish ssl/https connection across multiple nodes (client, router and
> server).

Yea, I've got certificates everywhere!! The router server has its own
certificate and the destination server has its own certificate. IIS on the
DMZ and self hosted on the destination server. The external service consumers
are only aware of the router address in an attempt to shield the domain
environment.

Any information on a better way forward will be well received!

Thanks,

Jimmer



 

RE: WCF SOAP Router Including Credentials

by Steven Cheng[MSFT] on 11/30/2007 3:43:00 AM

Hi Jimmer,

After some further discussion with some other engineers, I'm afraid there
isn't a direct means to make those security assertions flow from client to
backend (bypass the intermediate router). The reasonable way is to implement
security assertions on both stages (client <---> router and router <--->
server).

Sincerely,

Steven Cheng

Microsoft MSDN Online Support Lead


This posting is provided "AS IS" with no warranties, and confers no rights.
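
The two-hop arrangement recommended in the reply above, sketched as a router-side WCF configuration fragment. This is an added example, not part of the original thread; the service, contract, validator and address names are hypothetical.

```xml
<!-- Added example: router-side configuration with one security policy per hop.
     Router.RouterService, Router.IRouter, Router.RouterUserValidator and
     backend.example.internal are hypothetical names. -->
<system.serviceModel>
  <bindings>
    <wsHttpBinding>
      <!-- Hop 1: client <-> router. HTTPS ends at the router's own certificate;
           the UserName token arrives in the SOAP security header and is
           validated on the router, not passed through untouched. -->
      <binding name="clientToRouter">
        <security mode="TransportWithMessageCredential">
          <message clientCredentialType="UserName" />
        </security>
      </binding>
      <!-- Hop 2: router <-> destination service. A separate HTTPS session against
           the destination server's certificate, with a security header that the
           router builds itself for this hop. -->
      <binding name="routerToBackend">
        <security mode="TransportWithMessageCredential">
          <message clientCredentialType="UserName" />
        </security>
      </binding>
    </wsHttpBinding>
  </bindings>

  <services>
    <service name="Router.RouterService" behaviorConfiguration="routerBehavior">
      <!-- Endpoint that external consumers see (the only address they know). -->
      <endpoint address=""
                binding="wsHttpBinding"
                bindingConfiguration="clientToRouter"
                contract="Router.IRouter" />
    </service>
  </services>

  <client>
    <!-- Outbound endpoint the router uses to reach the destination service.
         The credentials presented here are set in code on the channel factory
         (ClientCredentials.UserName), so they are a router-side decision. -->
    <endpoint name="backend"
              address="https://backend.example.internal/Service.svc"
              binding="wsHttpBinding"
              bindingConfiguration="routerToBackend"
              contract="Router.IRouter" />
  </client>

  <behaviors>
    <serviceBehaviors>
      <behavior name="routerBehavior">
        <serviceCredentials>
          <!-- The router is outside the domain, so hop-1 credentials are checked
               by a custom validator rather than against Windows accounts. -->
          <userNameAuthentication
              userNamePasswordValidationMode="Custom"
              customUserNamePasswordValidatorType="Router.RouterUserValidator, Router" />
        </serviceCredentials>
      </behavior>
    </serviceBehaviors>
  </behaviors>
</system.serviceModel>
```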
