Thursday, May 17, 2012

Secure your ASMX WebServices with SWT and Claims

I was recently involved in an interesting project that was using plain old ASMX web services. We wanted to migrate it to the Windows Azure Access Control Service and make use of Claims.

The way we achieved that was to add an additional SOAP header to the client requests that includes a Simple Web Token (SWT). On the server side, we check for the existence of this specific header, then extract the token, perform some validation checks and inject a fresh new Claims Identity into the Service instance. One thing to look out for is that you have to think of a workaround if your ASMX WebService is a Singleton object. My implementation works with non-singleton implementations. I currently get my Simple Web Tokens from the Windows Azure Access Control Service’s WRAP endpoint. I have configured “Password” service identities and I play with the RuleGroups to add additional claims, based on the identity used. It is pretty flexible!

The result is on … GitHub. I initially wanted it to be on CodePlex, because I have other projects there and am more used to the TFS style of working. But CodePlex’s TFS has been down for quite some time, which was a good excuse to use GitHub. There are some explanations in the Readme.txt file, as well as comments in the code. So feel free to get the code, play around with it, ping me if it is not working for some reason, and so on!

The project makes extensive use of the SWT implementation done by the Two10Degrees team. But I added a compiled assembly reference for convenience.
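The server-side validation step described above, sketched as an added example; it is not code from the GitHub project or from the Two10Degrees library. It assumes the ACS SWT layout (form-encoded name/value pairs ending in `HMACSHA256`), `System.Security.Claims` from .NET 4.5 or later, and a hypothetical `SwtValidator` class that receives the token string already extracted from the SOAP header, together with the base64-decoded signing key.

```csharp
using System;
using System.Linq;
using System.Security.Claims;
using System.Security.Cryptography;
using System.Text;

// Added example (hypothetical class name): validate an SWT, then build a ClaimsIdentity.
public static class SwtValidator
{
    const string SigMarker = "&HMACSHA256=";
    // Form decoding: '+' means space, then percent-escapes are resolved.
    static string Decode(string s) { return Uri.UnescapeDataString(s.Replace('+', ' ')); }
    public static ClaimsIdentity Validate(string token, byte[] key, string issuer, string audience)
    {
        // The signature is the last parameter and covers the raw text before it.
        int idx = token == null ? -1 : token.LastIndexOf(SigMarker, StringComparison.Ordinal);
        if (idx < 0) throw new UnauthorizedAccessException("SWT is missing or unsigned");
        string signedPart = token.Substring(0, idx);
        byte[] presented;
        try { presented = Convert.FromBase64String(Decode(token.Substring(idx + SigMarker.Length))); }
        catch (FormatException) { throw new UnauthorizedAccessException("Bad signature encoding"); }
        byte[] expected;
        using (var hmac = new HMACSHA256(key))
            expected = hmac.ComputeHash(Encoding.UTF8.GetBytes(signedPart));
        // Compare without an early exit so timing does not reveal how many bytes matched.
        int diff = expected.Length ^ presented.Length;
        for (int i = 0; i < expected.Length && i < presented.Length; i++) diff |= expected[i] ^ presented[i];
        if (diff != 0) throw new UnauthorizedAccessException("SWT signature mismatch");

        // Parse name/value pairs only after the signature has been verified.
        var pairs = signedPart.Split('&').Select(p => p.Split(new[] { '=' }, 2))
            .Where(kv => kv.Length == 2)
            .Select(kv => new { Name = Decode(kv[0]), Value = Decode(kv[1]) }).ToList();
        Func<string, string> single = name => {
            var hits = pairs.Where(p => p.Name == name).ToList();
            if (hits.Count != 1) throw new UnauthorizedAccessException("Expected exactly one " + name);
            return hits[0].Value;
        };
        if (single("Issuer") != issuer) throw new UnauthorizedAccessException("Untrusted issuer");
        if (single("Audience") != audience) throw new UnauthorizedAccessException("Wrong audience");
        long expires, now = (long)(DateTime.UtcNow - new DateTime(1970, 1, 1, 0, 0, 0, DateTimeKind.Utc)).TotalSeconds;
        if (!long.TryParse(single("ExpiresOn"), out expires) || expires <= now)
            throw new UnauthorizedAccessException("SWT expired");

        // Everything that is not a reserved SWT field becomes a claim from the trusted issuer.
        var reserved = new[] { "Issuer", "Audience", "ExpiresOn" };
        return new ClaimsIdentity(
            pairs.Where(p => !reserved.Contains(p.Name)).Select(p => new Claim(p.Name, p.Value, ClaimValueTypes.String, issuer)),
            "SWT");
    }
}
```

The order matters: nothing from the token is parsed or trusted until the HMAC check passes, and duplicate `Issuer`, `Audience` or `ExpiresOn` fields are rejected rather than resolved by picking one.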
