Thursday, May 17, 2012

Secure your ASMX WebServices with SWT and Claims

I was recently involved into interesting project, that was using the plain old ASMX web services. We wanted to migrate it to the Windows Azure Access Control Service and make use of Claims.

The way we achieved that is to add additional Soap Header to the client requests that includes Simple Web Token (SWT). On the server side, we make a check for this specific header existence, then extract the token, perform some validation checks and inject a fresh new Claims Identity into the Service instance. One thing to look out for is that you have to think of a workaround, if your ASMX WebService is a Singleton object. My implementation works with non-singleton implementations. And I currently get my Simple Web Tokens from Windows Azure Access Control Service’s WRAP endpoint. I have configured a “Password” service identities and I play with the RuleGroups to add additional claims, based on identity used. It is pretty flexible!

The result is on … GitHub. I initially wanted to be on CodePlex, because I have other projects there and am more used to TFS style of working. But CodePlex’s TFS is down for quite some time, which was a good excuse to use GitHub. There is some explanations in the Readme.txt file, as well as comments in the code. So feel free to get the code, play around with it, ping me if it is not working for some reason, and so on!

The project makes extensive use of SWT Implementation, done by the Two10Degrees’ team. But I added a compiled assembly reference for convenience.

Posted by Anton Staykov at 14:29 0 comments
Labels: , , ,

Wednesday, May 16, 2012

MEET Windows Azure on June the 7th

I’m following Windows Azure since its first public CTP at PDC’2008. It was amazing then, it is even more amazing now, and more exciting to come (I’m really, really excited!) …

Get ready to MEET Windows Azure live on June the 7th. Register to watch live (June the 7th 1PM PDT) here. Be informed by following the conversation @WindowsAzure, #MEETAzure, #WindowsAzure

And, if you want to be more social, register for the Social meet up on Twitter event, organized by fellow Azure MVP Magnus Martensson.

What I can tell you for sure, without breaking my NDA, is that you don’t want to miss that event!

See you there!

MEET Windows Azure Blog Relay:

Posted by Anton Staykov at 21:01 0 comments
Labels: , ,

Tuesday, May 1, 2012

Introduction to Claims

It is 21st century! We live in a digital world where we can do almost everything online. While you might think this is an amazing, let me ask you a question: How many online identities do you have? And here I don’t only mean your Google or FaceBook account. I mean every single username and password you had to ever create. I personally, have about 8 (eight!) that I actively use (including a digital signature), another 10 or even more that are used fairly rare and maybe over 20, which I had to create by some reason, and then abandon. For me, as a consumer this drives me crazy. Just couple a weeks ago, I rejected an invitation to the next business social networking site, from a person who I really trust, just because that new network did not offer me an option to use any of mine existing identities. They required from me to create another user name, another minimum 6 symbols password containing upper and lowercase characters and numbers. No thanks. I’m done with creating online identities!

As being a developer, I also know that the easiest way to go with a site, which offers some kind personalization, is to use my own authentication and authorization mechanism! But this thinking I have left behind me. I decided to step into the present (not even the future!) and pay attention to terms like Identity Provider, Claims, Trust, Relying party application, and similar. Fortunately for me, there is the Windows Azure Access Control Service (or just ACS) on the market, that really helps me build applications that respond to the needs of the customers. Combining the power of ACS with Windows Identity Foundation (or WIF) I can easily create applications that would offer the consumers, the option to use some of their existing online identities (such as Microsoft Live ID, Google, Yahoo, Facebook and others).

If you want to join me, let me first list out the terms which you will begin working with on a daily basis:

Take a closer look to the following sentence: “I claim that my name is Anton Staykov, and I can prove it by showing you my personal Identification card, issued by the Bulgarian Government”. It represents almost all the terms and objects you will work with, when working with ACS.

Claim – this is an assertion about an object issued by an Identity Provider. In the given sentence, the Claim is “Name” and it value is “Anton Staykov”

Identity Provider – an authority, which issues security tokes, that contain claims. Bulgarian or any Government is an Identity Provider, which issues Passports. And the passports are

Security Tokens – this is a digitally signed object, which contains claims. A Token may contain one or more claims.

And last, but not least, you, dear reader are the Relying Party to which I present my token that contains claims.

There is one more player on the scene, and it is the Federation Provider. This, in essence is an Identity provider. It stays as mediator between mine application and your Facebook identity. When I want to give you the chance of using your FaceBook account to identify in front of mine application, I don’t want to bother with implementation details, which might (or might not) be very different from the details I need to know when I give you the option to sign with your Live ID. In my application I have a piece of code, where I say – look, I only trust Tokens and Claims that come from that federation provider. And that very federation provider takes care of implementation details around FaceBook, Live ID, Google, OpenID, WS-Federation, etc. And not only it takes care of these details, but even more. If, one day I decide that I no longer trust Google as Identity Provider, I just uncheck a checkbox, do nothing in my code, and you will no longer be able to use your Google account to present yourself in front of mine application.

As some final words, I want to share with you details from some studies conducted amongst online users about their perceptions about online shopping experience.

· 3 out 4 online shoppers avoid creating new user accounts

· 76% of online shoppers admit to have given incomplete or wrong information when required to create new user account

· 24 % of online shoppers abandon the site, when it requires a registration

With this said, I hope I made you believe (at least a bit) that Claims is the way to identify online user. And if you happen to be a developer, I really hope I have lighted up a small fire, which will drive you to at least investigate a bit more about Claims and social sign-in.

Posted by Anton Staykov at 21:34 0 comments
Labels: , ,

Thursday, March 15, 2012

Windows Azure Basics (part 2 of n)–networking

In my previous post on Windows Azure Basics, I tried to introduce you the cloud computing concept and explain the Windows Azure Platform with not so technical terms. It is time now to get over the networking. What is happening behind the scenes? What we can or cannot (currently) use?
Lets first take a look at the following picture, which tries to show almost complete Windows Azure hosted service:

Here are the terms/abbreviations you see on the illustration:
  • LB – Load Balancer. It is the Windows Azure software Load Balancer, which routes the Internet traffic to and from your hosted service;
  • VIP – virtual IP address. This is the internet facing public IPv4 (currently) network address for your hosted service. You have to pay attention to it, as you only have one single internet facing IP address per hosted service;
  • DIP – direct IP address. This is an internal subnet IPv4 network address that each single instance of your roles has. You have one of these DIPs for every single instance, and there is only one per instance. This IP address in internal subnet and cannot be used to directly access a specific instance from outside the Windows Azure hosted service. You can, however use this address for internal communication between instances of your roles within the whole Windows Azure deployment (hosted service)t;
Any Windows Azure Hosted service is considered a closed environment, meaning that no Internet traffic is routed to your service, unless you explicitly say so (we will later understand how)! And not only that, but any single instance is considered a closed environment. That means two things:
  1. The LB (Load Balancer) will not route any Internet traffic to the instances of your roles;
  2. The Windows Firewall of all your instances is set to default block everything (Effectively blocking even communication between different instances in a single deployment);
Of course the hosted service can access the Internet.
Couple of words on protocols. Currently the Windows Azure hosted service only supports the TCP/IP stack of protocols. Meaning that you can only have TCP traffic to/from/within your instances. UDP is not currently supported (thus excluding  IPSec also). What about web roles? Well, web roles are using HTTP protocol, which essentially lives over TCP. HTPS is also supported, because it also relies on TCP/IP. I very often see questions on whether sending/receiving mails is supported in Windows Azure, and the answer is yes. Before all, SMTP, POP(3), IMAP protocol families are all stacked over TCP. So we can have everything within the TCP stack, and (yet) nothing on the UDP stack (no SMB, no IPSec, no RTMP, etc).
Now, how can we route the Internet traffic to our instances in Windows Azure. The platform introduces an entity called Endpoint.
Endpoint is a combination of protocol type + port number, which effectively expose your instance to the internet at the given port number. What about protocol types? Well, currently you can only choose from “tcp” and “http/https”. There are two kind of endpoints: Input Endpoint and Internal Endpoint.  While the Input Endpoint will expose your instance to the Internet, by routing all Internet traffic on selected port to your instance, the Internal Endpoint will only open communication between instances in a single deployment.
Side note: you maybe already noticed that I am using “instances” more often then “roles”. I hope that you’ve read my first post and already know the difference. The key difference is that the instance is the actual VM (Virtual Machine) where your code lives, while the Role only defines the “footprint” for what to be instantiated on the Virtual Machine.
The catch. There is always a catch, and the current one is on the constraints put on the Endpoints:
  • You can have a maximum of 25 Endpoints per hosted service (Input + Internal);
  • You define your endpoints by a Role! Meaning that two different roles cannot share a single Endpoint;
  • All your Endpoints within a Hosted Service must be unique. Meaning that you cannot have an Input Endpoint (i.e. “EndpointWeb") serving HTTP protocol on port 80 for one Role and have another Input Endpoint (i.e. EndpointWebMVC) serving again HTTP protocol on port 80 for another Role. Here I stress that we define Endpoints at Role level, so every instance of this role will have the endpoints defined;
Behind the scenes: When you add a Web Role in your cloud project, the Visual Studio Tools for Windows Azure automatically create an HTTP endpoint on port 80 for your WebRole. It is named “Endpoint1” (but this might change in the future). Having in mind last of the constraints, if you add a second WebRole to your cloud project, a new Endpoint (Endpoint2) will be automatically created with protocol HTTP and port 8080! So be aware of that fact and do not let it surprise you Winking smile
Something more on Windows Azure networking – the LB (Load Balancers) do not use sticky sessions. That means that every single request is routed on its own. So and end user can open a page on your website hitting Instance 0 of Web Role (check the illustration at the top), that page may create several AJAX requests and all AJAX request will go on their own route. Any of the requests may either hit Instance 0, but they may also Instance 1, and so on. That requires us to build a fully stateless applications. The application logic shall be fully operational and aware that some user’s requests may end up in one instance, other in other instances. So we have to always use a common storage (Azure Storage or SQL Azure or AppFabric Caching service) for all the data that needs to be persisted across user’s requests.
Remote Desktop? Yes, it is supported! Remote desktop operates on port 3389 over TCP protocol. Again the catch: Be aware that enabling a Remote Desktop for all your roles in your deployment (which just a checkbox), will automatically create an Input Endpoint for your service. This affects the total number of Endpoints per service (remember, it is 25)!.
What about sending mails, again? As I already wrote, the common mailing protocols are supported (SMTP, POP, IMAP), however Windows Azure does not provide a “Email-as-a-service” service. Luckily enough, a great collaboration was announced, and every Windows Azure subscription receives a complimentary free account on SendGrid with a limit of 10000 e-mails monthly (I think, this you can check Winking smile). So you can use the SendGrid service to send your application / service e-mails. You get it for free for the first 10k e-mails in the month. If your needs exceed this limit, you can upgrade your account for a very reasonable price!
Posted by Anton Staykov at 18:23 0 comments

Saturday, December 17, 2011

Windows Azure basics (part 1 of n)

We live in dynamic times. Buzzwords such as cloud computing, elastic scale, reliability and their synonyms are taking more and more space in our daily life. People (developers) want to move to the cloud. They are often confused by all the new terms. In this part 1 of [we-will-see-at-the-end-how-many] articles I will try to explain with non-geeky words the Windows Azure terms.

First of all, what is Cloud Computing before all? This is when Computing power (namely CPU, RAM, Storage, Networking) is delivered as a service via a network (usually internet), and not as a product (a server that we buy).

Cloud computing is a marketing term for technologies that provide computation, software, data access, and storage services that do not require end-user knowledge of the physical location and configuration of the system that delivers the services. A parallel to this concept can be drawn with the electricity grid, wherein end-users consume power without needing to understand the component devices or infrastructure required to provide the service.

So what is Windows Azure? Is it the new server operating system from Microsoft? Is it the new hosting solution? Is it the new workstation OS? Well, Windows Azure is the Microsoft’s Cloud Computing platform. It delivers various cloud services. Compute, Database, Storage, CDN, Caching, Access Control to name few.

Next part of the article will be focusing on Windows Azure Compute services.

Windows Azure Guest OS? When we talk about cloud computing, inevitably we talk about virtualization. Virtualization at very big degree. And when we talk about virtualization, we have a Host OS and Guest OS. When we talk about Windows Azure OS, we talk about Windows Azure Guest OS. This is the operating system that is installed on the Virtual Machines that run in the cloud. Windows Azure Guest OS has 2 families – OS Family 1 and OS Family 2. Windows Azure Guest OS Family 1 is based on Windows Server 2008 SP 1 x64, and Family 2 is based on Windows Server 2008 R2. All and any guest OS is 64 bits. You can get the full list of Windows Azure Guest OS here.

Windows Azure Cloud Service, or Hosted Service. The Hosted Service is the essence of your Cloud application:

A hosted service in Windows Azure consists of an application that is designed to run in the hosted service and XML configuration files that define how the hosted service should run

A hosted service can have one or more Roles.

Now it comes to the Roles. Our cloud application can be a Web Based application, or a background processing application, or some legacy application which is hard to migrate. Or mix of the three. In order to make things easy for developers, Microsoft has defined 3 distinguished types of “Roles” – Web Role, Worker Role and VM Role. You can read a bit more for the “Role”s here. But the main idea is that a Role defines an application living environment. The Role contains all the code that our application consists of. It defines the environment where our application will live – how many CPUs will be installed; the amount of RAM installed; volume of local storages; will it be a full IIS or a background worker; will it be Windows Azure Guest OS 1.x or 2.x; will it has open ports for communication with outer world (i.e. tcp port 80 for Web Role); will it has some internal TCP ports open for internal communication between roles; what certificates will the environment has; environment variables; etc.

The Role is like a template for our cloud application. When we configure our Cloud Service (or Azure Hosted Service), we set the number of instances involved for each Role.

Instance is a single Virtual Machine (VM), which has all the properties defined by the Role and has our application code deployed. When I mentioned that the Role defines the number of CPUs, RAM, local storage, I was referring the configuration for each VM where our code will be deployed. There are couple (5) of predefined VM configuration which we can use:

Virtual Machine Size CPU Cores Memory Cost Per Hour
Extra Small Shared 768 MB $0.04
Small 1 1.75 GB $0.12
Medium 2 3.5 GB $0.24
Large 4 7 GB $0.48
Extra Large 8 14 GB $0.96

More information on Virtual Machine sizes can be found here.

And here comes the beauty of the Cloud. We code once. We set the overall parameters once. And we deploy once! If it comes that we need more servers – we just set the number of instances for our role. We do it live. There is no downtime. Windows Azure automatically will launch as many VMs as we requested. Will configure them for our application and will deploy our code in each and every one of them and will finally join them to the cluster of our highly available and reliable cloud application. When we don’t need (let’s say) 10 servers anymore, then we can easily instruct Windows Azure that we only need 2 from now on and that’s it. The cloud will automatically shutdown 8 servers and remove them, so we won’t be paying any more extra money.

It is important to note, though, that the Role defines the size of the VM for all the Instances of it. We cannot have instances of same Role but different VM size. This is by design. If we defined our Role to use Extra Large VM, then all the instances we have will be running on that size of VM.

Key takeaways

I hope that this article helped you understand couple of basic terms about Windows Azure. You shall be able to confidently answer the following questions:

  • What is Windows Azure ?
  • What is Windows Azure Hosted Service (or just Hosted Service)?
  • What is a Role?
  • What is a Role Instance (or just Instance)?
Posted by Anton Staykov at 15:42 3 comments
Labels: , , , , , ,
Subscribe to: Posts (Atom)