I have implemented a custom IDispatchMessageInspector, in order to parse one custom token type. After parsing the token I assign:
ServiceSecurityContext.Current.AuthorizationContext.Properties["ClaimsPrincipal"] = claimsPrincipal;
ServiceSecurityContext.Current.AuthorizationContext.Properties["Identities"] = identities;
Thread.CurrentPrincipal = claimsPrincipal;
I thought after ClaimsPrincipal got assigned in my IDispatchMessageInspector, It should have been available in my service method, unfortunately I've got a WindowsPrincipal(IsAuthentificated = false) there.
var currentIdentity = Thread.CurrentPrincipal as ClaimsPrincipal;
any thoughts?
Edit:
My web.config:
<services>
<service name="EchoService.TestEchoService">
<endpoint address="api" bindingConfiguration="secured" binding="webHttpBinding" behaviorConfiguration="rest" contract="EchoService.IEchoService"/>
</service>
</services>
<behaviors>
<serviceBehaviors>
<behavior>
<serviceCredentials useIdentityConfiguration="true">
</serviceCredentials>
</behavior>
</serviceBehaviors>
<endpointBehaviors>
<behavior name="rest">
<webHttp helpEnabled="true" automaticFormatSelectionEnabled="true"/>
</behavior>
</endpointBehaviors>
</behaviors>
<serviceHostingEnvironment>
<serviceActivations>
<add relativeAddress="echo.svc" factory="System.ServiceModel.Activation.ServiceHostFactory" service="EchoService.TestEchoService"/>
</serviceActivations>
</serviceHostingEnvironment>
</system.serviceModel>
<system.identityModel>
<identityConfiguration>
<securityTokenHandlers>
<clear/>
<add type="EchoService.Host.Tokens.SimpleWebTokenHandler,EchoService.Host"></add>
</securityTokenHandlers>
<audienceUris>
<clear/>
<add value="http://securitytestrealm/"/>
</audienceUris>
<issuerTokenResolver type="System.IdentityModel.Tokens.NamedKeyIssuerTokenResolver,System.IdentityModel.Tokens.Jwt">
<securityKey symmetricKey="XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX=" name="YYYYYYYYYYYYYYYYYYY" />
</issuerTokenResolver>
</identityConfiguration>
Edit2:
Call sequence:
Contructor => GetTokenTypeIdentifiers => TokenType
In GetTokenTypeIdentifiers I return:
return new string[] { "http://schemas.microsoft.com/2009/11/identitymodel/tokens/swt" };
This sequence takes only place if I call my service first time.
The interesting thing that none of Handlers methods are being called when it is called after that.
Tokens should not be handled in IDispatchMessageInspector.
You need to implement SecurityTokenHandler that will allow you to read Token and extract whatever it carries => convert it to collection of claims and then return that collection. Provided claims collection will automatically be used to create ClaimsPrincipal by the WCF pipeline.
Check the link below:
http://msdn.microsoft.com/en-us/library/system.identitymodel.tokens.securitytokenhandler.validatetoken.aspx
EDIT:
You have two possible approaches to add token handler to pipeline. One is to implement custom service host:
public class CustomServiceHost : ServiceHost
{
protected override void OnOpening()
{
base.OnOpening();
IdentityConfiguration identityConfiguration = new IdentityConfiguration();
identityConfiguration.SecurityTokenHandlers.Clear();
identityConfiguration.SecurityTokenHandlers.AddOrReplace(new CustomSecurityTokenHandler());
}
}
or via same xml segments in web.config:
http://msdn.microsoft.com/en-us/library/hh568671.aspx
EDIT:
ServiceCredentials credentials = this.Description.Behaviors.Find<ServiceCredentials>();
if (credentials == null)
{
credentials = new ServiceCredentials();
this.Description.Behaviors.Add(credentials);
}
credentials.UseIdentityConfiguration = true;
I was able to sort this thing out.
The only thing that was missing is one setting in web.config.
<serviceBehaviors>
<behavior>
<serviceAuthorization principalPermissionMode="None" />
Now it works as expected. Is there any security flaws?
Sorry, that's not how authentication in WCF works. You cannot simply assign Thread.CurrentPricipal from somewhere in the WCF processing pipeline and assume that WCF will automagically pickup that as a fact proving the user is authenticated.
You will need to hook into the right place of the pipeline. Which would be a serviceCredentials behavior.
Related
Long story short:
My WCF clients should be able to provide both username and certificate to a service hosted in IIS, where I should use that information to validate requests using a custom policies.
Complete story:
I have the need to authenticate some WCF clients to verify if they can execute operations.
We have two kinds of clients: WPF applications and a web application. We would like to do the following:
The web application uses a certificate trusted by the service so that it is recognized as a special user with all permissions (the web application already verifies permissions by itself and we wouldn't like to touch it by now)
The WPF clients authenticate themselves with username/password provided by the user
In the implementation of the operations, I would like to verify if the certificate was provided (then I recognize the "super user"), otherwise fallback to username/password authentication.
Services are hosted in IIS 7 and we need to use NetTcpBinding.
I was able to implement the username validation, but the problem is that the AuthorizationContext inspected by the service contains only identity information, and not the certificate.
The following code is used on the client side to initialize the creation of channels (from a spike I'm using to test the solution):
var factory = new ChannelFactory<T>(this.Binding, address);
var defaultCredentials = factory.Endpoint.Behaviors.Find<ClientCredentials>();
factory.Endpoint.Behaviors.Remove(defaultCredentials);
var loginCredentials = new ClientCredentials();
loginCredentials.ServiceCertificate.Authentication.CertificateValidationMode =
X509CertificateValidationMode.None;
loginCredentials.UserName.UserName = username;
loginCredentials.UserName.Password = password;
if (useCertificate)
{
loginCredentials.SetCertificate();
}
factory.Endpoint.Behaviors.Add(loginCredentials);
return factory.CreateChannel();
With the SetCertificate extension being implemented like this:
public static void SetCertificate(this ClientCredentials loginCredentials)
{
loginCredentials.ClientCertificate.SetCertificate(StoreLocation.LocalMachine, StoreName.My, X509FindType.FindBySubjectName, "SecureWcfClient");
}
This is the configuration of the web application hosting the services:
<system.serviceModel>
<behaviors>
<serviceBehaviors>
<behavior name="SecureBehavior">
<serviceMetadata httpGetEnabled="true" />
<serviceDebug includeExceptionDetailInFaults="true" />
<serviceCredentials>
<serviceCertificate findValue="Test"
storeLocation="LocalMachine"
storeName="My"
x509FindType="FindBySubjectName" />
<clientCertificate>
<authentication certificateValidationMode="Custom" customCertificateValidatorType="AuthenticationProtectedService.Security.CertificateValidator, AuthenticationProtectedService.Security"/>
</clientCertificate>
<userNameAuthentication userNamePasswordValidationMode="Custom"
customUserNamePasswordValidatorType="AuthenticationProtectedService.Security.UserNamePassValidator, AuthenticationProtectedService.Security" />
</serviceCredentials>
<serviceAuthorization serviceAuthorizationManagerType="AuthenticationProtectedService.Security.CertificateAuthorizationManager, AuthenticationProtectedService.Security"/>
</behavior>
</serviceBehaviors>
</behaviors>
<bindings>
<netTcpBinding>
<binding>
<security mode="None"/>
</binding>
<binding name="SecureNetTcp">
<security mode="Message">
<message clientCredentialType="UserName"/>
</security>
</binding>
</netTcpBinding>
</bindings>
<service
name="AuthenticationProtectedService.Services.OneWayServiceB"
behaviorConfiguration="SecureBehavior">
<endpoint
address=""
binding="wsHttpBinding"
contract="AuthenticationProtectedService.ServiceModel.IOneWayServiceB">
</endpoint>
</service>
<service
name="AuthenticationProtectedService.Services.DuplexServiceB" behaviorConfiguration="SecureBehavior">
<endpoint
address=""
binding="netTcpBinding"
bindingConfiguration="SecureNetTcp"
contract="AuthenticationProtectedService.ServiceModel.IDuplexServiceB">
</endpoint>
<endpoint address="mex" binding="mexTcpBinding" contract="IMetadataExchange"/>
</service>
</services>
<serviceHostingEnvironment multipleSiteBindingsEnabled="true" />
Finally, this is the implementation of the custom authorization manager (I also tried with a custom certificate validator but the function was never run)
public class CertificateAuthorizationManager : ServiceAuthorizationManager
{
protected override bool CheckAccessCore(OperationContext operationContext)
{
if (!base.CheckAccessCore(operationContext))
{
return false;
}
string thumbprint = GetCertificateThumbprint(operationContext);
// I'd need to verify the thumbprint, but it is always null
return true;
}
private string GetCertificateThumbprint(OperationContext operationContext)
{
foreach (var claimSet in operationContext.ServiceSecurityContext.AuthorizationContext.ClaimSets)
{
foreach (Claim claim in claimSet.FindClaims(ClaimTypes.Thumbprint, Rights.Identity))
{
string tb = BitConverter.ToString((byte[])claim.Resource);
tb = tb.Replace("-", "");
return tb;
}
}
return null;
}
}
I think that the problem could be in the clientCredentialType property of the nettcpbinding.Security.Message node on the service configuration, but I don't see the option to use both Certificate and Username withing the Message security.
Any help appreciated, thanks
Remark: a specific goal of the project is to have very low level impact on server setup and in general in the system, so also SSL should be avoided if possible.
try out this link http://msdn.microsoft.com/en-us/library/ms733099.aspx ...it might resolve your issue where in you can have different binding configuration for same binding type and associate the same to different endpoints as per your need.
Following code adds ParameterInspector to the endpoint.
ChannelFactory<ITest> factory = new ChannelFactory<ITest>("BasicHttpBinding_ITest");
OperationProfilerManager clientProfilerManager = new OperationProfilerManager();
factory.Endpoint.Behaviors.Add(new OperationProfilerEndpointBehavior(clientProfilerManager));
ITest proxy = factory.CreateChannel();
As a good practice, We are attempting to move all this code to Web.config. So that merely creating factory like this
ChannelFactory<ITest> factory = new ChannelFactory<ITest>("BasicHttpBinding_ITest");
or this -
ChannelFactory<ITest> factory = new ChannelFactory<ITest>();
should fetch the extension elements from configuration. With following configurations, BeforeCall or AfterCall methods of IParameterInspector is not being triggered. Can you please point out our mistake in following Web.config -
<system.serviceModel>
<bindings>
<basicHttpBinding>
<binding name="BasicHttpBinding_ITest" />
</basicHttpBinding>
</bindings>
<client>
<endpoint address="http://n1:8000/Service" binding="basicHttpBinding"
bindingConfiguration="BasicHttpBinding_ITest" contract="ServiceReference1.ITest"
name="BasicHttpBinding_ITest" />
</client>
<behaviors>
<endpointBehaviors>
<behavior name="todo">
</behavior>
</endpointBehaviors>
</behaviors>
<extensions>
<behaviorExtensions>
<add name="OperationProfilerEndpointBehavior" type="SelfHostedServiceClient.OperationProfilerEndpointBehavior, SelfHostedServiceClient"/>
</behaviorExtensions>
</extensions>
</system.serviceModel>
Thank you for your help.
Reference: Carlos blog
EDIT: Resolution
Based on Carlos answer, I took following steps to resolve the issue.
Step 1. Created OperationProfilerBehaviorElement class derived from BehaviorExtensionElement. This class is responsible for instantiating the class implementing IEndpointBehavior
class OperationProfilerBehaviorElement : BehaviorExtensionElement {
public override Type BehaviorType
{
get {
return typeof(OperationProfilerEndpointBehavior);
}
}
protected override object CreateBehavior()
{
OperationProfilerManager clientProfilerManager = new OperationProfilerManager();
return new OperationProfilerEndpointBehavior(clientProfilerManager);
} }
Step 2. This class had to be declared in Web.config as below,
<extensions>
<behaviorExtensions>
<add name="OperationProfilerBehavior" type="SelfHostedServiceClient.OperationProfilerBehaviorElement, SelfHostedServiceClient"/>
</behaviorExtensions>
</extensions>
Step 3. Added Endpoint behavior as below,
<behaviors>
<endpointBehaviors>
<behavior name="**InspectParameters**">
<OperationProfilerBehavior/>
</behavior>
</endpointBehaviors>
</behaviors>
Step 4. Set behaviorConfiguration attribute of the endpoint equal to InspectParameters as below,
<endpoint address="http://localhost:8000/Service" behaviorConfiguration="InspectParameters"
binding="basicHttpBinding" bindingConfiguration="BasicHttpBinding_ITest"
contract="ServiceReference1.ITest" name="BasicHttpBinding_ITest" />
Now I was able to initialize factory in a single C# line and parameter inspector was added by default from Web.config
ChannelFactory factory = new ChannelFactory("BasicHttpBinding_ITest");
The type OperationProfilerEndpointBehavior which is referenced in the <extensions> / <behaviorExtensions> section of the config should not be a class implementing IEndpointBehavior - it should be a type which inherits from BehaviorElementExtension, and that class is the one which should create the behavior.
See more information about behavior extensions at http://blogs.msdn.com/b/carlosfigueira/archive/2011/06/28/wcf-extensibility-behavior-configuration-extensions.aspx.
I'm new to .net and knows very little about WCF, so bear with me if any silly questions asked. I'm wondering how WCF handles simultaneous calls in SELF-HOST scenario if my code doesn't explicitly spawn any thread. So after read a lot on the stackoverflow, I created a test app but it seems not working. Please advise. Thanks a lot.
Please note ...
My question is only about WCF SELF HOSTING, so please don't refer to any IIS related.
I'm using webHttpBinding.
I understand there are maxConnection and service throttling settings, but I'm only interested in 2 simultaneous calls in my research setup. So there should be no max conn or thread pool concern.
My test service is NOT using session.
Code as below ...
namespace myApp
{
[ServiceContract(SessionMode = SessionMode.NotAllowed)]
public interface ITestService
{
[OperationContract]
[WebGet(UriTemplate="test?id={id}")]
string Test(int id);
}
[ServiceBehavior(InstanceContextMode = InstanceContextMode.PerCall,
ConcurrencyMode = ConcurrencyMode.Multiple)]
public class TestService : ITestService
{
private static ManualResetEvent done = new ManualResetEvent(false);
public string Test(int id)
{
if (id == 1)
{
done.Reset();
done.WaitOne();
}
else
{
done.Set();
}
}
}
}
app.config ...
<system.serviceModel>
<behaviors>
<endpointBehaviors>
<behavior name = "TestEndpointBehavior">
<webHttp/>
</behavior>
</endpointBehaviors>
</behaviors>
<services>
<service name = "myApp.TestService">
<endpoint address = "" behaviorConfiguration="TestEndpointBehavior"
binding = "webHttpBinding"
contract = "myApp.ITestService">
</endpoint>
<host>
<baseAddresses>
<add baseAddress="http://localhost:8080/test/"/>
</baseAddresses>
</host>
</service>
</services>
</system.serviceModel>
<system.web>
<sessionState mode = "Off" />
</system.web>
How I tested ...
Once had the application running, I opened my browser, FF in case, made one call to http://localhost:8080/test/test?id=1 . This request put the app to suspend waiting for signal, i.e. WaitOne. Then made another call in another browser tab to http://localhost:8080/test/test?id=2. What's expected is that this request will set the signal and thus the server will return for both requests.
But I saw the app hang and the Test function never got entered for the 2nd request. So apparently my code doesn't support simultaneous/concurrent calls. Anything wrong?
You can use single class to setup your wcf service and discard interface. You need to add global.asax file also. After you make the second call, all of them will return "finished".
This configuration does what you want.
Create TestService.cs with :
[AspNetCompatibilityRequirements(RequirementsMode = AspNetCompatibilityRequirementsMode.Allowed)]
[ServiceBehavior(InstanceContextMode = InstanceContextMode.PerCall,
ConcurrencyMode = ConcurrencyMode.Multiple)]
[ServiceContract(SessionMode = SessionMode.NotAllowed)]
public class TestService
{
private static ManualResetEvent done = new ManualResetEvent(false);
[OperationContract]
[WebGet(UriTemplate = "test?id={id}")]
public string Test(int id)
{
if (id == 1)
{
done.Reset();
done.WaitOne();
}
else
{
done.Set();
}
return "finished";
}
}
web.config:
<configuration>
<system.web>
<compilation debug="true" targetFramework="4.0" />
</system.web>
<system.webServer>
<modules runAllManagedModulesForAllRequests="true" />
</system.webServer>
<system.serviceModel>
<standardEndpoints>
<webHttpEndpoint>
<!--
Configure the WCF REST service base address via the global.asax.cs file and the default endpoint
via the attributes on the <standardEndpoint> element below
-->
<standardEndpoint name="" helpEnabled="false" > </standardEndpoint>
</webHttpEndpoint>
</standardEndpoints>
<behaviors>
<serviceBehaviors>
<behavior>
<!-- To avoid disclosing metadata information, set the value below to false and remove the metadata endpoint above before deployment -->
<serviceMetadata httpGetEnabled="true" />
<!-- To receive exception details in faults for debugging purposes, set the value below to true. Set to false before deployment to avoid disclosing exception information -->
<serviceDebug includeExceptionDetailInFaults="false" />
</behavior>
</serviceBehaviors>
</behaviors>
<serviceHostingEnvironment aspNetCompatibilityEnabled="true" multipleSiteBindingsEnabled="true" />
</system.serviceModel>
</configuration>
Global.asax file:
public class Global : System.Web.HttpApplication
{
protected void Application_Start(object sender, EventArgs e)
{
RouteTable.Routes.Add(new ServiceRoute("testservice", new WebServiceHostFactory(), typeof(TestService)));
}
}
I have made a Azure web app that has a ASP.NET web that also contains some JSON WCF services. I really don't know enough about WCF service models to be sure that I'm doing it right, does this look correct to you? Are there other service model configurations that is better for scalability, more maximum concurrent connections, etc?
<system.serviceModel>
<behaviors>
<serviceBehaviors>
<behavior name="">
<serviceMetadata httpGetEnabled="true" />
<serviceDebug includeExceptionDetailInFaults="true" />
</behavior>
</serviceBehaviors>
</behaviors>
<serviceHostingEnvironment multipleSiteBindingsEnabled="true" aspNetCompatibilityEnabled="true" />
</system.serviceModel>
<system.net>
<settings>
<!-- See http://social.msdn.microsoft.com/Forums/en-US/windowsazuredata/thread/d84ba34b-b0e0-4961-a167-bbe7618beb83 -->
<servicePointManager expect100Continue="false" />
</settings>
</system.net>
This works but I occasionally get unexpected connection drops (timeouts) with no HTTP error codes in my development environment which worries me.
Update # 24. Nov. 2011
web.config
<system.net>
<connectionManagement>
<!-- See http://social.msdn.microsoft.com/Forums/en-US/windowsazuredata/thread/d84ba34b-b0e0-4961-a167-bbe7618beb83 -->
<add address="*" maxconnection="48" />
</connectionManagement>
</system.net>
I'm suspecting that it may be the Visual Studio web server that causes the Ajax calls to get timeouts, after some minutes the service starts to accept requests again. Here is my complete setup, can you see what the problem is? I only have a single Ajax call to the service.
Inferface
IExample.cs:
using System.ServiceModel;
using System.ServiceModel.Web;
namespace WebPages.Interfaces
{
[ServiceContract]
public interface IExample
{
[OperationContract]
[WebInvoke(Method = "GET",
ResponseFormat = WebMessageFormat.Json)]
string GetSomething(string id);
}
}
ExampleService.svc.cs markup
<%# ServiceHost Language="C#" Debug="true" Service="WebPages.Interfaces.ExampleService" CodeBehind="ExampleService.svc.cs" Factory="System.ServiceModel.Activation.WebServiceHostFactory" %>
ExampleService.svc.cs codebehind
namespace WebPages.Interfaces
{
[AspNetCompatibilityRequirements(RequirementsMode = AspNetCompatibilityRequirementsMode.Allowed)]
public class ExampleService : IExample
{
string JsonSerializeSomething(Something something)
{
var serializer = new DataContractJsonSerializer(something.GetType());
var memoryStream = new MemoryStream();
serializer.WriteObject(memoryStream, something);
return Encoding.Default.GetString(memoryStream.ToArray());
}
public string GetSomething(string id)
{
var something = DoSomeBusinessLogic(id);
return JsonSerializeSomething(something);
}
}
}
jQuery call from client
function _callServiceInterface(id, delegate) {
var restApiCall = "Interfaces/ExampleService.svc/GetSomething?id="
+ escape(id);
$.getJSON(restApiCall, delegate);
}
function _getSomethingFromService() {
_callServiceInterface('123',
function (result) {
var parsedResult = $.parseJSON(result);
$('#info').html(result.SomethingReturnedFromServiceCall);
}
);
}
Update
I think I know what the problem is now; it seems that WCF services are single threaed by default ( source: http://msdn.microsoft.com/query/dev10.query?appId=Dev10IDEF1&l=EN-US&k=k(SYSTEM.SERVICEMODEL.SERVICEBEHAVIORATTRIBUTE.CONCURRENCYMODE);k(TargetFrameworkMoniker-%22.NETFRAMEWORK%2cVERSION%3dV4.0%22);k(DevLang-CSHARP)&rd=true ) . That explain why my Ajax calls get timeouts, its blocked by another thread. This code should work a lot better:
ExampleService.svc.cs
[ServiceBehavior(ConcurrencyMode = ConcurrencyMode.Multiple, InstanceContextMode = InstanceContextMode.PerSession,
IncludeExceptionDetailInFaults = false, MaxItemsInObjectGraph = Int32.MaxValue)]
//[AspNetCompatibilityRequirements(RequirementsMode = AspNetCompatibilityRequirementsMode.Allowed)]
public class ExampleService : IExample
web.config
<system.serviceModel>
<protocolMapping>
<add scheme="http" binding="webHttpBinding" bindingConfiguration="" />
</protocolMapping>
<behaviors>
<endpointBehaviors>
<behavior name="">
<webHttp defaultOutgoingResponseFormat="Json" />
</behavior>
</endpointBehaviors>
<serviceBehaviors>
<behavior name="">
<serviceMetadata httpGetEnabled="true" />
<serviceDebug includeExceptionDetailInFaults="false" />
</behavior>
</serviceBehaviors>
</behaviors>
<serviceHostingEnvironment multipleSiteBindingsEnabled="true" />
</system.serviceModel>
ExampleService.svc
<%# ServiceHost Language="C#" Debug="true" Service="WebPages.Interfaces.TagService" CodeBehind="TagService.svc.cs" %>
Update # 9. Oct. 2011
I think I got the answer I needed here Locking with ConcurrencyMode.Multiple and InstanceContextMode.PerCall
aspNetCompatibilityEnabled="false" means not being able to access HttpContext, ASP.NET Sessions, etc. in my WCF code.
I think I got the answer I needed here Locking with ConcurrencyMode.Multiple and InstanceContextMode.PerCall
aspNetCompatibilityEnabled="false" means not being able to access HttpContext, ASP.NET Sessions, etc. in my WCF code.
I have a WCF service that is hosted in IIS. I want to use my own IAuthorizationPolicy, and have it configured in the web.config file on the server. I have my auth policy:
namespace MyLib.WCF
{
public class CustomAuthorizationPolicy : IAuthorizationPolicy
{
public CustomAuthorizationPolicy()
{
this.Id = Guid.NewGuid().ToString();
}
public bool Evaluate(EvaluationContext evaluationContext, ref object state)
{
throw new ApplicationException("Testing custom auth");
}
...
}
}
And in my web.config:
<service behaviorConfiguration="Behavior" name="MyService">
<endpoint address="" binding="wsHttpBinding" contract="IMyService"/>
<endpoint address="mex" binding="mexHttpBinding" contract="IMetadataExchange"/>
</service>
<serviceBehaviors>
<behavior name="Behavior">
<serviceAuthorization principalPermissionMode="Custom">
<authorizationPolicies>
<add policyType="MyLib.WCF.CustomAuthorizationPolicy, MyLib.WCF, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
</authorizationPolicies>
</serviceAuthorization>
</behavior>
</serviceBehaviors>
But my CustomAuthorizationPolicy.Evaluate() method never fires. What am I missing?
Well, the obvious (silly) question is: in your <service>, do you actually reference your behavior configuration??
I.e. do you have:
<system.serviceModel>
....
<service name="YourService" behaviorConfiguration="Behavior">
....
</service>
....
</system.serviceModel>
Just defining all your stuff is nice and well - but unless you've actually referenced it, it won't do you any good (been there, done that myself, too! :-) )
Second (almost as silly) question would be: what binding and security config do you use?? Have you even turned on security at all? If you have <security mode="None">, then your service authorization will obviously never be used, either (since no credentials are being passed to the service at all).
Marc