We Keep Coding

IDispatchMessageInspector and Thread.CurrentPrincipal

I have implemented a custom IDispatchMessageInspector, in order to parse one custom token type. After parsing the token I assign:
ServiceSecurityContext.Current.AuthorizationContext.Properties["ClaimsPrincipal"] = claimsPrincipal;
ServiceSecurityContext.Current.AuthorizationContext.Properties["Identities"] = identities;
Thread.CurrentPrincipal = claimsPrincipal;
I thought after ClaimsPrincipal got assigned in my IDispatchMessageInspector, It should have been available in my service method, unfortunately I've got a WindowsPrincipal(IsAuthentificated = false) there.
var currentIdentity = Thread.CurrentPrincipal as ClaimsPrincipal;
any thoughts?
Edit:
My web.config:
<services>
<service name="EchoService.TestEchoService">
<endpoint address="api" bindingConfiguration="secured" binding="webHttpBinding" behaviorConfiguration="rest" contract="EchoService.IEchoService"/>
</service>
</services>
<behaviors>
<serviceBehaviors>
<behavior>
<serviceCredentials useIdentityConfiguration="true">
</serviceCredentials>
</behavior>
</serviceBehaviors>
<endpointBehaviors>
<behavior name="rest">
<webHttp helpEnabled="true" automaticFormatSelectionEnabled="true"/>
</behavior>
</endpointBehaviors>
</behaviors>
<serviceHostingEnvironment>
<serviceActivations>
<add relativeAddress="echo.svc" factory="System.ServiceModel.Activation.ServiceHostFactory" service="EchoService.TestEchoService"/>
</serviceActivations>
</serviceHostingEnvironment>
</system.serviceModel>
<system.identityModel>
<identityConfiguration>
<securityTokenHandlers>
<clear/>
<add type="EchoService.Host.Tokens.SimpleWebTokenHandler,EchoService.Host"></add>
</securityTokenHandlers>
<audienceUris>
<clear/>
<add value="http://securitytestrealm/"/>
</audienceUris>
<issuerTokenResolver type="System.IdentityModel.Tokens.NamedKeyIssuerTokenResolver,System.IdentityModel.Tokens.Jwt">
<securityKey symmetricKey="XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX=" name="YYYYYYYYYYYYYYYYYYY" />
</issuerTokenResolver>
</identityConfiguration>
Edit2:
Call sequence:
Contructor => GetTokenTypeIdentifiers => TokenType
In GetTokenTypeIdentifiers I return:
return new string[] { "http://schemas.microsoft.com/2009/11/identitymodel/tokens/swt" };
This sequence takes only place if I call my service first time.
The interesting thing that none of Handlers methods are being called when it is called after that.

Tokens should not be handled in IDispatchMessageInspector.
You need to implement SecurityTokenHandler that will allow you to read Token and extract whatever it carries => convert it to collection of claims and then return that collection. Provided claims collection will automatically be used to create ClaimsPrincipal by the WCF pipeline.
Check the link below:
http://msdn.microsoft.com/en-us/library/system.identitymodel.tokens.securitytokenhandler.validatetoken.aspx
EDIT:
You have two possible approaches to add token handler to pipeline. One is to implement custom service host:
public class CustomServiceHost : ServiceHost
{
protected override void OnOpening()
{
base.OnOpening();
IdentityConfiguration identityConfiguration = new IdentityConfiguration();
identityConfiguration.SecurityTokenHandlers.Clear();
identityConfiguration.SecurityTokenHandlers.AddOrReplace(new CustomSecurityTokenHandler());
}
}
or via same xml segments in web.config:
http://msdn.microsoft.com/en-us/library/hh568671.aspx
EDIT:
ServiceCredentials credentials = this.Description.Behaviors.Find<ServiceCredentials>();
if (credentials == null)
{
credentials = new ServiceCredentials();
this.Description.Behaviors.Add(credentials);
}
credentials.UseIdentityConfiguration = true;

I was able to sort this thing out.
The only thing that was missing is one setting in web.config.
<serviceBehaviors>
<behavior>
<serviceAuthorization principalPermissionMode="None" />
Now it works as expected. Is there any security flaws?

Sorry, that's not how authentication in WCF works. You cannot simply assign Thread.CurrentPricipal from somewhere in the WCF processing pipeline and assume that WCF will automagically pickup that as a fact proving the user is authenticated.
You will need to hook into the right place of the pipeline. Which would be a serviceCredentials behavior.

Setting binding in WCF service

This may seem like a really easy question but I can't seem to figure it out at all.
I'm trying to create a new WCF service, and I'm new to having to secure them. I'm using a custom username/password for authentication. The problem [right now anyways] that I seem to be running into is that I can't figure out how to define the service to use the WSHttpBinding (on the service side, not the client side).
Am I missing something incredibly simple? Any pointers and/or recommendations would be greatly appreciated!
EDIT
Here's my code so far:
IAccountService
[ServiceContract]
public interface IAccountService
{
[OperationContract]
bool IsCardValid(string cardNumber);
[OperationContract]
bool IsAccountActive(string cardNumber);
[OperationContract]
int GetPointBalance(string cardNumber);
}
Service web.config
<system.serviceModel>
<behaviors>
<serviceBehaviors>
<behavior>
<!-- To avoid disclosing metadata information, set the value below to false before deployment -->
<serviceMetadata httpGetEnabled="true"/>
<!-- To receive exception details in faults for debugging purposes, set the value below to true. Set to false before deployment to avoid disclosing exception information -->
<serviceDebug includeExceptionDetailInFaults="false"/>
<StructureMapServiceBehavior />
</behavior>
</serviceBehaviors>
</behaviors>
<extensions>
<behaviorExtensions>
<add name="StructureMapServiceBehavior" type="Marcus.Loyalty.WebServices.Setup.StructureMapServiceBehavior, Marcus.Loyalty.WebServices, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null"/>
</behaviorExtensions>
</extensions>
<serviceHostingEnvironment multipleSiteBindingsEnabled="true" aspNetCompatibilityEnabled="true" />
<services>
<service name="Marcus.Loyalty.WebServices.Account.IAccountService">
<endpoint address=""
binding="wsHttpBinding"
bindingConfiguration="WSHttpBinding_Config"
contract="Marcus.Loyalty.WebServices.Account.IAccountService"/>
</service>
</services>
<bindings>
<wsHttpBinding>
<binding name="WSHttpBinding_Config"/>
</wsHttpBinding>
</bindings>
</system.serviceModel>
Testing app (console app)
class Program
{
static void Main(string[] args)
{
Console.WriteLine("Please enter card number");
var number = Console.ReadLine();
var endPoint = new EndpointAddress("http://localhost:59492/Account/AccountService.svc");
var binding = new WSHttpBinding(SecurityMode.Message);
binding.Security.Message.ClientCredentialType = MessageCredentialType.UserName;
binding.Security.Transport.ClientCredentialType = HttpClientCredentialType.Basic;
var cf = new ChannelFactory<IAccountService>(binding, endPoint);
cf.Credentials.UserName.UserName = "testuser";
cf.Credentials.UserName.Password = "Password1!";
var service = cf.CreateChannel();
var balance = service.IsAccountActive(number);
Console.WriteLine("\nBALANCE: {0:#,#}", balance);
Console.Write("\n\nPress Enter to continue");
Console.Read();
}
}
Testing app app.config
<configuration>
<system.serviceModel>
<bindings>
<wsHttpBinding>
<binding name="BasicHttpBinding_IAccountService" />
</wsHttpBinding>
</bindings>
<client>
<endpoint address="http://localhost:59492/Account/AccountService.svc"
binding="wsHttpBinding" bindingConfiguration="BasicHttpBinding_IAccountService"
contract="ServiceReference1.IAccountService" name="BasicHttpBinding_IAccountService" />
</client>
</system.serviceModel>
</configuration>

You need to define the abc (address, binding, contract) configuration into de web.config file (you can also do it programmatically. the b part, the binding, you can specify the wsHttpBinding
<system.serviceModel>
<services>
<service name = "MyNamespace.MyService">
<endpoint
address = "http://localhost:8000/MyService"
binding = "wsHttpBinding"
contract = "MyNamespace.IMyContract" />
</service>
</services>
</system.serviceModel>
If you wish to enable security in a proper way, there is a lot of literature and options. You can use certificates, windows based, tokens, ... passing a username & password like a parameter could not be the best way to do it.

There is an extensive sample on MSDN (How to: Specify a Service Binding in code) - but basically, you need to have:
your service contract (IMyService)
an implementation of that service (MyService)
a code where you create your ServiceHost to host your service
You got all of that? Great!
In that case, just do something like this:
// Specify a base address for the service
string baseAddress = "http://YourServer/MyService";
// Create the binding to be used by the service.
WsHttpBinding binding1 = new WsHttpBinding();
using(ServiceHost host = new ServiceHost(typeof(MyService)))
{
host.AddServiceEndpoint(typeof(IMyService), binding1, baseAddress);
host.Open();
Console.ReadLine();
}
and now you should have your service host up and running, on your chosen base address and with the wsHttpBinding defined in code.

How do I set bindingNamespace when using fileless activation?

I'm attempting to eliminate tempuri.org from my WCF service, hosted in IIS using fileless activation. I've followed the instructions here, and I'm stuck when it comes to the bindingNamespace attribute in Web.config, because I'm using fileless activation.
My Web.config merely contains:
<serviceActivations>
<add relativeAddress="Foo.svc"
service="BigCorp.Services.Foo, BigCorp.Services"
/>
</serviceActivations>
I therefore don't have an <endpoint> node on which to set bindingNamespace.
What to do?

You can still use the <services> and hence <endpoint> nodes with WCF File-less activation. Take a look at the following example, where I even modify the default wsHttpBinding to add transport security and enable default behaviors as well; all for the file-less activation of the "Module1.DES.ExternalDataService" service.
<system.serviceModel>
<bindings>
<wsHttpBinding>
<binding messageEncoding="Mtom">
<security mode="Transport"/>
</binding>
</wsHttpBinding>
</bindings>
<behaviors>
<serviceBehaviors>
<behavior>
<serviceMetadata httpGetEnabled="true"/>
</behavior>
</serviceBehaviors>
</behaviors>
<services>
<service name="Module1.DES.ExternalDataService">
<endpoint binding="wsHttpBinding" bindingNamespace="" contract="Module1.DES.IExternalDataService"/>
</service>
</services>
<serviceHostingEnvironment aspNetCompatibilityEnabled="true" multipleSiteBindingsEnabled="true">
<serviceActivations>
<add relativeAddress="ExternalDataService.svc" service="Module1.DES.ExternalDataService"/>
</serviceActivations>
</serviceHostingEnvironment>
</system.serviceModel>
Hope this helps.

To change the binding namespace you can use a custom factory (instead of the default one provided) where you can change all the properties of the binding:
<serviceActivations>
<add relativeAddress="Foo.svc"
service="BigCorp.Services.Foo, BigCorp.Services"
factory="BigCorp.Services.FooHostFactory, BigCorp.Services"/>
</serviceActivations>
And the factory:
public class FooHostFactory : ServiceHostFactory
{
protected override ServiceHost CreateServiceHost(Type serviceType, Uri[] baseAddresses)
{
return new FooServiceHost(serviceType, baseAddresses);
}
}
public class FooServiceHost : ServiceHost
{
public FooServiceHost(Type serviceType, params Uri[] baseAddresses)
: base(serviceType, baseAddresses) { }
protected override void OnOpening()
{
base.OnOpening();
foreach (ServiceEndpoint endpoint in host.Description.Endpoints)
{
if (!endpoint.IsSystemEndpoint)
{
endpoint.Binding.Namespace = "http://services.bigcorp.com/foo";
}
}
}
}

In your service code, you specify:
[ServiceContract(Namespace="http://your-url")]
public interface IMyInterface { ... }
and you can also specify it for data contracts:
[DataContract(Namespace="http://your-url/data")]
public class MyData { ... }

Besides the obvious change of service/data contract namespaces, you can also set a namespace on the Binding object itself, as well as a namespace on the service description:
Binding binding = new BasicHttpBinding();
binding.Namespace = "urn:binding_ns";
ServiceHost host = new ServiceHost(typeof(MyService), address);
var endpoint = host.AddServiceEndpoint(typeof(IMyService), binding, "");
host.Description.Namespace = "urn:desc_ns";
The latter one is what controls the targetNamespace of the WSDL document itself.

In the end, I used a custom BindingNamespaceAttribute, derived from this example.

If you are using the fileless service activation feature of WCF 4.0 via the serviceActivations config element, then you can override the AddDefaultEndpoints base method in your ServiceHost implementation.
using System;
using System.ServiceModel;
using System.ServiceModel.Description;
namespace MyApp.WS.WCFServiceHost
{
public class MyHostFactory : ServiceHostFactory
{
protected override ServiceHost CreateServiceHost(Type serviceType, Uri[] baseAddresses)
{
return new EDOServiceHost(serviceType, baseAddresses);
}
}
public class MyServiceHost : ServiceHost
{
public EDOServiceHost(Type serviceType, params Uri[] baseAddresses)
: base(serviceType, baseAddresses) { }
public override System.Collections.ObjectModel.ReadOnlyCollection<ServiceEndpoint> AddDefaultEndpoints()
{
var endpoints = base.AddDefaultEndpoints();
foreach (ServiceEndpoint endpoint in endpoints)
{
if (!endpoint.IsSystemEndpoint)
{
endpoint.Binding.Namespace = NamespaceConstants.MyNamespace;
}
}
return endpoints;
}
}
}
Or you could just use config only, the only down side to that is you violate the DRY principle slightly since you now have two points to maintain the namespace string, one in your constants and one in the config file.
In the following example im using the WCFExtrasPlus behaviour to 'flatten' the WSDL. You don't need this if your deploying to a .net 4.5 IIS7 server as you will have access to a flat WSDL anyway which is a new feature built into the 4.5 framework, I digress.
The example also assumes two service contracts and two service behaviour implementations of those contracts.
<system.serviceModel>
<services>
<service name ="MyApp.WS.ServiceBehaviour.Enquiries">
<endpoint bindingNamespace="MyApp.WS" binding="basicHttpBinding" contract="MyApp.WS.ServiceContract.IEnquiries" />
</service>
<service name ="MyApp.WS.ServiceBehaviour.CallLogging">
<endpoint bindingNamespace="MyApp.WS" binding="basicHttpBinding" contract="MyApp.WS.ServiceContract.ICallLogging" />
</service>
</services>
<serviceHostingEnvironment>
<serviceActivations>
<add relativeAddress="Enquiries.svc"
service="MyApp.WS.ServiceBehaviour.Enquiries"
/>
<add relativeAddress="CallLogging.svc"
service="MyApp.WS.ServiceBehaviour.CallLogging"
/>
</serviceActivations>
</serviceHostingEnvironment>
<extensions>
<behaviorExtensions> <!-- The namespace on the service behaviour, the service contract, the data contract and the binding must all be set to the same.-->
<add name="wsdlExtensions" type="WCFExtrasPlus.Wsdl.WsdlExtensionsConfig, WCFExtrasPlus, Version=2.3.1.8201, Culture=neutral, PublicKeyToken=f8633fc5451b43fc" />
</behaviorExtensions>
</extensions>
<behaviors>
<endpointBehaviors>
<behavior>
<wsdlExtensions singleFile="true" />
</behavior>
</endpointBehaviors>
<serviceBehaviors>
<behavior>
<!-- To avoid disclosing metadata information,
set the value below to false and remove the metadata endpoint above before deployment -->
<serviceMetadata httpGetEnabled="True"/>
<!-- To receive exception details in faults for debugging purposes,
set the value below to true. Set to false before deployment
to avoid disclosing exception information -->
<serviceDebug includeExceptionDetailInFaults="True"/>
</behavior>
</serviceBehaviors>
</behaviors>
</system.serviceModel>
For reference the service contracts;
[ServiceBehavior(Namespace = NamespaceConstants.MyNamespace)]
public class CallLogging : ICallLogging
{
}
[ServiceBehavior(Namespace = NamespaceConstants.MyNamespace)]
public class Enquiries : IEnquiries
{
}
NB: A namespace does not need http:// in its name. It can be the namespace of your project if you like i.e. MyApp.MyProject.Somthing . See URN

My IIS does not recognize my WCF custom binding

Today, I have a problem with hosting my custom service host using custom binding. I have tried to implement ServiceHostFactory but when i right click to view with in browser, the error appeared as IIS does not recognize my custom binding (duplexHttpBinding).
My web.config is here:
<services>
<service name="TestWcf.Service1"
behaviorConfiguration="Service1Behavior">
<host>
<baseAddresses>
<add baseAddress="http://localhost:8888/Service1"/>
</baseAddresses>
</host>
<endpoint
address="http://localhost:9999/Service1"
binding="duplexHttpBinding"
bindingConfiguration="binding1"
contract="TestWcf.IService" />
</service>
</services>
<bindings>
<duplexHttpBinding>
<binding name="binding1"
closeTimeout="00:01:00"
openTimeout="00:01:00"
receiveTimeout="24.20:31:23.6470000"
sendTimeout="02:01:00"
session="ReliableSession"
sessionTimeout="00:10:00"
maxUndeliveredMessages="100"
maxMessagesInBatch="10"
maxPollingReplyInterval="00:02:00">
</binding>
</duplexHttpBinding>
</bindings>
<behaviors>
<serviceBehaviors>
<behavior name="Service1Behavior">
<serviceMetadata httpGetEnabled="True" />
<serviceDebug includeExceptionDetailInFaults="True" />
</behavior>
</serviceBehaviors>
</behaviors>
and code in dervied class is here:
public class CustomServiceHost : ServiceHostFactory
{
public override ServiceHostBase CreateServiceHost(string service, Uri[] baseAddresses)
{
DuplexHttpBinding binding = new DuplexHttpBinding();
binding.Name = "binding1";
Uri baseAddress = new Uri("http://localhost:8888/Service1");
Uri address = new Uri("http://localhost:9999/Service1");
ServiceHost serviceHost = new ServiceHost(typeof(Service1), baseAddresses);
serviceHost.AddServiceEndpoint(typeof(IService1), binding, address);
return serviceHost;
}
}
and in SVC file
<%# ServiceHost Language="C#" Debug="true" Service="TestWcf.Service1" Factory="TestWcf.CustomServiceHost" %>
Do I miss something in the context?
Thank you.

You must register new binding as binding extension in your configuration file.

How to declaratively implement custom IAuthorizationPolicy in WCF?

I have a WCF service that is hosted in IIS. I want to use my own IAuthorizationPolicy, and have it configured in the web.config file on the server. I have my auth policy:
namespace MyLib.WCF
{
public class CustomAuthorizationPolicy : IAuthorizationPolicy
{
public CustomAuthorizationPolicy()
{
this.Id = Guid.NewGuid().ToString();
}
public bool Evaluate(EvaluationContext evaluationContext, ref object state)
{
throw new ApplicationException("Testing custom auth");
}
...
}
}
And in my web.config:
<service behaviorConfiguration="Behavior" name="MyService">
<endpoint address="" binding="wsHttpBinding" contract="IMyService"/>
<endpoint address="mex" binding="mexHttpBinding" contract="IMetadataExchange"/>
</service>
<serviceBehaviors>
<behavior name="Behavior">
<serviceAuthorization principalPermissionMode="Custom">
<authorizationPolicies>
<add policyType="MyLib.WCF.CustomAuthorizationPolicy, MyLib.WCF, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
</authorizationPolicies>
</serviceAuthorization>
</behavior>
</serviceBehaviors>
But my CustomAuthorizationPolicy.Evaluate() method never fires. What am I missing?

Well, the obvious (silly) question is: in your <service>, do you actually reference your behavior configuration??
I.e. do you have:
<system.serviceModel>
....
<service name="YourService" behaviorConfiguration="Behavior">
....
</service>
....
</system.serviceModel>
Just defining all your stuff is nice and well - but unless you've actually referenced it, it won't do you any good (been there, done that myself, too! :-) )
Second (almost as silly) question would be: what binding and security config do you use?? Have you even turned on security at all? If you have <security mode="None">, then your service authorization will obviously never be used, either (since no credentials are being passed to the service at all).
Marc