By using this site, you agree to our updated Privacy Policy and our Terms of Use. Manage your Cookies Settings.
448,967 Members | 1,625 Online
Bytes IT Community
+ Ask a Question
Need help? Post your question and get tips & solutions from a community of 448,967 IT Pros & Developers. It's quick & easy.

WCF SOAP Router Including Credentials

P: n/a
Hello,

I've been trying to create a WCF SOAP Router Service that can forward not
just the message body but also any security headers set by the originator of
the message. The destination service I'm routing messages to uses
WSHttpBinding, SSL with UserName/Password client credentials. Using guidance
from the Technology samples I can create a router that forwards messages
without security credentils but not with them. Can anybody point me in the
right direction... should I be creating a custom channel to handle this? or
is there a bundle of framework classes I should use?

Deployment scenario : Consumer connects to a router service on a DMZ (Out of
Domain). The router service is unable to authenticate the users of the
service. Router determins the correct destination service and forwards SOAP
message + security credentials. Destination service impersonates consumer and
replys to the message.

Any help or guidance would be appreciated!

Thanks,

Jimmer
Nov 25 '07 #1
Share this Question
Share on Google+
5 Replies


P: n/a
Hi Jimmer,

From your descrpition, you're using the WCF "Intermediary Router" feature
and currently wondering how to apply security on the messages transfered in
router scenario, correct?

As for the message routering in WCF, I think it is a XML Webservice/SOAP
specific feature introducted from the WSE 3.0. WSE 3.0 also support message
routering and for security, it is implemented in the following means:

** security header directly forwarded from client to server(ignore the
intermediate router) is not supported

** you need to configure the security assertion(policy) for message
transfering between
1) client <-----router and 2) router <-----server

So far, I haven't find any confirmation on the WCF which also support this
kind of security setting. I'll perform some further research to see whether
this kind of security is also supported in WCF.

BTW, as you mentioned SSL, are you using https/ssl for transport security?
If so, this is certainly supported only in port to port case, you can not
establish ssl/https connecction across multiple nodes(client, router and
server).

I'll update you if I get any more information on this.

Sincerely,

Steven Cheng

Microsoft MSDN Online Support Lead

==================================================

Get notification to my posts through email? Please refer to
http://msdn.microsoft.com/subscripti...ult.aspx#notif
ications.

Note: The MSDN Managed Newsgroup support offering is for non-urgent issues
where an initial response from the community or a Microsoft Support
Engineer within 1 business day is acceptable. Please note that each follow
up response may take approximately 2 business days as the support
professional working with you may need further investigation to reach the
most efficient resolution. The offering is not appropriate for situations
that require urgent, real-time or phone-based interactions or complex
project analysis and dump analysis issues. Issues of this nature are best
handled working with a dedicated Microsoft Support Engineer by contacting
Microsoft Customer Support Services (CSS) at
http://msdn.microsoft.com/subscripti...t/default.aspx.

==================================================
This posting is provided "AS IS" with no warranties, and confers no rights.

--------------------
From: =?Utf-8?B?SmltbWVy?= <Ji****@community.nospam>
Subject: WCF SOAP Router Including Credentials
Date: Sun, 25 Nov 2007 11:30:00 -0800
Hello,

I've been trying to create a WCF SOAP Router Service that can forward not
just the message body but also any security headers set by the originator
of
the message. The destination service I'm routing messages to uses
WSHttpBinding, SSL with UserName/Password client credentials. Using
guidance
from the Technology samples I can create a router that forwards messages
without security credentils but not with them. Can anybody point me in the
right direction... should I be creating a custom channel to handle this? or
is there a bundle of framework classes I should use?

Deployment scenario : Consumer connects to a router service on a DMZ (Out
of
Domain). The router service is unable to authenticate the users of the
service. Router determins the correct destination service and forwards SOAP
message + security credentials. Destination service impersonates consumer
and
replys to the message.

Any help or guidance would be appreciated!

Thanks,

Jimmer

Nov 26 '07 #2

P: n/a

Steven, thanks for the reply.
From your descrpition, you're using the WCF "Intermediary Router" feature
and currently wondering how to apply security on the messages transfered in
router scenario, correct?
Correct. The router should just forward the message from the client
including the clients security headers. The way I've got it working at the
moment is to implement a custom credentials validator on the router and store
the password (encrypted). These credentials are then used to create a channel
to the destination service for every operation call per user! This could be
improved by having one channel per destination service which is user
agnostic. The channel could then be reused without the overhead of creating a
channel every time an operation is called on the router.
BTW, as you mentioned SSL, are you using https/ssl for transport security?
If so, this is certainly supported only in port to port case, you can not
establish ssl/https connecction across multiple nodes(client, router and
server).
Yea, I've got certificates everywhere!! The router server has its own
certificate and the destination server has its own certificate. IIS on the
DMZ and self hosted on the destination server. The external service consumers
are only aware of the router address in an attempt to shield the domain
environment.

Any information on a better way forward will be well received!

Thanks,

Jimmer
"Steven Cheng[MSFT]" wrote:
Hi Jimmer,

From your descrpition, you're using the WCF "Intermediary Router" feature
and currently wondering how to apply security on the messages transfered in
router scenario, correct?

As for the message routering in WCF, I think it is a XML Webservice/SOAP
specific feature introducted from the WSE 3.0. WSE 3.0 also support message
routering and for security, it is implemented in the following means:

** security header directly forwarded from client to server(ignore the
intermediate router) is not supported

** you need to configure the security assertion(policy) for message
transfering between
1) client <-----router and 2) router <-----server

So far, I haven't find any confirmation on the WCF which also support this
kind of security setting. I'll perform some further research to see whether
this kind of security is also supported in WCF.

BTW, as you mentioned SSL, are you using https/ssl for transport security?
If so, this is certainly supported only in port to port case, you can not
establish ssl/https connecction across multiple nodes(client, router and
server).

I'll update you if I get any more information on this.

Sincerely,

Steven Cheng

Microsoft MSDN Online Support Lead

==================================================

Get notification to my posts through email? Please refer to
http://msdn.microsoft.com/subscripti...ult.aspx#notif
ications.

Note: The MSDN Managed Newsgroup support offering is for non-urgent issues
where an initial response from the community or a Microsoft Support
Engineer within 1 business day is acceptable. Please note that each follow
up response may take approximately 2 business days as the support
professional working with you may need further investigation to reach the
most efficient resolution. The offering is not appropriate for situations
that require urgent, real-time or phone-based interactions or complex
project analysis and dump analysis issues. Issues of this nature are best
handled working with a dedicated Microsoft Support Engineer by contacting
Microsoft Customer Support Services (CSS) at
http://msdn.microsoft.com/subscripti...t/default.aspx.

==================================================
This posting is provided "AS IS" with no warranties, and confers no rights.

--------------------
From: =?Utf-8?B?SmltbWVy?= <Ji****@community.nospam>
Subject: WCF SOAP Router Including Credentials
Date: Sun, 25 Nov 2007 11:30:00 -0800
Hello,

I've been trying to create a WCF SOAP Router Service that can forward not
just the message body but also any security headers set by the originator
of
the message. The destination service I'm routing messages to uses
WSHttpBinding, SSL with UserName/Password client credentials. Using
guidance
from the Technology samples I can create a router that forwards messages
without security credentils but not with them. Can anybody point me in the
right direction... should I be creating a custom channel to handle this? or
is there a bundle of framework classes I should use?

Deployment scenario : Consumer connects to a router service on a DMZ (Out
of
Domain). The router service is unable to authenticate the users of the
service. Router determins the correct destination service and forwards SOAP
message + security credentials. Destination service impersonates consumer
and
replys to the message.

Any help or guidance would be appreciated!

Thanks,

Jimmer
Nov 26 '07 #3

P: n/a
Sure. I am currently discussing with some other WCF engineers to see
whether they have any suggestion on this. Will keep you update.

Sincerely,

Steven Cheng

Microsoft MSDN Online Support Lead
This posting is provided "AS IS" with no warranties, and confers no rights.

--------------------
From: =?Utf-8?B?SmltbWVy?= <Ji****@community.nospam>
References: <AB**********************************@microsoft.co m>
<bY**************@TK2MSFTNGHUB02.phx.gbl>
Subject: RE: WCF SOAP Router Including Credentials
Date: Mon, 26 Nov 2007 03:04:01 -0800
Steven, thanks for the reply.
From your descrpition, you're using the WCF "Intermediary Router" feature
and currently wondering how to apply security on the messages transfered
in
router scenario, correct?
Correct. The router should just forward the message from the client
including the clients security headers. The way I've got it working at the
moment is to implement a custom credentials validator on the router and
store
the password (encrypted). These credentials are then used to create a
channel
to the destination service for every operation call per user! This could
be
improved by having one channel per destination service which is user
agnostic. The channel could then be reused without the overhead of creating
a
channel every time an operation is called on the router.
BTW, as you mentioned SSL, are you using https/ssl for transport
security?
If so, this is certainly supported only in port to port case, you can not
establish ssl/https connecction across multiple nodes(client, router and
server).
Yea, I've got certificates everywhere!! The router server has its own
certificate and the destination server has its own certificate. IIS on the
DMZ and self hosted on the destination server. The external service
consumers
are only aware of the router address in an attempt to shield the domain
environment.

Any information on a better way forward will be well received!

Thanks,

Jimmer
"Steven Cheng[MSFT]" wrote:
Hi Jimmer,

From your descrpition, you're using the WCF "Intermediary Router" feature
and currently wondering how to apply security on the messages transfered
in
router scenario, correct?

As for the message routering in WCF, I think it is a XML Webservice/SOAP
specific feature introducted from the WSE 3.0. WSE 3.0 also support
message
routering and for security, it is implemented in the following means:

** security header directly forwarded from client to server(ignore the
intermediate router) is not supported

** you need to configure the security assertion(policy) for message
transfering between
1) client <-----router and 2) router <-----server

So far, I haven't find any confirmation on the WCF which also support
this
kind of security setting. I'll perform some further research to see
whether
this kind of security is also supported in WCF.

BTW, as you mentioned SSL, are you using https/ssl for transport
security?
If so, this is certainly supported only in port to port case, you can not
establish ssl/https connecction across multiple nodes(client, router and
server).

I'll update you if I get any more information on this.

Sincerely,

Steven Cheng

Microsoft MSDN Online Support Lead

==================================================

Get notification to my posts through email? Please refer to
http://msdn.microsoft.com/subscripti...ult.aspx#notif
ications.

Note: The MSDN Managed Newsgroup support offering is for non-urgent
issues
where an initial response from the community or a Microsoft Support
Engineer within 1 business day is acceptable. Please note that each
follow
up response may take approximately 2 business days as the support
professional working with you may need further investigation to reach the
most efficient resolution. The offering is not appropriate for situations
that require urgent, real-time or phone-based interactions or complex
project analysis and dump analysis issues. Issues of this nature are best
handled working with a dedicated Microsoft Support Engineer by contacting
Microsoft Customer Support Services (CSS) at
http://msdn.microsoft.com/subscripti...t/default.aspx.

==================================================
This posting is provided "AS IS" with no warranties, and confers no
rights.
>
--------------------
From: =?Utf-8?B?SmltbWVy?= <Ji****@community.nospam>
Subject: WCF SOAP Router Including Credentials
Date: Sun, 25 Nov 2007 11:30:00 -0800
Hello,

I've been trying to create a WCF SOAP Router Service that can forward not
just the message body but also any security headers set by the originator
of
the message. The destination service I'm routing messages to uses
WSHttpBinding, SSL with UserName/Password client credentials. Using
guidance
from the Technology samples I can create a router that forwards messages
without security credentils but not with them. Can anybody point me in
the
right direction... should I be creating a custom channel to handle this?
or
is there a bundle of framework classes I should use?

Deployment scenario : Consumer connects to a router service on a DMZ (Out
of
Domain). The router service is unable to authenticate the users of the
service. Router determins the correct destination service and forwards
SOAP
message + security credentials. Destination service impersonates consumer
and
replys to the message.

Any help or guidance would be appreciated!

Thanks,

Jimmer
Nov 28 '07 #4

P: n/a
Hi Jimmer,

After some further discussing with some other engineers, I'm afraid there
hasn't a direct means to make those security assertion flow from client to
backend(bypass the intermedate router). The reasonable way is to implement
security assertion on both stages(client <---router and router <--->
server).

Sincerely,

Steven Cheng

Microsoft MSDN Online Support Lead
This posting is provided "AS IS" with no warranties, and confers no rights.

--------------------

Content-Transfer-Encoding: 7bit
From: st*****@online.microsoft.com (Steven Cheng[MSFT])
Organization: Microsoft
Date: Wed, 28 Nov 2007 04:16:46 GMT
Subject: RE: WCF SOAP Router Including Credentials

Sure. I am currently discussing with some other WCF engineers to see
whether they have any suggestion on this. Will keep you update.

Sincerely,

Steven Cheng

Microsoft MSDN Online Support Lead
This posting is provided "AS IS" with no warranties, and confers no rights.

--------------------
From: =?Utf-8?B?SmltbWVy?= <Ji****@community.nospam>
References: <AB**********************************@microsoft.co m>
<bY**************@TK2MSFTNGHUB02.phx.gbl>
Subject: RE: WCF SOAP Router Including Credentials
Date: Mon, 26 Nov 2007 03:04:01 -0800
Steven, thanks for the reply.
From your descrpition, you're using the WCF "Intermediary Router" feature
and currently wondering how to apply security on the messages transfered
in
router scenario, correct?
Correct. The router should just forward the message from the client
including the clients security headers. The way I've got it working at the
moment is to implement a custom credentials validator on the router and
store
the password (encrypted). These credentials are then used to create a
channel
to the destination service for every operation call per user! This could
be
improved by having one channel per destination service which is user
agnostic. The channel could then be reused without the overhead of creating
a
channel every time an operation is called on the router.
BTW, as you mentioned SSL, are you using https/ssl for transport
security?
If so, this is certainly supported only in port to port case, you can not
establish ssl/https connecction across multiple nodes(client, router and
server).
Yea, I've got certificates everywhere!! The router server has its own
certificate and the destination server has its own certificate. IIS on the
DMZ and self hosted on the destination server. The external service
consumers
are only aware of the router address in an attempt to shield the domain
environment.

Any information on a better way forward will be well received!

Thanks,

Jimmer
"Steven Cheng[MSFT]" wrote:
Hi Jimmer,

From your descrpition, you're using the WCF "Intermediary Router" feature
and currently wondering how to apply security on the messages transfered
in
router scenario, correct?

As for the message routering in WCF, I think it is a XML Webservice/SOAP
specific feature introducted from the WSE 3.0. WSE 3.0 also support
message
routering and for security, it is implemented in the following means:

** security header directly forwarded from client to server(ignore the
intermediate router) is not supported

** you need to configure the security assertion(policy) for message
transfering between
1) client <-----router and 2) router <-----server

So far, I haven't find any confirmation on the WCF which also support
this
kind of security setting. I'll perform some further research to see
whether
this kind of security is also supported in WCF.

BTW, as you mentioned SSL, are you using https/ssl for transport
security?
If so, this is certainly supported only in port to port case, you can not
establish ssl/https connecction across multiple nodes(client, router and
server).

I'll update you if I get any more information on this.

Sincerely,

Steven Cheng

Microsoft MSDN Online Support Lead

==================================================

Get notification to my posts through email? Please refer to
http://msdn.microsoft.com/subscripti...ult.aspx#notif
ications.

Note: The MSDN Managed Newsgroup support offering is for non-urgent
issues
where an initial response from the community or a Microsoft Support
Engineer within 1 business day is acceptable. Please note that each
follow
up response may take approximately 2 business days as the support
professional working with you may need further investigation to reach the
most efficient resolution. The offering is not appropriate for situations
that require urgent, real-time or phone-based interactions or complex
project analysis and dump analysis issues. Issues of this nature are best
handled working with a dedicated Microsoft Support Engineer by contacting
Microsoft Customer Support Services (CSS) at
http://msdn.microsoft.com/subscripti...t/default.aspx.

==================================================
This posting is provided "AS IS" with no warranties, and confers no
rights.
>
--------------------
From: =?Utf-8?B?SmltbWVy?= <Ji****@community.nospam>
Subject: WCF SOAP Router Including Credentials
Date: Sun, 25 Nov 2007 11:30:00 -0800
Hello,

I've been trying to create a WCF SOAP Router Service that can forward not
just the message body but also any security headers set by the originator
of
the message. The destination service I'm routing messages to uses
WSHttpBinding, SSL with UserName/Password client credentials. Using
guidance
from the Technology samples I can create a router that forwards messages
without security credentils but not with them. Can anybody point me in
the
right direction... should I be creating a custom channel to handle this?
or
is there a bundle of framework classes I should use?

Deployment scenario : Consumer connects to a router service on a DMZ (Out
of
Domain). The router service is unable to authenticate the users of the
service. Router determins the correct destination service and forwards
SOAP
message + security credentials. Destination service impersonates consumer
and
replys to the message.

Any help or guidance would be appreciated!

Thanks,

Jimmer


Nov 30 '07 #5

P: n/a
OK Steven, thanks for you time.

"Steven Cheng[MSFT]" wrote:
Hi Jimmer,

After some further discussing with some other engineers, I'm afraid there
hasn't a direct means to make those security assertion flow from client to
backend(bypass the intermedate router). The reasonable way is to implement
security assertion on both stages(client <---router and router <--->
server).

Sincerely,

Steven Cheng

Microsoft MSDN Online Support Lead
This posting is provided "AS IS" with no warranties, and confers no rights.

--------------------

Content-Transfer-Encoding: 7bit
From: st*****@online.microsoft.com (Steven Cheng[MSFT])
Organization: Microsoft
Date: Wed, 28 Nov 2007 04:16:46 GMT
Subject: RE: WCF SOAP Router Including Credentials

Sure. I am currently discussing with some other WCF engineers to see
whether they have any suggestion on this. Will keep you update.

Sincerely,

Steven Cheng

Microsoft MSDN Online Support Lead
This posting is provided "AS IS" with no warranties, and confers no rights.

--------------------
From: =?Utf-8?B?SmltbWVy?= <Ji****@community.nospam>
References: <AB**********************************@microsoft.co m>
<bY**************@TK2MSFTNGHUB02.phx.gbl>
Subject: RE: WCF SOAP Router Including Credentials
Date: Mon, 26 Nov 2007 03:04:01 -0800
Steven, thanks for the reply.
From your descrpition, you're using the WCF "Intermediary Router" feature
and currently wondering how to apply security on the messages transfered
in
router scenario, correct?

Correct. The router should just forward the message from the client
including the clients security headers. The way I've got it working at the
moment is to implement a custom credentials validator on the router and
store
the password (encrypted). These credentials are then used to create a
channel
to the destination service for every operation call per user! This could
be
improved by having one channel per destination service which is user
agnostic. The channel could then be reused without the overhead of creating
a
channel every time an operation is called on the router.
BTW, as you mentioned SSL, are you using https/ssl for transport
security?
If so, this is certainly supported only in port to port case, you can not
establish ssl/https connecction across multiple nodes(client, router and
server).

Yea, I've got certificates everywhere!! The router server has its own
certificate and the destination server has its own certificate. IIS on the
DMZ and self hosted on the destination server. The external service
consumers
are only aware of the router address in an attempt to shield the domain
environment.

Any information on a better way forward will be well received!

Thanks,

Jimmer
"Steven Cheng[MSFT]" wrote:
Hi Jimmer,

From your descrpition, you're using the WCF "Intermediary Router" feature
and currently wondering how to apply security on the messages transfered
in
router scenario, correct?

As for the message routering in WCF, I think it is a XML Webservice/SOAP
specific feature introducted from the WSE 3.0. WSE 3.0 also support
message
routering and for security, it is implemented in the following means:

** security header directly forwarded from client to server(ignore the
intermediate router) is not supported

** you need to configure the security assertion(policy) for message
transfering between
1) client <-----router and 2) router <-----server

So far, I haven't find any confirmation on the WCF which also support
this
kind of security setting. I'll perform some further research to see
whether
this kind of security is also supported in WCF.

BTW, as you mentioned SSL, are you using https/ssl for transport
security?
If so, this is certainly supported only in port to port case, you can not
establish ssl/https connecction across multiple nodes(client, router and
server).

I'll update you if I get any more information on this.

Sincerely,

Steven Cheng

Microsoft MSDN Online Support Lead

==================================================

Get notification to my posts through email? Please refer to
http://msdn.microsoft.com/subscripti...ult.aspx#notif
ications.

Note: The MSDN Managed Newsgroup support offering is for non-urgent
issues
where an initial response from the community or a Microsoft Support
Engineer within 1 business day is acceptable. Please note that each
follow
up response may take approximately 2 business days as the support
professional working with you may need further investigation to reach the
most efficient resolution. The offering is not appropriate for situations
that require urgent, real-time or phone-based interactions or complex
project analysis and dump analysis issues. Issues of this nature are best
handled working with a dedicated Microsoft Support Engineer by contacting
Microsoft Customer Support Services (CSS) at
http://msdn.microsoft.com/subscripti...t/default.aspx.

==================================================
This posting is provided "AS IS" with no warranties, and confers no
rights.

--------------------
From: =?Utf-8?B?SmltbWVy?= <Ji****@community.nospam>
Subject: WCF SOAP Router Including Credentials
Date: Sun, 25 Nov 2007 11:30:00 -0800
Hello,

I've been trying to create a WCF SOAP Router Service that can forward not
just the message body but also any security headers set by the originator
of
the message. The destination service I'm routing messages to uses
WSHttpBinding, SSL with UserName/Password client credentials. Using
guidance
from the Technology samples I can create a router that forwards messages
without security credentils but not with them. Can anybody point me in
the
right direction... should I be creating a custom channel to handle this?
or
is there a bundle of framework classes I should use?

Deployment scenario : Consumer connects to a router service on a DMZ (Out
of
Domain). The router service is unable to authenticate the users of the
service. Router determins the correct destination service and forwards
SOAP
message + security credentials. Destination service impersonates consumer
and
replys to the message.

Any help or guidance would be appreciated!

Thanks,

Jimmer


Dec 4 '07 #6

This discussion thread is closed

Replies have been disabled for this discussion.