Listing 4 shows the code for the TokenValidator constructor.
Example 4. TokenValidator Constructor
```csharp
public TokenValidator(string acsHostName, string trustedSolution,
                      string trustedAudienceValue, byte[] trustedSigningKey)
{
    this.acsHostName = acsHostName;
    this.trustedSigningKey = trustedSigningKey;
    this.trustedTokenIssuer = new Uri(string.Format(
        CultureInfo.InvariantCulture,
        "https://{0}.{1}/WRAPv0.8", trustedSolution, acsHostName));
    this.trustedAudienceValue = new Uri(trustedAudienceValue);
}
```
In Listing 4, trustedSolution represents your ACS service namespace, trustedAudienceValue represents the destination URL where the ACS token will be sent, and trustedSigningKey represents the token policy key associated with the token issuer you trust. In this case, the authority is ACS. Listing 5 shows the code for the Validate() method used to validate the token issued by ACS.
Example 5. TokenValidator Validate Method
```csharp
public bool Validate(string token)
{
    if (!this.IsHMACValid(token, this.trustedSigningKey)) { return false; }
    if (this.IsExpired(token)) { return false; }
    if (!this.IsIssuerTrusted(token)) { return false; }
    if (!this.IsAudienceTrusted(token)) { return false; }
    return true;
}
```
The Validate() method checks the token signature (HMAC), token expiration, issuer validity, and the intended audience of the token. If all the checks pass, the method returns true. The utility functions IsHMACValid(), IsExpired(), IsIssuerTrusted(), and IsAudienceTrusted() drill down into the SWT token format to examine each of those properties in turn.
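To make the four checks concrete, here is an added stand-alone Python sketch of the same validation (illustrative code, not the book's or ACS's). It assumes the SWT is a form-encoded list of name=value pairs whose last pair is HMACSHA256=<base64 signature> computed over everything before that pair, that ExpiresOn holds Unix epoch seconds, and that the signing key is the raw bytes of the token policy key; the key, issuer and audience values are constructed for the demo.

```python
import base64
import hashlib
import hmac
from urllib.parse import parse_qsl, quote

SIG = "HMACSHA256"  # name of the SWT signature parameter
# Constructed demo values (not the book's key); issuer/audience follow Listings 4 and 6
KEY = b"constructed-demo-key-not-for-production"
ISSUER = "https://proazure-1.accesscontrol.windows.net/WRAPv0.8"
AUDIENCE = "http://localhost/acsexample"

def sign_swt(claims, key):
    """Issuer side: form-encode the claims, then append &HMACSHA256=<sig>,
    where the HMAC-SHA256 covers everything before that final parameter."""
    body = "&".join(f"{quote(k, safe='')}={quote(v, safe='')}" for k, v in claims.items())
    mac = hmac.new(key, body.encode("utf-8"), hashlib.sha256).digest()
    return f"{body}&{SIG}={quote(base64.b64encode(mac).decode('ascii'), safe='')}"

def claims_of(token):
    """Parse the form-encoded token into a claim dictionary (values URL-decoded)."""
    return dict(parse_qsl(token, keep_blank_values=True))

def is_hmac_valid(token, key):
    """Recompute the HMAC over the signed prefix and compare in constant time."""
    idx = token.rfind("&" + SIG + "=")
    if idx < 0:
        return False  # an unsigned token is never valid
    mac = hmac.new(key, token[:idx].encode("utf-8"), hashlib.sha256).digest()
    expected = base64.b64encode(mac).decode("ascii")
    return hmac.compare_digest(expected, claims_of(token).get(SIG, ""))

def is_expired(claims, now):
    """ExpiresOn is Unix epoch seconds; missing or malformed counts as expired."""
    try:
        return int(claims["ExpiresOn"]) <= now
    except (KeyError, ValueError):
        return True

def validate(token, key, trusted_issuer, trusted_audience, now):
    """The four checks of TokenValidator.Validate(), in the same order.
    Signature first, so no unsigned claim is ever consulted."""
    if not is_hmac_valid(token, key):
        return False
    claims = claims_of(token)
    if is_expired(claims, now):
        return False
    if claims.get("Issuer") != trusted_issuer:
        return False
    return claims.get("Audience") == trusted_audience
```

The clock is passed in as `now` so the expiry check can be exercised deterministically; a service would pass the current epoch time.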
The Program.cs file in the Service project includes the startup logic for the web service. Listing 6 shows the web service startup code.
Example 6. Web Service Startup Code
```csharp
class Program
{
    const string serviceNamespace = "proazure-1";
    const string trustedTokenPolicyKey = "peCRAARL9t/oji4/CWvVKLNcS2KOMiRnHscdcw5HDJQ=";
    const string acsHostName = "accesscontrol.windows.net";
    const string trustedAudience = "http://localhost/acsexample";
    const string requiredClaimType = "action";

    static void Main()
    {
        WebHttpBinding binding = new WebHttpBinding(WebHttpSecurityMode.None);
        Uri address = new Uri(trustedAudience);
        WebServiceHost host = new WebServiceHost(typeof(ACSExample));
        host.AddServiceEndpoint(typeof(IACSExample), binding, address);
        host.Authorization.ServiceAuthorizationManager = new ACSAuthorizationManager(
            acsHostName, serviceNamespace, trustedAudience,
            Convert.FromBase64String(trustedTokenPolicyKey), requiredClaimType);
        host.Open();
        Console.WriteLine("The ACSExample Service is listening");
        Console.WriteLine("Press <ENTER> to exit");
        Console.ReadLine();
        host.Close();
    }
}
```
In Listing 6, trustedTokenPolicyKey is the token policy key created when you create the token policy. requiredClaimType is the claim type that the web service expects from the SWT issued by ACS. Note that the ServiceAuthorizationManager property of the host.Authorization object is set to the custom class ACSAuthorizationManager. When you set this property, the method call to the web service is automatically intercepted for validation purposes. The web service is now ready to accept and process SWT tokens from ACS. Listing 7 shows the interface of the web service.
Example 7. ACSMachineInfo Interface
```csharp
[ServiceContract]
public interface IACSExample
{
    [OperationContract]
    [WebGet(UriTemplate = "getmachinename")]
    string GetMachineName();

    [OperationContract]
    [WebGet(UriTemplate = "getuserdomainname")]
    string GetUserDomainName();

    [OperationContract]
    [WebGet(UriTemplate = "getosversion")]
    string GetOSVersion();

    [OperationContract]
    [WebGet(UriTemplate = "encodestring?data={data}")]
    byte[] EncodeString(string data);
}
```
The UriTemplate property represents the value that is returned when you call the WebOperationContext.Current.IncomingRequest.UriTemplateMatch.RelativePathSegments.First() method in the TokenValidator.CheckAccessCore() method.