An introduction to the Azure AppFabric
WebDay, Porto, Feb. 2, 2010
Pedro Félix
(pedrofelix em cc.isel.ipl.pt)
Azure AppFabric
• Set of services
– Service Bus (SB)
– Access Control Service (ACS)
• Running in the cloud
– Based on Windows Azure Platform
• Providing
– SB : Service Connectivity, Addressability and Discoverability
– ACS : Service Access Control
A Motivating Scenario
CloudTrack
• Issue Tracker web app
• Cloud-based
• Multi-tenant
[Diagram labels: CloudTrack, Fabrikam, Contoso, "Create/view issues", "View/manage issues"]
Connectivity challenges
[Diagram labels: CloudTrack, "FW, NAT, …" (twice), "Notify new issue", "Fetch trace data", "Create new issue"]
Challenges
• Addressability and discoverability
– Private addresses and Network Address Translation (NAT)
– Dynamic addresses (e.g. ISP)
• Connectivity
– Firewalls (denial of inbound connections)
– Event distribution
– Transient connectivity
Service Bus
[Diagram labels: outbound, inbound, address?]
Service Bus
“All problems in computer science can be solved by another level of indirection”
Butler Lampson
[Diagram labels: inbound, Service Bus, outbound]
Connectivity and addressability
• Relay
– Service “listens” on the SB via outbound connection
– Client “sends” to the SB
– SB relays between client and service
[Diagram labels: outbound, Service Bus, sends, public address, listens]
Naming and discovery
• Naming
– Service is exposed via a public name
– Local DNS binds these public names to IP addresses
– Local registry describes available public names
[Diagram labels: outbound, Service Bus, public name, Registry, DNS, sends, listens]
Naming and discovery
• Naming
– Public service namespaces
– One Azure project – multiple service namespaces
– {scheme}://{namespace}.servicebus.windows.net/{relpath}
• Registry
– Mapping between URIs and services
– Readable via HTTP+ATOM
Buffering
• Buffering
– One-way messaging
– Temporal decoupling
[Diagram labels: outbound, public name, sends, listens]
Eventing (pub-sub)
• Eventing – multicast
– One-way messages
– Multiple listeners
– Message distribution - multicast
[Diagram labels: outbound, Service Bus, sends, listens (two listeners)]
Security
• Access Control
– Both “listen” and “send” subject to access control
– Programmable authorization policy, defined by ACS
• Isolation – SB is the DMZ
[Diagram labels: outbound, Service Bus, ACS, sends, listens]
WCF architecture
[Diagram: client side (User code, Protocol, Protocol, Encoding, Transport) and service side (Transport, Encoding, Protocol, Protocol, Dispatcher, Service Impl.); each layer is paired with a Binding element, and the binding elements together form the Binding]
• Channel stack with transport and protocol channels
• Channels described by binding elements
• One binding contains several binding elements
WCF and SB
[Diagram: WCF client side (User code, Protocol, Protocol, Encoding, Transport) and service side (Transport, Encoding, Protocol, Protocol, Dispatcher, Service Impl.) with their Binding elements and Binding, plus a ServiceBus label]
• New bindings
– New transport channels and binding elements
• New behaviors
Bindings
• WebHttpRelayBinding
– HTTP (Web programming model)
– Client interoperability
• BasicHttpRelayBinding and WS2007HttpRelayBinding
– SOAP over HTTP (basic profile | WS-*)
– Client interoperability
• NetTcpRelayBinding
– Similar to NetTcpBinding (request-response and duplex)
• NetOnewayRelayBinding and NetEventRelayBinding
– One-way with buffering and multicast
Binding elements
• Http(s)RelayTransportBindingElement
• TcpRelayTransportBindingElement
• RelayedOnewayTransportBindingElement
Demo
http://demos-pfelix.servicebus.windows.net/webday
Access Control Service
• Identity and access control
• Distributed systems
– Decentralized authority
– Heterogeneous technologies
• Claims-based model
• SB integration
Identity and Authorization
[Diagram labels: creds, Contoso::Alice, Contoso::LeadDev, webapp::IssueView, webapp::IssueMgr]
Centralized Solution
[Diagram labels: webapp (IssueTracker), MembershipProvider, RoleProvider, IPrincipal.IsInRole(...), creds, Contoso::Alice, Contoso::LeadDev, webapp::IssueView, webapp::IssueMgr]
Decentralized Authority
[Diagram labels: webapp (IssueTracker), Contoso Authority, creds, Contoso::Alice, Contoso::LeadDev, webapp::IssueView, webapp::IssueMgr]
Decentralized Authority
[Diagram labels: Contoso Identity Provider, webapp, Identity, Directory, creds, Contoso::Alice, Contoso::LeadDev, webapp::IssueView, webapp::IssueMgr]
Decision Enforcement
[Diagram labels: Contoso, webapp, Service, ServiceBus, creds, Contoso::Alice, Contoso::LeadDev, webapp::IssueView, webapp::IssueMgr, webapp::SB.Listen, Authorization Decision, Authorization Enforcement (twice), Identity Information]
Access Control Service
[Diagram labels: Contoso, Access Control Service, webapp, SB, creds, Alice, Contoso::LeadDev, webapp::IssueView, webapp::SB.Listen, Identity Provider, Authorization Decision, Authorization Enforcement]
Access Control Service
• Claims-based Identity and Access Control
• Claims transformer (“claims in, claims out”)
– Consumes claims from federated issuers
– Provides claims to applications and services
• Rule based issuance policy
– Rule: If has claim1 then output claim2
• Not an identity provider
– Does not manage users’ identities
Protocols and technologies
• AppFabric 1.0
– OAuth WRAP (Web Resource Authorization Protocol)
– Simple Web Token
• Future (and past)?
– WS-Federation – “passive” (browser based) federation
– WS-Trust – “active” (SOAP based) federation
– LiveID integration
WRAP
[Diagram labels: Client, Protected Resource, Identity Provider, Authorization Server, API, Bearer Token with authorization claims]
WRAP and SWT
• Simple Web Token (SWT)
– Form encoded name-value pairs
– HMAC-SHA-256 symmetric signature
• WRAP token request
– HTTP POST
– username+password or authentication assertion (e.g. SAML)
• WRAP protected client call
– HTTP header (Authorization: WRAP access_token = “…”)
– GET or POST parameter (wrap_access_token = “…”)
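
The SWT handling listed on this slide, as an added example that is not from the talk or the AppFabric SDK: it mints a token as the authorization server would and validates it as the protected resource would. The field names Issuer, Audience, ExpiresOn and HMACSHA256 follow the SWT draft and are assumptions (they are not on the slide), as is the exact header spacing.

```python
import base64
import hashlib
import hmac
import time
from urllib.parse import parse_qsl, quote, unquote

SIG_FIELD = "&HMACSHA256="  # assumed field name (SWT draft), not on the slide


def _mac(key: bytes, unsigned: str) -> bytes:
    return hmac.new(key, unsigned.encode("utf-8"), hashlib.sha256).digest()


def issue_swt(key, claims, issuer, audience, expires_on):
    """Authorization-server side: form-encode the pairs, append the HMAC."""
    pairs = [*claims.items(), ("Issuer", issuer), ("Audience", audience),
             ("ExpiresOn", str(expires_on))]
    unsigned = "&".join(f"{quote(k, safe='')}={quote(v, safe='')}" for k, v in pairs)
    sig = base64.b64encode(_mac(key, unsigned)).decode("ascii")
    return unsigned + SIG_FIELD + quote(sig, safe="")


def token_from_header(value):
    """Extract the token from an Authorization value: WRAP access_token="..." """
    prefix = 'WRAP access_token="'
    if not (value.startswith(prefix) and value.endswith('"')):
        raise ValueError("not a WRAP Authorization header")
    return value[len(prefix):-1]


def verify_swt(token, key, audience, now=None):
    """Protected-resource side: return the claims or raise ValueError."""
    unsigned, sep, sig = token.rpartition(SIG_FIELD)
    if not sep:
        raise ValueError("unsigned token")
    # Check the MAC over the exact received text before trusting any field.
    presented = base64.b64decode(unquote(sig), validate=True)
    if not hmac.compare_digest(_mac(key, unsigned), presented):
        raise ValueError("signature mismatch")
    pairs = parse_qsl(unsigned, keep_blank_values=True, strict_parsing=True)
    claims = dict(pairs)
    if len(claims) != len(pairs):
        raise ValueError("duplicate claim name")
    if claims.get("Audience") != audience:
        raise ValueError("token issued for a different audience")
    if int(claims.get("ExpiresOn", "")) <= (time.time() if now is None else now):
        raise ValueError("token expired")
    return claims
```

Because the signature is symmetric, every protected resource that can verify a token can also mint one, so the key should be scoped per audience.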
Demo
[Diagram labels: Membership, Access Control Service, Service Bus, WIF (twice), Alice, LeadDev, Listen, WS-Trust, WRAP, SAML, SWT, username+password]
Finally …
• Service Bus
– Connectivity
– Addressability and discoverability
– Eventing
– Buffering
• Access Control Service
– Authorization Decision Point
• For Service Bus
• For other services, both cloud and on-premises
– Flexible claims based policy