Archive for the ‘wcf behaviors’ Category
How to add custom policy assertions to a WCF service without using a custom binding
Recently I have been trying to work with the WS-Policy standard to add information to our service WSDLs. WCF has an extension point for doing just that; you can read a really good example of this WCF extension here. One limitation of this method is that you must use a binding of type ‘custom’.
It is worth mentioning at this point that there is a really confusing issue with WCF bindings: there is a pre-defined binding called ‘customBinding’ that gives you control over all the binding elements that make up a WCF binding. This allows you to completely tailor the binding at configuration time. You can also create your own binding type (in code) and allow this to be used at configuration time (the method explained in this post).
So what is the problem with using a ‘customBinding’? – Well, we also require our services to use one of 2 possible bindings, either basicHttpBinding or WSHttpBinding. We could create a ‘customBinding’ that mimics basic (or ws respectively) with the addition of a ‘PolicyExporter’ binding element. However, without digging down into the details of these 2 bindings, how do we know what settings to use for the ‘customBinding’? This would also lead to even more complicated web.config files. We could also easily break the service at configuration time by changing part of the customBinding.
So what do we do? – Create 2 new bindings in code, each of which derives from either basicHttpBinding or WsHttpBinding, as well as adding a ‘PolicyExporter’ binding element (or any other custom binding elements we want). We then create some other classes that allow this binding to be used at configuration time. It is possible to manually create these classes, but there is also a tool that creates these classes based on a binding (saving time etc).
Step 1 – Create the binding
In a class library that can be referenced from the web.config (we have a dll for all our WCF extensions), define a class that inherits from the binding and overrides ‘CreateBindingElements’ like so:
    using System.ServiceModel;
    using System.ServiceModel.Channels;

    public class CustomBasicBinding : BasicHttpBinding
    {
        public CustomBasicBinding() : base()
        {
            // you can even define standard binding settings here!
            base.Security.Mode = BasicHttpSecurityMode.Transport;
            base.Security.Transport.ClientCredentialType = HttpClientCredentialType.Windows;
        }

        public override BindingElementCollection CreateBindingElements()
        {
            BindingElementCollection bindingEls = base.CreateBindingElements();
            // note that PolicyExporterBindingElement is a custom type defined elsewhere
            bindingEls.Insert(0, new PolicyExporterBindingElement(new GetPoliciesFromConfig()));
            return bindingEls;
        }
    }
Step 2 – Use the tool to generate the other classes
The WCF samples download includes a useful tool to create these other classes. Download the samples, locate the source for the tool (TechnologySamples\Tools\ConfigurationCodeGenerator\CS), build the .exe, copy the exe to wherever the .dll for your custom binding is, then run the tool from a command line:
ConfigurationCodeGenerator.exe /sb:CustomBasicBinding /dll:<dll filename>
Step 3 – Copy generated code
Navigate to the location of the dll. There should be one file, ‘CodeToAddTo<BindingName>’; copy the contents of this file into your binding code. Copy the remaining generated files to your project location.
Step 4 – Use the new binding for your service
Modify the web.config for your service (either manually or using the WCF configuration tool). Add a ‘binding extension’; in the WCF config tool you can use a wizard to locate the dll and find the binding type (if you can’t see it in the dialog you’ve done something wrong!). Choose a name for the binding (used elsewhere in the config).
For any service endpoint that should use this binding, choose your new binding type as the binding for the service. If necessary you should also be able to create a BindingConfiguration (thanks to the generated code).
    <extensions>
      <bindingExtensions>
        <add name="CustomBasic" type="Namespace.CustomBasicBindingCollectionElement, namespace, Version=1.0.0.1, Culture=neutral, PublicKeyToken='KEY'" />
      </bindingExtensions>
    </extensions>
    ...
    ...
    <services>
      <service code cut for clarity>
        <!-- the binding attribute must match the name registered under bindingExtensions -->
        <endpoint binding="CustomBasic" ... >
      </service>
    </services>
An idea for exposing additional data and fault contracts for a WCF service through behaviours
Although I am not working on this at the moment I’ve just stumbled across something that I thought I should capture as a potential solution for an existing problem.
The problem: We are using WCF behaviours to provide common functionality for all our WCF services. As part of these behaviours we need to throw specific fault contracts. However unless these are explicitly included in the service contract they are not exposed in the WSDL and so they are not visible to the client (proxy generator). It seems odd for all services to have to include these fault contract references when their own code does not actually use them at all.
Potential Solution: Use the ‘KnownType’ attribute in the WCF behaviour. I believe this tells WCF to include the specified type during serialization. So by putting this in the behaviour dll will the type appear in the WSDL?
Consuming a WCF Service with an unmanaged C++ client with credential passing
After much hassle I eventually got this working. This post explains how I got it to work and will try and pull together several information sources I found during the investigation.
Service, Step 1 – Bindings and Security
To maximize the interoperability of the WCF service, whilst maintaining credential flow, the WCF service needs to be set up in a particular way. The most critical issue is choosing the correct bindings and security settings; I spent ages trying to get a basicHttpBinding with security mode “TransportWithMessageCredential” to work. This turned out to be the wrong way to do it (in our scenario). The eventual security mode was “Transport” with the transport clientCredentialType set to “Windows”.
    <basicHttpBinding>
      <binding name="basic">
        <security mode="Transport">
          <transport clientCredentialType="Windows" />
        </security>
      </binding>
    </basicHttpBinding>
This basically says that the security should be provided by the transport layer (SSL with http – https), with windows credentials being passed at the transport layer (http headers – I think). The next problem is getting the service hosted in IIS.
Service, Step 2 – IIS setup
The credentials in IIS must match the service’s binding configuration. In this case this means setting the security settings to disable anonymous access and enable Windows authentication. Note that the service must be hosted on an SSL site (see this post for how to set this up). Try to build and view the service.
If you see an error message saying that the service requires anonymous access, this probably means there is something wrong with your bindings. In my case this was due to the fact that I had a mex endpoint for the service (as it was automatically generated), but as this was not using the same bindingConfiguration it was causing problems later on as it demanded anonymous access (in IIS). It is important that all the endpoints for the service have compatible security settings.
If you see an error message saying that the service requires Windows authentication, this may be due to an error with IIS. See this blog entry for a possible resolution. Note that in my case, due to a complex IIS setup, the instructions weren’t quite right; basically make sure that, for the <IISWebService> section that relates to your site, the line ‘NTAuthenticationProviders=”Negotiate,NTLM”’ is included.
By this point you should be able to view the service in your web browser and view the wsdl.
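The endpoint compatibility rule from this step can be checked over web.config before deploying. This is an added example, not code from the original post; the service and contract names in the sample are constructed, and the required setting is the Transport/Windows pair used in this post.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the "basic" binding from the post plus an auto-generated mex endpoint.
SAMPLE_CONFIG = """
<configuration><system.serviceModel>
  <bindings><basicHttpBinding>
    <binding name="basic">
      <security mode="Transport"><transport clientCredentialType="Windows" /></security>
    </binding>
  </basicHttpBinding></bindings>
  <services><service name="Example.TestService">
    <endpoint address="" binding="basicHttpBinding" bindingConfiguration="basic"
              contract="Example.ITest" />
    <endpoint address="mex" binding="mexHttpBinding" contract="IMetadataExchange" />
  </service></services>
</system.serviceModel></configuration>
"""

# What IIS is set up for in this post: HTTPS with Windows authentication, no anonymous access.
REQUIRED = ("Transport", "Windows")  # (security mode, transport clientCredentialType)


def configured_security(model, binding, config_name):
    """Return (mode, clientCredentialType) as written in config; None where unset."""
    for b in model.findall(f"bindings/{binding}/binding"):
        if b.get("name", "") == (config_name or ""):
            sec = b.find("security")
            transport = sec.find("transport") if sec is not None else None
            return (sec.get("mode") if sec is not None else None,
                    transport.get("clientCredentialType") if transport is not None else None)
    return (None, None)  # no binding configuration: the binding's built-in defaults apply


def audit(config_text):
    """List (service, address, binding, security) for endpoints that differ from REQUIRED."""
    model = ET.fromstring(config_text).find("system.serviceModel")
    findings = []
    for service in model.findall("services/service"):
        for ep in service.findall("endpoint"):
            sec = configured_security(model, ep.get("binding"), ep.get("bindingConfiguration"))
            if sec != REQUIRED:
                findings.append((service.get("name"), ep.get("address"), ep.get("binding"), sec))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print("security mismatch:", finding)
```

The check reads configuration only, so a binding whose security is set in code (such as the CustomBasicBinding earlier on this page) is reported as unset and needs a manual look.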
Service, Step 3 – Improving WSDL interoperability
The default behaviour of WCF allows for wsdl documents and xsd schemas to be imported into the overall wsdl (using the wsdl=wsdl0, xsd=xsd0 syntax). Some client side proxy generation tools are unable to handle these imports. Therefore to improve the interoperability you can do the following:
Use a WSDLExportExtension to include XSD inline
WCF behaviours allow services to override how WSDLs are generated. A custom behaviour can remove all imported xsds and place them inline. Details can be found at http://www.winterdom.com/weblog/2006/10/03/InlineXSDInWSDLWithWCF.aspx
Make all WSDLs appear inline
It may also be possible to use a custom behaviour to inline any imported WSDLs; however, as far as I am aware no-one has created this. On the plus side, as long as all contract types (data, fault, service) share the same XML namespace, no WSDLs are imported anyway.
Client, Step 1 – Prepare the WSDL for consumption
Even with the improvements to WSDL interoperability, the C++ proxy generation tool (sproxy) will fail with the current WSDL because the security settings are included using WS-Policy sections. To get around this, take a local copy of the WSDL by saving it from your web browser. Then remove any mentions of policy as detailed here.
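The policy sections can be removed by script rather than by hand. This is an added example, not from the original post or the instructions it links to; the sample WSDL is constructed and the code assumes the policy markup uses the WS-Policy namespaces. It returns the names of the removed assertions, because the service still enforces them and the client has to satisfy them without the WSDL describing them.

```python
from xml.dom import minidom

# WS-Policy 1.2 and WS-Policy 1.5 namespaces
POLICY_NS = ("http://schemas.xmlsoap.org/ws/2004/09/policy", "http://www.w3.org/ns/ws-policy")
POLICY_TAGS = ("Policy", "PolicyReference", "UsingPolicy")

# Constructed, cut-down WSDL with one policy and one reference to it.
SAMPLE_WSDL = """<wsdl:definitions xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/"
    xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
    xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy"
    xmlns:tns="http://example.invalid/test" targetNamespace="http://example.invalid/test">
  <wsp:Policy Id="Basic_policy"><wsp:ExactlyOne><wsp:All>
    <sp:TransportBinding><wsp:Policy><sp:TransportToken/></wsp:Policy></sp:TransportBinding>
  </wsp:All></wsp:ExactlyOne></wsp:Policy>
  <wsdl:binding name="Basic" type="tns:ITest">
    <wsp:PolicyReference URI="#Basic_policy"/>
  </wsdl:binding>
</wsdl:definitions>"""


def _attached(node, doc):
    """True while node is still part of doc (False once an ancestor was removed)."""
    while node.parentNode is not None:
        node = node.parentNode
    return node is doc


def strip_policy(wsdl_text):
    """Return (wsdl_without_policy, names_of_removed_assertions)."""
    doc = minidom.parseString(wsdl_text)
    assertions = set()
    for ns in POLICY_NS:
        for tag in POLICY_TAGS:
            # Copy the NodeList first: nodes are removed while we walk it.
            for node in list(doc.getElementsByTagNameNS(ns, tag)):
                if not _attached(node, doc):
                    continue  # nested inside a policy that has already been removed
                for child in node.getElementsByTagName("*"):
                    if child.namespaceURI not in POLICY_NS:
                        assertions.add(child.localName)
                node.parentNode.removeChild(node)
    # minidom keeps xmlns declarations, so QName attributes such as type="tns:ITest" stay valid
    return doc.toxml(), sorted(assertions)


if __name__ == "__main__":
    cleaned, dropped = strip_policy(SAMPLE_WSDL)
    print("removed assertions:", dropped)
```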
Client, Step 2 – Generate a C++ proxy using sproxy
Open a Visual Studio command prompt (note you should be able to do this from Visual Studio using “Add Web Reference”; however, in practice there seem to be some differences). Navigate to the location where you stored your modified WSDL, and type the following command:
>sproxy /wsdl wsdlfileLocation.wsdl
Client, Step 3 – Include the proxy in your C++ project
Simply take the contents of the file generated in the previous step and paste into a standard C++ header file.
Client, Step 4 – Make the call to the web service
The standard sproxy-generated proxies use CSoapSocketClientT to make the web service calls. However, you can specify a different type (as long as it conforms to the ATL SOAP Client Archetype), which means that we can use CSoapWininetClient. This type has built-in support for secured communication, so the client credentials will be automatically included. As yet my client is a simple console app, and at the moment it crashes (I’m not a C++ expert!); it does, however, successfully call the service and receive a response.
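    // Include the header generated by sproxy (client step 3) before this code.
    int _tmain(int argc, _TCHAR* argv[])
    {
        CoInitialize(NULL);   // initialise COM on this thread before using the proxy
        {
            // CSoapWininetClient replaces the default CSoapSocketClientT transport
            CTestInterfaceT<CSoapWininetClient> cli;
            int te;
            HRESULT res = cli.MyOperation(&te);
            cli.Cleanup();
        }   // cli goes out of scope here, before COM is shut down
        CoUninitialize();     // pairs with CoInitialize above
        return 0;
    }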
And there we have it ladies and gentlemen! An unmanaged C++ client calling a WCF service with transport level security and authentication.