The Azure platform is being rapidly upgraded as new features are rolled in it. In this blog article, I would like to review the applications of Azure AppFabric to the existing problems of the enterprise software companies. The article includes:
- Overview of existing problems of enterprise companies when developing web distributed apps.
- Overview of Azure AppFabric
- Detailed review of Access Control Service
- Detailed review of Azure Service Bus
Existing Problems of Enterprise Software Companies
Software applications are not new in today’s world, there are tons of good quality software solutions created by generations of developers. Today, we create distributed applications centered on integration with existing software systems, components over various platforms, protocols, and standards. We see at least the following problems:
- Connectivity challenges. The software applications have low interoperability because they often exist in different networks, platforms, etc. How can your client connect to a service endpoint if a service is in a different network behind a firewall?
- Authentication challenges. Most of the systems of the past came with their own security model. In order to work with such systems, the user has to maintain various sets of credentials. Maintaining increasing number of logins presents a threat as it increases the chance of compromising the security credentials.
- Authorization challenges. The dispersed security landscape presents a problem as now it is increasingly difficult to administration user authorization.
Azure AppFabric presents possible solutions to the above mentioned problems. The article below will review the AppFabric with concentration on Access Control Service and Service Bus.
Overview of Windows Azure AppFabric
Windows Azure AppFabric presents a set of middleware services. The middleware services target to increase interoperability between the components of your software solution. The services of Azure ApFabric are presented in Fig. 1. The pricing for Azure AppFabric is reasonably cheap and could be looked up at http://www.microsoft.com/windowsazure/pricing/.
Fig.1 Services provided by Azure AppFabric
Service Bus Service – provides connectivity between the services and its consumers. The Service Bus Service is commercially available.
Access Control Service – allows to de-couple the security management from application logic. The Access Control Service is commercially available.
AppFabric Caching Service – allows centralized caching of your application data. The AppFabric Caching Service is available within the CTP since October 2010.
Integration Services – “AppFabric Connect” – is your BizTalk-like service in the cloud. The service will be available sometime in 2011.
Composite App and AppFabric Scale Out Infrastructure. Later this year (2011), Azure AppFabric will introduce the ability to define a Composite App and upload the definitions to AppFabric Container. The Composite App represents your distributed applications with cloud- and on premises- based services. The AppFabric provides an environment to host your Composite App through AppFabric Container’s Multi-tenant host and Composition Runtime. The AppFabric container is responsible for the lifecycle of your Composite App.
AppFabric Access Control Service
Let us see how AppFabric Access Control Service solves the problem of dealing with multiple identity providers. The idea is to de-couple the identity management logic from the application logic. The identity management is not a concern of the new application. To do so, AppFabric uses the Claims Based Security Pattern.
Let us take a look at the concept of Claims Based Security Pattern, which you have to use in order to get a beer in Sloppy Joe’s, Key West (inspired by Vittorio Bertocci).
Fig. 2 Claims Based Security in Key West
- User submits the request for the Drivers License
- User receives the Drivers License authorized by the State of Florida
- User presents the Drivers License to the bartender of Sloppy Joe’s
- User gets his beer
Now let us look at what occurs in the AppFabric. First, we need to get clear on the terminology:
- Relying Party – A service with application logic which expects a security token and relies on the Issuer to generate such token.
- Issuer – A service which is responsible for evaluating the user credentials and generate a token which contains a set of Claims.
- Claim – An attribute of the user.
- Security Token – A set of Claims signed by the Issuer.
Having defined the terminology, I would like to proceed with the explanation of the AppFabric’s Access Control Service. The interaction between the Client, the Issuer, and the Relying Party is described in the Fig. 3 below.
Fig.3 Interactions in the AppFabric Access Control Service
According to the Fig.3, the Client obtains the Security Token from the Security Token Service (STS) which in turn accesses the Identity Store. Once the client has the token, he or she can submit the Security Token as a part of the request to the Relying Party. The identity layer of the Relying Party validates the Token, extracts the claims from it. If your Security Token is valid and your claims set allow the access to the application, the user gets the requested data.
When you create a Service Namespace, the Azure AppFabric provides following build-in service endpoints (Fig.4):
- STS Endpoint
- Management Endpoint
- Management STS Endpoint
Fig.4 Endpoints created with Azure AppFabric Service Namespace
As seen in Fig.4, besides the STS, the STS Management service and the STS for the Management Service are created. All endpoints expose RESTful services could be accessed by clients of various platforms including JAVA, PHP, etc. The STS is configured through the Management Service and could be configured to use other Identity Providers, for example Active Directory (through ADFS v2). As seen in Fig. 5, the STS can federate over existing Identity Providers, Active Directory, Facebook, Google, etc.
Fig.5 ACS with federated Identity Providers
As we may see, Access Control Services allows several key benefits:
- Security is no longer a concern of the application
- Existing Identity Providers are re-used
- Cross-platform interoperability via Restful services
To see how Access Control works:
- Download the Windows Azure Training Kit http://www.microsoft.com/downloads/en/details.aspx?FamilyID=413e88f8-5966-4a83-b309-53b7b77edf78&displaylang=en)
- Go through the
IntroAppFabricAccessControl Lab.
Service Bus Service
The Azure Service Bus allows bridging the possible networks and firewalls which may exist between the client and the server. You may imagine a common situation with the client and the service in located in different networks behind the firewalls. Let’s say the firewalls have only port 80 opened for outbound. Let us take a look at how the Azure Service Bus works.
As described in Fig.6, there are following steps:
- Service initiates a connection with the Relay Service via port 80 outbound.
- The Client initiates a connection with the Relay Service via port 80 outbound.
- The Client can send messages to the Relay Service and the Relay Service forwards the messages to the Service.
Fig.6 Interactions within Azure Service Bus
Generally speaking, I just described the Service Remoting scenario, however there are more scenarios with Azure Service Bus including Eventing and Protocol Tunneling.
This member has not yet provided a Biography. Assume it's interesting and varied, and probably something to do with programming.
Submit an article or tip
