在Windows Azure服务总线中使用默认发行者和默认密钥是什么？钥匙需要安全吗？ [英] What is the use of Default Issuer and Default Key in Windows Azure Service Bus? Does the key need to be secured?

问题描述

我们创建了一个下载客户端 - 服务模型应用程序，其中WCF服务托管在我们的一个服务器上，客户端应用程序分布在合作伙伴之间。
合作伙伴提供了唯一的pin使用，他们可以使用WCF服务验证自己，并可以请求下载到WCF服务。

客户端连接到通过Windows Azure Service Bus的WCF服务，在其中我们创建了一个命名空间，客户端应用程序可以使用该命名空间连接到服务。
每个命名空间都有默认发布者和默认密钥。在连接到服务总线时，我们在代码中嵌入了此默认键。
有人告诉我，密钥需要保护，您需要获得应用程序签名，以保护嵌入式密钥。是真的吗？

我们真的需要保护这个密钥吗？
如果是，那么如何？是否有一种方法，我们可以简单地在服务总线中提供身份验证，从其引脚标识客户端，并只允许一组人访问服务总线命名空间？
OR
我无用地在这些点上担心？ ：）

我们使用服务总线中继。
我一直在阅读关于SAS和ACS，根据文档，似乎SAS不支持继电器。以下是链接：
将在不久的将来添加对Service Bus中继的支持。
http://msdn.microsoft.com/en-us/library/windowsazure/dn170477.aspx

我无法理解如何使用ACS来验证客户端。 Windows Azure文档中提供的信息对我来说都是保镖，我无法将它们与任何事情联系起来。无论我多么努力。

如果有人为我的任何信息

编辑!!!!!!!!!!!!!!!!!!!!!!
我一直在搜索，并且以下链接提供了一种创建未认证客户端的方法：
http://msdn.microsoft.com/en-us/library/microsoft.servicebus.nettcprelaybinding.aspx

在客户端App.Config中使用以下标记

 < security relayClientAuthenticationType =None /> 
 

我试过这个，但得到以下错误：
Generic：授权失败请确保您指定了正确的SharedSecret，SimpleWebToken，SharedAccessSignature或Saml传输客户端凭据。MissingToken：需要中继安全令牌。

更多关于这个错误。但是很少有问题出现。

解决方案

如果我们不经验证就可以访问天蓝色服务总线， blockquote>

我们真的需要保护这个密钥吗？

侧。
要在Azure服务总线上授权，服务总线WCF端点使用颁发者和默认密钥创建一个令牌，将使用默认密钥签名，这意味着默认密钥永远不会发送到Azure。

有一种方法，我们可以简单地在服务总线
中提供身份验证，从其引脚标识客户端，并且只允许一组
的人访问服务总线的命名空间？或者我无用的
在这样的点上担心了？

据我所知你已经实现了某种安全在WCF一边。
还有另一种方法。您可以使用ACS验证客户端。默认情况下Azure中继服务提供对简单Web令牌的支持。

这是工作流程：

1. 客户端发送UserName / / Key）到ACS。


2. ACS验证凭据是否有效。


3. ACS将SWT令牌发送回客户端。 >
   
4. 客户端将SWT令牌打包到HTTP请求上（例如，转换为
   头文件）


5. 客户端向Web服务发送请求


6. WCF网络服务接收令牌并使用从ACS命名空间提供的
   安全共享密钥验证令牌（注意
   此密钥不是在通信期间发送，必须手动将
   从ACS门户复制到Web服务配置文件）


7. 如果令牌有效，则Web服务会向客户端发送数据。 / li>
   

We have created a downloading client-service model application in which a WCF service is hosted on one of our servers and the client application is distributed among the partners. Partners are provided with unique pin using which they can authenticate themselves with the WCF service and can place requests for downloading to the WCF Service.

The clients connect to the WCF Service through Windows Azure Service Bus within which we have created a namespace using which client applications can connect to the service. Every namespace has a Default Issuer and Default Key. We have embedded this Default key in our code when connecting to the service bus. Somebody told me that the key needs to be secured and you need to get the application signed in order to protect the embedded key. Is that true?

Do we really need to secure this key? If yes then how? and Is there a way we can simply provide authentication in Service Bus which identifies the clients from their pins and and allows only a set of people to access the service bus namespace? OR I'm uselessly getting worried on such points? :)

We are using Service Bus Relay. I have been reading about SAS and ACS and it seems according to the documentation that SAS is not supported for Relays. Following is the link: "Support for Service Bus relays will be added in the near future." http://msdn.microsoft.com/en-us/library/windowsazure/dn170477.aspx

I am unable to understand how to use ACS for authenticating clients. The information provided in the Windows Azure documentation are all bouncers for me and I can not relate them to anything no matter how hard I try.

If somebody has any information for my concerns then please help me with proper links and guidance.

Thanks!

EDIT!!! I have been searching on this and the following link provides a methodology for creating an unauthenticated client: http://msdn.microsoft.com/en-us/library/microsoft.servicebus.nettcprelaybinding.aspx

by using following tag in my client App.Config

<security relayClientAuthenticationType="None" />

I have tried this, but getting the below error: "Generic: There was an authorization failure. Make sure you have specified the correct SharedSecret, SimpleWebToken, SharedAccessSignature, or Saml transport client credentials. MissingToken: Relay security token is required."

I'm looking more about this error. But few questions arise. If we make the azure service bus accessible without authentication, can somebody simply misuse the service bus for their own advantage?

解决方案

Do we really need to secure this key?

You store Issuer and Default Key on your server side. To authorize on the Azure service bus, Service Bus WCF endpoint uses the Issuer and Default Key to create a token that will be signed with the Default Key that means that Default Key will never be sent to Azure.

Is there a way we can simply provide authentication in Service Bus which identifies the clients from their pins and and allows only a set of people to access the service bus namespace? OR I'm uselessly getting worried on such points?

As far as I understood you have already implemented some kind of security on the WCF side. There is another one way of doing that. You can use ACS to authentificate Clients. By Default Azure relay Service provides Support for the Simple Web Tokens.

Here is the workflow:

1. Client send UserName/Password( or UserName/Key) to the ACS.
2. ACS validates whether the credentials are valid.
3. ACS send the SWT token back to the Client.
4. Client packs the SWT token onto the HTTP request(for instance into headers)
5. Client sends a request to the Web Service with the token in Header.
6. WCF web Service recieves the token and validates the token with the secured shared key that was provided from ACS Namespace.(note that this key is not sent during the communication it has to be manually copied from the ACS Portal to the web Service config file)
7. If token is valid then web Service sends data to the Client.

这篇关于在Windows Azure服务总线中使用默认发行者和默认密钥是什么？钥匙需要安全吗？的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！