The Workflow Foundation Security Pack CTP 1 provides a set of Windows Workflow Foundation Activities (both code-based and declarative) to augment the Service Model support in Workflow Foundation 4.0. In this recipe, we will explore the new set of Activities being introduced in the updated version of the CTP that allow .NET developers to leverage WIF and build secure WCF Workflow Service applications.
Windows Identity Foundation Runtime, .NET Framework 4.0, and Visual Studio 2010 are standard prerequisites. To set up the Workflow Foundation Activities, download the Workflow Foundation Security Pack CTP 1 installer from http://wf.codeplex.com/releases/view/48114 and install it. A set of WF Client and Service Activities is available with the WF designer for a new Visual Studio 2010 WCF Workflow Service Application project, once the installation is successful:
If you are not familiar with the WCF Workflow Service Application, then you can learn more about it in the Visual Design of Workflows with WCF and WF 4 article on MSDN, by Leon Welicki, at the following URL:
To implement Role-based security in a WCF Workflow Service Application, follow these steps:
1. Open Service1 in the Workflow Service designer and drag-and-drop a PrincipalPermissionScope activity from the Security tab of the toolbox into the Sequential Service scope, as shown in the following screenshot:
2. Open the Web.config file, create a protocolMapping element under the serviceModel section and set it to wsHttpBinding (see the following screenshot):
3. Open the Program.cs file in the Console Application project and add the following code in the Main method:

    static void Main(string[] args)
    {
        // Proxy generated from the service reference to the Workflow Service
        ServiceClient client = new ServiceClient();
        // Call the operation guarded by PrincipalPermissionScope and print the echoed value
        Console.WriteLine(client.GetData(10));
        Console.ReadLine();
    }
Compile the solution and run the client console. The desired echo result 10 will be displayed in the window.
The code block in the Main method of the Program.cs file under the client's Console Application project will execute and display the desired result in the console window once the client identity has been checked against the principal permission value specified in the Role expression textbox of the PrincipalPermissionScope activity in the Workflow Service designer. This is equivalent to using the PrincipalPermission class (System.Security.Permissions) to check against the active principal in code. If the incoming client credentials do not carry the required role, a SecurityAccessDeniedException is thrown (see the following screenshot):
You have now successfully implemented Role-based security in the WCF Workflow Service.
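To make the equivalence concrete, the following is an added example (not code from the recipe or from the Security Pack) showing both the declarative and the imperative forms of the same role check in plain WCF code. The contract name IEchoService, the role name "Managers" and the user name "alice" are constructed for illustration:

```csharp
using System;
using System.Security;
using System.Security.Permissions;
using System.Security.Principal;
using System.ServiceModel;
using System.Threading;

// Added example, not part of the recipe. Contract, role and user names
// below are constructed sample values.

[ServiceContract]
public interface IEchoService
{
    [OperationContract]
    int GetData(int value);
}

public class EchoService : IEchoService
{
    // Declarative equivalent of a PrincipalPermissionScope whose Role
    // expression is "Managers": WCF evaluates the demand against the
    // caller's principal before the operation body runs, and a caller
    // without the role receives SecurityAccessDeniedException.
    [PrincipalPermission(SecurityAction.Demand, Role = "Managers")]
    public int GetData(int value)
    {
        return value;
    }
}

public static class PrincipalPermissionDemo
{
    // Imperative form of the same check. Returns true when the principal
    // on the current thread is in the role and false when Demand() throws
    // SecurityException, so the caller can decide how to report the denial.
    public static bool CurrentPrincipalIsInRole(string role)
    {
        // null name = any authenticated name, but this specific role
        var permission = new PrincipalPermission(null, role);
        try
        {
            permission.Demand();
            return true;
        }
        catch (SecurityException)
        {
            return false;
        }
    }

    public static void Main()
    {
        // Stand-in for the identity WCF establishes from the client's
        // credentials; on a wsHttpBinding endpoint using Windows
        // credentials this is a WindowsPrincipal rather than a GenericPrincipal.
        var identity = new GenericIdentity("alice");
        Thread.CurrentPrincipal = new GenericPrincipal(identity, new[] { "Managers" });

        Console.WriteLine("Managers: " + CurrentPrincipalIsInRole("Managers"));
        Console.WriteLine("Administrators: " + CurrentPrincipalIsInRole("Administrators"));
    }
}
```

The first call succeeds because the constructed principal carries the Managers role, the second is denied. Inside a hosted service the same Demand is driven by the principal WCF attaches to the operation thread, which is why the binding must establish an authenticated identity (wsHttpBinding does this by default) before a role check of this kind can mean anything.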
In addition to WindowsIdentity, Role-based security can also be implemented using ASP.NET Role Providers, by specifying the roleManager configuration element in the WCF Workflow Service's Web.config file. You can find the detailed steps for configuring an ASP.NET Role Provider for a WCF service in an MSDN article at the following URL:
http://msdn.microsoft.com/library/aa702542
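The following Web.config is an added example, not the recipe's own file, covering both the protocolMapping step from the procedure above and the roleManager alternative just described. The provider name SqlRoles, the connection string name RolesDb and the connection string itself are constructed placeholders:

```xml
<?xml version="1.0"?>
<configuration>
  <!-- Added example, not the recipe's Web.config. Provider and
       connection string names are constructed placeholders. -->
  <connectionStrings>
    <add name="RolesDb"
         connectionString="Data Source=.\SQLEXPRESS;Initial Catalog=aspnetdb;Integrated Security=True" />
  </connectionStrings>

  <system.web>
    <!-- ASP.NET Role Provider, used instead of Windows groups when
         serviceAuthorization below is set to UseAspNetRoles -->
    <roleManager enabled="true" defaultProvider="SqlRoles">
      <providers>
        <clear />
        <add name="SqlRoles"
             type="System.Web.Security.SqlRoleProvider"
             connectionStringName="RolesDb"
             applicationName="/" />
      </providers>
    </roleManager>
  </system.web>

  <system.serviceModel>
    <!-- Recipe step: map http to wsHttpBinding so the client is
         authenticated (Windows credentials by default) and the
         PrincipalPermissionScope role check has a principal to test -->
    <protocolMapping>
      <add scheme="http" binding="wsHttpBinding" />
    </protocolMapping>

    <behaviors>
      <serviceBehaviors>
        <behavior>
          <!-- Default mode is UseWindowsGroups; UseAspNetRoles makes the
               Role expression resolve through the provider configured above -->
          <serviceAuthorization principalPermissionMode="UseAspNetRoles"
                                roleProviderName="SqlRoles" />
          <serviceMetadata httpGetEnabled="true" />
        </behavior>
      </serviceBehaviors>
    </behaviors>
  </system.serviceModel>
</configuration>
```

Leaving out the serviceAuthorization element keeps the default UseWindowsGroups mode, which is what the procedure above relies on. With UseAspNetRoles the Role expression in the activity is checked against the provider's role table, so the membership data in that table (and write access to it) becomes part of the service's trust boundary.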
In addition to the Service Activities, the Workflow Foundation Security Pack CTP 1 also provides WF Client Activities that can be used in claims-based identity delegation scenarios. The TokenFlowScope activity is used in conjunction with the GetUserNamePasswordToken, GetBootstrapToken or GetSamlSecurityToken activities. This allows the Send activities inside the scope to present the obtained security token when consuming a secure WCF service. For more information on this topic, see the Securing WF4 Workflow Services article on MSDN, by Zulfiqar Ahmed, at the following URL:
The complete source code for this recipe can be found in the Chapter 7\Recipe 1 folder. To learn more about how WCF Workflow Services can be used as an STS using WIF, see the Securing Workflow Services with Windows Identity Foundation article by Zoiner Tejada at the following URL: