Securing Workflow Services using Workflow Foundation Security Pack CTP 1

The Workflow Foundation Security Pack CTP 1 provides a set of Windows Workflow Foundation Activities (both code-based and declarative) to augment the Service Model support in Workflow Foundation 4.0. In this recipe, we will explore the new set of Activities being introduced in the updated version of the CTP that allow .NET developers to leverage WIF and build secure WCF Workflow Service applications.

Note

Note that the CTP is not yet officially supported by Microsoft. The intention is to solicit feedback for support in future versions. You should exercise caution while using the Activities in an enterprise scale application.

Getting ready

Windows Identity Foundation Runtime, .NET Framework 4.0, and Visual Studio 2010 are standard prerequisites. To set up the Workflow Foundation Activities, download the Workflow Foundation Security Pack CTP 1 installer from http://wf.codeplex.com/releases/view/48114 and install it. A set of WF Client and Service Activities is available with the WF designer for a new Visual Studio 2010 WCF Workflow Service Application project, once the installation is successful:

If you are not familiar with the WCF Workflow Service Application, then you can learn more about it in the Visual Design of Workflows with WCF and WF 4 article on MSDN, by Leon Welicki, at the following URL:

http://msdn.microsoft.com/en-us/magazine/ff646977.aspx

How to do it...

To implement Role-based security in a WCF Workflow Service Application, follow these steps:

  1. Create a Visual Studio 2010 C# WCF Workflow Service Application project and name it RoleBasedWorkflowService, as shown in the following screenshot:
  2. In the Service1 Workflow Service designer, drag-and-drop a PrincipalPermissionScope activity from the Security tab of the toolbox into the Sequential Service scope, as shown in the following screenshot:
  3. In the PrincipalPermissionScope activity, keep the Name expression empty and under the Role expression textbox, enter a valid role in quotes.

    Note

    In our example solution, we are using "BUILTIN\Administrators". Replace this with a role relevant to your environment or domain.

  4. Drag-and-drop the ReceiveRequest activity inside the Body section of the PrincipalPermissionScope activity (see the following screenshot):
  5. Right-click on the ReceiveRequest activity and click on Properties. You will get the Properties window:
    • Notice that service and operation contracts are set. We will keep the defaults and set the correlation handle.
  6. Click on the CorrelatesOn collection property and set the correlation handle in the CorrelatesOn Definition window, as shown in the following screenshot:
  7. Next, select the correlation key under the XPath Queries section in the CorrelatesOn Definition window:
    • Click on OK to save the changes. Compile the solution to make sure that it builds successfully.
  8. Open the Web.config file and create a protocolMapping element under the serviceModel section and set it to wsHttpBinding (see the following screenshot):

    Note

    By default, the service exposes its endpoint over basicHttpBinding, which doesn't enforce security and will cause the principal permission demand to fail. We need to explicitly set the clients to access the service over wsHttpBinding by using the protocolMapping element.

  9. Next, create a Visual Studio 2010 C# Console Application to test the WCF Workflow Service. As shown in the following screenshot, add a reference to the Service1.xamlx service:
  10. Open the Program.cs file in the Console Application project and add the following code in the Main method:
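    static void Main(string[] args)
    {
        // ServiceClient is the proxy generated by the service reference to Service1.xamlx.
        ServiceClient client = new ServiceClient();
        // The call succeeds only if the caller is in the role set on the PrincipalPermissionScope.
        Console.WriteLine(client.GetData(10));
        Console.ReadLine();
        client.Close();
    }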

    Compile the solution and run the client console. The expected echo result, 10, will be displayed in the window.
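The protocolMapping change from step 8, written out as a Web.config fragment. This is an added example, not taken from the recipe's source code; only the relevant section is shown, and the rest of the generated Web.config is assumed to stay unchanged.

```xml
<!-- Web.config of the RoleBasedWorkflowService project (added example). -->
<configuration>
  <system.serviceModel>
    <!--
      Default mapping for the http scheme, shown for comparison only.
      basicHttpBinding applies no security by default, so no client
      identity reaches the PrincipalPermissionScope and the demand fails.

      <protocolMapping>
        <add scheme="http" binding="basicHttpBinding" />
      </protocolMapping>
    -->

    <!-- Corrected mapping: default http endpoints are exposed over
         wsHttpBinding, which carries the client credentials. -->
    <protocolMapping>
      <add scheme="http" binding="wsHttpBinding" />
    </protocolMapping>
  </system.serviceModel>
</configuration>
```

If the client's service reference was added before this change, update it so that the generated client configuration also uses wsHttpBinding.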

How it works...

The code in the Main method of the Program.cs file in the client's Console Application project executes and displays the expected result in the console window once the client identity has been checked against the principal permission value specified in the Role expression textbox of the PrincipalPermissionScope activity in the Workflow Service designer. This is equivalent to using the PrincipalPermission class (System.Security.Permissions) to check against the active principal in code. If the incoming client credentials don't contain the appropriate role, a SecurityAccessDeniedException will be thrown (see the following screenshot).

You have now successfully implemented Role-based security in the WCF Workflow Service.
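The code-based equivalent mentioned above, as an added example that is not part of the recipe's source code. GetData here is a hypothetical stand-in for the service operation, and the two principals are constructed so that the result does not depend on the logged-on user. In plain code, a failed demand raises SecurityException.

```csharp
using System;
using System.Security;
using System.Security.Permissions;
using System.Security.Principal;
using System.Threading;

static class PrincipalPermissionDemo
{
    // Same role string as entered in the Role expression of the activity.
    const string RequiredRole = @"BUILTIN\Administrators";

    // Hypothetical stand-in for the service operation (not the generated workflow code).
    static string GetData(int value)
    {
        // A null name means any authenticated identity is accepted; only the role is checked.
        new PrincipalPermission(null, RequiredRole).Demand();
        return value.ToString();
    }

    // Runs GetData as the given caller and reports whether the demand passed.
    static string Call(IPrincipal caller)
    {
        Thread.CurrentPrincipal = caller;
        try
        {
            return GetData(10);
        }
        catch (SecurityException)
        {
            return "access denied";
        }
    }

    static void Main()
    {
        // Constructed sample principals: one in the required role, one without any role.
        var admin = new GenericPrincipal(new GenericIdentity("alice"), new[] { RequiredRole });
        var guest = new GenericPrincipal(new GenericIdentity("bob"), new string[0]);

        Console.WriteLine("alice: " + Call(admin));
        Console.WriteLine("bob:   " + Call(guest));
    }
}
```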

There's more...

In addition to WindowsIdentity, Role-based security can also be implemented using ASP.NET Role Providers, by specifying the roleManager configuration element in the WCF Workflow Service's Web.config file. You can find the detailed steps for configuring an ASP.NET Role Provider for a WCF service in an MSDN article at the following URL:

http://msdn.microsoft.com/library/aa702542

The TokenFlowScope activity

In addition to the Service Activities, the Workflow Foundation Security Pack CTP 1 also provides WF Client Activities that can be used in claims-based identity delegation scenarios. The TokenFlowScope activity is used in conjunction with GetUserNamePasswordToken, GetBootstrapToken, or GetSamlSecurityToken. This allows the Send activities to use security tokens when consuming a secure WCF service. For more information on this topic, see the Securing WF4 Workflow Services article on MSDN, by Zulfiqar Ahmed, at the following URL:

http://msdn.microsoft.com/en-gb/magazine/gg598919.aspx

See also

The complete source code for this recipe can be found in the Chapter 7\Recipe 1 folder. To learn more about how WCF Workflow Services can be used as an STS using WIF, see the Securing Workflow Services with Windows Identity Foundation article by Zoiner Tejada at the following URL:

http://www.devproconnections.com/content1/topic/securing-workflow-services-with-windows-identity-foundation--128908/catpath/wif
