Sajay : WinFX

Musings on Workflow Terminated and Exception Handling

Sajay — Wed, 02 May 2007 07:29:25 GMT

When a workflow runs an activity and that activity throws some kind of unhandled exception you would notice that your workflow get terminated. I have see in many articles that explain how the termination happens. Now this is fine only for a rare set of hello world scenarios. When it comes to an enterprise application we usually expect to notify that some error has happened and probably redo our work.

Now if the workflow terminates how the heck are we supposed to re-execute the workflow cause its already terminated right :) and you get the "Workflow not found in persistence store" when you use a store like SQL . Now this happens when our activity doesn't have a fault handler associated with this it. So one of the solutions we tried for state machine error handling was this.

View the FaultHandlers in the event driven activity in the state.
Add a new Fault activity and set the fault type to System.Exception (this is to capture generic faults and nothing fancier) you can customize this but then again we are trying to avoid workflow termination here.
in the fault handler use a CallExternalMethodActivity.
How to catch the exception - You can promote the Fault property as a dependency property. Another easy way would be to call a methodInvoked(ie the method to be executed before the callExternal method is invoked) and in that access the exception as the fault property in the parent of the callExternalMethodActivity.
You can then pass on what ever data you get to the external method.

I believe there are many more ways of fault handling. I even know of cases where customers hacked the stored procedure of Insertworkflow to avoid workflow deletion on termination.

Anyway this is just on of the easier ways out to clean up incase you have better practices do leave a link :)

Durable Tokens Across Services - Share your tokens

Sajay — Fri, 20 Apr 2007 09:32:00 GMT

There seems to be quite a number of time when you want to perform your authentication once and then you just go ahead the want to just call a service without performing the authentication again.

What are some advantages of this ?

1. You get to manage your authentication independently. - Also results in a single point of failure.

2. You can build solutions that can leverage an existing authentication framework and save time building that

3. You could have many services talk to each other and share credentials across and build connected systems as they don't have to manager user bases or authentication stores independently. Still there are dependency on user details but the application is freed from worrying about the actual authentication scheme.

4. And many more depending on your scenario :)

The SDK already has a DurableTokenSecurity Sample and in this post the only modification to that is the way the token cache is built on the client side. If you haven't yet understood the sample, then the you need to understand how the token is picked up and cached and replayed back.

Understanding Durable Tokens

The endpoint has a ClientCredentials behavior. You have to remove the default behavior and slap on your own. the client credentials is also responsible for retrieving the credentials for a service and sending it out with the service request.

factory.Endpoint.Behaviors.Remove<ClientCredentials>();

factory.Endpoint.Behaviors.Add(durableCreds);

The durable credential extends the ClientCredentials and has a reference to the cache that supplies the tokens and stores the token. The SDK sample comes with multiple forms of cache. A file cache and in memory cache. You can choose what cache you would like as they have the separate uses.

Next step would be to understand how the cache is used. The DurableIssuedSecurityTokenProvider implements the SecurityTokenProvider which is responsible for retrieving the token from the cache and uses the instance of the cache that is provided and calls the Add or TryGet that queries the concrete implementation of the cache. The GetTokenCore is what is used to retrieve the token from the cache.

protected override SecurityToken GetTokenCore(TimeSpan timeout)

On walking through the implementation of the cache you see that the cache add or removes the tokens and the key is what governs how the tokens are retrieved. In the actual sample the key is is qualified as shown.

Key key = new Key(target.Uri, (issuer == null) ? null : issuer.Uri);

and when the URI is used.

Changes to the Cache to share the Tokens across Multiple Service

Changing the key pretty much increases or changes the total scope of the token. if you changed the key to something like this

Key key = new Key(new Uri(target.Uri.GetLeftPart(UriPartial.Authority)),
(issuer == null) ? null : issuer.Uri);

This pretty much says that the same token can be used across multiple services with the same Authority(usually the domain name in this case).

So there we go we have increased the scope and in this case but you can write your own key building logic and even use something like a predefined list of keys to retrieve the tokens and share them across multiple services.

Check out the source attached and let me know in case you have some queries around this.

ServiceAuthorizationManager and PrincipalPermission

Sajay — Fri, 22 Dec 2006 06:33:00 GMT

You may face a problem when trying to check for Principal permission and demand in the CheckAccessCore of the SerivceAuthorizationManager and you might see a security exception. This is primarily because the threads principal is not set when this demand check in the SAM happens.

You can however do a Principal Permission check within the operation either by a Demand() operation for the principal or delcaratively in code. This what Brent Schmaltz who helped with this issue said.

"There are two advantages of the SAM approach it is:

centralized and every call will be routed through there. This avoids what I like to call the ‘fractured policy system” where one needs to touch all access points to understand the authorization policy. This is similar to the File System. For example with this method it is difficult to answer: Can X access Y, without having X attempt to access Y?
called way up the stack and is hence has a performance advantage."

The solutions was to check the WindowsClaimSet. This claim set holds all the SIDs that is required and we can check the claim set if the SID of the group you require exits and bump the user out and authorizer the user using this. Basically you have a collection of SecurityIdentifiers in the WindowsClaimSet.

Next time - Checking SID's in the WindowsClaimSet

WSE Client - WCF service Interop

Sajay — Wed, 31 May 2006 11:59:00 GMT

I wanted to put up this sample using the Feb CTP.
Basically it uses WSE 3.0 and WCF to demostrate both AnonymousCertificate configuration and MutualCertificate configuration using the service custom binding Configuration and the WSE policy file.

The point is that WSE uses MessageVersion.Soap11WSAddressingAugust2004 or MessageVersion.Soap12WSAddressingAugust2004 basically will need a custom binding for this.

Security at both Message and Transport Level

Sajay — Wed, 24 May 2006 08:49:00 GMT

When using webservices we usually want the messages encrypted and also use SSL. This configuration as of now is not supported out of the box. We could use either tranport or message or a type called TransportWithMessageCredentials.
The 3rd type does not encrypt the soap message at the Message level but only supplies the claims(credentials) at this level. The security is pretty much provided at the Transport Level as the name should suggest.
The only binding that provides this out of the box is the following

WsHttpBinding provides a mixed mode but not both.
You can get a full listing here Predefined Bindings.

Incase you do want to use this you have to create a custom binding specifying each element. The behavior element can be used to specify the credentials that the message level security would use and the tranport can use say the server certificate from IIS. The snippet below shows a bare skeleton of this kind of binding.

Getting the X509Certificate Serial Number out of the ClaimSet

Sajay — Fri, 31 Mar 2006 12:27:00 GMT

The ClaimSet is quite interesting and extracting the Serial number from the certificate was something that wasn't that straight forward using FindClaims which takes the ClaimType Enumerator. For this you can cast the claim set into a X509CertificateClaimSet and get the Serial Number

        public string GetCertificateSerialNumber()
        {
            foreach (ClaimSet cs in OperationContext.Current.ServiceSecurityContext.AuthorizationContext.ClaimSets)
                if (cs is X509CertificateClaimSet)
                    return ((X509CertificateClaimSet)cs).SerialNumber;

return null;
}

Script for setting up Certificates for WCF

Sajay — Thu, 30 Mar 2006 16:28:00 GMT

I thought this script might be quite useful to set up certificates for testing with services hosted in IIS. This uses 3 tools present in the SDK folder.
1. makecert
2. certmgr
3. FindPrivateKey
You can find these in the WCF samples.

Note: Make sure you run this from the Windows SDK prompt and check the cert stores for the certifcates.

--------------------------------Setup.bat----------------------------

echo off
echo ************
echo Client cert setup starting
echo ************
set CLIENT_NAME=client.com
set SERVER_NAME=localhost

echo ****************
echo Cleanup starting
echo ****************

echo -------------------------
echo del client certs
echo -------------------------
certmgr -del -r CurrentUser -s My -c -n %CLIENT_NAME%
certmgr -del -r CurrentUser -s TrustedPeople -c -n %SERVER_NAME%

echo -------------------------
echo del service certs
echo -------------------------
certmgr -del -r LocalMachine -s My -c -n %SERVER_NAME%
certmgr -del -r LocalMachine -s TrustedPeople -c -n %CLIENT_NAME%

echo *****************
echo Cleanup completed
echo *****************

echo ************
echo making client cert
echo ************
makecert.exe -sr CurrentUser -ss MY -a sha1 -n CN=%CLIENT_NAME% -sky exchange -pe
echo ************
echo copying client cert to server's CurrentUserstore
echo ************
certmgr.exe -add -r CurrentUser -s My -c -n %CLIENT_NAME% -r LocalMachine -s TrustedPeople

echo ************
echo Server cert setup starting
echo %SERVER_NAME%
echo ************
echo making server cert
echo ************
makecert.exe -sr LocalMachine -ss MY -a sha1 -n CN=%SERVER_NAME% -sky exchange -pe
echo ************
echo copying server cert to client's CurrentUser store
echo ************
certmgr.exe -add -r LocalMachine -s My -c -n %SERVER_NAME% -r CurrentUser -s TrustedPeople

echo ************
echo setting privileges on server certificates
echo ************
for /F "delims=" %%i in ('"FindPrivateKey.exe" My LocalMachine -n CN^=%SERVER_NAME% -a') do set PRIVATE_KEY_FILE=%%i
set WP_ACCOUNT=NT AUTHORITY\NETWORK SERVICE
(ver | findstr "5.1") && set WP_ACCOUNT=%COMPUTERNAME%\ASPNET
echo Y|cacls.exe "%PRIVATE_KEY_FILE%" /E /G "%WP_ACCOUNT%":R
iisreset