Windows Azure Service Management request validation

Security considerations and Design, Windows Azure service requests must pass security authentication, in the way that there are two types of authentication:

1.Authenticate using Azure Active Directory (active catalog authentication)

Secure requests to the management service can is authenticated by creating an Azure AD application and using The Active Directory authentication Library To obtain a access token from the application.

A. Sign in to the Azure Management Portal.         

B. Towards the bottom of the left menu, click Active Directory, and then click Default Directory.

C. On the Default Directory page, under Integrate applications, click Add A application you ' re developing.

650) this.width=650; "src=" Http://s3.51cto.com/wyfs02/M02/4F/24/wKiom1RheqmBbrpIAACY8ZbG20I520.jpg "title=" Ic727494.png "alt=" Wkiom1rheqmbbrpiaacy8zbg20i520.jpg "/>

D. Enter the name of the application, select NATIVE CLIENT Application, and then click on the right arrow.

650) this.width=650; "src=" Http://s3.51cto.com/wyfs02/M01/4F/24/wKiom1Rhes_BDBOsAACqa6h5loI638.jpg "title=" Ic727496.png "alt=" Wkiom1rhes_bdbosaacqa6h5loi638.jpg "/>

E. Enter a URI for the application and then click the Checkmark. The URI includes the name of the application that's preceded by http://localhost/.

650) this.width=650; "src=" Http://s3.51cto.com/wyfs02/M01/4F/23/wKioL1Rhe2eiCq9ZAACEb7g_Ir4083.jpg "title=" Ic727497.png "alt=" Wkiol1rhe2eicq9zaaceb7g_ir4083.jpg "/>

F. After the application are created, you must add permission for the application to access the Service Management APIs. Go to the page for your application, and then click Configure.

650) this.width=650; "src=" Http://s3.51cto.com/wyfs02/M01/4F/25/wKiom1RheyCQ5edPAAC9it2Esns530.jpg "title=" Ic727498.png "alt=" Wkiom1rheycq5edpaac9it2esns530.jpg "/>

G. In the Permissions to other applications sections at the bottom of the configuration page, click Select Application, and th En select Windows Azure Service Management API.

650) this.width=650; "src=" Http://s3.51cto.com/wyfs02/M01/4F/25/wKiom1RheyCQ5edPAAC9it2Esns530.jpg "title=" Ic727498.png "alt=" Wkiom1rheycq5edpaac9it2esns530.jpg "/>

H. Click delegated permissions:0, and then select Access Azure Service Management.

650) this.width=650; "src=" Http://s3.51cto.com/wyfs02/M01/4F/23/wKioL1Rhe6jinpxsAADGZc5ZaCo407.jpg "title=" Ic727499.png "alt=" Wkiol1rhe6jinpxsaadgzc5zaco407.jpg "/>

I. Click Save on the bottom menu.

You can easily install the Active Directory authentication Library to your Visual Studio project by using the NuGet pack Age. To install the following:

1. Right-click the project name in the solution Explorer, and then click Manage NuGet Packages.

650) this.width=650; "src=" Http://s3.51cto.com/wyfs02/M00/4F/25/wKioL1RhfULQenAIAAH5RkiqLzM285.jpg "title=" Ic727503.png "alt=" Wkiol1rhfulqenaiaah5rkiqlzm285.jpg "/>

2. Type Active Directory in the Search box, click Install for the Active Directory authentication Library package, and then F Ollow the instructions to install the package.

650) this.width=650; "src=" Http://s3.51cto.com/wyfs02/M00/4F/25/wKioL1Rhfa-DirYzAAMs9N_jxTg121.jpg "title=" Ic727505.png "alt=" Wkiol1rhfa-diryzaams9n_jxtg121.jpg "/>

The following code example shows how to do access control:

Private static string getauthorizationheader () {  authenticationresult result  = null;    var context = new authenticationcontext ("https:/ /login.windows.net/{tenantid} ");   var thread = new thread (()  =>   {    result = context. Acquiretoken (       "https://management.core.windows.net/",        "{clientId}",       new uri ("{Redirecturi}");   });   thread. Setapartmentstate (ApartmentState.STA);   thread. name =  "Aquiretokenthread";   thread. Start ();   thread. Join ();              if  (Result  == null)   {    throw new invalidoperationexception ("Failed  to obtain The jwt token ");   }  string token = result. Accesstoken;  return token;}

3.

{tenantId} with the GUID of the application. To find the GUID, go to the Default directory page in the Active directory section of the Management Portal, select the AP Plication. Previously created, and then click View Endpoints.

650) this.width=650; "src=" http://s3.51cto.com/wyfs02/M00/4F/B9/wKioL1Rh0srxeOgbAAAzT7T3sS4953.jpg "title=" 1.png " alt= "Wkiol1rh0srxeogbaaazt7t3ss4953.jpg"/>

4.Copy the GUID of the application and replace the placeholder with it.

650) this.width=650; "src=" Http://s3.51cto.com/wyfs02/M02/4F/BB/wKiom1Rh0qeRhrKMAAHBCeB3p2E314.jpg "title=" Ic727508.png "alt=" Wkiom1rh0qerhrkmaahbceb3p2e314.jpg "/>

{ClientId} with the client identifier. To find the client identifier, go to the Configuration page of the application in the Management Portal.

650) this.width=650; "src=" Http://s3.51cto.com/wyfs02/M01/4F/BC/wKiom1Rh0uvBhLJ_AADC6H6ZO-0285.jpg "title=" Ic727509.png "alt=" Wkiom1rh0uvbhlj_aadc6h6zo-0285.jpg "/>

Use the following line of code to assign the token that's returned from the Getauthorizationheader method shown above to A variable that can is used by the request:

String token = Getauthorizationheader ();

Use the following lines of code to add the token to a request:

HttpWebRequest request = (HttpWebRequest) httpwebrequest.create (URI); request. Headers.add (httprequestheader.authorization, "Bearer" + token);

2.Authenticate using a Management certificate (Management certificate validation)

Talk about the following two points before you say Management certificate validation:

A.The Service Management API does not verify, a certificate is still valid. Authentication would succeed against an expired certificate.

B.all Management certificates carry the same set of privileges. There is no notion of "role-based" authentication where one Management certificate can be configured in one role and Anoth Er on the same subscription are configured in a different role.

650) this.width=650; "src=" Http://s3.51cto.com/wyfs02/M02/4F/BE/wKioL1Rh1NfjXSASAALwU7YYCW0264.jpg "title=" access _controlpng.png "alt=" Wkiol1rh1nfjxsasaalwu7yycw0264.jpg "/>

As shown above: the same subscription ID number has multiple fingerprints, through the fingerprint can find the corresponding management certificate for verification; Code is as follows:

Private static x509certificate2 getstorecertificate (string thumbprint) {  List <StoreLocation> locations = new List<StoreLocation>  {      StoreLocation.CurrentUser,     StoreLocation.LocalMachine   };    foreach  (var location in locations)   {     x509store store = new x509store ("My",  location);     try    {      store. Open (openflags.readonly | openflags.openexistingonly);       X509certificate2collection certificates = store. Certificates.find (        X509FindType.FindByThumbprint,  Thumbprint, false);      if  (certificates. COUNT&NBSP;==&NBSP;1) &NBSP;&NBSP;&NBSP;&NBsp;  {              return  certificates[0];      }    }     Finally    {      store. Close ();     }  }  throw new argumentexception (String. Format (     "a certificate with thumbprint  ' {0} '  could not  be located. ",     thumbprint));}

X509Certificate2 certificate = getstorecertificate (thumbprint) to obtain the available certificates for storage via fingerprint;

Add the certificate to the request header:

HttpWebRequest request = (HttpWebRequest) httpwebrequest.create (URI); request. Clientcertificates.add (certificate);

Summarize:

Version control provides a choice of user API versions, and management certifications make application management more secure.

The first way: China century interconnection agent does not provide this service. So I can't do a test, it's annoying.

650) this.width=650; "src=" http://s3.51cto.com/wyfs02/M02/4F/C5/wKioL1Rh2DWh5CYTAADxd3TeG2w256.jpg "title=" 1.png " alt= "Wkiol1rh2dwh5cytaadxd3teg2w256.jpg"/>

The second way is to manage authentication through a certificate, and the next step is to write a separate demo that creates the VM detailing the process. In addition, the above two methods are Microsoft official in the API can be found in the detailed description. (Windows Azure REST API)

This article is from the "Love Coffee" blog, please be sure to keep this source http://4837471.blog.51cto.com/4827471/1575445

Windows Azure Service Management request validation