Steps to secure the use of Azure blob storage in Windows store applications

In the previous article, we demonstrated the steps to secure the use of Azure blob storage in Windows Store applications. The steps on Windows phone are similar to this, but there are some differences in client code and settings. But to make it easier for readers to read, I'll write a separate one for how to use Azure blob storage securely in Windows Phone apps. This will suffice for Windows Phone developers to read this article.

We have demonstrated in this article the basic steps in using Azure BLOB storage in Windows Phone applications, but it is important for a business application to secure data. In the code of the last article, access to the BLOB is controlled by publicaccess, theoretically if the publicaccess is set to off, then third parties should not be able to access the BLOB. But there is an obvious security risk: Our code stores the access key string in plaintext, and it's easy for a third party to get the string through some decompile tools. If this access key is exposed, the contents of the BLOB will be completely secret. To this end, we need to find a reliable way to ensure the security of the authentication information.

To solve this problem, we need to do the following two:

1. Ensure that users do not obtain authentication information without authorization.

2. The authenticated information obtained by the user after authorization cannot be reused.

For the first, we can set up a server ourselves, and the connection to that server needs to be authenticated first, and then the authentication information for connecting to the Windows Azure Storage service is obtained from the server. But since we've already used Windows Azure, we can use Windows Azure cloud services to do the same thing for us.

For the second article, the Windows Azure storage service provides shared access signatures (shared access Signature) to ensure the timeliness of validation information. A shared access signature is a URI that grants restricted access to containers, blobs, and other storage objects at a specific time interval. In other words, the shared access signature is a URI that allows the client to access the container and blob within a specified time period, and the URI is invalid and needs to be retrieved over time.

Combining these two approaches, we can protect the authentication information. We put the code that generates the shared access signature on the Windows Azure Cloud service, where the client accesses a blob of the Windows Azure Storage service provider by accessing the cloud service interface for a shared access signature.

So let's take a look at the steps that need to be done to safely implement the same functionality as the previous article.

I. Creating cloud services and implementing Service Interfaces:

1. Download and install the Azure Cloud Service SDK for. NET from the following link:

Http://www.windowsazure.com/en-us/downloads/?sdk=net

For different versions of Visual Studio, you need to install the appropriate SDK so that the Azure Cloud service template appears in your Visual Studio project template.

2. Create a Cloud service through the Azure Cloud services template, and add the WCF Service Web role to the Project Wizard:

When completed, the Project Wizard automatically builds two projects, one is the cloud service project WindowsAzure1 and the other is the Web role Project WCFServiceWebRole1 that provides WCF service. An interface named IService1 is generated in WCFServiceWebRole1 and the Service1 class is implemented for that interface.

3. Modify the IService1 interface in the WCFSERVICEWEBROLE1 Project add interface functions for obtaining shared access signatures:

public interface IService1

{

[OperationContract]

String] Getuploadsas (String containername, string blobname);

[OperationContract]

String] Getdownloadsas (String containername, string blobname);

}

These two interface functions are used to obtain shared access signatures for uploads, a shared access signature for downloading, which receives two parameters: container name and blob name, returns a string array containing two strings, and the first string holds the URI used to access the BLOB. The second string is used to hold the shared access signature.

4. Implement the Getuploadsas function in the Service1 class of the WCFServiceWebRole1 project to return the shared access signature for the upload, similar to the image upload code from the previous demo, we first create a BLOB client object instance using the account name and the access key. Then the object instance of the container is obtained based on the container name, and if the container does not exist, the container is established and the access rights to the anonymous user are turned off. Then we get the BLOB block object instance through the Blob name, which invokes Getsharedaccesssignature to obtain a shared access signature with 5 minutes read and write access.

public string] Getuploadsas (String containername, String blobname)

{

String] Blobinfo = new string[2];

if (string. IsNullOrEmpty (containername) | | String. IsNullOrEmpty (Blobname))

{

throw new ArgumentNullException ();

}

var credentials = new Storagecredentials (AccountName, AccessKey);

var account = new Cloudstorageaccount (credentials, true);

var blobclient = account. Createcloudblobclient ();

var container = blobclient.getcontainerreference (containername);

Container. Createifnotexists ();

Blobcontainerpermissions containerpermissions = new Blobcontainerpermissions ();

containerpermissions.publicaccess = Blobcontainerpublicaccesstype.off;

Container. SetPermissions (containerpermissions);

var blob = container. Getblockblobreference (Blobname);

Blobinfo[0] = blob. Uri.absoluteuri;

BLOBINFO[1] = blob. Getsharedaccesssignature (New Sharedaccessblobpolicy ()

{

Sharedaccessexpirytime = DateTime.UtcNow.AddMinutes (5),

Permissions = Sharedaccessblobpermissions.write | Sharedaccessblobpermissions.read

});

return blobinfo;

}

5. Implement the Getdownloadsas function in the Service1 class of the WCFServiceWebRole1 project to return the shared access signature used to download the picture, similar to step 4, first to create a BLOB client object instance using the account name and the access key. The object instance of the container is then obtained from the container name, then the Blob block object instance is obtained by using the Blob name, and the Getsharedaccesssignature function of the instance is invoked to obtain a shared access signature with 5 minutes read-only access:

public string] Getdownloadsas (String containername, String blobname)

{

String] Blobinfo = new string[2];

if (string. IsNullOrEmpty (containername) | | String. IsNullOrEmpty (Blobname))

{

throw new ArgumentNullException ();

}

var credentials = new Storagecredentials (AccountName, AccessKey);

var account = new Cloudstorageaccount (credentials, true);

var blobclient = account. Createcloudblobclient ();

var container = blobclient.getcontainerreference (containername);

var blob = container. Getblockblobreference (Blobname);

Blobinfo[0] = blob. Uri.absoluteuri;

BLOBINFO[1] = blob. Getsharedaccesssignature (New Sharedaccessblobpolicy ()

{

Sharedaccessexpirytime = DateTime.UtcNow.AddMinutes (5),

Permissions = Sharedaccessblobpermissions.read

});

return blobinfo;

}

6. After completing the above code, you can click on the Azure application to build->publish the service to publish Windows Azure up:

A. The publishing wizard will first let you provide your Windows Azure account, and if you have already logged in, you can select it directly in the dropdown box, and if you are logged in first, you need to press the Sign in button to enter your account information. Then press next to go to the next page:

B. If you have not created the cloud service on Windows Azure, you will need to create a new cloud service and set the server location. Or you can choose to overwrite an existing cloud Service. Here we will name the new cloud service Sasservice:

C. After the setup is complete, the Publishing Wizard deploys the cloud service and application to your Windows Azure, and you can confirm the cloud service and whether the application has been successfully deployed through the Windows Azure Management portal. When the cloud service deployment is complete, service status displays created, production displays running:

d. Click the URL of the cloud service to enter the website providing WCF service and we can see that the WCF service provided by the website is service1.svc. So the URL to access the WCF service is http://sasservice.cloudapp.net/Service1.svc.

E. Open this URL to confirm that the WCF service is available and that you can get the C # sample code that invokes the service on the client.