The code below is a class that authorizes a WCF web service call using EntLib's AzMan authorization provider:

public sealed class AzManAuthorizationManager : ServiceAuthorizationManager
{
    private const string OperationContextPrefix = "O:";

    protected override bool CheckAccessCore(OperationContext operationContext)
    {
        try
        {
            // Obtain the requested action from the context.
            string action = operationContext.RequestContext.RequestMessage.Headers.Action;
            // Remove the namespace part from the action.
            action.Substring(action.LastIndexOf('/') + 1);

            // Get the windows claim set that contains the windows identity
            // and use that to authorize.
            foreach (ClaimSet claimSet in operationContext.ServiceSecurityContext.AuthorizationContext.ClaimSets)
            {
                WindowsClaimSet windowsClaimSet = claimSet as WindowsClaimSet;
                if (windowsClaimSet != null)
                {
                    WindowsPrincipal principal = new WindowsPrincipal(windowsClaimSet.WindowsIdentity);
                    IAuthorizationProvider provider = AuthorizationFactory.GetAuthorizationProvider();
                    return provider.Authorize(principal, OperationContextPrefix + action);
                }
            }
        }
        catch (Exception exception)
        {
            if (ExceptionPolicy.HandleException(exception, "Exception in Security"))
            {
                throw;
            }
        }
        return false;
    }
}

Notes:

• This won't work with basicHttpBinding, you'll at least have to use wsHttpBinding.
• I simply remove the namespace portion of the SOAP action. This is because AzMan doesn't allow characters like : and / in an operation name.
• When calling Authorize prefix operations with "O:". Without prefix it will instead try to find a task of the supplied name.
• EntLib's WCF Exception Shielding won't work here, any exception is converted to a SecurityAccessDeniedException so you probably want a specific exception policy that also logs the actual exception (which is what I did).

I hope you find this useful, if not let me know!

Both WCF/EntLib integration for Validation and Exception handling are cool, but combining them is a bit tricky.

EntLib's Exception handling allows you to send a generic SOAP fault to a client if any Exception occurs within your service. This allows you to hide exception details from the client. Unfortunately a ValidationFault also gets translated to this generic service fault.

The solution: in the EntLib configuration, under your exception policy for your WCF service (usually named "WCF Exception Shielding" add an entry for the System.ServiceModel.FaultException and set it to NotifyRethrow besides catching System.Exception and throwing a custom SOAP fault in its place. The specific exception to rethrow would be FaultException<ValidationFault> but I'm not sure how to configure EntLib for this.

Fortunately the order is not important: the EntLib configuration tool orders the added exception types alphabetically so it automatically puts the FaultException after the generic Exception handler, but it works just the same.

Today I tried to handle a SecurityException through EntLib's Exception Application Block. I though it would be useful to rethrow it as a custom type name SecurityFault. Silly me, apparently a SecurityException gets translated to a System.ServiceModel.Security.SecurityAccessDeniedException.

Lessen: don't try this at home (or at work for that matter)...

I've seen some blog entries of people having trouble using VAB in WCF when a web service has a message contract. Apparently any contained DataContracts aren't validated.

After some fidgeting I found the problem: apparently the validation starts at the MessageContract. Just decorate the message body property (decorated with [MessageBody]) with [ObjectValidator].

The ObjectValidator is a validator that allows you to validate properties of a class containing properties decorated with validators. In other words; it allows validation of subtypes.

• System message "Please press button ...": If the system already knows what button should be pressed, why ask me to do it?
• System message "Would you like to save the changes?" - "Yes" - "Can't save changes because of ...": Why don't you check if you can save before you ask me?
• System message "Message sent." - "Can't send message because of ...": Why tell me you performed the action while in fact you haven't already?
• And the best: a form that can open in 9 different modes which make the form act subtly different while there are no visual clues telling the user what mode the form is in.

I really feel sorry for the future users.

In .NET 2.0 this should be easier with CryptoStream and DeflateStream. The only tricky bit is how to get the compressed & encrypted data into and out of a MemoryStream properly. If you don't close the Crypto & Deflate stream they don't finalize their output properly and if you do close them they close the underlying MemoryStream. There's a way around this but it differs between the CryptoStream and DeflateStream. The sample code below shows how to do this (and these aren't my real passwords  of course):

• create a MemoryStream and a CryptoStream,
• create a DeflateStream with leaveOpen set to true in the constructor, serialize the secret information into it and close it,
• call CryptoStream.FlushFinalBlock(),
• reset the MemoryStream to the beginning,
• create the containing object (Vault) and put in the contents of the MemoryStream,
• serialize the containing object to a file.

So, the CryptoStream has an extra method FlushFinalBlock() to tell the stream to finish its work. On the other hand DeflateStream is instructed to leave the underlying stream open. If the DeflateStream is then closed it will also finish its work.

namespace Spikes
{
    public class Credential
    {
        [XmlAttribute]
        public string Site;
        [XmlAttribute]
        public string User;
        [XmlAttribute]
        public string Password;
    }

    public class Secrets
    {
        public Credential[] Credentials;
    }

    public class Vault
    {
        [XmlAttribute]
        public int Hashes;
        [XmlAttribute]
        public byte[] IV;
        [XmlText]
        public byte[] Data;
    }

    class Program
    {
        static void Main(string[] args)
        {
            Credential credential1 = new Credential();
            credential1.Site = "Info Support";
            credential1.User = "frankg";
            credential1.Password = "bl@h'1";
            Credential credential2 = new Credential();
            credential2.Site = "Live Mail";
            credential2.User = "fjtdg(at)hotmail.com";
            credential2.Password = "Y0!";
            Secrets secrets = new Secrets();
            secrets.Credentials = new Credential[] { credential1, credential2, };
            RandomNumberGenerator rng = RNGCryptoServiceProvider.Create();
            byte[] iv = new byte[16];
            rng.GetBytes(iv);
            const string path = @"C:\Users\Frank\Documents\vault.xml";
            const string password = @"P@$$\/\/w0rd";
            const int hashes = 16; //1048576;
            Save(secrets, path, password, hashes, iv);
            secrets = Open(path, password);
            Console.WriteLine(secrets.Credentials.Length);
        }

        static void Save(Secrets secrets, string path, string password, int hashes, byte[] iv)
        {
            using (MemoryStream dataStream = new MemoryStream())
            {
                Rijndael rijndael = Rijndael.Create();
                byte[] key = Key(password, hashes);
                using (CryptoStream cryptoStream = new CryptoStream(dataStream, rijndael.CreateEncryptor(key, iv),
CryptoStreamMode.Write))
                {
                    using (Stream zipStream = new DeflateStream(cryptoStream, CompressionMode.Compress, true))
                    {
                        XmlSerializer secretsSerializer = new XmlSerializer(typeof(Secrets));
                        secretsSerializer.Serialize(zipStream, secrets);
                    }
                    cryptoStream.FlushFinalBlock();
                    dataStream.Position = 0;
                    Vault vault = new Vault();
                    vault.Hashes = hashes;
                    vault.IV = iv;
                    byte[] data = new byte[dataStream.Length];
                    dataStream.Read(data, 0, data.Length);
                    vault.Data = data;
                    using (FileStream vaultStream = File.Open(path, FileMode.Create))
                    {
                        XmlSerializer vaultSerializer = new XmlSerializer(typeof(Vault));
                        vaultSerializer.Serialize(vaultStream, vault);
                    }
                }
            }
        }

        static Secrets Open(string path, string password)
        {
            using (FileStream vaultStream = File.Open(path, FileMode.Open))
            {
                XmlSerializer vaultSerializer = new XmlSerializer(typeof(Vault));
                Vault vault = (Vault)vaultSerializer.Deserialize(vaultStream);
                byte[] key = Key(password, vault.Hashes);
                using (MemoryStream dataStream = new MemoryStream())
                {
                    dataStream.Write(vault.Data, 0, vault.Data.Length);
                    dataStream.Flush();
                    dataStream.Position = 0;
                    Rijndael rijndael = Rijndael.Create();
                    using (CryptoStream cryptoStream = new CryptoStream(dataStream, rijndael.CreateDecryptor(key,
vault.IV), CryptoStreamMode.Read))
                    {
                        using (Stream zipStream = new DeflateStream(cryptoStream, CompressionMode.Decompress))
                        {
                            XmlSerializer secretsSerializer = new XmlSerializer(typeof(Secrets));
                            return (Secrets)secretsSerializer.Deserialize(zipStream);
                        }
                    }
                }
            }
        }

        static byte[] Key(string password, int hashes)
        {
            byte[] bytes = Encoding.UTF8.GetBytes(password);
            HashAlgorithm hasher = new SHA256Managed();
            for (int i = 0; i < hashes; i++)
            {
                bytes = hasher.ComputeHash(bytes);
            }
            return bytes;
        }
    }
}

• The basic idea is indeed very basic (what can be more basic than asking questions?),
• The architects they intend to force people out of their comfort zone (especially useful to technical specialists),
• and the questions also encourage people to collaborate (instead of just throwing documents over the wall).
• They also emphasized that a strict timebox encourages people to prioritize the questions,
• and be honest when they just don't know the answer yet.

Again a methodology with a strong social component. In my opinion methods like these have a promising future.