Enable Multiple Action Claims in AppFabric WRAP/SWT Sample

If you’re using the ASPNETSimpleService sample for investigating Azure’s August release of AppFabric (currently in AppFabric Labs), you might like to know a simple change to enable more action claims.

The sample provides instructions for creating the necessary ‘reverse’ value for the ‘action’ claim in an ACS Rule Group.  But what happens if you have more than one ‘action’ claim in the rule group (either by adding or by reusing an existing rule group)?  The sample breaks and renders WebException, (401) Unauthorized.  What gives?

The client app retrieves a SWT from AppFabric’s ACS and passes it to the web service.  The web service (implemented in the sample’s default.aspx) verifies that the SWT contains the ‘reverse’ value of the ‘action’ claim.  Unfortunately, the sample expects the SWT to look like:

“action=reverse&Audience=http://localhost:8000/Service/&ExpiresOn=1281474685&Issuer=https://<your-namespace>.accesscontrol.appfabriclabs.com/&HMACSHA256=muXlPgsuZkO9BHNAZqA97TZj4gz4NLKc0Ut58Y=”

This SWT will work fine.  Notice the claim “action=reverse” at the beginning.  If you aren’t aware (I wasn’t), multiple values of an claim are combined and separated by commas.  So, if you have another value ‘translate’ for the ‘action’ claim, the SWT will look like this:

“action=reverse,translate&Audience=http://localhost:8000/Service/&ExpiresOn=1281474685&Issuer=https://<your-namespace>.accesscontrol.appfabriclabs.com/&HMACSHA256=muXlPgsuZkO9BHNAZqA97TZj4gz4NLKc0Ut58Y=”

And that makes sense.  Why include multiple ‘action=<value>’ sections?  One simple change to the sample enables it to handle this situation.  Around line 90 of the sample’s default.aspx you’ll see

// check for the correct action claim value
if (!actionClaimValue.Equals(this.requiredClaimValue))
{
this.ReturnUnauthorized();
return;
}

This bit of code is requiring that the actionClaimValue (which comes from the SWT) EQUALS the expected value (requiredClaimValue which set to ‘reverse’).  In the second SWT above, the value of actionClaimValue will be “reverse,translate” which do not equal “reverse”

Simply changing Equals to use the Contains method fixes the sample.  Based on this situation, I don’t think using Equals is a good idea for your apps.  Contains is a reasonable alternative, but you may want to use a more rigorous practice.

CloudStorageAccount.Parse fails on trailing semicolon

Be careful not to let a sneaky little semicolon add itself to the end of your Azure connection string!  It’ll cause CloudStorageAccount.Parse to throw “Invalid Account String” exception.  For example

“AccountName=<account>;AccountKey=<key>;DefaultEndpointsProtocol=http”

works as expected, but

“AccountName=<account>;AccountKey=<key>;DefaultEndpointsProtocol=http;

causes the exception.  Spaces after the semicolon result in the exception, too.  The easiest fix is to use TrimEnd

azureConnStr = azureConnStr.TrimEnd(new char[] {‘;’});

I wish Microsoft would code Parse to handle this case more gracefully.  I guess it seems like just a little thing, but when you’re connecting to the cloud tracking down problems like this takes too long.

AppFabric goes Production on 4/9/10

Microsoft announced that the Windows Azure AppFabric will go live for production purposes on April 9th.

Pricing: Service Bus will now be charge $3.99 per “connection-month;” $1.99 per 100,000 Access Control transactions.