安全性考虑与设计,Windows Azure的服务请求必须通过安全认证,验证的方式有两种如下:
1.Authenticate using Azure Active Directory(活动目录验证)
Secure requests to the management service can be authenticated by creating an Azure AD application and using the Active Directory Authentication Library to obtain an access token from the application.
a.Sign in to the Azure Management Portal.
b.Towards the bottom of the left menu, click Active Directory, and then click Default Directory.
c.On the Default Directory page, under Integrate applications, click Add an application you’re developing.
d.Enter the name of the application, select NATIVE CLIENT APPLICATION, and then click the right arrow.
e.Enter a URI for the application and then click the checkmark. The URI includes the name of the application that is preceded by http://localhost/.
f.After the application is created, you must add permission for the application to access the Service Management APIs. Go to the page for your application, and then click Configure.
g.In the Permissions to other applications section at the bottom of the configuration page, click Select application, and then select Windows Azure Service Management API.
h.Click Delegated Permissions: 0, and then select Access Azure Service Management.
i.Click Save on the bottom menu.
You can easily install the Active Directory Authentication Library into your Visual Studio project by using the NuGet package. To install the package, do the following:
1.Right-click the project name in the Solution Explorer, and then click Manage NuGet Packages.
2.Type Active Directory in the search box, click Install for the Active Directory Authentication Library package, and then follow the instructions to install the package.
下面代码范例演示如何进行访问控制:
private static string GetAuthorizationHeader() { AuthenticationResult result = null; var context = new AuthenticationContext("https://login.windows.net/{tenantId}"); var thread = new Thread(() => { result = context.AcquireToken( "https://management.core.windows.net/", "{clientId}", new Uri("{redirectUri}")); }); thread.SetApartmentState(ApartmentState.STA); thread.Name = "AquireTokenThread"; thread.Start(); thread.Join(); if (result == null) { throw new InvalidOperationException("Failed to obtain the JWT token"); } string token = result.AccessToken; return token; }
3.
{tenantId} with the GUID of the application. To find the GUID, go to the Default Directory page in the Active Directory section of the Management Portal, select the application that you previously created, and then click View Endpoints.
4.Copy the GUID of the application and replace the placeholder with it.
{clientId} with the client identifier. To find the client identifier, go to the Configuration page of the application in the Management Portal.
Use the following line of code to assign the token that is returned from the GetAuthorizationHeader method shown above to a variable that can be used by the request:
string token = GetAuthorizationHeader();
Use the following lines of code to add the token to a request:
HttpWebRequest request = (HttpWebRequest)HttpWebRequest.Create(uri); request.Headers.Add(HttpRequestHeader.Authorization, "Bearer " + token);
2.Authenticate using a management certificate(管理证书验证)
在说管理证书验证之前要先说一下以下两点:
a.The Service Management API does not verify that a certificate is still valid. Authentication will succeed against an expired certificate.
b.All management certificates carry the same set of privileges. There is no notion of “role-based” authentication where one management certificate can be configured in one role and another on the same subscription is configured in a different role.
如上面所展示:同一个订阅ID号有多个指纹,通过指纹就可以找到对应的管理证书进行验证;代码如下:
private static X509Certificate2 GetStoreCertificate(string thumbprint) { List<StoreLocation> locations = new List<StoreLocation> { StoreLocation.CurrentUser, StoreLocation.LocalMachine }; foreach (var location in locations) { X509Store store = new X509Store("My", location); try { store.Open(OpenFlags.ReadOnly | OpenFlags.OpenExistingOnly); X509Certificate2Collection certificates = store.Certificates.Find( X509FindType.FindByThumbprint, thumbprint, false); if (certificates.Count == 1) { return certificates[0]; } } finally { store.Close(); } } throw new ArgumentException(string.Format( "A Certificate with Thumbprint '{0}' could not be located.", thumbprint)); }
//通过指纹获得存储的可用证书 X509Certificate2 certificate = GetStoreCertificate(Thumbprint);
把证书添加到请求头中:
HttpWebRequest request = (HttpWebRequest)HttpWebRequest.Create(uri); request.ClientCertificates.Add(certificate);
总结:
版本控制提供了用户API版本的选择,管理认证让应用管理更加安全。
第一种方式:中国世纪互联代理没有提供这个服务。所以我也没法做个测试,烦人。
第二种方式是通过证书进行管理认证,接下来将单独写一个创建VM的Demo中会详细说明这个过程。另外上面的两种方式都是微软官方在API中可以找到详细说明的。(Windows Azure REST API)