{"id":699,"date":"2006-11-17T18:51:00","date_gmt":"2006-11-18T03:51:00","guid":{"rendered":"http:\/\/www.cloudidentity.com\/blog\/2006\/11\/17\/using-windows-cardspace-for-securing-a-wpf-smartclient-in-wcf-token-caching-sauce\/"},"modified":"2006-11-17T18:51:00","modified_gmt":"2006-11-18T03:51:00","slug":"using-windows-cardspace-for-securing-a-wpf-smartclient-in-wcf-token-caching-sauce","status":"publish","type":"post","link":"https:\/\/www.cloudidentity.com\/blog\/2006\/11\/17\/using-windows-cardspace-for-securing-a-wpf-smartclient-in-wcf-token-caching-sauce\/","title":{"rendered":"Using Windows CardSpace for securing a WPF smartclient, in WCF & token caching sauce"},"content":{"rendered":"

Hello everybody.<\/P>
\n

It’s some time that I have this sample<\/A> in the buffer: I am publishing now in a rush, since this sundaly I leave for 2 weeks in EU for some nice CardSpace briefings here and there. I won’t be on mail very much, so I hope you will hold most questions for when I will be back in Redmond \ud83d\ude42<\/P>
\n

I would really love to speak at lenght about this, but I really don’t have much time (I have also to mention all the ones that helped, and the list is long!:)). For the time being I am including an exerpt of the sample documentation<\/A>: later I’ll go deeper on it.<\/P>
\n

Enjoy \ud83d\ude42<\/P>
\n

Vittorio<\/P>
\n

 ———————————————<\/FONT><\/P>
\n

Windows CardSpace, WCF and Token Caching<\/FONT><\/EM><\/H2>
\n


\n

<\/FONT><\/STRONG><\/P><\/A><\/A>Windows CardSpace provides a consistent experience across web and rich client scenarios. Windows Communication Foundation (WCF) supports CardSpace out of the box, supplying a powerful means of handling authentication in web service based applications: users enjoy an easy experience that shields them from the complexities of WS-Policy, while WCF receives a token for securing the messages. <\/FONT><\/SPAN>
\n

The WCF programming model stores credentials on a per-channel basis: hence, in normal conditions the user would be prompted to choose a card as many times as a channel is created and used. WCF extensibility model, however, offers an easy way of modifying this behavior.<\/FONT><\/SPAN><\/SPAN><\/P>
\n

The sample presented here demonstrates how a simple WPF application can leverage CardSpace for securing the access to two different WCF web services, prompting the user only once.<\/FONT><\/SPAN><\/SPAN><\/P>
\n

Contents of this sample<\/FONT><\/STRONG><\/SPAN><\/SPAN><\/P>
\n

This sample contains the following components:<\/FONT><\/SPAN><\/SPAN><\/P>
\n

A sample certificate<\/FONT><\/SPAN><\/SPAN><\/P>
\n

Installation scripts<\/FONT><\/SPAN><\/SPAN><\/P>
\n

    <\/SPAN>The Simple WPF Smartclient solution<\/FONT><\/FONT><\/SPAN><\/SPAN><\/P>
\n

    <\/SPAN>A sample selfissued card<\/FONT><\/FONT><\/SPAN><\/SPAN><\/P>
\n

    <\/SPAN>This document<\/FONT><\/FONT><\/SPAN><\/SPAN><\/P>
\n

Certificate Setup<\/FONT><\/STRONG><\/SPAN><\/SPAN><\/P>
\n

This example does not require any website setup. The example requires, however, the installation of an X509 certificate. The configuration is done using the installation batch file provided in the sample folder:<\/FONT><\/SPAN><\/SPAN><\/P>
\n


\n


          <\/SPAN>Install.bat<\/FONT><\/SPAN><\/SPAN><\/SPAN><\/P>
\n

 <\/FONT><\/SPAN><\/SPAN><\/SPAN><\/P><\/DIV>
\n

 <\/FONT><\/SPAN><\/SPAN><\/P>
\n

If you have troubles on Windows Vista, please install those certificates manually under the Local Machine store or refer to the documentation <\/FONT><\/SPAN><\/SPAN>here<\/SPAN><\/SPAN><\/SPAN><\/SPAN><\/FONT><\/FONT><\/FONT><\/A>.<\/FONT><\/SPAN><\/SPAN><\/P>
\n

For more information and troubleshooting tips, consult the document <\/FONT><\/SPAN><\/SPAN>installation-instructions.doc<\/FONT><\/SPAN><\/SPAN> located in the <\/FONT><\/SPAN><\/SPAN>documents<\/FONT><\/SPAN><\/SPAN> folder. Please note that this document provides help for a wide range of CardSpace examples, hence it sometimes refer to things (like websites setup) that do not apply to the sample here described.<\/FONT><\/SPAN><\/SPAN><\/P>
\n


<\/SPAN><\/B> <\/P>
\n

The Application<\/FONT><\/STRONG><\/SPAN><\/SPAN><\/P>
\n

The application is a WPF client which aggregates weather and traffic info on a simple map. It can be accessed by opening the solution <\/FONT><\/SPAN><\/SPAN>MeteoAndTraffic.sln<\/SPAN> in Visual Studio. Before examining the code, let\u2019s verify the intended behavior of the application: once you loaded the solution, start it by pressing F5. The screenshot below shows the application as it appears once it starts.<\/FONT><\/SPAN><\/SPAN><\/FONT><\/P>
\n

<\/SPAN><\/SPAN><\/FONT> <\/P>
\n

 <\/P>
\n

The user can click on the \u201cGet Traffic Info\u201d button for retrieving traffic <\/FONT><\/SPAN><\/SPAN><\/P>
\n

information from a web service: the data will be displayed in the form of different colors on the road segments. The button \u201cGet Weather Info\u201d will contact a different web service, which will reply with weather information on the area. Both web services are offered by the same organization, nonetheless they are exposed on different endpoints.<\/FONT><\/SPAN><\/SPAN><\/P>
\n

Both web services are secured by CardSpace, and configured for accepting the self issued card provided with the sample. The self issued card can be imported by double clicking on the file <\/FONT><\/SPAN><\/SPAN>SampleCardsPrimaCard.crds<\/SPAN>: the password is \u201c88888888\u201d without the quotes.<\/FONT><\/SPAN><\/SPAN><\/FONT><\/P>
\n

Once the card has been imported, click on any of the two buttons mentioned above: the order is not important.<\/FONT><\/SPAN><\/SPAN><\/P>
\n

The system will open the identity selector, prompting for a self issued card. <\/FONT><\/SPAN><\/SPAN><\/P>
\n

Select the sample card \u201cPrima Card\u201d and hit Send: the identity selector will close and the application will perform the web service call.<\/FONT><\/SPAN><\/SPAN><\/P>
\n

Assuming that the button clicked was \u201cGet Weather Info\u201d, the application will show a scene similar to the following:<\/FONT><\/SPAN><\/SPAN><\/P>
\n

 <\/FONT><\/SPAN><\/SPAN><\/P>
\n

 <\/FONT><\/SPAN><\/SPAN>At this point, all subsequent calls will not prompt the user again regardless of the service invoked. Pushing the \u201cGet Traffic Info\u201d button will update the visualization with traffic data right away, without showing the identity selector.<\/FONT><\/SPAN><\/SPAN><\/P>
\n

<\/FONT><\/SPAN><\/SPAN> <\/P>
\n

 <\/FONT><\/SPAN><\/SPAN><\/P>
\n

If you want to be prompted again, it is enough to empty the token cache by pressing the \u201cFlush Token\u201d button: the next invocation will not find a suitable token in the cache, hence the user will be asked to select a card and restart the cycle.<\/FONT><\/SPAN><\/SPAN><\/P>
\n

 <\/FONT><\/SPAN><\/SPAN><\/P>
\n

Let\u2019s take a closer look at the code that made this behavior possible.<\/FONT><\/SPAN><\/SPAN><\/P>
\n

The client code<\/FONT><\/STRONG><\/SPAN><\/SPAN><\/P>
\n

 <\/FONT><\/SPAN><\/SPAN><\/P>
\n

The client application is a simple Windows Presentation Foundation application: the visual components were created with Microsoft Expression Interactive Designer, then the project has been imported into Visual Studio 2005. The details of the WPF design are out of the scope of this document and won\u2019t be discussed here (refer to <\/FONT><\/SPAN><\/SPAN>Vittorio\u2019s blog<\/SPAN><\/SPAN><\/SPAN><\/SPAN><\/FONT><\/FONT><\/FONT><\/A> for any question about it).<\/FONT><\/SPAN><\/SPAN><\/P>
\n

You can find the client project in the <\/FONT><\/SPAN><\/SPAN>MeteoAndTraffic<\/FONT><\/SPAN><\/SPAN> solution, under the <\/FONT><\/SPAN><\/SPAN>MeteoAndTraffic<\/FONT><\/SPAN><\/SPAN> project name. It contains the following files:<\/FONT><\/SPAN><\/SPAN><\/P>
\n

 <\/FONT><\/SPAN><\/SPAN><\/P>
\n


\n

 <\/FONT><\/SPAN><\/SPAN><\/SPAN><\/P>
\n

Application.xaml<\/FONT><\/SPAN><\/SPAN><\/SPAN><\/P>
\n

Application.xaml.cs<\/FONT><\/SPAN><\/SPAN><\/SPAN><\/P>
\n

AssemblyInfo.cs<\/FONT><\/SPAN><\/SPAN><\/SPAN><\/P>
\n

App.config<\/FONT><\/SPAN><\/SPAN><\/SPAN><\/P>
\n

MeteoServiceContract.cs<\/FONT><\/SPAN><\/SPAN><\/SPAN><\/P>
\n

TrafficServiceContract.cs<\/FONT><\/SPAN><\/SPAN><\/SPAN><\/P>
\n

Map.xaml<\/FONT><\/SPAN><\/SPAN><\/SPAN><\/P>
\n

Map.xaml.cs<\/FONT><\/SPAN><\/SPAN><\/SPAN><\/P>
\n

 <\/FONT><\/SPAN><\/SPAN><\/SPAN><\/P>
\n

 <\/FONT><\/SPAN><\/SPAN><\/SPAN><\/P><\/DIV>
\n

 <\/FONT><\/SPAN><\/SPAN><\/P>
\n

We can safely ignore <\/FONT><\/SPAN><\/SPAN>Application.xaml<\/FONT><\/SPAN><\/SPAN> , <\/FONT><\/SPAN><\/SPAN>Application.xaml.cs<\/FONT><\/SPAN><\/SPAN> and <\/FONT><\/SPAN><\/SPAN>AssemblyInfo.cs<\/FONT><\/SPAN><\/SPAN>.<\/FONT><\/SPAN><\/SPAN><\/P>
\n

The <\/FONT><\/SPAN><\/SPAN>MeteoServiceContract.cs<\/FONT><\/SPAN><\/SPAN> and <\/FONT><\/SPAN><\/SPAN>TrafficServiceContract.cs<\/FONT><\/SPAN><\/SPAN> files contain the contract definitions of the weather and traffic web services, respectively. Again, please consult the documentation suggested above if those concepts are not clear.<\/FONT><\/SPAN><\/SPAN><\/P>
\n

Map.xaml<\/FONT><\/SPAN><\/SPAN> contains WPF code defining the appearance of the main UI; <\/FONT><\/SPAN><\/SPAN>Map.xaml.cs<\/FONT><\/SPAN><\/SPAN> contains the initialization code and the actual web service invocation code. Here there is an excerpt of <\/FONT><\/SPAN><\/SPAN>Map.xaml.cs<\/FONT><\/SPAN><\/SPAN>:<\/FONT><\/SPAN><\/SPAN><\/P>
\n

 <\/FONT><\/I><\/SPAN><\/SPAN><\/P>
\n


\n

…<\/FONT><\/SPAN><\/SPAN><\/P>
\n

 <\/FONT><\/SPAN><\/SPAN><\/P>
\n

public<\/SPAN><\/SPAN><\/SPAN> MapScene()<\/SPAN><\/SPAN><\/SPAN><\/P>
\n

{<\/SPAN><\/SPAN><\/SPAN><\/P>
\n

    <\/SPAN>this<\/SPAN>.InitializeComponent();<\/SPAN><\/SPAN><\/SPAN><\/P>
\n

}<\/SPAN><\/SPAN><\/SPAN><\/P>
\n

 <\/SPAN><\/SPAN><\/SPAN><\/P>
\n

 <\/FONT><\/SPAN><\/SPAN><\/SPAN><\/P>
\n

void<\/SPAN><\/SPAN><\/SPAN> BtnTrafficClicked(object<\/SPAN> sender, RoutedEventArgs<\/SPAN> e)<\/SPAN><\/SPAN><\/SPAN><\/FONT><\/P>
\n

{<\/FONT><\/SPAN><\/SPAN><\/SPAN><\/P>
\n

    <\/SPAN>try<\/SPAN><\/FONT><\/SPAN><\/SPAN><\/SPAN><\/P>
\n

    <\/SPAN>{<\/FONT><\/SPAN><\/SPAN><\/SPAN><\/P>
\n

        <\/SPAN>ChannelFactory<\/SPAN><TrafficService.ITraffic<\/SPAN>> cnFactory = new<\/SPAN> <\/FONT><\/SPAN><\/SPAN><\/SPAN><\/P>
\n

              <\/SPAN>ChannelFactory<\/SPAN><TrafficService.ITraffic<\/SPAN>>(“TrafficClient”<\/SPAN>);<\/FONT><\/SPAN><\/SPAN><\/SPAN><\/P>
\n

        <\/SPAN>TrafficService.ITraffic<\/SPAN> chn = cnFactory.CreateChannel();<\/FONT><\/SPAN><\/SPAN><\/SPAN><\/P>
\n

        <\/SPAN>List<\/SPAN><TrafficInfo<\/SPAN>> ti = chn.GetTrafficInfo();<\/FONT><\/SPAN><\/SPAN><\/SPAN><\/P>
\n

        <\/SPAN>cnFactory.Close();<\/FONT><\/SPAN><\/SPAN><\/SPAN><\/P>
\n

        <\/SPAN>UpdateTrafficUI(ti);<\/FONT><\/SPAN><\/SPAN><\/SPAN><\/P>
\n

    <\/SPAN>}<\/FONT><\/SPAN><\/SPAN><\/SPAN><\/P>
\n

    <\/SPAN>catch<\/SPAN> (Exception<\/SPAN> ee)<\/FONT><\/SPAN><\/SPAN><\/SPAN><\/P>
\n

    <\/SPAN>{<\/FONT><\/SPAN><\/SPAN><\/SPAN><\/P>
\n

        <\/SPAN>MessageBox<\/SPAN>.Show(“Something went wrong: nn”<\/SPAN> + ee.ToString());<\/FONT><\/SPAN><\/SPAN><\/SPAN><\/P>
\n

    <\/SPAN>}<\/FONT><\/SPAN><\/SPAN><\/SPAN><\/P>
\n

}<\/FONT><\/SPAN><\/SPAN><\/SPAN><\/P>
\n

…<\/FONT><\/SPAN><\/SPAN><\/P>
\n

 <\/FONT><\/SPAN><\/SPAN><\/P><\/DIV>
\n

 <\/FONT><\/SPAN><\/SPAN><\/P>
\n

That code fragment looks exactly like a usual WCF sample. Let\u2019s assume for a moment that the associated config file contains the usual WCF+CardSpace configuration, as described <\/FONT><\/SPAN><\/SPAN>here<\/SPAN><\/SPAN><\/SPAN><\/SPAN><\/FONT><\/FONT><\/FONT><\/A>.<\/FONT><\/SPAN><\/SPAN><\/P>
\n

In <\/FONT><\/SPAN><\/SPAN>BtnTrafficClicked<\/SPAN><\/SPAN><\/SPAN>,<\/SPAN> the event handler associated to the \u201cGet Traffic Info\u201d button, we:<\/FONT><\/SPAN><\/SPAN><\/FONT><\/P>
\n

1.<\/FONT>   <\/SPAN><\/SPAN><\/SPAN>Create a <\/FONT><\/SPAN><\/SPAN>ChannelFactory<\/SPAN> connected to the contract type (<\/FONT><\/SPAN><\/SPAN>TrafficService.<\/SPAN><\/SPAN><\/SPAN>ITraffic<\/SPAN>) and endpoint associated to the service we want to invoke<\/FONT><\/SPAN><\/SPAN><\/FONT><\/P>
\n

2.<\/FONT>   <\/SPAN><\/SPAN><\/SPAN>Use the <\/FONT><\/SPAN><\/SPAN>ChannelFactory<\/SPAN> for instantiating a proxy to the service<\/FONT><\/FONT><\/SPAN><\/SPAN><\/P>
\n

3.<\/FONT>   <\/SPAN><\/SPAN><\/SPAN>Use the proxy for invoking the service and obtaining the data we need (in this case, a <\/FONT><\/SPAN><\/SPAN>List<\/SPAN><\/SPAN><\/SPAN><<\/SPAN><\/SPAN><\/SPAN>TrafficInfo<\/SPAN><\/SPAN><\/SPAN>><\/SPAN>)<\/FONT><\/SPAN><\/SPAN><\/FONT><\/P>
\n

4.<\/FONT>   <\/SPAN><\/SPAN><\/SPAN>Close the channel (via <\/FONT><\/SPAN><\/SPAN>ChannelFactory.Close()<\/SPAN>) and use the data obtained for updating the UI<\/FONT><\/FONT><\/SPAN><\/SPAN><\/P>
\n

 <\/FONT><\/SPAN><\/SPAN><\/P>
\n

From the description in the former section, we know that at a certain point during the execution of this code (namely in point 3 in the list above) the user has been prompted by the CardSpace UI. When the user selects one card, the system will obtain the corresponding security token (from the internal STS if a self issued card is selected, from an external identity provider in case of a managed card): this token will be stored in the channel and used to secure the call.<\/FONT><\/SPAN><\/SPAN><\/P>
\n

If I would reuse the same channel instance for subsequent calls, WCF would use the token already stored in the channel cache and would not ask the user to re-select the card. Since we close the channel, however, the token cache is lost and subsequent clicks on the \u201cGet Traffic Info\u201d button would cause the CardSpace UI to show again. Unfortunately, just avoiding destroying the channel does not solve the problem. If the user would press the \u201cGet Weather Info\u201d we would execute <\/FONT><\/SPAN><\/SPAN>BtnMeteoClicked<\/SPAN>: the code would be perfectly analogous to what we have described for <\/FONT><\/SPAN><\/SPAN>BtnTrafficClicked<\/SPAN>. The problem is that the channel instance would be necessarily different from the one we created in <\/FONT><\/SPAN><\/SPAN>BtnTrafficClicked<\/SPAN>, so WCF would have to populate the token cache of this new channel and in so doing it would again prompt the user for selecting a card.<\/FONT><\/SPAN><\/SPAN><\/FONT><\/P>
\n

Fortunately, the extensibility model of WCF allows modifying the above described behavior; furthermore, it is possible to implement our custom caching behavior without imposing any modification to the C# code. <\/FONT><\/SPAN><\/SPAN><\/P>
\n

If you are interested in the details, please refer to the <\/FONT><\/SPAN><\/SPAN>credential types explanation in the SDK documentation<\/SPAN><\/SPAN><\/SPAN><\/SPAN><\/FONT><\/FONT><\/FONT><\/A>; in this context, it is enough to say that the token caching logic is managed by the <\/FONT><\/SPAN><\/SPAN>ClientCredentials<\/SPAN><\/SPAN><\/SPAN><\/SPAN><\/FONT><\/FONT><\/FONT><\/A> behavior. We can modify the way in which a channel handles credentials by replacing <\/FONT><\/SPAN><\/SPAN>ClientCredentials<\/SPAN><\/SPAN><\/SPAN><\/SPAN><\/FONT><\/FONT><\/FONT><\/A> from its behaviors list with our own implementation. For doing that we need to <\/FONT><\/SPAN><\/SPAN><\/P>
\n

1.<\/FONT>   <\/SPAN><\/SPAN><\/SPAN>Create our implementation of <\/FONT><\/SPAN><\/SPAN>ClientCredentials<\/SPAN><\/SPAN><\/SPAN><\/SPAN><\/FONT><\/FONT><\/FONT><\/A><\/SPAN><\/SPAN><\/P>
\n

2.<\/FONT>   <\/SPAN><\/SPAN><\/SPAN>Change the configuration of the client so that it will take advantage of our class, as opposed to the <\/FONT><\/SPAN><\/SPAN>ClientCredentials<\/SPAN><\/SPAN><\/SPAN><\/SPAN><\/FONT><\/FONT><\/FONT><\/A> implementation supplied by the framework <\/FONT><\/SPAN><\/SPAN><\/P>
\n

In the remainder of this section we will explore 2., while in the next section we will get a closer look to the implementation details of our custom behavior.<\/FONT><\/SPAN><\/SPAN><\/P>
\n

 <\/FONT><\/SPAN><\/SPAN><\/P>
\n

Below you can see the first lines of the config file associated to our client:<\/FONT><\/SPAN><\/SPAN><\/P>
\n

 <\/FONT><\/SPAN><\/SPAN><\/P>
\n


\n

<?xml<\/SPAN> version<\/SPAN>=”1.0″ encoding<\/SPAN>=”utf-8″ ?><\/FONT><\/SPAN><\/SPAN><\/SPAN><\/P>
\n

<configuration<\/SPAN>><\/FONT><\/SPAN><\/SPAN><\/SPAN><\/P>
\n

  <\/SPAN><system.serviceModel<\/SPAN>><\/FONT><\/SPAN><\/SPAN><\/SPAN><\/P>
\n

    <\/SPAN><extensions<\/SPAN>><\/FONT><\/SPAN><\/SPAN><\/SPAN><\/P>
\n

      <\/SPAN><behaviorExtensions<\/SPAN>><\/FONT><\/SPAN><\/SPAN><\/SPAN><\/P>
\n

        <\/SPAN><add<\/SPAN> name<\/SPAN>=”SimpleCardSpaceTokenClientCredentials” type<\/SPAN>=”SimpleCardSpaceTokenClientCredentialsSample.SimpleCardSpaceTokenClientCredentialsConfigHandler, SimpleCardSpaceTokenClientCredentials, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null” \/><\/FONT><\/SPAN><\/SPAN><\/SPAN><\/P>
\n

      <\/SPAN><\/behaviorExtensions<\/SPAN>><\/FONT><\/SPAN><\/SPAN><\/SPAN><\/P>
\n

    <\/SPAN><\/extensions<\/SPAN>><\/FONT><\/SPAN><\/SPAN><\/SPAN><\/P>
\n

 <\/FONT><\/SPAN><\/SPAN><\/SPAN><\/P>
\n

 <\/FONT><\/SPAN><\/SPAN><\/SPAN><\/P><\/DIV>
\n

In those lines we declare a config handler for our custom <\/FONT><\/SPAN><\/SPAN><\/SPAN>ClientCredentials<\/SPAN><\/SPAN><\/SPAN><\/SPAN><\/FONT><\/FONT><\/FONT><\/A> <\/SPAN><\/SPAN>class. This basically tells to the system that:<\/SPAN><\/SPAN><\/SPAN><\/FONT><\/FONT><\/P>
\n

\u00b7<\/FONT>         <\/SPAN><\/SPAN><\/SPAN>There is a new behavior available, represented by the tag <\/FONT><\/SPAN><\/SPAN><\/SPAN>SimpleCardSpaceTokenClientCredentials<\/SPAN><\/SPAN><\/SPAN><\/SPAN><\/SPAN><\/SPAN><\/SPAN><\/FONT><\/FONT><\/P>
\n

\u00b7<\/FONT>         <\/SPAN><\/SPAN><\/SPAN>The code for reading the configuration values is in the class <\/FONT><\/SPAN><\/SPAN><\/SPAN>SimpleCardSpaceTokenClientCredentialsSample.SimpleCardSpaceTokenClientCredentialsConfigHandler<\/FONT><\/SPAN><\/SPAN><\/SPAN><\/SPAN>, provided by the assembly <\/FONT><\/SPAN><\/SPAN><\/SPAN>SimpleCardSpaceTokenClientCredentials<\/FONT><\/SPAN><\/SPAN><\/SPAN><\/SPAN>.<\/SPAN><\/SPAN><\/SPAN><\/SPAN><\/SPAN><\/SPAN><\/FONT><\/FONT><\/P>
\n

The next lines represent the endpoints recognized by the client application. <\/SPAN><\/SPAN><\/SPAN><\/SPAN><\/SPAN><\/SPAN><\/FONT><\/FONT><\/P>
\n


\n

 <\/FONT><\/SPAN><\/SPAN><\/SPAN><\/P>
\n

    <\/SPAN><client<\/SPAN>><\/FONT><\/SPAN><\/SPAN><\/SPAN><\/P>
\n

      <\/SPAN><endpoint<\/SPAN> <\/FONT><\/SPAN><\/SPAN><\/SPAN><\/P>
\n

                     <\/SPAN>  <\/SPAN>name<\/SPAN>=”MeteoClient”<\/FONT><\/SPAN><\/SPAN><\/SPAN><\/P>
\n

                     <\/SPAN>  <\/SPAN>address<\/SPAN>=”http:\/\/localhost:4127\/MeteoService\/MeteoEndpoint”<\/FONT><\/SPAN><\/SPAN><\/SPAN><\/P>
\n

                     <\/SPAN>  <\/SPAN>contract<\/SPAN>=”MeteoService.IMeteo”<\/FONT><\/SPAN><\/SPAN><\/SPAN><\/P>
\n

                     <\/SPAN>  <\/SPAN>binding<\/SPAN>=”wsHttpBinding”<\/FONT><\/SPAN><\/SPAN><\/SPAN><\/P>
\n

                     <\/SPAN>  <\/SPAN>bindingConfiguration<\/SPAN>=”myBinding”<\/FONT><\/SPAN><\/SPAN><\/SPAN><\/P>
\n

        <\/SPAN>behaviorConfiguration<\/SPAN>=”MyClientBehavior”><\/FONT><\/SPAN><\/SPAN><\/SPAN><\/P>
\n

        <\/SPAN><identity<\/SPAN>><\/FONT><\/SPAN><\/SPAN><\/SPAN><\/P>
\n

          <\/SPAN><certificateReference<\/SPAN><\/FONT><\/SPAN><\/SPAN><\/SPAN><\/P>
\n

              <\/SPAN>findValue<\/SPAN>=’www.fabrikam.com’<\/FONT><\/SPAN><\/SPAN><\/SPAN><\/P>
\n

              <\/SPAN>storeLocation<\/SPAN>=’LocalMachine’<\/FONT><\/SPAN><\/SPAN><\/SPAN><\/P>
\n

              <\/SPAN>storeName<\/SPAN>=’My’<\/FONT><\/SPAN><\/SPAN><\/SPAN><\/P>
\n

              <\/SPAN>x509FindType<\/SPAN>=’FindBySubjectName’ \/><\/FONT><\/SPAN><\/SPAN><\/SPAN><\/P>
\n

        <\/SPAN><\/identity<\/SPAN>><\/FONT><\/SPAN><\/SPAN><\/SPAN><\/P>
\n

      <\/SPAN><\/endpoint<\/SPAN>><\/FONT><\/SPAN><\/SPAN><\/SPAN><\/P>
\n

      <\/SPAN><endpoint<\/SPAN> <\/FONT><\/SPAN><\/SPAN><\/SPAN><\/P>
\n

                     <\/SPAN>  <\/SPAN>name<\/SPAN>=”TrafficClient”<\/FONT><\/SPAN><\/SPAN><\/SPAN><\/P>
\n

                     <\/SPAN>  <\/SPAN>address<\/SPAN>=”http:\/\/localhost:4128\/TrafficService\/TrafficEndpoint”<\/FONT><\/SPAN><\/SPAN><\/SPAN><\/P>
\n

                     <\/SPAN>  <\/SPAN>contract<\/SPAN>=”TrafficService.ITraffic”<\/FONT><\/SPAN><\/SPAN><\/SPAN><\/P>
\n

                     <\/SPAN>  <\/SPAN>binding<\/SPAN>=”wsHttpBinding”<\/FONT><\/SPAN><\/SPAN><\/SPAN><\/P>
\n

                     <\/SPAN>  <\/SPAN>bindingConfiguration<\/SPAN>=”myBinding”<\/FONT><\/SPAN><\/SPAN><\/SPAN><\/P>
\n

        <\/SPAN>behaviorConfiguration<\/SPAN>=”MyClientBehavior”><\/FONT><\/SPAN><\/SPAN><\/SPAN><\/P>
\n

        <\/SPAN><identity<\/SPAN>><\/FONT><\/SPAN><\/SPAN><\/SPAN><\/P>
\n

          <\/SPAN><certificateReference<\/SPAN><\/FONT><\/SPAN><\/SPAN><\/SPAN><\/P>
\n

          <\/SPAN>    <\/SPAN>findValue<\/SPAN>=’www.fabrikam.com’<\/FONT><\/SPAN><\/SPAN><\/SPAN><\/P>
\n

              <\/SPAN>storeLocation<\/SPAN>=’LocalMachine’<\/FONT><\/SPAN><\/SPAN><\/SPAN><\/P>
\n

              <\/SPAN>storeName<\/SPAN>=’My’<\/FONT><\/SPAN><\/SPAN><\/SPAN><\/P>
\n

              <\/SPAN>x509FindType<\/SPAN>=’FindBySubjectName’ \/><\/FONT><\/SPAN><\/SPAN><\/SPAN><\/P>
\n

        <\/SPAN><\/identity<\/SPAN>><\/FONT><\/SPAN><\/SPAN><\/SPAN><\/P>
\n

      <\/SPAN><\/endpoint<\/SPAN>><\/FONT><\/SPAN><\/SPAN><\/SPAN><\/P>
\n

    <\/SPAN><\/client<\/SPAN>><\/FONT><\/SPAN><\/SPAN><\/SPAN><\/P>
\n

 <\/FONT><\/SPAN><\/SPAN><\/SPAN><\/P>
\n

    <\/SPAN><bindings<\/SPAN>><\/FONT><\/SPAN><\/SPAN><\/SPAN><\/P>
\n

      <\/SPAN><wsHttpBinding<\/SPAN>><\/FONT><\/SPAN><\/SPAN><\/SPAN><\/P>
\n

        <\/SPAN><binding<\/SPAN> name<\/SPAN>=”myBinding”><\/FONT><\/SPAN><\/SPAN><\/SPAN><\/P>
\n

          <\/SPAN><security<\/SPAN> mode<\/SPAN>=”Message”><\/FONT><\/SPAN><\/SPAN><\/SPAN><\/P>
\n

            <\/SPAN><message<\/SPAN> clientCredentialType<\/SPAN>=”IssuedToken”\/><\/FONT><\/SPAN><\/SPAN><\/SPAN><\/P>
\n

          <\/SPAN><\/security<\/SPAN>><\/FONT><\/SPAN><\/SPAN><\/SPAN><\/P>
\n

        <\/SPAN><\/binding<\/SPAN>><\/FONT><\/SPAN><\/SPAN><\/SPAN><\/P>
\n

      <\/SPAN><\/wsHttpBinding<\/SPAN>><\/FONT><\/SPAN><\/SPAN><\/SPAN><\/P>
\n

    <\/SPAN><\/bindings<\/SPAN>><\/FONT><\/SPAN><\/SPAN><\/SPAN><\/P>
\n

 <\/FONT><\/SPAN><\/SPAN><\/SPAN><\/P><\/DIV>
\n

Here it is all business as usual: there is no significant difference from what is described <\/FONT><\/SPAN><\/SPAN><\/SPAN>here<\/SPAN><\/SPAN><\/SPAN><\/SPAN><\/FONT><\/FONT><\/FONT><\/A>. We define an endpoint for getting weather information and one for getting traffic data; they both share the same binding, <\/SPAN><\/SPAN>wsHttpBinding<\/SPAN>, and the same behavior configuration.<\/SPAN><\/SPAN><\/FONT><\/FONT><\/P>
\n

The final lines of the configuration file are the one where we actually apply our custom behavior.<\/FONT><\/FONT><\/SPAN><\/SPAN><\/SPAN><\/P>
\n

 <\/FONT><\/SPAN><\/SPAN><\/SPAN><\/P>
\n


\n

 <\/FONT><\/SPAN><\/SPAN><\/SPAN><\/P>
\n

    <\/SPAN><behaviors<\/SPAN>><\/FONT><\/SPAN><\/SPAN><\/SPAN><\/P>
\n

      <\/SPAN><endpointBehaviors<\/SPAN>><\/FONT><\/SPAN><\/SPAN><\/SPAN><\/P>
\n

       <\/SPAN><\/FONT><\/SPAN><\/SPAN><\/SPAN><\/P>
\n

 <\/FONT><\/SPAN><\/SPAN><\/SPAN><\/P>
\n

        <\/SPAN><behavior<\/SPAN> name<\/SPAN>=’MyClientBehavior’><\/FONT><\/SPAN><\/SPAN><\/SPAN><\/P>
\n

          <\/SPAN><!–<ClientCredentials><\/SPAN><\/FONT><\/SPAN><\/SPAN><\/SPAN><\/P>
\n

            <\/SPAN><serviceCertificate><\/FONT><\/SPAN><\/SPAN><\/SPAN><\/P>
\n

              <\/SPAN><authentication<\/FONT><\/SPAN><\/SPAN><\/SPAN><\/P>
\n

                 <\/SPAN>trustedStoreLocation=’LocalMachine’<\/FONT><\/SPAN><\/SPAN><\/SPAN><\/P>
\n

                 <\/SPAN>revocationMode=’NoCheck’\/><\/FONT><\/SPAN><\/SPAN><\/SPAN><\/P>
\n

              <\/SPAN><defaultCertificate<\/FONT><\/SPAN><\/SPAN><\/SPAN><\/P>
\n

                 <\/SPAN>findValue=’www.fabrikam.com’<\/FONT><\/SPAN><\/SPAN><\/SPAN><\/P>
\n

            <\/SPAN>     <\/SPAN>storeLocation=’LocalMachine’<\/FONT><\/SPAN><\/SPAN><\/SPAN><\/P>
\n

                 <\/SPAN>storeName=’My’<\/FONT><\/SPAN><\/SPAN><\/SPAN><\/P>
\n

                 <\/SPAN>x509FindType=’FindBySubjectName’ \/><\/FONT><\/SPAN><\/SPAN><\/SPAN><\/P>
\n

            <\/SPAN><\/serviceCertificate><\/FONT><\/SPAN><\/SPAN><\/SPAN><\/P>
\n

          <\/SPAN><\/ClientCredentials><\/SPAN><\/SPAN><\/SPAN>–><\/SPAN><\/SPAN><\/SPAN><\/FONT><\/P>
\n

          <\/SPAN><SimpleCardSpaceTokenClientCredentials<\/SPAN>><\/FONT><\/SPAN><\/SPAN><\/SPAN><\/P>
\n

            <\/SPAN><serviceCertificate<\/SPAN>><\/FONT><\/SPAN><\/SPAN><\/SPAN><\/P>
\n

              <\/SPAN><authentication<\/SPAN><\/FONT><\/SPAN><\/SPAN><\/SPAN><\/P>
\n

                 <\/SPAN>trustedStoreLocation<\/SPAN>=’LocalMachine’<\/FONT><\/SPAN><\/SPAN><\/SPAN><\/P>
\n

                 <\/SPAN>revocationMode<\/SPAN>=’NoCheck’\/><\/FONT><\/SPAN><\/SPAN><\/SPAN><\/P>
\n

              <\/SPAN><defaultCertificate<\/SPAN><\/FONT><\/SPAN><\/SPAN><\/SPAN><\/P>
\n

                 <\/SPAN>findValue<\/SPAN>=’www.fabrikam.com’<\/FONT><\/SPAN><\/SPAN><\/SPAN><\/P>
\n

                 <\/SPAN>storeLocation<\/SPAN>=’LocalMachine’<\/FONT><\/SPAN><\/SPAN><\/SPAN><\/P>
\n

                 <\/SPAN>storeName<\/SPAN>=’My’<\/FONT><\/SPAN><\/SPAN><\/SPAN><\/P>
\n

                 <\/SPAN>x509FindType<\/SPAN>=’FindBySubjectName’ \/><\/FONT><\/SPAN><\/SPAN><\/SPAN><\/P>
\n

            <\/SPAN><\/serviceCertificate<\/SPAN>><\/FONT><\/SPAN><\/SPAN><\/SPAN><\/P>
\n

          <\/SPAN><\/SimpleCardSpaceTokenClientCredentials<\/SPAN>><\/FONT><\/SPAN><\/SPAN><\/SPAN><\/P>
\n

        <\/SPAN><\/behavior<\/SPAN>><\/FONT><\/SPAN><\/SPAN><\/SPAN><\/P>
\n

      <\/SPAN><\/endpointBehaviors<\/SPAN>><\/FONT><\/SPAN><\/SPAN><\/SPAN><\/P>
\n

    <\/SPAN><\/behaviors<\/SPAN>><\/FONT><\/SPAN><\/SPAN><\/SPAN><\/P>
\n

 <\/FONT><\/SPAN><\/SPAN><\/SPAN><\/P>
\n

  <\/SPAN><\/system.serviceModel<\/SPAN>><\/FONT><\/SPAN><\/SPAN><\/SPAN><\/P>
\n

<\/configuration<\/SPAN>><\/FONT><\/SPAN><\/SPAN><\/SPAN><\/P><\/DIV>
\n

 <\/FONT><\/SPAN><\/SPAN><\/P>
\n

In the commented element you will probably recognize the usual behavior, as described <\/FONT><\/SPAN><\/SPAN>here<\/SPAN><\/SPAN><\/SPAN><\/SPAN><\/FONT><\/FONT><\/FONT><\/A>. We substituted it with our custom behavior, <\/FONT><\/SPAN><\/SPAN>SimpleCardSpaceTokenClientCredentials<\/FONT><\/SPAN><\/SPAN>; note that the content of the element is exactly the same of the commented version. The semantic of every subelement does not change: the effect of every setting is preserved in the new implementation, too. The only significant difference when we use our custom behavior is that tokens will survive across channel instances, and will be shared by all the endpoints that make use of our behavior in the current process.<\/FONT><\/SPAN><\/SPAN><\/P>
\n

In the next section we will get a closer look at the <\/FONT><\/SPAN><\/SPAN>SimpleCardSpaceTokenClientCredentials<\/SPAN>  <\/SPAN>code, to see how we obtained this result.<\/FONT><\/SPAN><\/SPAN><\/FONT><\/P>
\n

[[[[[[[<\/FONT><\/SPAN><\/SPAN><\/P>
\n

This is exactly what we do in the highlighted lines:<\/FONT><\/SPAN><\/SPAN><\/P>
\n

\u00b7<\/FONT>         <\/SPAN><\/SPAN><\/SPAN>We add to the scene class a member of type <\/FONT><\/SPAN><\/SPAN>SimpleCardSpaceTokenClientCredentials<\/SPAN>, our custom ClientCredentials behavior (more on the internals of <\/FONT><\/SPAN><\/SPAN>SimpleCardSpaceTokenClientCredentials<\/SPAN> in the next section) and we initialize it in the constructor<\/FONT><\/SPAN><\/SPAN><\/FONT><\/P>
\n

\u00b7<\/FONT>         <\/SPAN><\/SPAN><\/SPAN>When we create the channel, we substitute the default <\/FONT><\/SPAN><\/SPAN>ClientCredentials<\/SPAN><\/SPAN><\/SPAN><\/SPAN><\/FONT><\/FONT><\/FONT><\/A>  <\/SPAN>with our instance<\/FONT><\/FONT><\/SPAN><\/SPAN><\/P>
\n

 <\/FONT><\/SPAN><\/SPAN><\/P>
\n

 <\/FONT><\/STRONG><\/SPAN><\/SPAN><\/P>
\n

The SimpleCardSpaceTokenClientCredentials class<\/FONT><\/STRONG><\/SPAN><\/SPAN><\/P>
\n

 <\/FONT><\/SPAN><\/SPAN><\/P>
\n

The  <\/SPAN><\/FONT><\/FONT><\/SPAN><\/SPAN>SimpleCardSpaceTokenClientCredentials<\/SPAN> class is contained in the project <\/FONT><\/FONT><\/SPAN><\/SPAN>SimpleCardSpaceTokenClientCredentials<\/FONT><\/SPAN><\/SPAN>, namely in the file <\/FONT><\/SPAN><\/SPAN>SimpleCardSpaceTokenClientCredentials.cs<\/FONT><\/SPAN><\/SPAN>. It derives from <\/FONT><\/SPAN><\/SPAN>ClientCredentials<\/SPAN>. It will be instanced automatically whenever the system will find it in the behaviors list in an endpoint configuration, as we have shown in the former section.<\/FONT><\/FONT><\/SPAN><\/SPAN><\/P>
\n

The <\/FONT><\/SPAN><\/SPAN>tokenCache<\/SPAN><\/SPAN><\/SPAN> static <\/SPAN>member will survive for the entire lifetime of the UI, and will be accessible by every <\/FONT><\/SPAN><\/SPAN>SimpleCardSpaceTokenClientCredentials <\/SPAN>instance: this will allow us to share its content across all the channel instances that we will use for invoking services, for as long as the user will work with the application.<\/FONT><\/SPAN><\/SPAN><\/FONT><\/P>
\n

Simply saving the first token obtained from CardSpace and sharing it indiscriminately, however, is not a correct solution. Different services may be bonded to different policies: in that case, the token previously cached is simply not suitable for calling the new service and the CardSpace UI MUST appear. Furthermore, tokens can expire: it is then necessary to prompt the user again in order to obtain a fresh version of the credentials. <\/FONT><\/SPAN><\/SPAN><\/P>
\n

 <\/FONT><\/SPAN><\/SPAN><\/P>
\n

Let\u2019s focus on the code that deals with the caching function. <\/FONT><\/SPAN><\/SPAN>ClientCredentials<\/SPAN> has a method, <\/FONT><\/SPAN><\/SPAN>GetInfoCardSecurityToken<\/SPAN>, that is called every time there is the need of obtaining a token from the CardSpace UI. This is the hook where we can implement our caching strategy: our custom class will override <\/FONT><\/SPAN><\/SPAN>GetInfoCardSecurityToken<\/SPAN>, saving the new tokens obtained from the UI in a store and serving them back without invoking the UI if a suitable token was already cached. Below is a snippet of the relevant code.<\/FONT><\/SPAN><\/SPAN><\/FONT><\/P>
\n

 <\/FONT><\/SPAN><\/SPAN><\/P>
\n


\n

\/\/\/ <\/SPAN><summary><\/FONT><\/SPAN><\/SPAN><\/SPAN><\/P>
\n

\/\/\/ Custom ClientCredentials behavior, contianing caching logic<\/SPAN><\/FONT><\/SPAN><\/SPAN><\/SPAN><\/P>
\n

\/\/\/ <\/SPAN><\/summary><\/FONT><\/SPAN><\/SPAN><\/SPAN><\/P>
\n

public<\/SPAN><\/SPAN><\/SPAN> class<\/SPAN> SimpleCardSpaceTokenClientCredentials<\/SPAN> : ClientCredentials<\/SPAN><\/SPAN><\/SPAN><\/SPAN><\/FONT><\/P>
\n

{<\/FONT><\/SPAN><\/SPAN><\/SPAN><\/P>
\n

    <\/SPAN>\/\/\/ <\/SPAN><summary><\/FONT><\/SPAN><\/SPAN><\/SPAN><\/P>
\n

    <\/SPAN>\/\/\/ The static token cache, indexed by policy<\/SPAN><\/FONT><\/SPAN><\/SPAN><\/SPAN><\/P>
\n

    <\/SPAN>\/\/\/ <\/SPAN><\/summary><\/FONT><\/SPAN><\/SPAN><\/SPAN><\/P>
\n

    <\/SPAN>static<\/SPAN> Dictionary<\/SPAN><PolicyChainKey<\/SPAN>,SecurityToken<\/SPAN>> tokenCache;<\/FONT><\/SPAN><\/SPAN><\/SPAN><\/P>
\n

 <\/FONT><\/SPAN><\/SPAN><\/SPAN><\/P>
\n

    <\/SPAN>protected<\/SPAN> override<\/SPAN> SecurityToken<\/SPAN> GetInfoCardSecurityToken(bool<\/SPAN> requiresInfoCard, CardSpacePolicyElement<\/SPAN>[] chain, SecurityTokenSerializer<\/SPAN> tokenSerializer)<\/FONT><\/SPAN><\/SPAN><\/SPAN><\/P>
\n

    <\/SPAN>{<\/FONT><\/SPAN><\/SPAN><\/SPAN><\/P>
\n

        <\/SPAN>PolicyChainKey<\/SPAN> pck = new<\/SPAN> PolicyChainKey<\/SPAN>(chain);            <\/SPAN><\/FONT><\/SPAN><\/SPAN><\/SPAN><\/P>
\n

        <\/SPAN>TimeZone<\/SPAN> localZone = TimeZone<\/SPAN>.CurrentTimeZone;<\/FONT><\/SPAN><\/SPAN><\/SPAN><\/P>
\n

        <\/SPAN>if<\/SPAN> ((tokenCache.ContainsKey(pck)) && (localZone.ToLocalTime(tokenCache[pck].ValidFrom) < DateTime<\/SPAN>.Now) && (localZone.ToLocalTime(tokenCache[pck].ValidTo) > DateTime<\/SPAN>.Now))<\/FONT><\/SPAN><\/SPAN><\/SPAN><\/P>
\n

        <\/SPAN>{<\/FONT><\/SPAN><\/SPAN><\/SPAN><\/P>
\n

            <\/SPAN>return<\/SPAN> tokenCache[pck];<\/FONT><\/SPAN><\/SPAN><\/SPAN><\/P>
\n

        <\/SPAN>}<\/FONT><\/SPAN><\/SPAN><\/SPAN><\/P>
\n

        <\/SPAN>lock<\/SPAN> (tokenCache)<\/FONT><\/SPAN><\/SPAN><\/SPAN><\/P>
\n

        <\/SPAN>{<\/FONT><\/SPAN><\/SPAN><\/SPAN><\/P>
\n

            <\/SPAN>tokenCache.Add(pck, base<\/SPAN>.GetInfoCardSecurityToken(requiresInfoCard, chain, tokenSerializer));<\/FONT><\/SPAN><\/SPAN><\/SPAN><\/P>
\n

        <\/SPAN>}<\/FONT><\/SPAN><\/SPAN><\/SPAN><\/P>
\n

        <\/SPAN>return<\/SPAN> tokenCache[pck];            <\/SPAN><\/FONT><\/SPAN><\/SPAN><\/SPAN><\/P>
\n

    <\/SPAN>}<\/SPAN> <\/FONT><\/SPAN><\/SPAN><\/P><\/DIV>
\n

 <\/FONT><\/SPAN><\/SPAN><\/P>
\n

The highlighted member represents the true token cache. It is a dictionary of <\/FONT><\/SPAN><\/SPAN>SecurityToken<\/SPAN>: every item is associated with a key which represents the policy conditions under which the token was obtained. We will explain this point in much greater detail later in the section.<\/FONT><\/SPAN><\/SPAN><\/FONT><\/P>
\n

The override of <\/FONT><\/SPAN><\/SPAN>GetInfoCardSecurityToken<\/SPAN> is really straightforward:<\/FONT><\/SPAN><\/SPAN><\/FONT><\/P>
\n

1.<\/FONT>   <\/SPAN><\/SPAN><\/SPAN>The code derives a dictionary key from the policy requirements associated with the current token request (more on this later)<\/FONT><\/SPAN><\/SPAN><\/P>
\n

2.<\/FONT>   <\/SPAN><\/SPAN><\/SPAN>If the token cache<\/FONT><\/SPAN><\/SPAN><\/P>
\n

a.<\/FONT>    <\/SPAN><\/SPAN><\/SPAN>Contains a token compatible with the current policy requirements<\/FONT><\/SPAN><\/SPAN><\/P>
\n

b.<\/FONT>    <\/SPAN><\/SPAN><\/SPAN>Such a token is still valid<\/FONT><\/SPAN><\/SPAN><\/P>
\n

then the method returns such a token, without invoking the UI. Otherwise: a new token is obtained from the UI (via <\/FONT><\/SPAN><\/SPAN>base.GetInfoCardSecurityToken<\/SPAN>), it gets cached and returned.<\/FONT><\/SPAN><\/SPAN><\/FONT><\/P>
\n

This is really easy. Of course, we need to take steps for ensuring that the mechanism will not be abused. For this reason, we cache tokens according to the policy that was enforced when every single token was originally obtained.<\/FONT><\/SPAN><\/SPAN><\/P>
\n

Namely, we concentrate on three elements:<\/FONT><\/SPAN><\/SPAN><\/P>
\n

1.<\/FONT>   <\/SPAN><\/SPAN><\/SPAN>The certificate associated with the web service we are calling (our target<\/I>)<\/FONT><\/SPAN><\/SPAN><\/P>
\n

2.<\/FONT>   <\/SPAN><\/SPAN><\/SPAN>The URI of the issuer<\/FONT><\/SPAN><\/SPAN><\/P>
\n

3.<\/FONT>   <\/SPAN><\/SPAN><\/SPAN>The URI of the target<\/FONT><\/SPAN><\/SPAN><\/P>
\n

 <\/FONT><\/SPAN><\/SPAN><\/P>
\n

Before deciding to reuse a token we have in the cache, we have to verify if the current policy requirement is \u201cequivalent\u201d to the ones associated with the cached token.<\/FONT><\/SPAN><\/SPAN><\/P>
\n

The certificate HAS to be the same. If a token was obtained for a web service with a certain identity, in the form of an X509 certificate, the results of many cryptographic operations will be bonded to that certificate. Even the value of the PPID claim will depend on that. <\/FONT><\/SPAN><\/SPAN><\/P>
\n

The URI of the STS, from where we obtained the cached token, needs to be the same as well. We don\u2019t want to repurpose any token against the explicit requirements of the policy which is mandating a well determined STS.<\/FONT><\/SPAN><\/SPAN><\/P>
\n

Where we have some degree of discretion is in the URI of the target. We can\u2019t mandate that the two are exactly the same, of course: that would partially defy the very reasons for which we are building a cache. Two different services will have two different URIs for their endpoints, yet they may use the same token. This is the case of our example, where two web services are offered by the same entity: both services share the same x509 certificate, and the same base address. In this example we arbitrarily decided that two URIs are equivalent if the server name corresponds.<\/FONT><\/SPAN><\/SPAN><\/P>
\n

Such requirements have been expressed in the implementation of the <\/FONT><\/SPAN><\/SPAN>PolicyChainKey<\/SPAN> class. The <\/FONT><\/SPAN><\/SPAN>PolicyChainKey<\/SPAN> class contains three members which contain information about the target URI, the issuer URI and the certificate hash string associated with a token. <\/FONT><\/SPAN><\/SPAN>PolicyChainKey<\/SPAN> overrides the <\/FONT><\/SPAN><\/SPAN>Equals<\/SPAN> method in a way that expresses the equivalence concepts listed above.<\/FONT><\/SPAN><\/SPAN><\/FONT><\/P>
\n

Thanks to the <\/FONT><\/SPAN><\/SPAN>Equals<\/SPAN> override, checking a hashtable for a certain <\/FONT><\/SPAN><\/SPAN>PolicyChainKey<\/SPAN> key value corresponds to verifying if the cache contains a token that satisfies the policy requirements in the sense defined above.<\/FONT><\/SPAN><\/SPAN><\/FONT><\/P>
\n

The code below is the source of the <\/FONT><\/SPAN><\/SPAN>PolicyChainKey<\/SPAN> class.<\/FONT><\/SPAN><\/SPAN><\/FONT><\/P>
\n

  <\/FONT><\/SPAN><\/SPAN><\/SPAN><\/P>
\n


\n

public class PolicyChainKey<\/SPAN><\/FONT><\/SPAN><\/SPAN><\/SPAN><\/P>
\n

    <\/SPAN>{<\/FONT><\/SPAN><\/SPAN><\/SPAN><\/P>
\n

        <\/SPAN>string targetHost;<\/FONT><\/SPAN><\/SPAN><\/SPAN><\/P>
\n

        <\/SPAN>string issuer;<\/FONT><\/SPAN><\/SPAN><\/SPAN><\/P>
\n

  <\/SPAN>      <\/SPAN>string certificate;<\/FONT><\/SPAN><\/SPAN><\/SPAN><\/P>
\n

 <\/FONT><\/SPAN><\/SPAN><\/SPAN><\/P>
\n

        <\/SPAN>public PolicyChainKey(CardSpacePolicyElement<\/SPAN>[] chain)<\/FONT><\/SPAN><\/SPAN><\/SPAN><\/P>
\n

        <\/SPAN>{<\/FONT><\/SPAN><\/SPAN><\/SPAN><\/P>
\n

            <\/SPAN>if (chain.Length != 0)<\/FONT><\/SPAN><\/SPAN><\/SPAN><\/P>
\n

            <\/SPAN>{<\/FONT><\/SPAN><\/SPAN><\/SPAN><\/P>
\n

                <\/SPAN>EndpointAddress<\/SPAN> ea = EndpointAddress<\/SPAN>.ReadFrom(XmlDictionaryReader<\/SPAN>.CreateDictionaryReader(new XmlTextReader<\/SPAN>(new System.IO.StringReader<\/SPAN>(chain[0].Target.OuterXml))));                <\/SPAN><\/FONT><\/SPAN><\/SPAN><\/SPAN><\/P>
\n

                <\/SPAN>X509CertificateEndpointIdentity<\/SPAN> xcei = ea.Identity as X509CertificateEndpointIdentity<\/SPAN>;<\/FONT><\/SPAN><\/SPAN><\/SPAN><\/P>
\n

                <\/SPAN>certificate = xcei.Certificates[0].GetCertHashString();<\/FONT><\/SPAN><\/SPAN><\/SPAN><\/P>
\n

                <\/SPAN>targetHost = ea.Uri.Host;<\/FONT><\/SPAN><\/SPAN><\/SPAN><\/P>
\n

 <\/FONT><\/SPAN><\/SPAN><\/SPAN><\/P>
\n

                <\/SPAN>if (chain[0].Issuer != null)<\/FONT><\/SPAN><\/SPAN><\/SPAN><\/P>
\n

                <\/SPAN>{<\/FONT><\/SPAN><\/SPAN><\/SPAN><\/P>
\n

                    <\/SPAN>ea = EndpointAddress<\/SPAN>.ReadFrom(XmlDictionaryReader<\/SPAN>.CreateDictionaryReader(new XmlTextReader<\/SPAN>(new System.IO.StringReader<\/SPAN>(chain[0].Issuer.OuterXml))));<\/FONT><\/SPAN><\/SPAN><\/SPAN><\/P>
\n

                    <\/SPAN>issuer = ea.Uri.ToString();<\/FONT><\/SPAN><\/SPAN><\/SPAN><\/P>
\n

                <\/SPAN>}<\/FONT><\/SPAN><\/SPAN><\/SPAN><\/P>
\n

            <\/SPAN>}<\/FONT><\/SPAN><\/SPAN><\/SPAN><\/P>
\n

        <\/SPAN>}<\/FONT><\/SPAN><\/SPAN><\/SPAN><\/P>
\n

 <\/FONT><\/SPAN><\/SPAN><\/SPAN><\/P>
\n

        <\/SPAN>public override bool Equals(Object<\/SPAN> obj)<\/FONT><\/SPAN><\/SPAN><\/SPAN><\/P>
\n

        <\/SPAN>{<\/FONT><\/SPAN><\/SPAN><\/SPAN><\/P>
\n

            <\/SPAN>if (obj == null || GetType() != obj.GetType())<\/FONT><\/SPAN><\/SPAN><\/SPAN><\/P>
\n

                <\/SPAN>return false;<\/FONT><\/SPAN><\/SPAN><\/SPAN><\/P>
\n

            <\/SPAN>PolicyChainKey<\/SPAN> p = (PolicyChainKey<\/SPAN>)obj;<\/FONT><\/SPAN><\/SPAN><\/SPAN><\/P>
\n

            <\/SPAN>return (targetHost == p.targetHost) && (certificate == p.certificate) && (issuer == p.issuer);<\/FONT><\/SPAN><\/SPAN><\/SPAN><\/P>
\n

        <\/SPAN>}<\/FONT><\/SPAN><\/SPAN><\/SPAN><\/P>
\n

 <\/FONT><\/SPAN><\/SPAN><\/SPAN><\/P>
\n

        <\/SPAN>public override int GetHashCode()<\/FONT><\/SPAN><\/SPAN><\/SPAN><\/P>
\n

        <\/SPAN>{<\/FONT><\/SPAN><\/SPAN><\/SPAN><\/P>
\n

            <\/SPAN>return (issuer == null) ? targetHost.GetHashCode() ^ certificate.GetHashCode() :<\/FONT><\/SPAN><\/SPAN><\/SPAN><\/P>
\n

                <\/SPAN>targetHost.GetHashCode() ^ certificate.GetHashCode() ^ issuer.GetHashCode();<\/FONT><\/SPAN><\/SPAN><\/SPAN><\/P>
\n

        <\/SPAN>}<\/FONT><\/SPAN><\/SPAN><\/SPAN><\/P>
\n

    <\/SPAN>}<\/SPAN>

<\/FONT><\/SPAN><\/SPAN><\/P><\/DIV>
\n

 <\/FONT><\/SPAN><\/SPAN><\/P>
\n

The last class defined in <\/FONT><\/SPAN><\/SPAN>SimpleCardSpaceTokenClientCredentials.cs<\/FONT><\/SPAN><\/SPAN> is straightforward. <\/FONT><\/SPAN><\/SPAN><\/P>
\n

SimpleCardSpaceTokenClientCredentialsConfigHandler<\/SPAN><\/SPAN><\/SPAN> <\/SPAN>defines how to read the configuration tag, and it basically uses directly the implementation of the base class.<\/FONT><\/SPAN><\/SPAN><\/FONT><\/P>
\n

 <\/FONT><\/SPAN><\/SPAN><\/P>
\n


\n

  <\/SPAN>\/\/\/ <\/SPAN><summary><\/FONT><\/SPAN><\/SPAN><\/SPAN><\/P>
\n

    <\/SPAN>\/\/\/ Configuration element for the SimpleCardSpaceTokenClientCredentials behavior<\/SPAN><\/FONT><\/SPAN><\/SPAN><\/SPAN><\/P>
\n

    <\/SPAN>\/\/\/ <\/SPAN><\/summary><\/FONT><\/SPAN><\/SPAN><\/SPAN><\/P>
\n

    <\/SPAN>public<\/SPAN> class<\/SPAN> SimpleCardSpaceTokenClientCredentialsConfigHandler<\/SPAN> : ClientCredentialsElement<\/SPAN><\/FONT><\/SPAN><\/SPAN><\/SPAN><\/P>
\n

    <\/SPAN>{<\/FONT><\/SPAN><\/SPAN><\/SPAN><\/P>
\n

 <\/FONT><\/SPAN><\/SPAN><\/SPAN><\/P>
\n

        <\/SPAN>public<\/SPAN> override<\/SPAN> Type<\/SPAN> BehaviorType<\/FONT><\/SPAN><\/SPAN><\/SPAN><\/P>
\n

        <\/SPAN>{<\/FONT><\/SPAN><\/SPAN><\/SPAN><\/P>
\n

            <\/SPAN>get<\/SPAN> { return<\/SPAN> typeof<\/SPAN>(SimpleCardSpaceTokenClientCredentials<\/SPAN>); }<\/FONT><\/SPAN><\/SPAN><\/SPAN><\/P>
\n

        <\/SPAN>}<\/FONT><\/SPAN><\/SPAN><\/SPAN><\/P>
\n

      <\/SPAN><\/FONT><\/SPAN><\/SPAN><\/SPAN><\/P>
\n

        <\/SPAN>protected<\/SPAN> override<\/SPAN> object<\/SPAN> CreateBehavior()<\/FONT><\/SPAN><\/SPAN><\/SPAN><\/P>
\n

        <\/SPAN>{<\/FONT><\/SPAN><\/SPAN><\/SPAN><\/P>
\n

            <\/SPAN>SimpleCardSpaceTokenClientCredentials<\/SPAN> scstcc = new<\/SPAN> SimpleCardSpaceTokenClientCredentials<\/SPAN>();<\/FONT><\/SPAN><\/SPAN><\/SPAN><\/P>
\n

            <\/SPAN>base<\/SPAN>.ApplyConfiguration(scstcc);<\/FONT><\/SPAN><\/SPAN><\/SPAN><\/P>
\n

            <\/SPAN>return<\/SPAN> scstcc;<\/FONT><\/SPAN><\/SPAN><\/SPAN><\/P>
\n

        <\/SPAN>}<\/FONT><\/SPAN><\/SPAN><\/SPAN><\/P>
\n

    <\/SPAN>}<\/FONT><\/SPAN><\/SPAN><\/SPAN><\/P><\/DIV>
\n

The services<\/FONT><\/STRONG><\/SPAN><\/SPAN><\/P>
\n

 <\/FONT><\/SPAN><\/SPAN><\/P>
\n

The services do not need to be aware of what the client is doing: they play no part in implementing the caching behavior featured by the sample. <\/FONT><\/SPAN><\/SPAN><\/P>
\n

The two service projects, <\/FONT><\/SPAN><\/SPAN>MeteoService<\/FONT><\/SPAN><\/SPAN> and <\/FONT><\/SPAN><\/SPAN>TrafficService<\/FONT><\/SPAN><\/SPAN>, do not really contain anything different from the usual samples.<\/FONT><\/SPAN><\/SPAN><\/P>
\n

The only code we added simulates a very rough form of authorization control: the body of the method checks if the token used for securing the call contains the PPID of the sample self issued card we provided. You can easily modify that hardcoded value with a PPID of your own by changing the value of the <\/FONT><\/SPAN><\/SPAN>AppSettings<\/SPAN> key \u201c<\/FONT><\/SPAN><\/SPAN><\/FONT>PPIDToCheck<\/SPAN>\u201d, or even better substitute the entire check with a more proper authorization mechanism. Note that if you don\u2019t provide any value for \u201c<\/FONT><\/SPAN><\/SPAN>PPIDToCheck<\/SPAN>\u201d in the service configuration the authorization step will be skipped.<\/FONT><\/SPAN><\/SPAN><\/P>
\n

The snipped below is taken from the file <\/FONT><\/SPAN><\/SPAN>Program.cs<\/FONT><\/SPAN><\/SPAN> of the <\/FONT><\/SPAN><\/SPAN>TrafficService<\/FONT><\/SPAN><\/SPAN> project; the project <\/FONT><\/SPAN><\/SPAN>MeteoService<\/FONT><\/SPAN><\/SPAN> is perfectly equivalent.<\/FONT><\/SPAN><\/SPAN><\/P>
\n

 <\/FONT><\/SPAN><\/SPAN><\/P>
\n

 <\/SPAN><\/SPAN><\/SPAN><\/P>
\n


\n

    <\/SPAN>class<\/SPAN> Traffic<\/SPAN> : ITraffic<\/SPAN><\/FONT><\/SPAN><\/SPAN><\/SPAN><\/P>
\n

  <\/SPAN>  <\/SPAN>{<\/FONT><\/SPAN><\/SPAN><\/SPAN><\/P>
\n

        <\/SPAN>private<\/SPAN> bool<\/SPAN> AuthorizeByPPID()<\/FONT><\/SPAN><\/SPAN><\/SPAN><\/P>
\n

        <\/SPAN>{<\/FONT><\/SPAN><\/SPAN><\/SPAN><\/P>
\n

            <\/SPAN>string<\/SPAN> ppid = System.Configuration.ConfigurationManager<\/SPAN>.AppSettings[“PPIDToCheck”<\/SPAN>];<\/FONT><\/SPAN><\/SPAN><\/SPAN><\/P>
\n

            <\/SPAN>if<\/SPAN> (ppid == null<\/SPAN>)<\/FONT><\/SPAN><\/SPAN><\/SPAN><\/P>
\n

                <\/SPAN>return<\/SPAN> true<\/SPAN>;<\/FONT><\/SPAN><\/SPAN><\/SPAN><\/P>
\n

            <\/SPAN>AuthorizationContext<\/SPAN> ac = ServiceSecurityContext<\/SPAN>.Current.AuthorizationContext;<\/FONT><\/SPAN><\/SPAN><\/SPAN><\/P>
\n

            <\/SPAN>foreach<\/SPAN> (ClaimSet<\/SPAN> ct in<\/SPAN> ac.ClaimSets)<\/FONT><\/SPAN><\/SPAN><\/SPAN><\/P>
\n

                <\/SPAN>foreach<\/SPAN> (Claim<\/SPAN> c in<\/SPAN> ct)<\/FONT><\/SPAN><\/SPAN><\/SPAN><\/P>
\n

                <\/SPAN>{<\/FONT><\/SPAN><\/SPAN><\/SPAN><\/P>
\n

                    <\/SPAN>if<\/SPAN> (c.ClaimType == “http:\/\/schemas.xmlsoap.org\/ws\/2005\/05\/identity\/claims\/privatepersonalidentifier”<\/SPAN>)<\/FONT><\/SPAN><\/SPAN><\/SPAN><\/P>
\n

                        <\/SPAN>return<\/SPAN> (c.Resource.ToString() == ppid);<\/FONT><\/SPAN><\/SPAN><\/SPAN><\/P>
\n

                <\/SPAN>}<\/FONT><\/SPAN><\/SPAN><\/SPAN><\/P>
\n

            <\/SPAN>return<\/SPAN> false<\/SPAN>;            <\/SPAN><\/FONT><\/SPAN><\/SPAN><\/SPAN><\/P>
\n

        <\/SPAN>}<\/FONT><\/SPAN><\/SPAN><\/SPAN><\/P>
\n

 <\/FONT><\/SPAN><\/SPAN><\/SPAN><\/P>
\n

        <\/SPAN>#region<\/SPAN><\/SPAN><\/SPAN> ITraffic Members<\/SPAN><\/SPAN><\/SPAN><\/FONT><\/P>
\n

 <\/FONT><\/SPAN><\/SPAN><\/SPAN><\/P>
\n

        <\/SPAN>public<\/SPAN> List<\/SPAN><TrafficInfo<\/SPAN>> GetTrafficInfo()<\/FONT><\/SPAN><\/SPAN><\/SPAN><\/P>
\n

        <\/SPAN>{<\/FONT><\/SPAN><\/SPAN><\/SPAN><\/P>
\n

            <\/SPAN>if<\/SPAN> (AuthorizeByPPID())<\/FONT><\/SPAN><\/SPAN><\/SPAN><\/P>
\n

            <\/SPAN>{<\/SPAN><\/SPAN><\/SPAN>…<\/SPAN><\/SPAN><\/SPAN><\/SPAN><\/FONT><\/P>
\n

 <\/FONT><\/SPAN><\/P><\/DIV>
\n

Conclusion<\/FONT><\/STRONG><\/P>
\n

 <\/FONT><\/P>
\n

Windows CardSpace provides a consistent mean of authenticating users, both on web applications and web services. <\/FONT><\/P>
\n

In this sample we have shown how you can obtain a smoother experience when developing smartclient applications, by reducing the number of unnecessary prompts with an adequate caching strategy.<\/FONT><\/P>
\n

 <\/P><\/p>\n

<\/div>\n","protected":false},"excerpt":{"rendered":"

Hello everybody. It’s some time that I have this sample in the buffer: I am publishing now in a rush, since this sundaly I leave for 2 weeks in EU for some nice CardSpace briefings here and there. I won’t be on mail very much, so I hope you will hold most questions…<\/p>\n","protected":false},"author":1,"featured_media":1499,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_kad_post_transparent":"","_kad_post_title":"","_kad_post_layout":"","_kad_post_sidebar_id":"","_kad_post_content_style":"","_kad_post_vertical_padding":"","_kad_post_feature":"","_kad_post_feature_position":"","_kad_post_header":false,"_kad_post_footer":false,"footnotes":""},"categories":[61,39,9,86,64,55,31,104,62],"tags":[],"class_list":["post-699","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-architecture-ws","category-cardspace","category-identity","category-infocard","category-wcf","category-windows-cardspace","category-windows-communication-foundation","category-windows-presentation-foundation","category-wpf"],"_links":{"self":[{"href":"https:\/\/www.cloudidentity.com\/blog\/wp-json\/wp\/v2\/posts\/699","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.cloudidentity.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.cloudidentity.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.cloudidentity.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.cloudidentity.com\/blog\/wp-json\/wp\/v2\/comments?post=699"}],"version-history":[{"count":0,"href":"https:\/\/www.cloudidentity.com\/blog\/wp-json\/wp\/v2\/posts\/699\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.cloudidentity.com\/blog\/wp-json\/wp\/v2\/media\/1499"}],"wp:attachment":[{"href":"https:\/\/www.cloudidentity.com\/blog\/wp-json\/wp\/v2\/media?parent=699"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.cloudidentity.com\/blog\/wp-json\/wp\/v2\/categories?post=699"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.cloudidentity.com\/blog\/wp-json\/wp\/v2\/tags?post=699"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}

If you have any question, please refer to the <\/FONT>Windows CardSpace forums<\/FONT><\/A> or to <\/FONT>Vittorio\u2019s blog<\/FONT><\/A>.<\/FONT><\/P>
\n

The file <\/FONT><\/SPAN><\/SPAN>App.config <\/FONT><\/SPAN><\/SPAN>contains the typical WCF configuration which is necessary for invoking two endpoints with <\/FONT><\/SPAN><\/SPAN>wsHttpBinding <\/SPAN>and CardSpace. If you are not familiar with the use of WCF and CardSpace, please refer to the <\/FONT><\/FONT><\/SPAN><\/SPAN>SDK documentation<\/SPAN><\/SPAN><\/SPAN><\/SPAN><\/FONT><\/FONT><\/FONT><\/A> or consider going through a <\/FONT><\/SPAN><\/SPAN>virtual lab<\/SPAN><\/SPAN><\/SPAN><\/SPAN><\/FONT><\/FONT><\/FONT><\/A>.<\/FONT><\/SPAN><\/SPAN><\/P>
\n