Pablo M. Cibraro (aka Cibrax)

Dominick just blogged what I think is one of the best ways to provide claim based security for RESTful services at the moment. The idea of using simple web tokens for RESTful services I’ve been in my head for a while, but I was not able to find enough the time to implement it. Fortunately, Dominick already did it for us, so it’s really great to have a sample with that.

The Federation Authentication Module (FAM) shipped as part of WIF protects by the default the session cookies from being tampered with in passive scenarios using DPAPI. As I mentioned in the past, this technique simplifies a lot the initial deployment for the whole solution as nothing extra needs to configured, the automatically generated DPAPI key is used to protect the cookies, so this might be reason to have that as default protection mechanism in WSE, WCF and now WIF.

Windows AppFabric (Previously known as Dublin) introduces a new built-in mechanism for monitoring the execution of the WCF services, all the events generated during the execution or the interaction with other services. While the message trace capabilities in WCF already provided some detail about the execution and the exchanged messages, it was a feature more suitable for troubleshooting and error diagnosis.   The performance counters did not help in this area either, as they provided live service usage statistics, which sometimes resulted very useful to determine possible bottlenecks.

WS-Trust 1.4 introduced a new feature called as “ActAs” for addressing common scenarios where an application needs to call a service on behalf of the logged user or a service needs to call another service on behalf of the original caller. These are typical examples of what is usually resolved with the “Trusted Subsystem” pattern.

WIF will be finally supported in W2k3. This has represented a big barrier for the adoption of WIF in one of my customers for a while, but it looks like now I will able to use it after December :).  This is the official announcement made by the Geneva Team this weekend on their blog,

The first chapter of the WCF extensibility guide that Jesus and I have been working on during the last few months went live in MSDN this weekend. You can find it here, http://msdn.microsoft.com/en-us/library/ee672186.aspx 

I was wondering these days what would be the point in using WS-Passive when there is another simple sign-on solution, OpenID, that works really well and it’s getting a great adoption in the community. I can not say the same about WS-Passive, I haven’t seen any concrete implementation yet (For instance, Microsoft is planning to release a first implementation as part of the WIF framework before the end of this year).

As Dr Nick announced in this post, WCF 4.0 will ship with a new feature to configure a client channel from a configuration source other than the traditional section in the application configuration file (I discussed a workaround for doing the same thing in WCF 3.0 a time ago in this post)