Introduction
Every request made against the Windows Azure Storage Services must be authenticated (unless the request is for a blob or container resource that has been made available for public or signed access).
An authenticated request requires two headers: the Date or x-ms-date header and the Authorization header. The latter contains a request signature that is generated with the key for the account that is making the request. This means that to perform operations against these services, you need access to the storage account's secrets.
To avoid having to store your secrets (the storage account name and key) in your client applications, this NuGet package provides a set of proxy services that let you consume the Windows Azure Storage Services in a secure fashion. This way, the storage account information remains safe in the Web Role hosting these services:
- The Azure Tables and Queues proxy services are WCF Web API REST Services that forward requests to the real Windows Azure Storage Services. These proxies support different authentication mechanisms, like Membership and ACS, and allow a more granular level of authorization on top of the storage resources by allowing developers to add their custom authorization logic. If the proxy determines that the request has the correct privileges, it will sign the request, forward it to the real Windows Azure Storage Services, and then forward the response back to the client.
- The Shared Access Signature service is a WCF Web API REST Service that delivers Shared Access Signatures (SAS) for containers and blobs. A SAS is a set of URL query parameters that incorporates all of the information necessary to grant controlled access to a blob or container resource. The URL specifies the time interval over which the SAS is valid, the permissions that it grants, the resource that is to be made available, and the signature that the Blob service should use to authenticate the request. Once the phone client receives the SAS, it can use it to perform requests against the Blob Service REST API.
Prerequisites
Configuration
Configuring your service settings
You can change the default configuration by editing the StorageServices.cs file in the App_Start folder. The following is a list of the options available in the Storage Service configuration context:
- AuthenticateRequest: Performs the user authentication. Allows developers to register a delegate that returns true or false according to whether the request has originated from an authenticated client. By default, the services allow anonymous access. This delegate will be called before the service performs the desired operation in the Windows Azure Storage Account.
- AuthorizeBlobsAccess: Performs user authorization of Blob requests. Allows developers to register a delegate that returns true or false according to whether the current user performing the request has enough permissions to make it. By default, the services allow all requests to go through. This delegate will be called before the service performs the desired operation in the Windows Azure Storage Account.
- AuthorizeQueuesAccess: Performs user authorization of Queue requests. Allows developers to register a delegate that returns true or false according to whether the current user performing the request has enough permissions to make it. By default, the services allow all requests to go through. This delegate will be called before the service performs the desired operation in the Windows Azure Storage Account.
- AuthorizeTablesAccess: Performs user authorization of Table requests. Allows developers to register a delegate that returns true or false according to whether the current user performing the request has enough permissions to make it. By default, the services allow all requests to go through. This delegate will be called before the service performs the desired operation in the Windows Azure Storage Account.
- BlobsSasExpirationTime: The number of minutes for which Blob Shared Access Signatures are valid. It should be greater than 0. The default value is 15 minutes.
- ContainerSasExpirationTime: The number of minutes for which Container Shared Access Signatures are valid. It should be greater than 0. The default value is 15 minutes.
- WindowsAzureStorageMaximmumResponseSize: The maximum size of the responses read from Windows Azure Storage. Responses larger than this value will be discarded. The default value is 1MB.
- CloudStorageAccount: The CloudStorageAccount to use in all Storage Services operations. You should update it to point to your Windows Azure Storage account.
- DelegatingHandlers: A list of Web API DelegatingHandlers. Allows you to register any handlers you want to be called in the Web API Services pipeline, for authentication, logging, etc.
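
A client or reviewer can check that a SAS handed out by the Shared Access Signature service stays within the lifetime set by BlobsSasExpirationTime and ContainerSasExpirationTime. The following Python code is an added example, not part of this package: it parses the SAS query parameters described in the introduction (st, se, sr, sp, si, sig) and reports anything outside an assumed policy of read-only, single-blob access. The audit_sas function, its parameters and the sample URLs are constructed for illustration.

```python
from datetime import datetime, timedelta, timezone
from urllib.parse import urlsplit, parse_qs

def parse_sas_time(value):
    """SAS times are ISO 8601 UTC; the seconds or the whole time part may be omitted."""
    for fmt in ("%Y-%m-%dT%H:%M:%SZ", "%Y-%m-%dT%H:%MZ", "%Y-%m-%d"):
        try:
            return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            continue
    raise ValueError(f"unrecognised SAS time: {value!r}")

# max_minutes mirrors the page's *SasExpirationTime default; allowed and
# allow_container are this example's assumed client policy, not package settings.
def audit_sas(url, now, max_minutes=15, allowed="r", allow_container=False):
    """Return findings for one SAS URL; an empty list means it met the policy."""
    parts = urlsplit(url)
    q = {k: v[0] for k, v in parse_qs(parts.query).items()}
    findings = []
    if parts.scheme != "https":
        findings.append("sent over plain HTTP; the URL itself is the credential")
    if "sig" not in q:
        findings.append("no signature (sig)")
    if "si" in q:  # a stored access policy may supply the expiry and permissions
        findings.append(f"uses stored policy {q['si']!r}; review it on the container")
    elif "se" not in q:
        findings.append("no expiry (se)")
    if "se" in q:
        expiry = parse_sas_time(q["se"])
        start = parse_sas_time(q["st"]) if "st" in q else now
        if expiry <= now:
            findings.append("already expired")
        elif expiry - start > timedelta(minutes=max_minutes):
            findings.append(f"valid for {expiry - start}, longer than {max_minutes} min")
    extra = sorted(set(q.get("sp", "")) - set(allowed))
    if extra:
        findings.append("grants extra permissions: " + "".join(extra))
    if q.get("sr") == "c" and not allow_container:
        findings.append("container-scoped (sr=c): covers every blob in the container")
    return findings

# Constructed sample URLs; account, container and sig values are placeholders.
GOOD = ("https://myaccount.blob.core.windows.net/pictures/photo.jpg"
        "?st=2012-01-01T10%3A00%3A00Z&se=2012-01-01T10%3A15%3A00Z&sr=b&sp=r&sig=PLACEHOLDER")
BAD = ("http://myaccount.blob.core.windows.net/pictures"
       "?se=2012-01-02T10%3A00%3A00Z&sr=c&sp=rwdl&sig=PLACEHOLDER")
if __name__ == "__main__":
    now = datetime(2012, 1, 1, 10, 1, tzinfo=timezone.utc)
    print([audit_sas(u, now) for u in (GOOD, BAD)])
```

The check only inspects what the URL declares; the signature itself can be verified only by the Blob service, which holds the account key.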
