The overall architecture of a Forms Server 2007 and InfoPath 2007 implementation can quickly take on a three-tier or n-tier structure, which complicates security and authentication. When the user (tier 1) requests a form from a Web browser, the request goes to Internet Information Services (IIS) (tier 2), which passes it to the Forms Server (tier 3). The Forms Server loads and converts the InfoPath 2007 form, which might in turn call a Web service (tier 4) to supply some of the data it returns to the user. Each tier must present acceptable authentication credentials to the next tier.
For security reasons, Web services often require their own authentication. Under normal circumstances the only credentials the Forms Server holds are the user's own, and it cannot simply forward them to a third server (the multihop problem described next); even where it could, the user's account often lacks the permissions the Web service requires. The remedy is the Forms Server Web Service Proxy, which you configure from Central Administration by clicking the Manage The Web Service Proxy link in the Application Management section. With the proxy enabled, users can open forms that call Web services on their behalf without being prompted for credentials at every tier. As administrators and planners, you need to understand this problem and how to configure Forms Server 2007 and InfoPath 2007 to work securely around it.
The user authenticates once, from either the InfoPath client or the Web browser, to the Forms Server. When a form's data connection runs, it is the Forms Server itself that opens the connection to the Web service, and it has no way to present the user's credentials to that service. This problem is referred to in various documents as multihop (or double-hop) authentication and is quite common in distributed applications.
Real World: Alternate Authentication in Addition to the Proxy Settings
Because a form might need to use multiple Web services, each requiring different credentials, Forms Server 2007 works with administrator-created universal data connection (UDC, file extension .udcx) files to streamline authentication across multiple tiers.
To manage the Web proxy services, you first need to go to Central Administration, Application Management, InfoPath Forms Services, Manage The Web Service Proxy, and select the Enable check box in the Enable The Web Service Proxy section, as shown in Figure 21-4.
Figure 21-4: Managing Web proxy configuration settings
The text accompanying the check box explains that there needs to be a UDC file for the form's data connection. You can also enable the service for user-deployed forms on this page.
In the real world, this setup might be too restrictive. If different users must be authorized differently and it is not appropriate to always act as the Web application's account, the Web service can read the user name from the <UsernameToken> the proxy places in the WS-Security header and use it to authorize, or to impersonate, on that user's behalf.
By default, the proxy connects to the Web service using the Web application's application pool account, so every Web service call made through the proxy from that Web application authenticates as that account. If you use a UDC file, it must reside in a Data Connection library in the Web application the proxy is configured for, and the form library that uses the proxy must be in that same Web application.
In the following sample, an XML element named UsernameToken contains a child element named Username. This information is sent in the WS-Security header of the request to the Web service. The UDC file tells the form's data connection to use the proxy, and the Forms Server, having converted the InfoPath form into the HTML/ASPX page the browser renders, adds the header when it calls the Web service on the user's behalf. Here is what the header looks like:
    <!-- No Password -->
    <UsernameToken>
        <Username>Bob</Username>
    </UsernameToken>
The Web service can extract this name and use it programmatically to authorize the user as needed; the service itself is authenticated by the application pool account, which must therefore have sufficient permissions to reach the service. Note that the token carries no password: it is an assertion of identity made by the proxy, not an authentication of the user, so the Web service should honor it only when the calling account is the proxy's application pool account over an authenticated channel. Otherwise any client that can reach the service could supply a header naming an arbitrary user. Using the UDC file, an administrator can set this scenario up and then request that a programmer use this information from within the Web service to grant the specific user the access needed.
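The following ASMX Web service is an added example, not code from the book, showing the programmer's side of this arrangement. It assumes the IIS site hosting the service uses Integrated Windows authentication with anonymous access disabled (so Context.User.Identity.Name is the caller's Windows account), that web.config holds a hypothetical appSetting named FormsServiceProxyAccount naming the Forms Server's application pool account, and that the Username value arrives in the same form as the page's sample (a plain name such as Bob; confirm the format your proxy emits before relying on it). The service name, namespace and order data are constructed for the example.

```csharp
using System;
using System.Collections.Generic;
using System.Configuration;
using System.Web.Services;
using System.Web.Services.Protocols;
using System.Xml;

// Hypothetical ASMX Web service called through the InfoPath Forms Services proxy.
[WebService(Namespace = "http://example.com/infopath/orders/")]
public class OrderService : WebService
{
    // Every SOAP header the service does not declare explicitly lands here,
    // including the WS-Security header that carries the proxy's UsernameToken.
    public SoapUnknownHeader[] IncomingHeaders;

    // Assumed appSetting holding the Forms Server application pool account,
    // for example CONTOSO\svc-sp-apppool.
    private static readonly string ProxyAccount =
        ConfigurationManager.AppSettings["FormsServiceProxyAccount"];

    // Constructed sample data standing in for a real back end: order id -> owner.
    private static readonly Dictionary<string, string> OrderOwners =
        new Dictionary<string, string>(StringComparer.OrdinalIgnoreCase)
        {
            { "ORD-1001", "Bob" },
            { "ORD-1002", "Alice" },
        };

    [WebMethod]
    [SoapHeader("IncomingHeaders")]
    public string GetOrderOwner(string orderId)
    {
        // 1. Only the proxy's application pool account may vouch for a user. The
        //    UsernameToken carries no password, so from any other caller it is
        //    just an unverified string and must be ignored.
        string caller = Context.User.Identity.Name;
        if (!string.Equals(caller, ProxyAccount, StringComparison.OrdinalIgnoreCase))
            throw new SoapException("Caller is not the Forms Services proxy account.",
                                    SoapException.ClientFaultCode);

        // 2. Read the end user's name from the WS-Security header the proxy added.
        string user = ExtractUsername(IncomingHeaders);
        if (string.IsNullOrEmpty(user))
            throw new SoapException("No UsernameToken in the request.",
                                    SoapException.ClientFaultCode);

        // 3. Authorize the end user, not the application pool account: here a
        //    user may look up only orders they own.
        string owner;
        if (!OrderOwners.TryGetValue(orderId, out owner))
            throw new SoapException("Unknown order.", SoapException.ClientFaultCode);
        if (!string.Equals(owner, user, StringComparison.OrdinalIgnoreCase))
            throw new SoapException("Access denied for " + user + ".",
                                    SoapException.ClientFaultCode);
        return owner;
    }

    // Finds Security/UsernameToken/Username by local name, so the exact namespace
    // prefix the proxy uses for the WS-Security elements does not matter.
    internal static string ExtractUsername(SoapUnknownHeader[] headers)
    {
        if (headers == null) return null;
        foreach (SoapUnknownHeader h in headers)
        {
            XmlNode name = h.Element.SelectSingleNode(
                "descendant-or-self::*[local-name()='UsernameToken']" +
                "/*[local-name()='Username']");
            if (name == null) continue;
            // Mark the header as processed; ASMX faults on an unprocessed header
            // that was sent with mustUnderstand="1".
            h.DidUnderstand = true;
            return name.InnerText.Trim();
        }
        return null;
    }
}
```

The order of the three checks is the point: the transport identity is verified before the header is read, so the UsernameToken is only ever trusted from the one account the proxy runs as. If several Forms Server front ends call the service under different application pool accounts, the allow-list in step 1 must name all of them.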
To actually get the InfoPath form to communicate with the Web service through the proxy and pass this information to it, you need to edit the UDC file as follows:
Locate the ServiceUrl XML element.
Set this element's UseFormsServiceProxy attribute to "1" (UseFormsServiceProxy="1").
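Here is a complete UDC file with that edit applied, added as an example rather than taken from the book. The service URLs, SOAP action and connection name are constructed; the surrounding elements follow the version 2.0 UDC layout that InfoPath 2007 generates when you convert a Web service data connection.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<udc:DataSource MajorVersion="2" MinorVersion="0"
    xmlns:udc="http://schemas.microsoft.com/office/infopath/2006/udc">
  <udc:Name>Order Owner Lookup</udc:Name>
  <udc:Description>Calls OrderService through the Forms Services Web service proxy.</udc:Description>
  <udc:Type MajorVersion="2" MinorVersion="0" Type="WebService">
    <udc:SubType MajorVersion="0" MinorVersion="0" Type="" />
  </udc:Type>
  <udc:ConnectionInfo Purpose="ReadOnly" AltDataSource="">
    <udc:WsdlUrl>http://apps.contoso.com/OrderService.asmx?WSDL</udc:WsdlUrl>
    <udc:SelectCommand>
      <udc:ListId />
      <udc:WebUrl />
      <udc:ConnectionString />
      <!-- UseFormsServiceProxy="1" is the edit described in the steps above. The
           Forms Server then calls the service as its application pool account and
           adds the WS-Security UsernameToken naming the current user. -->
      <udc:ServiceUrl UseFormsServiceProxy="1">http://apps.contoso.com/OrderService.asmx</udc:ServiceUrl>
      <udc:SoapAction>http://example.com/infopath/orders/GetOrderOwner</udc:SoapAction>
      <udc:Query />
    </udc:SelectCommand>
    <!-- No udc:Authentication block is needed: the proxy supplies the identity.
         The alternative is a udc:UseExplicit block holding a fixed user name and
         password, which stores a credential in a file every reader of the Data
         Connection library can open. -->
  </udc:ConnectionInfo>
</udc:DataSource>
```

Upload the file to the Data Connection library of the Web application the proxy is enabled for, approve it, and have the form template's data connection point at that library entry; the form library that uses it must be in the same Web application, as noted earlier.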