public override HttpStatusCode ValidateAuthentication(IHttpAuthenticationContext authenticationContext)
{
HttpStatusCode result = base.ValidateAuthentication(authenticationContext);
if (result == HttpStatusCode.OK)
{
if (this.shouldValidateClientCertificate)
{
bool isValidCertificate;
X509Certificate2 clientCertificate = authenticationContext.GetClientCertificate(out isValidCertificate);
if (clientCertificate == null)
{
if (this.RequireClientCertificate)
{
if (DiagnosticUtility.ShouldTraceError)
{
TraceUtility.TraceEvent(TraceEventType.Error, TraceCode.HttpsClientCertificateNotPresent, SR.GetString(SR.TraceCodeHttpsClientCertificateNotPresent),
authenticationContext.CreateTraceRecord(), this, null);
}
result = CertificateErrorStatusCode;
}
}
else if (!isValidCertificate && !this.useCustomClientCertificateVerification)
{
if (DiagnosticUtility.ShouldTraceError)
{
TraceUtility.TraceEvent(TraceEventType.Error, TraceCode.HttpsClientCertificateInvalid, SR.GetString(SR.TraceCodeHttpsClientCertificateInvalid),
authenticationContext.CreateTraceRecord(), this, null);
}
result = CertificateErrorStatusCode;
}
// Audit Authentication failure
if (result != HttpStatusCode.OK && (AuditLevel.Failure == (this.AuditBehavior.MessageAuthenticationAuditLevel & AuditLevel.Failure)))
{
string message = SR.GetString(SR.HttpAuthenticationFailed, this.AuthenticationScheme, result);
Exception exception = DiagnosticUtility.ExceptionUtility.ThrowHelperError(new MessageSecurityException(message));
WriteAuditEvent(AuditLevel.Failure, (clientCertificate != null) ? SecurityUtils.GetCertificateId(clientCertificate) : String.Empty, exception);
}
}
}
return(result);
}
public override SecurityMessageProperty ProcessAuthentication(IHttpAuthenticationContext authenticationContext)
{
if (this.shouldValidateClientCertificate)
{
SecurityMessageProperty retValue;
X509Certificate2 certificate = null;
try
{
bool isCertificateValid;
certificate = authenticationContext.GetClientCertificate(out isCertificateValid);
Fx.Assert(!this.requireClientCertificate || certificate != null, "ClientCertificate must be present");
if (certificate != null)
{
if (!this.useCustomClientCertificateVerification)
{
Fx.Assert(isCertificateValid, "ClientCertificate must be valid");
}
WindowsIdentity identity = null;
string authType = base.GetAuthType(authenticationContext);
if (this.useHostedClientCertificateMapping)
{
identity = authenticationContext.LogonUserIdentity;
if (identity == null || !identity.IsAuthenticated)
{
identity = WindowsIdentity.GetAnonymous();
}
else
{
// it is not recommended to call identity.AuthenticationType as this is a privileged instruction.
// when the identity is cloned, it will be created with an authtype indicating WindowsIdentity from a cert.
identity = SecurityUtils.CloneWindowsIdentityIfNecessary(identity, SecurityUtils.AuthTypeCertMap);
authType = SecurityUtils.AuthTypeCertMap;
}
}
retValue = CreateSecurityProperty(certificate, identity, authType);
}
else if (this.AuthenticationScheme == AuthenticationSchemes.Anonymous)
{
return(new SecurityMessageProperty());
}
else
{
return(base.ProcessAuthentication(authenticationContext));
}
}
#pragma warning suppress 56500 // covered by FXCop
catch (Exception exception)
{
if (Fx.IsFatal(exception))
{
throw;
}
// Audit Authentication failure
if (AuditLevel.Failure == (this.AuditBehavior.MessageAuthenticationAuditLevel & AuditLevel.Failure))
{
WriteAuditEvent(AuditLevel.Failure, (certificate != null) ? SecurityUtils.GetCertificateId(certificate) : String.Empty, exception);
}
throw;
}
// Audit Authentication success
if (AuditLevel.Success == (this.AuditBehavior.MessageAuthenticationAuditLevel & AuditLevel.Success))
{
WriteAuditEvent(AuditLevel.Success, (certificate != null) ? SecurityUtils.GetCertificateId(certificate) : String.Empty, null);
}
return(retValue);
}
else if (this.AuthenticationScheme == AuthenticationSchemes.Anonymous)
{
return(new SecurityMessageProperty());
}
else
{
return(base.ProcessAuthentication(authenticationContext));
}
}