private SecurityTokenProvider CreateTlsnegoServerX509TokenProvider(RecipientServiceModelSecurityTokenRequirement recipientRequirement) { //throw new PlatformNotSupportedException("TlsnegoServerX509Token"); RecipientServiceModelSecurityTokenRequirement serverX509Requirement = new RecipientServiceModelSecurityTokenRequirement { TokenType = SecurityTokenTypes.X509Certificate, KeyUsage = SecurityKeyUsage.Exchange, ListenUri = recipientRequirement.ListenUri, KeyType = SecurityKeyType.AsymmetricKey, SecurityBindingElement = recipientRequirement.SecurityBindingElement }; return(CreateSecurityTokenProvider(serverX509Requirement)); }
public void CreateProviderX509() { SecurityTokenRequirement r = new RecipientServiceModelSecurityTokenRequirement(); r.TokenType = SecurityTokenTypes.X509Certificate; def_c.ServiceCredentials.ServiceCertificate.Certificate = new X509Certificate2("Test/Resources/test.pfx", "mono"); X509SecurityTokenProvider p = def_c.CreateSecurityTokenProvider(r) as X509SecurityTokenProvider; Assert.IsNotNull(p, "#1"); }
private SecurityTokenAuthenticator CreateTlsnegoClientX509TokenAuthenticator(RecipientServiceModelSecurityTokenRequirement recipientRequirement) { //throw new PlatformNotSupportedException("TlsnegoClientX509Token"); RecipientServiceModelSecurityTokenRequirement clientX509Requirement = new RecipientServiceModelSecurityTokenRequirement { TokenType = SecurityTokenTypes.X509Certificate, KeyUsage = SecurityKeyUsage.Signature, ListenUri = recipientRequirement.ListenUri, KeyType = SecurityKeyType.AsymmetricKey, SecurityBindingElement = recipientRequirement.SecurityBindingElement }; return(CreateSecurityTokenAuthenticator(clientX509Requirement, out _)); }
RecipientServiceModelSecurityTokenRequirement CreateRecipientRequirement(string tokenType) { RecipientServiceModelSecurityTokenRequirement r = new RecipientServiceModelSecurityTokenRequirement(); r.TokenType = tokenType; r.SecurityBindingElement = new SymmetricSecurityBindingElement(); r.Properties [ReqType.IssuerBindingContextProperty] = new BindingContext(new CustomBinding(), new BindingParameterCollection()); r.Properties [ReqType.IssuedSecurityTokenParametersProperty] = new IssuedSecurityTokenParameters(); r.MessageSecurityVersion = MessageSecurityVersion.Default.SecurityTokenVersion; return(r); }
private SecurityTokenAuthenticator CreateSpnegoSecurityTokenAuthenticator(RecipientServiceModelSecurityTokenRequirement recipientRequirement, out SecurityTokenResolver sctResolver) { SecurityBindingElement securityBindingElement = recipientRequirement.SecurityBindingElement; if (securityBindingElement == null) { throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgument(SR.Format(SR.TokenAuthenticatorRequiresSecurityBindingElement, recipientRequirement)); } bool isCookieMode = !recipientRequirement.SupportSecurityContextCancellation; LocalServiceSecuritySettings localServiceSettings = securityBindingElement.LocalServiceSettings; sctResolver = new SecurityContextSecurityTokenResolver(localServiceSettings.MaxCachedCookies, true); recipientRequirement.TryGetProperty <ExtendedProtectionPolicy>(ServiceModelSecurityTokenRequirement.ExtendedProtectionPolicy, out _); SpnegoTokenAuthenticator authenticator = new SpnegoTokenAuthenticator { ExtendedProtectionPolicy = null, AllowUnauthenticatedCallers = ServiceCredentials.WindowsAuthentication.AllowAnonymousLogons, ExtractGroupsForWindowsAccounts = ServiceCredentials.WindowsAuthentication.IncludeWindowsGroups, IsClientAnonymous = false, EncryptStateInServiceToken = isCookieMode, IssuedSecurityTokenParameters = recipientRequirement.GetProperty <SecurityTokenParameters>(ServiceModelSecurityTokenRequirement.IssuedSecurityTokenParametersProperty), IssuedTokenCache = (ISecurityContextSecurityTokenCache)sctResolver, IssuerBindingContext = recipientRequirement.GetProperty <BindingContext>(ServiceModelSecurityTokenRequirement.IssuerBindingContextProperty), ListenUri = recipientRequirement.ListenUri, SecurityAlgorithmSuite = recipientRequirement.SecurityAlgorithmSuite, StandardsManager = SecurityUtils.CreateSecurityStandardsManager(recipientRequirement, this), SecurityStateEncoder = ServiceCredentials.SecureConversationAuthentication.SecurityStateEncoder, KnownTypes = ServiceCredentials.SecureConversationAuthentication.SecurityContextClaimTypes, LdapSettings = ServiceCredentials.WindowsAuthentication.LdapSetting }; // if the SPNEGO is being done in mixed-mode, the nego blobs are from an anonymous client and so there size bound needs to be enforced. if (securityBindingElement is TransportSecurityBindingElement) { authenticator.MaxMessageSize = SecurityUtils.GetMaxNegotiationBufferSize(authenticator.IssuerBindingContext); } // local security quotas authenticator.MaximumCachedNegotiationState = localServiceSettings.MaxStatefulNegotiations; authenticator.NegotiationTimeout = localServiceSettings.NegotiationTimeout; authenticator.ServiceTokenLifetime = localServiceSettings.IssuedCookieLifetime; authenticator.MaximumConcurrentNegotiations = localServiceSettings.MaxStatefulNegotiations; // audit settings //authenticator.AuditLogLocation = recipientRequirement.AuditLogLocation; //authenticator.SuppressAuditFailure = recipientRequirement.SuppressAuditFailure; //authenticator.MessageAuthenticationAuditLevel = recipientRequirement.MessageAuthenticationAuditLevel; return(authenticator); }
public void CreateProviderX509Recipient() { RecipientServiceModelSecurityTokenRequirement r = new RecipientServiceModelSecurityTokenRequirement(); r.TokenType = SecurityTokenTypes.X509Certificate; r.KeyUsage = SecurityKeyUsage.Exchange; def_c.ClientCredentials.ClientCertificate.Certificate = cert; X509SecurityTokenProvider p = def_c.CreateSecurityTokenProvider(r) as X509SecurityTokenProvider; Assert.IsNotNull(p, "#1"); }
RecipientServiceModelSecurityTokenRequirement CreateAnonSslRequirement() { RecipientServiceModelSecurityTokenRequirement r = new RecipientServiceModelSecurityTokenRequirement(); MySslSecurityTokenParameters p = new MySslSecurityTokenParameters(); p.InitRequirement(r); r.SecurityBindingElement = new SymmetricSecurityBindingElement(new X509SecurityTokenParameters()); r.Properties [ReqType.IssuedSecurityTokenParametersProperty] = p.Clone(); r.Properties [ReqType.IssuerBindingContextProperty] = new BindingContext(new CustomBinding(new HttpTransportBindingElement()), new BindingParameterCollection()); r.Properties [ReqType.MessageSecurityVersionProperty] = MessageSecurityVersion.Default.SecurityTokenVersion; return(r); }
private SecurityTokenAuthenticator CreateTlsnegoSecurityTokenAuthenticator(RecipientServiceModelSecurityTokenRequirement recipientRequirement, bool requireClientCertificate, out SecurityTokenResolver sctResolver) { throw new PlatformNotSupportedException("TlsnegoSecurityToken"); /* * SecurityBindingElement securityBindingElement = recipientRequirement.SecurityBindingElement; * if (securityBindingElement == null) * { * throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgument(SR.Format(SR.TokenAuthenticatorRequiresSecurityBindingElement, recipientRequirement)); * } * bool isCookieMode = !recipientRequirement.SupportSecurityContextCancellation; * LocalServiceSecuritySettings localServiceSettings = securityBindingElement.LocalServiceSettings; * sctResolver = new SecurityContextSecurityTokenResolver(localServiceSettings.MaxCachedCookies, true); * * TlsnegoTokenAuthenticator authenticator = new TlsnegoTokenAuthenticator(); * authenticator.IsClientAnonymous = !requireClientCertificate; * if (requireClientCertificate) * { * authenticator.ClientTokenAuthenticator = this.CreateTlsnegoClientX509TokenAuthenticator(recipientRequirement); * authenticator.MapCertificateToWindowsAccount = this.ServiceCredentials.ClientCertificate.Authentication.MapClientCertificateToWindowsAccount; * } * authenticator.EncryptStateInServiceToken = isCookieMode; * authenticator.IssuedSecurityTokenParameters = recipientRequirement.GetProperty<SecurityTokenParameters>(ServiceModelSecurityTokenRequirement.IssuedSecurityTokenParametersProperty); * authenticator.IssuedTokenCache = (ISecurityContextSecurityTokenCache)sctResolver; * authenticator.IssuerBindingContext = recipientRequirement.GetProperty<BindingContext>(ServiceModelSecurityTokenRequirement.IssuerBindingContextProperty); * authenticator.ListenUri = recipientRequirement.ListenUri; * authenticator.SecurityAlgorithmSuite = recipientRequirement.SecurityAlgorithmSuite; * authenticator.StandardsManager = SecurityUtils.CreateSecurityStandardsManager(recipientRequirement, this); * authenticator.SecurityStateEncoder = parent.SecureConversationAuthentication.SecurityStateEncoder; * authenticator.KnownTypes = parent.SecureConversationAuthentication.SecurityContextClaimTypes; * authenticator.ServerTokenProvider = CreateTlsnegoServerX509TokenProvider(recipientRequirement); * // local security quotas * authenticator.MaximumCachedNegotiationState = localServiceSettings.MaxStatefulNegotiations; * authenticator.NegotiationTimeout = localServiceSettings.NegotiationTimeout; * authenticator.ServiceTokenLifetime = localServiceSettings.IssuedCookieLifetime; * authenticator.MaximumConcurrentNegotiations = localServiceSettings.MaxStatefulNegotiations; * // if the TLSNEGO is being done in mixed-mode, the nego blobs are from an anonymous client and so there size bound needs to be enforced. * if (securityBindingElement is TransportSecurityBindingElement) * { * authenticator.MaxMessageSize = SecurityUtils.GetMaxNegotiationBufferSize(authenticator.IssuerBindingContext); * } * // audit settings * // authenticator.AuditLogLocation = recipientRequirement.AuditLogLocation; * // authenticator.SuppressAuditFailure = recipientRequirement.SuppressAuditFailure; * // authenticator.MessageAuthenticationAuditLevel = recipientRequirement.MessageAuthenticationAuditLevel; * return authenticator;*/ }
public void CreateProviderAnonSslError() { RecipientServiceModelSecurityTokenRequirement r = new RecipientServiceModelSecurityTokenRequirement(); r.TokenType = ServiceModelSecurityTokenTypes.AnonymousSslnego; r.ListenUri = new Uri("http://localhost:8080"); r.SecurityBindingElement = new SymmetricSecurityBindingElement(); r.Properties [ReqType.IssuerBindingContextProperty] = new BindingContext(new CustomBinding(), new BindingParameterCollection()); r.MessageSecurityVersion = MessageSecurityVersion.Default.SecurityTokenVersion; SecurityTokenProvider p = def_c.CreateSecurityTokenProvider(r); Assert.IsNotNull(p, "#1"); }
public void CreateProviderAnonSsl() { RecipientServiceModelSecurityTokenRequirement r = new RecipientServiceModelSecurityTokenRequirement(); new MySslSecurityTokenParameters().InitRequirement(r); Assert.IsFalse(r.Properties.ContainsKey(ReqType.ChannelParametersCollectionProperty), "#1"); Assert.IsFalse(r.Properties.ContainsKey(ReqType.EndpointFilterTableProperty), "#2"); Assert.IsFalse(r.Properties.ContainsKey(ReqType.HttpAuthenticationSchemeProperty), "#3"); Assert.IsFalse(r.Properties.ContainsKey(ReqType.IsOutOfBandTokenProperty), "#4"); Assert.IsFalse(r.Properties.ContainsKey(ReqType.IssuerAddressProperty), "#5"); Assert.IsFalse(r.Properties.ContainsKey(ReqType.MessageDirectionProperty), "#6"); Assert.IsFalse(r.Properties.ContainsKey(ReqType.MessageSecurityVersionProperty), "#7"); //Assert.IsTrue (r.Properties.ContainsKey (SecurityTokenRequirement.PeerAuthenticationMode), "#8"); Assert.IsFalse(r.Properties.ContainsKey(ReqType.SecurityAlgorithmSuiteProperty), "#9"); Assert.IsFalse(r.Properties.ContainsKey(ReqType.SecurityBindingElementProperty), "#10"); Assert.IsFalse(r.Properties.ContainsKey(ReqType.SupportingTokenAttachmentModeProperty), "#11"); Assert.AreEqual(null, r.TransportScheme, "#12"); r.TokenType = ServiceModelSecurityTokenTypes.AnonymousSslnego; r.ListenUri = new Uri("http://localhost:8080"); r.SecurityBindingElement = new SymmetricSecurityBindingElement(); r.Properties [ReqType.IssuerBindingContextProperty] = new BindingContext(new CustomBinding(), new BindingParameterCollection()); r.MessageSecurityVersion = MessageSecurityVersion.Default.SecurityTokenVersion; r.Properties [ReqType.SecurityAlgorithmSuiteProperty] = SecurityAlgorithmSuite.Default; r.TransportScheme = "https"; r.Properties [ReqType.ChannelParametersCollectionProperty] = new ChannelParameterCollection(); r.Properties [ReqType.EndpointFilterTableProperty] = null; r.Properties [ReqType.HttpAuthenticationSchemeProperty] = AuthenticationSchemes.Anonymous; r.Properties [ReqType.IsOutOfBandTokenProperty] = true; r.Properties [ReqType.IssuerAddressProperty] = new EndpointAddress("http://localhost:9090"); // r.Properties [ReqType.MessageDirectionProperty] = MessageDirection.Input; r.Properties [ReqType.SecurityBindingElementProperty] = new SymmetricSecurityBindingElement(); r.Properties [ReqType.SupportingTokenAttachmentModeProperty] = SecurityTokenAttachmentMode.Signed; SecurityTokenProvider p = def_c.CreateSecurityTokenProvider(r); Assert.IsNotNull(p, "#1"); }
protected RecipientServiceModelSecurityTokenRequirement CreateRecipientSecurityTokenRequirement() { RecipientServiceModelSecurityTokenRequirement requirement = new RecipientServiceModelSecurityTokenRequirement(); requirement.SecurityBindingElement = this.securityBindingElement; requirement.SecurityAlgorithmSuite = this.IncomingAlgorithmSuite; requirement.ListenUri = this.listenUri; requirement.MessageSecurityVersion = this.MessageSecurityVersion.SecurityTokenVersion; // requirement.AuditLogLocation = this.auditLogLocation; // requirement.SuppressAuditFailure = this.suppressAuditFailure; // requirement.MessageAuthenticationAuditLevel = this.messageAuthenticationAuditLevel; requirement.Properties[ServiceModelSecurityTokenRequirement.ExtendedProtectionPolicy] = this.extendedProtectionPolicy; if (this.endpointFilterTable != null) { requirement.Properties.Add(ServiceModelSecurityTokenRequirement.EndpointFilterTableProperty, this.endpointFilterTable); } return(requirement); }
private SecurityTokenAuthenticator CreateSpnegoSecurityTokenAuthenticator(RecipientServiceModelSecurityTokenRequirement recipientRequirement, out SecurityTokenResolver sctResolver) { SecurityBindingElement securityBindingElement = recipientRequirement.SecurityBindingElement; if (securityBindingElement == null) { throw System.ServiceModel.DiagnosticUtility.ExceptionUtility.ThrowHelperArgument(System.ServiceModel.SR.GetString("TokenAuthenticatorRequiresSecurityBindingElement", new object[] { recipientRequirement })); } bool flag = !recipientRequirement.SupportSecurityContextCancellation; LocalServiceSecuritySettings localServiceSettings = securityBindingElement.LocalServiceSettings; sctResolver = new SecurityContextSecurityTokenResolver(localServiceSettings.MaxCachedCookies, true); ExtendedProtectionPolicy result = null; recipientRequirement.TryGetProperty <ExtendedProtectionPolicy>(ServiceModelSecurityTokenRequirement.ExtendedProtectionPolicy, out result); SpnegoTokenAuthenticator authenticator = new SpnegoTokenAuthenticator { ExtendedProtectionPolicy = result, AllowUnauthenticatedCallers = this.parent.WindowsAuthentication.AllowAnonymousLogons, ExtractGroupsForWindowsAccounts = this.parent.WindowsAuthentication.IncludeWindowsGroups, IsClientAnonymous = false, EncryptStateInServiceToken = flag, IssuedSecurityTokenParameters = recipientRequirement.GetProperty <SecurityTokenParameters>(ServiceModelSecurityTokenRequirement.IssuedSecurityTokenParametersProperty), IssuedTokenCache = (ISecurityContextSecurityTokenCache)sctResolver, IssuerBindingContext = recipientRequirement.GetProperty <BindingContext>(ServiceModelSecurityTokenRequirement.IssuerBindingContextProperty), ListenUri = recipientRequirement.ListenUri, SecurityAlgorithmSuite = recipientRequirement.SecurityAlgorithmSuite, StandardsManager = System.ServiceModel.Security.SecurityUtils.CreateSecurityStandardsManager(recipientRequirement, this), SecurityStateEncoder = this.parent.SecureConversationAuthentication.SecurityStateEncoder, KnownTypes = this.parent.SecureConversationAuthentication.SecurityContextClaimTypes }; if (securityBindingElement is TransportSecurityBindingElement) { authenticator.MaxMessageSize = System.ServiceModel.Security.SecurityUtils.GetMaxNegotiationBufferSize(authenticator.IssuerBindingContext); } authenticator.MaximumCachedNegotiationState = localServiceSettings.MaxStatefulNegotiations; authenticator.NegotiationTimeout = localServiceSettings.NegotiationTimeout; authenticator.ServiceTokenLifetime = localServiceSettings.IssuedCookieLifetime; authenticator.MaximumConcurrentNegotiations = localServiceSettings.MaxStatefulNegotiations; authenticator.AuditLogLocation = recipientRequirement.AuditLogLocation; authenticator.SuppressAuditFailure = recipientRequirement.SuppressAuditFailure; authenticator.MessageAuthenticationAuditLevel = recipientRequirement.MessageAuthenticationAuditLevel; return(authenticator); }
private SecurityTokenAuthenticator CreateTlsnegoSecurityTokenAuthenticator(RecipientServiceModelSecurityTokenRequirement recipientRequirement, bool requireClientCertificate, out SecurityTokenResolver sctResolver) { SecurityBindingElement securityBindingElement = recipientRequirement.SecurityBindingElement; if (securityBindingElement == null) { throw System.ServiceModel.DiagnosticUtility.ExceptionUtility.ThrowHelperArgument(System.ServiceModel.SR.GetString("TokenAuthenticatorRequiresSecurityBindingElement", new object[] { recipientRequirement })); } bool flag = !recipientRequirement.SupportSecurityContextCancellation; LocalServiceSecuritySettings localServiceSettings = securityBindingElement.LocalServiceSettings; sctResolver = new SecurityContextSecurityTokenResolver(localServiceSettings.MaxCachedCookies, true); TlsnegoTokenAuthenticator authenticator = new TlsnegoTokenAuthenticator { IsClientAnonymous = !requireClientCertificate }; if (requireClientCertificate) { authenticator.ClientTokenAuthenticator = this.CreateTlsnegoClientX509TokenAuthenticator(recipientRequirement); authenticator.MapCertificateToWindowsAccount = this.ServiceCredentials.ClientCertificate.Authentication.MapClientCertificateToWindowsAccount; } authenticator.EncryptStateInServiceToken = flag; authenticator.IssuedSecurityTokenParameters = recipientRequirement.GetProperty <SecurityTokenParameters>(ServiceModelSecurityTokenRequirement.IssuedSecurityTokenParametersProperty); authenticator.IssuedTokenCache = (ISecurityContextSecurityTokenCache)sctResolver; authenticator.IssuerBindingContext = recipientRequirement.GetProperty <BindingContext>(ServiceModelSecurityTokenRequirement.IssuerBindingContextProperty); authenticator.ListenUri = recipientRequirement.ListenUri; authenticator.SecurityAlgorithmSuite = recipientRequirement.SecurityAlgorithmSuite; authenticator.StandardsManager = System.ServiceModel.Security.SecurityUtils.CreateSecurityStandardsManager(recipientRequirement, this); authenticator.SecurityStateEncoder = this.parent.SecureConversationAuthentication.SecurityStateEncoder; authenticator.KnownTypes = this.parent.SecureConversationAuthentication.SecurityContextClaimTypes; authenticator.ServerTokenProvider = this.CreateTlsnegoServerX509TokenProvider(recipientRequirement); authenticator.MaximumCachedNegotiationState = localServiceSettings.MaxStatefulNegotiations; authenticator.NegotiationTimeout = localServiceSettings.NegotiationTimeout; authenticator.ServiceTokenLifetime = localServiceSettings.IssuedCookieLifetime; authenticator.MaximumConcurrentNegotiations = localServiceSettings.MaxStatefulNegotiations; if (securityBindingElement is TransportSecurityBindingElement) { authenticator.MaxMessageSize = System.ServiceModel.Security.SecurityUtils.GetMaxNegotiationBufferSize(authenticator.IssuerBindingContext); } authenticator.AuditLogLocation = recipientRequirement.AuditLogLocation; authenticator.SuppressAuditFailure = recipientRequirement.SuppressAuditFailure; authenticator.MessageAuthenticationAuditLevel = recipientRequirement.MessageAuthenticationAuditLevel; return(authenticator); }
/// <summary> /// Helper method to setup the WrappedSecureConversttion /// </summary> SecurityTokenAuthenticator SetupSecureConversationWrapper(RecipientServiceModelSecurityTokenRequirement tokenRequirement, SessionSecurityTokenHandler tokenHandler, out SecurityTokenResolver outOfBandTokenResolver) { // This code requires Orcas SP1 to compile. // WCF expects this securityTokenAuthenticator to support: // 1. IIssuanceSecurityTokenAuthenticator // 2. ICommunicationObject is needed for this to work right. // WCF opens a listener in this STA that handles the nego and uses an internal class for negotiating the // the bootstrap tokens. We want to handle ValidateToken to return our authorization policies and surface the bootstrap tokens. // when sp1 is installed, use this one. //SecurityTokenAuthenticator sta = base.CreateSecureConversationTokenAuthenticator( tokenRequirement as RecipientServiceModelSecurityTokenRequirement, _saveBootstrapTokensInSession, out outOfBandTokenResolver ); // use this code if SP1 is not installed SecurityTokenAuthenticator sta = base.CreateSecurityTokenAuthenticator(tokenRequirement, out outOfBandTokenResolver); SessionSecurityTokenHandler sessionTokenHandler = tokenHandler; // // If there is no SCT handler here, create one. // if (tokenHandler == null) { sessionTokenHandler = new SessionSecurityTokenHandler(_cookieTransforms, SessionSecurityTokenHandler.DefaultTokenLifetime); sessionTokenHandler.ContainingCollection = _securityTokenHandlerCollection; sessionTokenHandler.Configuration = _securityTokenHandlerCollection.Configuration; } if (ServiceCredentials != null) { sessionTokenHandler.Configuration.MaxClockSkew = ServiceCredentials.IdentityConfiguration.MaxClockSkew; } SctClaimsHandler claimsHandler = new SctClaimsHandler( _securityTokenHandlerCollection, GetNormalizedEndpointId(tokenRequirement)); WrappedSessionSecurityTokenAuthenticator wssta = new WrappedSessionSecurityTokenAuthenticator(sessionTokenHandler, sta, claimsHandler, _exceptionMapper); WrappedTokenCache wrappedTokenCache = new WrappedTokenCache(_tokenCache, claimsHandler); SetWrappedTokenCache(wrappedTokenCache, sta, wssta, claimsHandler); outOfBandTokenResolver = wrappedTokenCache; return(wssta); }
protected void SetSecurityTokenAuthenticator(string scheme, BindingContext context) { if (base.ReceiveParameters.TransportSecurity.MsmqAuthenticationMode == MsmqAuthenticationMode.Certificate) { SecurityTokenResolver resolver; SecurityCredentialsManager manager = context.BindingParameters.Find <SecurityCredentialsManager>(); if (manager == null) { manager = ServiceCredentials.CreateDefaultCredentials(); } SecurityTokenManager manager2 = manager.CreateSecurityTokenManager(); RecipientServiceModelSecurityTokenRequirement tokenRequirement = new RecipientServiceModelSecurityTokenRequirement { TokenType = SecurityTokenTypes.X509Certificate, TransportScheme = scheme, ListenUri = this.Uri, KeyUsage = SecurityKeyUsage.Signature }; this.x509SecurityTokenAuthenticator = manager2.CreateSecurityTokenAuthenticator(tokenRequirement, out resolver); } }
private SecurityTokenProvider CreateLocalSecurityTokenProvider(RecipientServiceModelSecurityTokenRequirement recipientRequirement) { AuthenticationSchemes schemes; string tokenType = recipientRequirement.TokenType; SecurityTokenProvider provider = null; if (tokenType == SecurityTokenTypes.X509Certificate) { return(this.CreateServerX509TokenProvider()); } if (!(tokenType == ServiceModelSecurityTokenTypes.SspiCredential)) { return(provider); } if (recipientRequirement.TryGetProperty <AuthenticationSchemes>(ServiceModelSecurityTokenRequirement.HttpAuthenticationSchemeProperty, out schemes) && (schemes == AuthenticationSchemes.Basic)) { return(new SspiSecurityTokenProvider(null, this.parent.UserNameAuthentication.IncludeWindowsGroups, false)); } return(new SspiSecurityTokenProvider(null, this.parent.WindowsAuthentication.IncludeWindowsGroups, this.parent.WindowsAuthentication.AllowAnonymousLogons)); }
public void CreateAuthenticatorUserName() { SecurityTokenRequirement r = new RecipientServiceModelSecurityTokenRequirement(); r.TokenType = SecurityTokenTypes.UserName; SecurityTokenResolver resolver; SecurityTokenAuthenticator a = def_c.CreateSecurityTokenAuthenticator(r, out resolver); Assert.AreEqual(typeof(WindowsUserNameSecurityTokenAuthenticator), a.GetType(), "#1"); Assert.IsNull(resolver, "#2"); def_c.ServiceCredentials.UserNameAuthentication.UserNamePasswordValidationMode = UserNamePasswordValidationMode.Custom; def_c.ServiceCredentials.UserNameAuthentication.CustomUserNamePasswordValidator = new MyUserNameValidator(); a = def_c.CreateSecurityTokenAuthenticator(r, out resolver); Assert.AreEqual(typeof(CustomUserNameSecurityTokenAuthenticator), a.GetType(), "#3"); Assert.IsNull(resolver, "#4"); }
public void CreateAuthenticatorAnonSsl() { RecipientServiceModelSecurityTokenRequirement r = CreateAnonSslRequirement(); SecurityTokenResolver resolver; X509Certificate2 cert = new X509Certificate2("Test/Resources/test.pfx", "mono"); def_c.ServiceCredentials.ServiceCertificate.Certificate = cert; SecurityTokenAuthenticator a = def_c.CreateSecurityTokenAuthenticator(r, out resolver); // non-standard authenticator type. Assert.IsNotNull(resolver, "#1"); Assert.IsTrue(a is IIssuanceSecurityTokenAuthenticator, "#2"); try { a.ValidateToken(new X509SecurityToken(cert)); Assert.Fail("It cannot validate raw X509SecurityToken"); } catch (SecurityTokenValidationException) { } }
public virtual EndpointIdentity GetIdentityOfSelf(SecurityTokenRequirement tokenRequirement) { if (tokenRequirement == null) { throw System.ServiceModel.DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("tokenRequirement"); } if (tokenRequirement is RecipientServiceModelSecurityTokenRequirement) { string tokenType = tokenRequirement.TokenType; if (((tokenType == SecurityTokenTypes.X509Certificate) || (tokenType == ServiceModelSecurityTokenTypes.AnonymousSslnego)) || (tokenType == ServiceModelSecurityTokenTypes.MutualSslnego)) { if (this.parent.ServiceCertificate.Certificate != null) { return(EndpointIdentity.CreateX509CertificateIdentity(this.parent.ServiceCertificate.Certificate)); } } else { if ((tokenType == SecurityTokenTypes.Kerberos) || (tokenType == ServiceModelSecurityTokenTypes.Spnego)) { return(System.ServiceModel.Security.SecurityUtils.CreateWindowsIdentity()); } if (tokenType == ServiceModelSecurityTokenTypes.SecureConversation) { SecurityBindingElement secureConversationSecurityBindingElement = ((RecipientServiceModelSecurityTokenRequirement)tokenRequirement).SecureConversationSecurityBindingElement; if (secureConversationSecurityBindingElement != null) { if ((secureConversationSecurityBindingElement == null) || (secureConversationSecurityBindingElement is TransportSecurityBindingElement)) { return(null); } SecurityTokenParameters parameters = (secureConversationSecurityBindingElement is SymmetricSecurityBindingElement) ? ((SymmetricSecurityBindingElement)secureConversationSecurityBindingElement).ProtectionTokenParameters : ((AsymmetricSecurityBindingElement)secureConversationSecurityBindingElement).RecipientTokenParameters; SecurityTokenRequirement requirement = new RecipientServiceModelSecurityTokenRequirement(); parameters.InitializeSecurityTokenRequirement(requirement); return(this.GetIdentityOfSelf(requirement)); } } } } return(null); }
void CreateRecipientProviderCore(bool mutual) { MyParameters tp = new MyParameters(); tp.RequireClientCertificate = true; RecipientServiceModelSecurityTokenRequirement r = new RecipientServiceModelSecurityTokenRequirement(); tp.InitRequirement(r); r.ListenUri = new Uri("http://localhost:8080"); r.SecurityBindingElement = new SymmetricSecurityBindingElement(); r.Properties [ReqType.IssuerBindingContextProperty] = new BindingContext(new CustomBinding(), new BindingParameterCollection()); r.MessageSecurityVersion = MessageSecurityVersion.Default.SecurityTokenVersion; ClientCredentials cred = new ClientCredentials(); ClientCredentialsSecurityTokenManager manager = new ClientCredentialsSecurityTokenManager(cred); manager.CreateSecurityTokenProvider(r); }
SecurityTokenProvider CreateLocalSecurityTokenProvider(RecipientServiceModelSecurityTokenRequirement recipientRequirement) { string tokenType = recipientRequirement.TokenType; SecurityTokenProvider result = null; if (tokenType == SecurityTokenTypes.X509Certificate) { result = CreateServerX509TokenProvider(); } else if (tokenType == ServiceModelSecurityTokenTypes.SspiCredential) { // if Transport Security, AuthenticationSchemes.Basic will look at parent.UserNameAuthentication settings. AuthenticationSchemes authenticationScheme; bool authenticationSchemeIdentified = recipientRequirement.TryGetProperty <AuthenticationSchemes>(ServiceModelSecurityTokenRequirement.HttpAuthenticationSchemeProperty, out authenticationScheme); if (authenticationSchemeIdentified && authenticationScheme.IsSet(AuthenticationSchemes.Basic) && authenticationScheme.IsNotSet(AuthenticationSchemes.Digest | AuthenticationSchemes.Ntlm | AuthenticationSchemes.Negotiate)) { // create security token provider even when basic and Anonymous are enabled. result = new SspiSecurityTokenProvider(null, parent.UserNameAuthentication.IncludeWindowsGroups, false); } else { if (authenticationSchemeIdentified && authenticationScheme.IsSet(AuthenticationSchemes.Basic) && parent.WindowsAuthentication.IncludeWindowsGroups != parent.UserNameAuthentication.IncludeWindowsGroups) { // Ensure there are no inconsistencies when Basic and (Digest and/or Ntlm and/or Negotiate) are both enabled throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new NotSupportedException(SR.Format(SR.SecurityTokenProviderIncludeWindowsGroupsInconsistent, (AuthenticationSchemes)authenticationScheme - AuthenticationSchemes.Basic, parent.UserNameAuthentication.IncludeWindowsGroups, parent.WindowsAuthentication.IncludeWindowsGroups))); } result = new SspiSecurityTokenProvider(null, parent.WindowsAuthentication.IncludeWindowsGroups, parent.WindowsAuthentication.AllowAnonymousLogons); } } return(result); }
public override SecurityTokenProvider CreateSecurityTokenProvider(SecurityTokenRequirement requirement) { if (requirement == null) { throw System.ServiceModel.DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("requirement"); } RecipientServiceModelSecurityTokenRequirement recipientRequirement = requirement as RecipientServiceModelSecurityTokenRequirement; SecurityTokenProvider provider = null; if (recipientRequirement != null) { provider = this.CreateLocalSecurityTokenProvider(recipientRequirement); } else if (requirement is InitiatorServiceModelSecurityTokenRequirement) { provider = this.CreateUncorrelatedDuplexSecurityTokenProvider((InitiatorServiceModelSecurityTokenRequirement)requirement); } if (provider == null) { throw System.ServiceModel.DiagnosticUtility.ExceptionUtility.ThrowHelperError(new NotSupportedException(System.ServiceModel.SR.GetString("SecurityTokenManagerCannotCreateProviderForRequirement", new object[] { requirement }))); } return(provider); }
public static SslStreamSecurityUpgradeProvider CreateServerProvider( SslStreamSecurityBindingElement bindingElement, BindingContext context) { SecurityCredentialsManager credentialProvider = context.BindingParameters.Find <SecurityCredentialsManager>(); if (credentialProvider == null) { credentialProvider = ServiceCredentials.CreateDefaultCredentials(); } Uri listenUri = TransportSecurityHelpers.GetListenUri(context.ListenUriBaseAddress, context.ListenUriRelativeAddress); SecurityTokenManager tokenManager = credentialProvider.CreateSecurityTokenManager(); RecipientServiceModelSecurityTokenRequirement serverCertRequirement = new RecipientServiceModelSecurityTokenRequirement { TokenType = SecurityTokenTypes.X509Certificate, RequireCryptographicToken = true, KeyUsage = SecurityKeyUsage.Exchange, TransportScheme = context.Binding.Scheme, ListenUri = listenUri }; SecurityTokenProvider tokenProvider = tokenManager.CreateSecurityTokenProvider(serverCertRequirement); if (tokenProvider == null) { throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new InvalidOperationException(SR.Format(SR.ClientCredentialsUnableToCreateLocalTokenProvider, serverCertRequirement))); } SecurityTokenAuthenticator certificateAuthenticator = TransportSecurityHelpers.GetCertificateTokenAuthenticator(tokenManager, context.Binding.Scheme, listenUri); return(new SslStreamSecurityUpgradeProvider(context.Binding, tokenProvider, bindingElement.RequireClientCertificate, certificateAuthenticator, context.Binding.Scheme, bindingElement.IdentityVerifier, bindingElement.SslProtocols)); }
SamlSecurityTokenAuthenticator CreateSamlTokenAuthenticator(RecipientServiceModelSecurityTokenRequirement recipientRequirement, out SecurityTokenResolver outOfBandTokenResolver) { if (recipientRequirement == null) { throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("recipientRequirement"); } Collection <SecurityToken> outOfBandTokens = new Collection <SecurityToken>(); if (parent.ServiceCertificate.Certificate != null) { outOfBandTokens.Add(new X509SecurityToken(parent.ServiceCertificate.Certificate)); } List <SecurityTokenAuthenticator> supportingAuthenticators = new List <SecurityTokenAuthenticator>(); if ((parent.IssuedTokenAuthentication.KnownCertificates != null) && (parent.IssuedTokenAuthentication.KnownCertificates.Count > 0)) { for (int i = 0; i < parent.IssuedTokenAuthentication.KnownCertificates.Count; ++i) { outOfBandTokens.Add(new X509SecurityToken(parent.IssuedTokenAuthentication.KnownCertificates[i])); } } X509CertificateValidator validator = parent.IssuedTokenAuthentication.GetCertificateValidator(); supportingAuthenticators.Add(new X509SecurityTokenAuthenticator(validator)); if (parent.IssuedTokenAuthentication.AllowUntrustedRsaIssuers) { supportingAuthenticators.Add(new RsaSecurityTokenAuthenticator()); } outOfBandTokenResolver = (outOfBandTokens.Count > 0) ? SecurityTokenResolver.CreateDefaultSecurityTokenResolver(new ReadOnlyCollection <SecurityToken>(outOfBandTokens), false) : null; SamlSecurityTokenAuthenticator ssta; if ((recipientRequirement.SecurityBindingElement == null) || (recipientRequirement.SecurityBindingElement.LocalServiceSettings == null)) { ssta = new SamlSecurityTokenAuthenticator(supportingAuthenticators); } else { ssta = new SamlSecurityTokenAuthenticator(supportingAuthenticators, recipientRequirement.SecurityBindingElement.LocalServiceSettings.MaxClockSkew); } // set audience uri restrictions ssta.AudienceUriMode = parent.IssuedTokenAuthentication.AudienceUriMode; IList <string> allowedAudienceUris = ssta.AllowedAudienceUris; if (parent.IssuedTokenAuthentication.AllowedAudienceUris != null) { for (int i = 0; i < parent.IssuedTokenAuthentication.AllowedAudienceUris.Count; i++) { allowedAudienceUris.Add(parent.IssuedTokenAuthentication.AllowedAudienceUris[i]); } } if (recipientRequirement.ListenUri != null) { allowedAudienceUris.Add(recipientRequirement.ListenUri.AbsoluteUri); } return(ssta); }
public override void OnOpen(TimeSpan timeout) { TimeoutHelper timeoutHelper = new TimeoutHelper(timeout); base.OnOpen(timeoutHelper.RemainingTime()); // open forward direction if (this.ActAsInitiator) { if (this.ApplyIntegrity) { if (this.CryptoTokenParameters == null) { OnPropertySettingsError("CryptoTokenParameters", true); } if (this.CryptoTokenParameters.RequireDerivedKeys) { this.ExpectKeyDerivation = true; } } } else { if (this.CryptoTokenParameters == null) { OnPropertySettingsError("CryptoTokenParameters", true); } if (this.CryptoTokenParameters.RequireDerivedKeys) { this.ExpectKeyDerivation = true; } SecurityTokenResolver resolver = null; if (this.RequireIntegrity) { RecipientServiceModelSecurityTokenRequirement requirement = CreateRecipientSecurityTokenRequirement(); this.CryptoTokenParameters.InitializeSecurityTokenRequirement(requirement); requirement.KeyUsage = SecurityKeyUsage.Signature; requirement.Properties[ServiceModelSecurityTokenRequirement.MessageDirectionProperty] = MessageDirection.Input; this.recipientCryptoTokenAuthenticator = this.SecurityTokenManager.CreateSecurityTokenAuthenticator(requirement, out resolver); Open("RecipientCryptoTokenAuthenticator", true, this.recipientCryptoTokenAuthenticator, timeoutHelper.RemainingTime()); } if (resolver != null) { Collection <SecurityTokenResolver> tmp = new Collection <SecurityTokenResolver>(); tmp.Add(resolver); this.recipientOutOfBandTokenResolverList = new ReadOnlyCollection <SecurityTokenResolver>(tmp); } else { this.recipientOutOfBandTokenResolverList = EmptyReadOnlyCollection <SecurityTokenResolver> .Instance; } } if (this.RequiresAsymmetricTokenProviderForForwardDirection || this.RequiresAsymmetricTokenProviderForReturnDirection) { if (this.AsymmetricTokenParameters == null) { OnPropertySettingsError("AsymmetricTokenParameters", this.RequiresAsymmetricTokenProviderForForwardDirection); } else if (this.AsymmetricTokenParameters.RequireDerivedKeys) { this.ExpectKeyDerivation = true; } if (!this.ActAsInitiator) { RecipientServiceModelSecurityTokenRequirement requirement = CreateRecipientSecurityTokenRequirement(); this.AsymmetricTokenParameters.InitializeSecurityTokenRequirement(requirement); requirement.KeyUsage = (this.RequiresAsymmetricTokenProviderForForwardDirection) ? SecurityKeyUsage.Exchange : SecurityKeyUsage.Signature; requirement.Properties[ServiceModelSecurityTokenRequirement.MessageDirectionProperty] = (this.RequiresAsymmetricTokenProviderForForwardDirection) ? MessageDirection.Input : MessageDirection.Output; this.recipientAsymmetricTokenProvider = this.SecurityTokenManager.CreateSecurityTokenProvider(requirement); Open("RecipientAsymmetricTokenProvider", this.RequiresAsymmetricTokenProviderForForwardDirection, this.recipientAsymmetricTokenProvider, timeoutHelper.RemainingTime()); } } if (this.ActAsInitiator && this.AllowSerializedSigningTokenOnReply && this.IdentityVerifier == null) { OnPropertySettingsError("IdentityVerifier", false); } }
public override SecurityTokenAuthenticator CreateSecurityTokenAuthenticator(SecurityTokenRequirement tokenRequirement, out SecurityTokenResolver outOfBandTokenResolver) { if (tokenRequirement == null) { throw System.ServiceModel.DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("tokenRequirement"); } string tokenType = tokenRequirement.TokenType; outOfBandTokenResolver = null; SecurityTokenAuthenticator authenticator = null; if (((tokenRequirement is InitiatorServiceModelSecurityTokenRequirement) && (tokenType == SecurityTokenTypes.X509Certificate)) && (tokenRequirement.KeyUsage == SecurityKeyUsage.Exchange)) { return(new X509SecurityTokenAuthenticator(X509CertificateValidator.None, false)); } RecipientServiceModelSecurityTokenRequirement recipientRequirement = tokenRequirement as RecipientServiceModelSecurityTokenRequirement; if (recipientRequirement == null) { throw System.ServiceModel.DiagnosticUtility.ExceptionUtility.ThrowHelperError(new NotSupportedException(System.ServiceModel.SR.GetString("SecurityTokenManagerCannotCreateAuthenticatorForRequirement", new object[] { tokenRequirement }))); } if (tokenType == SecurityTokenTypes.X509Certificate) { authenticator = this.CreateClientX509TokenAuthenticator(); } else if (tokenType == SecurityTokenTypes.Kerberos) { authenticator = new KerberosSecurityTokenAuthenticatorWrapper(new KerberosSecurityTokenAuthenticator(this.parent.WindowsAuthentication.IncludeWindowsGroups)); } else if (tokenType == SecurityTokenTypes.UserName) { if (this.parent.UserNameAuthentication.UserNamePasswordValidationMode == UserNamePasswordValidationMode.Windows) { if (this.parent.UserNameAuthentication.CacheLogonTokens) { authenticator = new WindowsUserNameCachingSecurityTokenAuthenticator(this.parent.UserNameAuthentication.IncludeWindowsGroups, this.parent.UserNameAuthentication.MaxCachedLogonTokens, this.parent.UserNameAuthentication.CachedLogonTokenLifetime); } else { authenticator = new WindowsUserNameSecurityTokenAuthenticator(this.parent.UserNameAuthentication.IncludeWindowsGroups); } } else { authenticator = new CustomUserNameSecurityTokenAuthenticator(this.parent.UserNameAuthentication.GetUserNamePasswordValidator()); } } else if (tokenType == SecurityTokenTypes.Rsa) { authenticator = new RsaSecurityTokenAuthenticator(); } else if (tokenType == ServiceModelSecurityTokenTypes.AnonymousSslnego) { authenticator = this.CreateTlsnegoSecurityTokenAuthenticator(recipientRequirement, false, out outOfBandTokenResolver); } else if (tokenType == ServiceModelSecurityTokenTypes.MutualSslnego) { authenticator = this.CreateTlsnegoSecurityTokenAuthenticator(recipientRequirement, true, out outOfBandTokenResolver); } else if (tokenType == ServiceModelSecurityTokenTypes.Spnego) { authenticator = this.CreateSpnegoSecurityTokenAuthenticator(recipientRequirement, out outOfBandTokenResolver); } else if (tokenType == ServiceModelSecurityTokenTypes.SecureConversation) { authenticator = this.CreateSecureConversationTokenAuthenticator(recipientRequirement, false, out outOfBandTokenResolver); } else if (((tokenType == SecurityTokenTypes.Saml) || (tokenType == "http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1")) || ((tokenType == "urn:oasis:names:tc:SAML:1.0:assertion") || ((tokenType == null) && this.IsIssuedSecurityTokenRequirement(recipientRequirement)))) { authenticator = this.CreateSamlTokenAuthenticator(recipientRequirement, out outOfBandTokenResolver); } if (authenticator == null) { throw System.ServiceModel.DiagnosticUtility.ExceptionUtility.ThrowHelperError(new NotSupportedException(System.ServiceModel.SR.GetString("SecurityTokenManagerCannotCreateAuthenticatorForRequirement", new object[] { tokenRequirement }))); } return(authenticator); }
protected SecurityTokenAuthenticator CreateSecureConversationTokenAuthenticator(RecipientServiceModelSecurityTokenRequirement recipientRequirement, bool preserveBootstrapTokens, out SecurityTokenResolver sctResolver) { SecurityBindingElement securityBindingElement = recipientRequirement.SecurityBindingElement; if (securityBindingElement == null) { throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgument(SR.Format(SR.TokenAuthenticatorRequiresSecurityBindingElement, (object)recipientRequirement)); } bool flag = !recipientRequirement.SupportSecurityContextCancellation; LocalServiceSecuritySettings localServiceSettings = securityBindingElement.LocalServiceSettings; IMessageFilterTable <EndpointAddress> propertyOrDefault = recipientRequirement.GetPropertyOrDefault <IMessageFilterTable <EndpointAddress> >(ServiceModelSecurityTokenRequirement.EndpointFilterTableProperty, (IMessageFilterTable <EndpointAddress>)null); if (!flag) { sctResolver = (SecurityTokenResolver) new SecurityContextSecurityTokenResolver(int.MaxValue, false); return((SecurityTokenAuthenticator) new SecuritySessionSecurityTokenAuthenticator() { BootstrapSecurityBindingElement = SecurityUtils.GetIssuerSecurityBindingElement((ServiceModelSecurityTokenRequirement)recipientRequirement), IssuedSecurityTokenParameters = recipientRequirement.GetProperty <SecurityTokenParameters>(ServiceModelSecurityTokenRequirement.IssuedSecurityTokenParametersProperty), IssuedTokenCache = (ISecurityContextSecurityTokenCache)sctResolver, IssuerBindingContext = recipientRequirement.GetProperty <BindingContext>(ServiceModelSecurityTokenRequirement.IssuerBindingContextProperty), KeyEntropyMode = securityBindingElement.KeyEntropyMode, ListenUri = recipientRequirement.ListenUri, SecurityAlgorithmSuite = recipientRequirement.SecurityAlgorithmSuite, SessionTokenLifetime = TimeSpan.MaxValue, KeyRenewalInterval = securityBindingElement.LocalServiceSettings.SessionKeyRenewalInterval, StandardsManager = SecurityUtils.CreateSecurityStandardsManager((SecurityTokenRequirement)recipientRequirement, (SecurityTokenManager)this), EndpointFilterTable = propertyOrDefault, MaximumConcurrentNegotiations = localServiceSettings.MaxStatefulNegotiations, NegotiationTimeout = localServiceSettings.NegotiationTimeout, PreserveBootstrapTokens = preserveBootstrapTokens }); } throw new NotImplementedException(); /* TODO later * sctResolver = (SecurityTokenResolver)new SecurityContextSecurityTokenResolver(localServiceSettings.MaxCachedCookies, true, localServiceSettings.MaxClockSkew); * AcceleratedTokenAuthenticator tokenAuthenticator = new AcceleratedTokenAuthenticator(); * tokenAuthenticator.BootstrapSecurityBindingElement = SecurityUtils.GetIssuerSecurityBindingElement((ServiceModelSecurityTokenRequirement)recipientRequirement); * tokenAuthenticator.KeyEntropyMode = securityBindingElement.KeyEntropyMode; * tokenAuthenticator.EncryptStateInServiceToken = true; * tokenAuthenticator.IssuedSecurityTokenParameters = recipientRequirement.GetProperty<SecurityTokenParameters>(ServiceModelSecurityTokenRequirement.IssuedSecurityTokenParametersProperty); * tokenAuthenticator.IssuedTokenCache = (ISecurityContextSecurityTokenCache)sctResolver; * tokenAuthenticator.IssuerBindingContext = recipientRequirement.GetProperty<BindingContext>(ServiceModelSecurityTokenRequirement.IssuerBindingContextProperty); * tokenAuthenticator.ListenUri = recipientRequirement.ListenUri; * tokenAuthenticator.SecurityAlgorithmSuite = recipientRequirement.SecurityAlgorithmSuite; * tokenAuthenticator.StandardsManager = SecurityUtils.CreateSecurityStandardsManager((SecurityTokenRequirement)recipientRequirement, (SecurityTokenManager)this); * tokenAuthenticator.SecurityStateEncoder = this.parent.SecureConversationAuthentication.SecurityStateEncoder; * tokenAuthenticator.KnownTypes = (IList<System.Type>)this.parent.SecureConversationAuthentication.SecurityContextClaimTypes; * tokenAuthenticator.PreserveBootstrapTokens = preserveBootstrapTokens; * tokenAuthenticator.MaximumCachedNegotiationState = localServiceSettings.MaxStatefulNegotiations; * tokenAuthenticator.NegotiationTimeout = localServiceSettings.NegotiationTimeout; * tokenAuthenticator.ServiceTokenLifetime = localServiceSettings.IssuedCookieLifetime; * tokenAuthenticator.MaximumConcurrentNegotiations = localServiceSettings.MaxStatefulNegotiations; * tokenAuthenticator.AuditLogLocation = recipientRequirement.AuditLogLocation; * tokenAuthenticator.SuppressAuditFailure = recipientRequirement.SuppressAuditFailure; * tokenAuthenticator.MessageAuthenticationAuditLevel = recipientRequirement.MessageAuthenticationAuditLevel; * tokenAuthenticator.EndpointFilterTable = propertyOrDefault; * return (SecurityTokenAuthenticator)tokenAuthenticator;*/ }
protected SecurityTokenAuthenticator CreateSecureConversationTokenAuthenticator(RecipientServiceModelSecurityTokenRequirement recipientRequirement, bool preserveBootstrapTokens, out SecurityTokenResolver sctResolver) { SecurityBindingElement securityBindingElement = recipientRequirement.SecurityBindingElement; if (securityBindingElement == null) { throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgument(SR.GetString(SR.TokenAuthenticatorRequiresSecurityBindingElement, recipientRequirement)); } bool isCookieMode = !recipientRequirement.SupportSecurityContextCancellation; LocalServiceSecuritySettings localServiceSettings = securityBindingElement.LocalServiceSettings; IMessageFilterTable <EndpointAddress> endpointFilterTable = recipientRequirement.GetPropertyOrDefault <IMessageFilterTable <EndpointAddress> >(ServiceModelSecurityTokenRequirement.EndpointFilterTableProperty, null); if (!isCookieMode) { sctResolver = new SecurityContextSecurityTokenResolver(Int32.MaxValue, false); // remember this authenticator for future reference SecuritySessionSecurityTokenAuthenticator authenticator = new SecuritySessionSecurityTokenAuthenticator(); authenticator.BootstrapSecurityBindingElement = SecurityUtils.GetIssuerSecurityBindingElement(recipientRequirement); authenticator.IssuedSecurityTokenParameters = recipientRequirement.GetProperty <SecurityTokenParameters>(ServiceModelSecurityTokenRequirement.IssuedSecurityTokenParametersProperty); authenticator.IssuedTokenCache = (ISecurityContextSecurityTokenCache)sctResolver; authenticator.IssuerBindingContext = recipientRequirement.GetProperty <BindingContext>(ServiceModelSecurityTokenRequirement.IssuerBindingContextProperty); authenticator.KeyEntropyMode = securityBindingElement.KeyEntropyMode; authenticator.ListenUri = recipientRequirement.ListenUri; authenticator.SecurityAlgorithmSuite = recipientRequirement.SecurityAlgorithmSuite; authenticator.SessionTokenLifetime = TimeSpan.MaxValue; authenticator.KeyRenewalInterval = securityBindingElement.LocalServiceSettings.SessionKeyRenewalInterval; authenticator.StandardsManager = SecurityUtils.CreateSecurityStandardsManager(recipientRequirement, this); authenticator.EndpointFilterTable = endpointFilterTable; authenticator.MaximumConcurrentNegotiations = localServiceSettings.MaxStatefulNegotiations; authenticator.NegotiationTimeout = localServiceSettings.NegotiationTimeout; authenticator.PreserveBootstrapTokens = preserveBootstrapTokens; return(authenticator); } else { sctResolver = new SecurityContextSecurityTokenResolver(localServiceSettings.MaxCachedCookies, true, localServiceSettings.MaxClockSkew); AcceleratedTokenAuthenticator authenticator = new AcceleratedTokenAuthenticator(); authenticator.BootstrapSecurityBindingElement = SecurityUtils.GetIssuerSecurityBindingElement(recipientRequirement); authenticator.KeyEntropyMode = securityBindingElement.KeyEntropyMode; authenticator.EncryptStateInServiceToken = true; authenticator.IssuedSecurityTokenParameters = recipientRequirement.GetProperty <SecurityTokenParameters>(ServiceModelSecurityTokenRequirement.IssuedSecurityTokenParametersProperty); authenticator.IssuedTokenCache = (ISecurityContextSecurityTokenCache)sctResolver; authenticator.IssuerBindingContext = recipientRequirement.GetProperty <BindingContext>(ServiceModelSecurityTokenRequirement.IssuerBindingContextProperty); authenticator.ListenUri = recipientRequirement.ListenUri; authenticator.SecurityAlgorithmSuite = recipientRequirement.SecurityAlgorithmSuite; authenticator.StandardsManager = SecurityUtils.CreateSecurityStandardsManager(recipientRequirement, this); authenticator.SecurityStateEncoder = parent.SecureConversationAuthentication.SecurityStateEncoder; authenticator.KnownTypes = parent.SecureConversationAuthentication.SecurityContextClaimTypes; authenticator.PreserveBootstrapTokens = preserveBootstrapTokens; // local security quotas authenticator.MaximumCachedNegotiationState = localServiceSettings.MaxStatefulNegotiations; authenticator.NegotiationTimeout = localServiceSettings.NegotiationTimeout; authenticator.ServiceTokenLifetime = localServiceSettings.IssuedCookieLifetime; authenticator.MaximumConcurrentNegotiations = localServiceSettings.MaxStatefulNegotiations; // audit settings authenticator.AuditLogLocation = recipientRequirement.AuditLogLocation; authenticator.SuppressAuditFailure = recipientRequirement.SuppressAuditFailure; authenticator.MessageAuthenticationAuditLevel = recipientRequirement.MessageAuthenticationAuditLevel; authenticator.EndpointFilterTable = endpointFilterTable; return(authenticator); } }
public override SecurityTokenAuthenticator CreateSecurityTokenAuthenticator(SecurityTokenRequirement tokenRequirement, out SecurityTokenResolver outOfBandTokenResolver) { if (tokenRequirement == null) { throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull(nameof(tokenRequirement)); } string tokenType = tokenRequirement.TokenType; outOfBandTokenResolver = null; SecurityTokenAuthenticator result = null; if (tokenRequirement is InitiatorServiceModelSecurityTokenRequirement) { // this is the uncorrelated duplex case in which the server is asking for // an authenticator to validate its provisioned client certificate if (tokenType == SecurityTokenTypes.X509Certificate && tokenRequirement.KeyUsage == SecurityKeyUsage.Exchange) { return(new X509SecurityTokenAuthenticator(X509CertificateValidator.None, false)); } } RecipientServiceModelSecurityTokenRequirement recipientRequirement = tokenRequirement as RecipientServiceModelSecurityTokenRequirement; if (recipientRequirement == null) { throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new NotSupportedException(SR.Format(SR.SecurityTokenManagerCannotCreateAuthenticatorForRequirement, tokenRequirement))); } if (tokenType == SecurityTokenTypes.X509Certificate) { result = CreateClientX509TokenAuthenticator(); } else if (tokenType == SecurityTokenTypes.Kerberos) { throw new PlatformNotSupportedException("KerberosSecurityTokenAuthenticator"); //result = new KerberosSecurityTokenAuthenticatorWrapper( // new KerberosSecurityTokenAuthenticator(parent.WindowsAuthentication.IncludeWindowsGroups)); } else if (tokenType == SecurityTokenTypes.UserName) { if (parent.UserNameAuthentication.UserNamePasswordValidationMode == UserNamePasswordValidationMode.Windows) { throw new PlatformNotSupportedException("UserNamePasswordValidationMode.Windows"); //if (parent.UserNameAuthentication.CacheLogonTokens) //{ // result = new WindowsUserNameCachingSecurityTokenAuthenticator(parent.UserNameAuthentication.IncludeWindowsGroups, // parent.UserNameAuthentication.MaxCachedLogonTokens, parent.UserNameAuthentication.CachedLogonTokenLifetime); //} //else //{ // result = new WindowsUserNameSecurityTokenAuthenticator(parent.UserNameAuthentication.IncludeWindowsGroups); //} } else { result = new CustomUserNameSecurityTokenAuthenticator(parent.UserNameAuthentication.GetUserNamePasswordValidator()); } } else if (tokenType == SecurityTokenTypes.Rsa) { result = new RsaSecurityTokenAuthenticator(); } else if (tokenType == ServiceModelSecurityTokenTypes.AnonymousSslnego) { result = CreateTlsnegoSecurityTokenAuthenticator(recipientRequirement, false, out outOfBandTokenResolver); } else if (tokenType == ServiceModelSecurityTokenTypes.MutualSslnego) { result = CreateTlsnegoSecurityTokenAuthenticator(recipientRequirement, true, out outOfBandTokenResolver); } else if (tokenType == ServiceModelSecurityTokenTypes.Spnego) { result = CreateSpnegoSecurityTokenAuthenticator(recipientRequirement, out outOfBandTokenResolver); } else if (tokenType == ServiceModelSecurityTokenTypes.SecureConversation) { throw new PlatformNotSupportedException("SecureConversation"); //result = CreateSecureConversationTokenAuthenticator(recipientRequirement, false, out outOfBandTokenResolver); } else if ((tokenType == SecurityTokenTypes.Saml) || (tokenType == SecurityXXX2005Strings.SamlTokenType) || (tokenType == SecurityJan2004Strings.SamlUri) || (tokenType == null && IsIssuedSecurityTokenRequirement(recipientRequirement))) { throw new PlatformNotSupportedException("SamlToken"); //result = CreateSamlTokenAuthenticator(recipientRequirement, out outOfBandTokenResolver); } if (result == null) { throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new NotSupportedException(SR.Format(SR.SecurityTokenManagerCannotCreateAuthenticatorForRequirement, tokenRequirement))); } return(result); }
/// <summary> /// Overriden from the base class. Creates the requested Token Authenticator. /// Looks up the list of Token Handlers registered with the token Manager /// based on the TokenType Uri in the SecurityTokenRequirement. If none is found, /// then the call is delegated to the inner Token Manager. /// </summary> /// <param name="tokenRequirement">Security Token Requirement for which the Authenticator should be created.</param> /// <param name="outOfBandTokenResolver">Token resolver that resolves any out-of-band tokens.</param> /// <returns>Instance of Security Token Authenticator.</returns> /// <exception cref="ArgumentNullException">'tokenRequirement' parameter is null.</exception> /// <exception cref="NotSupportedException">No Authenticator is registered for the given token type.</exception> public override SecurityTokenAuthenticator CreateSecurityTokenAuthenticator(SecurityTokenRequirement tokenRequirement, out SecurityTokenResolver outOfBandTokenResolver) { if (tokenRequirement == null) { throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("tokenRequirement"); } outOfBandTokenResolver = null; // Check for a registered authenticator SecurityTokenAuthenticator securityTokenAuthenticator = null; string tokenType = tokenRequirement.TokenType; // // When the TokenRequirement.TokenType is null, we treat this as a SAML issued token case. It may be SAML 1.1 or SAML 2.0. // if (String.IsNullOrEmpty(tokenType)) { return(CreateSamlSecurityTokenAuthenticator(tokenRequirement, out outOfBandTokenResolver)); } // // When the TokenType is set, build a token authenticator for the specified token type. // SecurityTokenHandler securityTokenHandler = _securityTokenHandlerCollection[tokenType]; if ((securityTokenHandler != null) && (securityTokenHandler.CanValidateToken)) { outOfBandTokenResolver = GetDefaultOutOfBandTokenResolver(); if (StringComparer.Ordinal.Equals(tokenType, SecurityTokenTypes.UserName)) { UserNameSecurityTokenHandler upSecurityTokenHandler = securityTokenHandler as UserNameSecurityTokenHandler; if (upSecurityTokenHandler == null) { throw DiagnosticUtility.ExceptionUtility.ThrowHelperError( new InvalidOperationException(SR.GetString(SR.ID4072, securityTokenHandler.GetType(), tokenType, typeof(UserNameSecurityTokenHandler)))); } securityTokenAuthenticator = new WrappedUserNameSecurityTokenAuthenticator(upSecurityTokenHandler, _exceptionMapper); } else if (StringComparer.Ordinal.Equals(tokenType, SecurityTokenTypes.Kerberos)) { securityTokenAuthenticator = CreateInnerSecurityTokenAuthenticator(tokenRequirement, out outOfBandTokenResolver); } else if (StringComparer.Ordinal.Equals(tokenType, SecurityTokenTypes.Rsa)) { RsaSecurityTokenHandler rsaSecurityTokenHandler = securityTokenHandler as RsaSecurityTokenHandler; if (rsaSecurityTokenHandler == null) { throw DiagnosticUtility.ExceptionUtility.ThrowHelperError( new InvalidOperationException(SR.GetString(SR.ID4072, securityTokenHandler.GetType(), tokenType, typeof(RsaSecurityTokenHandler)))); } securityTokenAuthenticator = new WrappedRsaSecurityTokenAuthenticator(rsaSecurityTokenHandler, _exceptionMapper); } else if (StringComparer.Ordinal.Equals(tokenType, SecurityTokenTypes.X509Certificate)) { X509SecurityTokenHandler x509SecurityTokenHandler = securityTokenHandler as X509SecurityTokenHandler; if (x509SecurityTokenHandler == null) { throw DiagnosticUtility.ExceptionUtility.ThrowHelperError( new InvalidOperationException(SR.GetString(SR.ID4072, securityTokenHandler.GetType(), tokenType, typeof(X509SecurityTokenHandler)))); } securityTokenAuthenticator = new WrappedX509SecurityTokenAuthenticator(x509SecurityTokenHandler, _exceptionMapper); } else if (StringComparer.Ordinal.Equals(tokenType, SecurityTokenTypes.SamlTokenProfile11) || StringComparer.Ordinal.Equals(tokenType, SecurityTokenTypes.OasisWssSamlTokenProfile11)) { SamlSecurityTokenHandler saml11SecurityTokenHandler = securityTokenHandler as SamlSecurityTokenHandler; if (saml11SecurityTokenHandler == null) { throw DiagnosticUtility.ExceptionUtility.ThrowHelperError( new InvalidOperationException(SR.GetString(SR.ID4072, securityTokenHandler.GetType(), tokenType, typeof(SamlSecurityTokenHandler)))); } if (saml11SecurityTokenHandler.Configuration == null) { throw DiagnosticUtility.ExceptionUtility.ThrowHelperInvalidOperation(SR.GetString(SR.ID4274)); } securityTokenAuthenticator = new WrappedSaml11SecurityTokenAuthenticator(saml11SecurityTokenHandler, _exceptionMapper); // The out-of-band token resolver will be used by WCF to decrypt any encrypted SAML tokens. outOfBandTokenResolver = saml11SecurityTokenHandler.Configuration.ServiceTokenResolver; } else if (StringComparer.Ordinal.Equals(tokenType, SecurityTokenTypes.Saml2TokenProfile11) || StringComparer.Ordinal.Equals(tokenType, SecurityTokenTypes.OasisWssSaml2TokenProfile11)) { Saml2SecurityTokenHandler saml2SecurityTokenHandler = securityTokenHandler as Saml2SecurityTokenHandler; if (saml2SecurityTokenHandler == null) { throw DiagnosticUtility.ExceptionUtility.ThrowHelperError( new InvalidOperationException(SR.GetString(SR.ID4072, securityTokenHandler.GetType(), tokenType, typeof(Saml2SecurityTokenHandler)))); } if (saml2SecurityTokenHandler.Configuration == null) { throw DiagnosticUtility.ExceptionUtility.ThrowHelperInvalidOperation(SR.GetString(SR.ID4274)); } securityTokenAuthenticator = new WrappedSaml2SecurityTokenAuthenticator(saml2SecurityTokenHandler, _exceptionMapper); // The out-of-band token resolver will be used by WCF to decrypt any encrypted SAML tokens. outOfBandTokenResolver = saml2SecurityTokenHandler.Configuration.ServiceTokenResolver; } else if (StringComparer.Ordinal.Equals(tokenType, ServiceModelSecurityTokenTypes.SecureConversation)) { RecipientServiceModelSecurityTokenRequirement tr = tokenRequirement as RecipientServiceModelSecurityTokenRequirement; if (tr == null) { throw DiagnosticUtility.ExceptionUtility.ThrowHelperInvalidOperation(SR.GetString(SR.ID4240, tokenRequirement.GetType().ToString())); } securityTokenAuthenticator = SetupSecureConversationWrapper(tr, securityTokenHandler as SessionSecurityTokenHandler, out outOfBandTokenResolver); } else { securityTokenAuthenticator = new SecurityTokenAuthenticatorAdapter(securityTokenHandler, _exceptionMapper); } } else { if (tokenType == ServiceModelSecurityTokenTypes.SecureConversation || tokenType == ServiceModelSecurityTokenTypes.MutualSslnego || tokenType == ServiceModelSecurityTokenTypes.AnonymousSslnego || tokenType == ServiceModelSecurityTokenTypes.SecurityContext || tokenType == ServiceModelSecurityTokenTypes.Spnego) { RecipientServiceModelSecurityTokenRequirement tr = tokenRequirement as RecipientServiceModelSecurityTokenRequirement; if (tr == null) { throw DiagnosticUtility.ExceptionUtility.ThrowHelperInvalidOperation(SR.GetString(SR.ID4240, tokenRequirement.GetType().ToString())); } securityTokenAuthenticator = SetupSecureConversationWrapper(tr, null, out outOfBandTokenResolver); } else { securityTokenAuthenticator = CreateInnerSecurityTokenAuthenticator(tokenRequirement, out outOfBandTokenResolver); } } return(securityTokenAuthenticator); }