private SecurityTokenProvider CreateTlsnegoServerX509TokenProvider(RecipientServiceModelSecurityTokenRequirement recipientRequirement)
{
//throw new PlatformNotSupportedException("TlsnegoServerX509Token");
RecipientServiceModelSecurityTokenRequirement serverX509Requirement = new RecipientServiceModelSecurityTokenRequirement
{
TokenType = SecurityTokenTypes.X509Certificate,
KeyUsage = SecurityKeyUsage.Exchange,
ListenUri = recipientRequirement.ListenUri,
KeyType = SecurityKeyType.AsymmetricKey,
SecurityBindingElement = recipientRequirement.SecurityBindingElement
};
return(CreateSecurityTokenProvider(serverX509Requirement));
}
public void CreateProviderX509()
{
SecurityTokenRequirement r =
new RecipientServiceModelSecurityTokenRequirement();
r.TokenType = SecurityTokenTypes.X509Certificate;
def_c.ServiceCredentials.ServiceCertificate.Certificate =
new X509Certificate2("Test/Resources/test.pfx", "mono");
X509SecurityTokenProvider p =
def_c.CreateSecurityTokenProvider(r)
as X509SecurityTokenProvider;
Assert.IsNotNull(p, "#1");
}
private SecurityTokenAuthenticator CreateTlsnegoClientX509TokenAuthenticator(RecipientServiceModelSecurityTokenRequirement recipientRequirement)
{
//throw new PlatformNotSupportedException("TlsnegoClientX509Token");
RecipientServiceModelSecurityTokenRequirement clientX509Requirement = new RecipientServiceModelSecurityTokenRequirement
{
TokenType = SecurityTokenTypes.X509Certificate,
KeyUsage = SecurityKeyUsage.Signature,
ListenUri = recipientRequirement.ListenUri,
KeyType = SecurityKeyType.AsymmetricKey,
SecurityBindingElement = recipientRequirement.SecurityBindingElement
};
return(CreateSecurityTokenAuthenticator(clientX509Requirement, out _));
}
RecipientServiceModelSecurityTokenRequirement CreateRecipientRequirement(string tokenType)
{
RecipientServiceModelSecurityTokenRequirement r =
new RecipientServiceModelSecurityTokenRequirement();
r.TokenType = tokenType;
r.SecurityBindingElement = new SymmetricSecurityBindingElement();
r.Properties [ReqType.IssuerBindingContextProperty] =
new BindingContext(new CustomBinding(), new BindingParameterCollection());
r.Properties [ReqType.IssuedSecurityTokenParametersProperty] = new IssuedSecurityTokenParameters();
r.MessageSecurityVersion =
MessageSecurityVersion.Default.SecurityTokenVersion;
return(r);
}
private SecurityTokenAuthenticator CreateSpnegoSecurityTokenAuthenticator(RecipientServiceModelSecurityTokenRequirement recipientRequirement, out SecurityTokenResolver sctResolver)
{
SecurityBindingElement securityBindingElement = recipientRequirement.SecurityBindingElement;
if (securityBindingElement == null)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgument(SR.Format(SR.TokenAuthenticatorRequiresSecurityBindingElement, recipientRequirement));
}
bool isCookieMode = !recipientRequirement.SupportSecurityContextCancellation;
LocalServiceSecuritySettings localServiceSettings = securityBindingElement.LocalServiceSettings;
sctResolver = new SecurityContextSecurityTokenResolver(localServiceSettings.MaxCachedCookies, true);
recipientRequirement.TryGetProperty <ExtendedProtectionPolicy>(ServiceModelSecurityTokenRequirement.ExtendedProtectionPolicy, out _);
SpnegoTokenAuthenticator authenticator = new SpnegoTokenAuthenticator
{
ExtendedProtectionPolicy = null,
AllowUnauthenticatedCallers = ServiceCredentials.WindowsAuthentication.AllowAnonymousLogons,
ExtractGroupsForWindowsAccounts = ServiceCredentials.WindowsAuthentication.IncludeWindowsGroups,
IsClientAnonymous = false,
EncryptStateInServiceToken = isCookieMode,
IssuedSecurityTokenParameters = recipientRequirement.GetProperty <SecurityTokenParameters>(ServiceModelSecurityTokenRequirement.IssuedSecurityTokenParametersProperty),
IssuedTokenCache = (ISecurityContextSecurityTokenCache)sctResolver,
IssuerBindingContext = recipientRequirement.GetProperty <BindingContext>(ServiceModelSecurityTokenRequirement.IssuerBindingContextProperty),
ListenUri = recipientRequirement.ListenUri,
SecurityAlgorithmSuite = recipientRequirement.SecurityAlgorithmSuite,
StandardsManager = SecurityUtils.CreateSecurityStandardsManager(recipientRequirement, this),
SecurityStateEncoder = ServiceCredentials.SecureConversationAuthentication.SecurityStateEncoder,
KnownTypes = ServiceCredentials.SecureConversationAuthentication.SecurityContextClaimTypes,
LdapSettings = ServiceCredentials.WindowsAuthentication.LdapSetting
};
// if the SPNEGO is being done in mixed-mode, the nego blobs are from an anonymous client and so there size bound needs to be enforced.
if (securityBindingElement is TransportSecurityBindingElement)
{
authenticator.MaxMessageSize = SecurityUtils.GetMaxNegotiationBufferSize(authenticator.IssuerBindingContext);
}
// local security quotas
authenticator.MaximumCachedNegotiationState = localServiceSettings.MaxStatefulNegotiations;
authenticator.NegotiationTimeout = localServiceSettings.NegotiationTimeout;
authenticator.ServiceTokenLifetime = localServiceSettings.IssuedCookieLifetime;
authenticator.MaximumConcurrentNegotiations = localServiceSettings.MaxStatefulNegotiations;
// audit settings
//authenticator.AuditLogLocation = recipientRequirement.AuditLogLocation;
//authenticator.SuppressAuditFailure = recipientRequirement.SuppressAuditFailure;
//authenticator.MessageAuthenticationAuditLevel = recipientRequirement.MessageAuthenticationAuditLevel;
return(authenticator);
}
public void CreateProviderX509Recipient()
{
RecipientServiceModelSecurityTokenRequirement r =
new RecipientServiceModelSecurityTokenRequirement();
r.TokenType = SecurityTokenTypes.X509Certificate;
r.KeyUsage = SecurityKeyUsage.Exchange;
def_c.ClientCredentials.ClientCertificate.Certificate = cert;
X509SecurityTokenProvider p =
def_c.CreateSecurityTokenProvider(r)
as X509SecurityTokenProvider;
Assert.IsNotNull(p, "#1");
}
RecipientServiceModelSecurityTokenRequirement CreateAnonSslRequirement()
{
RecipientServiceModelSecurityTokenRequirement r =
new RecipientServiceModelSecurityTokenRequirement();
MySslSecurityTokenParameters p = new MySslSecurityTokenParameters();
p.InitRequirement(r);
r.SecurityBindingElement = new SymmetricSecurityBindingElement(new X509SecurityTokenParameters());
r.Properties [ReqType.IssuedSecurityTokenParametersProperty] = p.Clone();
r.Properties [ReqType.IssuerBindingContextProperty] =
new BindingContext(new CustomBinding(new HttpTransportBindingElement()), new BindingParameterCollection());
r.Properties [ReqType.MessageSecurityVersionProperty] =
MessageSecurityVersion.Default.SecurityTokenVersion;
return(r);
}
private SecurityTokenAuthenticator CreateTlsnegoSecurityTokenAuthenticator(RecipientServiceModelSecurityTokenRequirement recipientRequirement, bool requireClientCertificate, out SecurityTokenResolver sctResolver)
{
throw new PlatformNotSupportedException("TlsnegoSecurityToken");
/*
* SecurityBindingElement securityBindingElement = recipientRequirement.SecurityBindingElement;
* if (securityBindingElement == null)
* {
* throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgument(SR.Format(SR.TokenAuthenticatorRequiresSecurityBindingElement, recipientRequirement));
* }
* bool isCookieMode = !recipientRequirement.SupportSecurityContextCancellation;
* LocalServiceSecuritySettings localServiceSettings = securityBindingElement.LocalServiceSettings;
* sctResolver = new SecurityContextSecurityTokenResolver(localServiceSettings.MaxCachedCookies, true);
*
* TlsnegoTokenAuthenticator authenticator = new TlsnegoTokenAuthenticator();
* authenticator.IsClientAnonymous = !requireClientCertificate;
* if (requireClientCertificate)
* {
* authenticator.ClientTokenAuthenticator = this.CreateTlsnegoClientX509TokenAuthenticator(recipientRequirement);
* authenticator.MapCertificateToWindowsAccount = this.ServiceCredentials.ClientCertificate.Authentication.MapClientCertificateToWindowsAccount;
* }
* authenticator.EncryptStateInServiceToken = isCookieMode;
* authenticator.IssuedSecurityTokenParameters = recipientRequirement.GetProperty<SecurityTokenParameters>(ServiceModelSecurityTokenRequirement.IssuedSecurityTokenParametersProperty);
* authenticator.IssuedTokenCache = (ISecurityContextSecurityTokenCache)sctResolver;
* authenticator.IssuerBindingContext = recipientRequirement.GetProperty<BindingContext>(ServiceModelSecurityTokenRequirement.IssuerBindingContextProperty);
* authenticator.ListenUri = recipientRequirement.ListenUri;
* authenticator.SecurityAlgorithmSuite = recipientRequirement.SecurityAlgorithmSuite;
* authenticator.StandardsManager = SecurityUtils.CreateSecurityStandardsManager(recipientRequirement, this);
* authenticator.SecurityStateEncoder = parent.SecureConversationAuthentication.SecurityStateEncoder;
* authenticator.KnownTypes = parent.SecureConversationAuthentication.SecurityContextClaimTypes;
* authenticator.ServerTokenProvider = CreateTlsnegoServerX509TokenProvider(recipientRequirement);
* // local security quotas
* authenticator.MaximumCachedNegotiationState = localServiceSettings.MaxStatefulNegotiations;
* authenticator.NegotiationTimeout = localServiceSettings.NegotiationTimeout;
* authenticator.ServiceTokenLifetime = localServiceSettings.IssuedCookieLifetime;
* authenticator.MaximumConcurrentNegotiations = localServiceSettings.MaxStatefulNegotiations;
* // if the TLSNEGO is being done in mixed-mode, the nego blobs are from an anonymous client and so there size bound needs to be enforced.
* if (securityBindingElement is TransportSecurityBindingElement)
* {
* authenticator.MaxMessageSize = SecurityUtils.GetMaxNegotiationBufferSize(authenticator.IssuerBindingContext);
* }
* // audit settings
* // authenticator.AuditLogLocation = recipientRequirement.AuditLogLocation;
* // authenticator.SuppressAuditFailure = recipientRequirement.SuppressAuditFailure;
* // authenticator.MessageAuthenticationAuditLevel = recipientRequirement.MessageAuthenticationAuditLevel;
* return authenticator;*/
}
public void CreateProviderAnonSslError()
{
RecipientServiceModelSecurityTokenRequirement r =
new RecipientServiceModelSecurityTokenRequirement();
r.TokenType = ServiceModelSecurityTokenTypes.AnonymousSslnego;
r.ListenUri = new Uri("http://localhost:8080");
r.SecurityBindingElement = new SymmetricSecurityBindingElement();
r.Properties [ReqType.IssuerBindingContextProperty] =
new BindingContext(new CustomBinding(), new BindingParameterCollection());
r.MessageSecurityVersion =
MessageSecurityVersion.Default.SecurityTokenVersion;
SecurityTokenProvider p =
def_c.CreateSecurityTokenProvider(r);
Assert.IsNotNull(p, "#1");
}
public void CreateProviderAnonSsl()
{
RecipientServiceModelSecurityTokenRequirement r =
new RecipientServiceModelSecurityTokenRequirement();
new MySslSecurityTokenParameters().InitRequirement(r);
Assert.IsFalse(r.Properties.ContainsKey(ReqType.ChannelParametersCollectionProperty), "#1");
Assert.IsFalse(r.Properties.ContainsKey(ReqType.EndpointFilterTableProperty), "#2");
Assert.IsFalse(r.Properties.ContainsKey(ReqType.HttpAuthenticationSchemeProperty), "#3");
Assert.IsFalse(r.Properties.ContainsKey(ReqType.IsOutOfBandTokenProperty), "#4");
Assert.IsFalse(r.Properties.ContainsKey(ReqType.IssuerAddressProperty), "#5");
Assert.IsFalse(r.Properties.ContainsKey(ReqType.MessageDirectionProperty), "#6");
Assert.IsFalse(r.Properties.ContainsKey(ReqType.MessageSecurityVersionProperty), "#7");
//Assert.IsTrue (r.Properties.ContainsKey (SecurityTokenRequirement.PeerAuthenticationMode), "#8");
Assert.IsFalse(r.Properties.ContainsKey(ReqType.SecurityAlgorithmSuiteProperty), "#9");
Assert.IsFalse(r.Properties.ContainsKey(ReqType.SecurityBindingElementProperty), "#10");
Assert.IsFalse(r.Properties.ContainsKey(ReqType.SupportingTokenAttachmentModeProperty), "#11");
Assert.AreEqual(null, r.TransportScheme, "#12");
r.TokenType = ServiceModelSecurityTokenTypes.AnonymousSslnego;
r.ListenUri = new Uri("http://localhost:8080");
r.SecurityBindingElement = new SymmetricSecurityBindingElement();
r.Properties [ReqType.IssuerBindingContextProperty] =
new BindingContext(new CustomBinding(), new BindingParameterCollection());
r.MessageSecurityVersion =
MessageSecurityVersion.Default.SecurityTokenVersion;
r.Properties [ReqType.SecurityAlgorithmSuiteProperty] =
SecurityAlgorithmSuite.Default;
r.TransportScheme = "https";
r.Properties [ReqType.ChannelParametersCollectionProperty] = new ChannelParameterCollection();
r.Properties [ReqType.EndpointFilterTableProperty] = null;
r.Properties [ReqType.HttpAuthenticationSchemeProperty] = AuthenticationSchemes.Anonymous;
r.Properties [ReqType.IsOutOfBandTokenProperty] = true;
r.Properties [ReqType.IssuerAddressProperty] = new EndpointAddress("http://localhost:9090");
// r.Properties [ReqType.MessageDirectionProperty] = MessageDirection.Input;
r.Properties [ReqType.SecurityBindingElementProperty] = new SymmetricSecurityBindingElement();
r.Properties [ReqType.SupportingTokenAttachmentModeProperty] = SecurityTokenAttachmentMode.Signed;
SecurityTokenProvider p =
def_c.CreateSecurityTokenProvider(r);
Assert.IsNotNull(p, "#1");
}
protected RecipientServiceModelSecurityTokenRequirement CreateRecipientSecurityTokenRequirement()
{
RecipientServiceModelSecurityTokenRequirement requirement = new RecipientServiceModelSecurityTokenRequirement();
requirement.SecurityBindingElement = this.securityBindingElement;
requirement.SecurityAlgorithmSuite = this.IncomingAlgorithmSuite;
requirement.ListenUri = this.listenUri;
requirement.MessageSecurityVersion = this.MessageSecurityVersion.SecurityTokenVersion;
// requirement.AuditLogLocation = this.auditLogLocation;
// requirement.SuppressAuditFailure = this.suppressAuditFailure;
// requirement.MessageAuthenticationAuditLevel = this.messageAuthenticationAuditLevel;
requirement.Properties[ServiceModelSecurityTokenRequirement.ExtendedProtectionPolicy] = this.extendedProtectionPolicy;
if (this.endpointFilterTable != null)
{
requirement.Properties.Add(ServiceModelSecurityTokenRequirement.EndpointFilterTableProperty, this.endpointFilterTable);
}
return(requirement);
}
private SecurityTokenAuthenticator CreateSpnegoSecurityTokenAuthenticator(RecipientServiceModelSecurityTokenRequirement recipientRequirement, out SecurityTokenResolver sctResolver)
{
SecurityBindingElement securityBindingElement = recipientRequirement.SecurityBindingElement;
if (securityBindingElement == null)
{
throw System.ServiceModel.DiagnosticUtility.ExceptionUtility.ThrowHelperArgument(System.ServiceModel.SR.GetString("TokenAuthenticatorRequiresSecurityBindingElement", new object[] { recipientRequirement }));
}
bool flag = !recipientRequirement.SupportSecurityContextCancellation;
LocalServiceSecuritySettings localServiceSettings = securityBindingElement.LocalServiceSettings;
sctResolver = new SecurityContextSecurityTokenResolver(localServiceSettings.MaxCachedCookies, true);
ExtendedProtectionPolicy result = null;
recipientRequirement.TryGetProperty <ExtendedProtectionPolicy>(ServiceModelSecurityTokenRequirement.ExtendedProtectionPolicy, out result);
SpnegoTokenAuthenticator authenticator = new SpnegoTokenAuthenticator {
ExtendedProtectionPolicy = result,
AllowUnauthenticatedCallers = this.parent.WindowsAuthentication.AllowAnonymousLogons,
ExtractGroupsForWindowsAccounts = this.parent.WindowsAuthentication.IncludeWindowsGroups,
IsClientAnonymous = false,
EncryptStateInServiceToken = flag,
IssuedSecurityTokenParameters = recipientRequirement.GetProperty <SecurityTokenParameters>(ServiceModelSecurityTokenRequirement.IssuedSecurityTokenParametersProperty),
IssuedTokenCache = (ISecurityContextSecurityTokenCache)sctResolver,
IssuerBindingContext = recipientRequirement.GetProperty <BindingContext>(ServiceModelSecurityTokenRequirement.IssuerBindingContextProperty),
ListenUri = recipientRequirement.ListenUri,
SecurityAlgorithmSuite = recipientRequirement.SecurityAlgorithmSuite,
StandardsManager = System.ServiceModel.Security.SecurityUtils.CreateSecurityStandardsManager(recipientRequirement, this),
SecurityStateEncoder = this.parent.SecureConversationAuthentication.SecurityStateEncoder,
KnownTypes = this.parent.SecureConversationAuthentication.SecurityContextClaimTypes
};
if (securityBindingElement is TransportSecurityBindingElement)
{
authenticator.MaxMessageSize = System.ServiceModel.Security.SecurityUtils.GetMaxNegotiationBufferSize(authenticator.IssuerBindingContext);
}
authenticator.MaximumCachedNegotiationState = localServiceSettings.MaxStatefulNegotiations;
authenticator.NegotiationTimeout = localServiceSettings.NegotiationTimeout;
authenticator.ServiceTokenLifetime = localServiceSettings.IssuedCookieLifetime;
authenticator.MaximumConcurrentNegotiations = localServiceSettings.MaxStatefulNegotiations;
authenticator.AuditLogLocation = recipientRequirement.AuditLogLocation;
authenticator.SuppressAuditFailure = recipientRequirement.SuppressAuditFailure;
authenticator.MessageAuthenticationAuditLevel = recipientRequirement.MessageAuthenticationAuditLevel;
return(authenticator);
}
private SecurityTokenAuthenticator CreateTlsnegoSecurityTokenAuthenticator(RecipientServiceModelSecurityTokenRequirement recipientRequirement, bool requireClientCertificate, out SecurityTokenResolver sctResolver)
{
SecurityBindingElement securityBindingElement = recipientRequirement.SecurityBindingElement;
if (securityBindingElement == null)
{
throw System.ServiceModel.DiagnosticUtility.ExceptionUtility.ThrowHelperArgument(System.ServiceModel.SR.GetString("TokenAuthenticatorRequiresSecurityBindingElement", new object[] { recipientRequirement }));
}
bool flag = !recipientRequirement.SupportSecurityContextCancellation;
LocalServiceSecuritySettings localServiceSettings = securityBindingElement.LocalServiceSettings;
sctResolver = new SecurityContextSecurityTokenResolver(localServiceSettings.MaxCachedCookies, true);
TlsnegoTokenAuthenticator authenticator = new TlsnegoTokenAuthenticator {
IsClientAnonymous = !requireClientCertificate
};
if (requireClientCertificate)
{
authenticator.ClientTokenAuthenticator = this.CreateTlsnegoClientX509TokenAuthenticator(recipientRequirement);
authenticator.MapCertificateToWindowsAccount = this.ServiceCredentials.ClientCertificate.Authentication.MapClientCertificateToWindowsAccount;
}
authenticator.EncryptStateInServiceToken = flag;
authenticator.IssuedSecurityTokenParameters = recipientRequirement.GetProperty <SecurityTokenParameters>(ServiceModelSecurityTokenRequirement.IssuedSecurityTokenParametersProperty);
authenticator.IssuedTokenCache = (ISecurityContextSecurityTokenCache)sctResolver;
authenticator.IssuerBindingContext = recipientRequirement.GetProperty <BindingContext>(ServiceModelSecurityTokenRequirement.IssuerBindingContextProperty);
authenticator.ListenUri = recipientRequirement.ListenUri;
authenticator.SecurityAlgorithmSuite = recipientRequirement.SecurityAlgorithmSuite;
authenticator.StandardsManager = System.ServiceModel.Security.SecurityUtils.CreateSecurityStandardsManager(recipientRequirement, this);
authenticator.SecurityStateEncoder = this.parent.SecureConversationAuthentication.SecurityStateEncoder;
authenticator.KnownTypes = this.parent.SecureConversationAuthentication.SecurityContextClaimTypes;
authenticator.ServerTokenProvider = this.CreateTlsnegoServerX509TokenProvider(recipientRequirement);
authenticator.MaximumCachedNegotiationState = localServiceSettings.MaxStatefulNegotiations;
authenticator.NegotiationTimeout = localServiceSettings.NegotiationTimeout;
authenticator.ServiceTokenLifetime = localServiceSettings.IssuedCookieLifetime;
authenticator.MaximumConcurrentNegotiations = localServiceSettings.MaxStatefulNegotiations;
if (securityBindingElement is TransportSecurityBindingElement)
{
authenticator.MaxMessageSize = System.ServiceModel.Security.SecurityUtils.GetMaxNegotiationBufferSize(authenticator.IssuerBindingContext);
}
authenticator.AuditLogLocation = recipientRequirement.AuditLogLocation;
authenticator.SuppressAuditFailure = recipientRequirement.SuppressAuditFailure;
authenticator.MessageAuthenticationAuditLevel = recipientRequirement.MessageAuthenticationAuditLevel;
return(authenticator);
}
/// <summary>
/// Helper method to setup the WrappedSecureConversttion
/// </summary>
SecurityTokenAuthenticator SetupSecureConversationWrapper(RecipientServiceModelSecurityTokenRequirement tokenRequirement, SessionSecurityTokenHandler tokenHandler, out SecurityTokenResolver outOfBandTokenResolver)
{
// This code requires Orcas SP1 to compile.
// WCF expects this securityTokenAuthenticator to support:
// 1. IIssuanceSecurityTokenAuthenticator
// 2. ICommunicationObject is needed for this to work right.
// WCF opens a listener in this STA that handles the nego and uses an internal class for negotiating the
// the bootstrap tokens. We want to handle ValidateToken to return our authorization policies and surface the bootstrap tokens.
// when sp1 is installed, use this one.
//SecurityTokenAuthenticator sta = base.CreateSecureConversationTokenAuthenticator( tokenRequirement as RecipientServiceModelSecurityTokenRequirement, _saveBootstrapTokensInSession, out outOfBandTokenResolver );
// use this code if SP1 is not installed
SecurityTokenAuthenticator sta = base.CreateSecurityTokenAuthenticator(tokenRequirement, out outOfBandTokenResolver);
SessionSecurityTokenHandler sessionTokenHandler = tokenHandler;
//
// If there is no SCT handler here, create one.
//
if (tokenHandler == null)
{
sessionTokenHandler = new SessionSecurityTokenHandler(_cookieTransforms, SessionSecurityTokenHandler.DefaultTokenLifetime);
sessionTokenHandler.ContainingCollection = _securityTokenHandlerCollection;
sessionTokenHandler.Configuration = _securityTokenHandlerCollection.Configuration;
}
if (ServiceCredentials != null)
{
sessionTokenHandler.Configuration.MaxClockSkew = ServiceCredentials.IdentityConfiguration.MaxClockSkew;
}
SctClaimsHandler claimsHandler = new SctClaimsHandler(
_securityTokenHandlerCollection,
GetNormalizedEndpointId(tokenRequirement));
WrappedSessionSecurityTokenAuthenticator wssta = new WrappedSessionSecurityTokenAuthenticator(sessionTokenHandler, sta,
claimsHandler, _exceptionMapper);
WrappedTokenCache wrappedTokenCache = new WrappedTokenCache(_tokenCache, claimsHandler);
SetWrappedTokenCache(wrappedTokenCache, sta, wssta, claimsHandler);
outOfBandTokenResolver = wrappedTokenCache;
return(wssta);
}
protected void SetSecurityTokenAuthenticator(string scheme, BindingContext context)
{
if (base.ReceiveParameters.TransportSecurity.MsmqAuthenticationMode == MsmqAuthenticationMode.Certificate)
{
SecurityTokenResolver resolver;
SecurityCredentialsManager manager = context.BindingParameters.Find <SecurityCredentialsManager>();
if (manager == null)
{
manager = ServiceCredentials.CreateDefaultCredentials();
}
SecurityTokenManager manager2 = manager.CreateSecurityTokenManager();
RecipientServiceModelSecurityTokenRequirement tokenRequirement = new RecipientServiceModelSecurityTokenRequirement {
TokenType = SecurityTokenTypes.X509Certificate,
TransportScheme = scheme,
ListenUri = this.Uri,
KeyUsage = SecurityKeyUsage.Signature
};
this.x509SecurityTokenAuthenticator = manager2.CreateSecurityTokenAuthenticator(tokenRequirement, out resolver);
}
}
private SecurityTokenProvider CreateLocalSecurityTokenProvider(RecipientServiceModelSecurityTokenRequirement recipientRequirement)
{
AuthenticationSchemes schemes;
string tokenType = recipientRequirement.TokenType;
SecurityTokenProvider provider = null;
if (tokenType == SecurityTokenTypes.X509Certificate)
{
return(this.CreateServerX509TokenProvider());
}
if (!(tokenType == ServiceModelSecurityTokenTypes.SspiCredential))
{
return(provider);
}
if (recipientRequirement.TryGetProperty <AuthenticationSchemes>(ServiceModelSecurityTokenRequirement.HttpAuthenticationSchemeProperty, out schemes) && (schemes == AuthenticationSchemes.Basic))
{
return(new SspiSecurityTokenProvider(null, this.parent.UserNameAuthentication.IncludeWindowsGroups, false));
}
return(new SspiSecurityTokenProvider(null, this.parent.WindowsAuthentication.IncludeWindowsGroups, this.parent.WindowsAuthentication.AllowAnonymousLogons));
}
public void CreateAuthenticatorUserName()
{
SecurityTokenRequirement r =
new RecipientServiceModelSecurityTokenRequirement();
r.TokenType = SecurityTokenTypes.UserName;
SecurityTokenResolver resolver;
SecurityTokenAuthenticator a =
def_c.CreateSecurityTokenAuthenticator(r, out resolver);
Assert.AreEqual(typeof(WindowsUserNameSecurityTokenAuthenticator), a.GetType(), "#1");
Assert.IsNull(resolver, "#2");
def_c.ServiceCredentials.UserNameAuthentication.UserNamePasswordValidationMode = UserNamePasswordValidationMode.Custom;
def_c.ServiceCredentials.UserNameAuthentication.CustomUserNamePasswordValidator = new MyUserNameValidator();
a = def_c.CreateSecurityTokenAuthenticator(r, out resolver);
Assert.AreEqual(typeof(CustomUserNameSecurityTokenAuthenticator), a.GetType(), "#3");
Assert.IsNull(resolver, "#4");
}
public void CreateAuthenticatorAnonSsl()
{
RecipientServiceModelSecurityTokenRequirement r =
CreateAnonSslRequirement();
SecurityTokenResolver resolver;
X509Certificate2 cert = new X509Certificate2("Test/Resources/test.pfx", "mono");
def_c.ServiceCredentials.ServiceCertificate.Certificate = cert;
SecurityTokenAuthenticator a = def_c.CreateSecurityTokenAuthenticator(r, out resolver);
// non-standard authenticator type.
Assert.IsNotNull(resolver, "#1");
Assert.IsTrue(a is IIssuanceSecurityTokenAuthenticator, "#2");
try {
a.ValidateToken(new X509SecurityToken(cert));
Assert.Fail("It cannot validate raw X509SecurityToken");
} catch (SecurityTokenValidationException) {
}
}
public virtual EndpointIdentity GetIdentityOfSelf(SecurityTokenRequirement tokenRequirement)
{
if (tokenRequirement == null)
{
throw System.ServiceModel.DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("tokenRequirement");
}
if (tokenRequirement is RecipientServiceModelSecurityTokenRequirement)
{
string tokenType = tokenRequirement.TokenType;
if (((tokenType == SecurityTokenTypes.X509Certificate) || (tokenType == ServiceModelSecurityTokenTypes.AnonymousSslnego)) || (tokenType == ServiceModelSecurityTokenTypes.MutualSslnego))
{
if (this.parent.ServiceCertificate.Certificate != null)
{
return(EndpointIdentity.CreateX509CertificateIdentity(this.parent.ServiceCertificate.Certificate));
}
}
else
{
if ((tokenType == SecurityTokenTypes.Kerberos) || (tokenType == ServiceModelSecurityTokenTypes.Spnego))
{
return(System.ServiceModel.Security.SecurityUtils.CreateWindowsIdentity());
}
if (tokenType == ServiceModelSecurityTokenTypes.SecureConversation)
{
SecurityBindingElement secureConversationSecurityBindingElement = ((RecipientServiceModelSecurityTokenRequirement)tokenRequirement).SecureConversationSecurityBindingElement;
if (secureConversationSecurityBindingElement != null)
{
if ((secureConversationSecurityBindingElement == null) || (secureConversationSecurityBindingElement is TransportSecurityBindingElement))
{
return(null);
}
SecurityTokenParameters parameters = (secureConversationSecurityBindingElement is SymmetricSecurityBindingElement) ? ((SymmetricSecurityBindingElement)secureConversationSecurityBindingElement).ProtectionTokenParameters : ((AsymmetricSecurityBindingElement)secureConversationSecurityBindingElement).RecipientTokenParameters;
SecurityTokenRequirement requirement = new RecipientServiceModelSecurityTokenRequirement();
parameters.InitializeSecurityTokenRequirement(requirement);
return(this.GetIdentityOfSelf(requirement));
}
}
}
}
return(null);
}
void CreateRecipientProviderCore(bool mutual)
{
MyParameters tp = new MyParameters();
tp.RequireClientCertificate = true;
RecipientServiceModelSecurityTokenRequirement r =
new RecipientServiceModelSecurityTokenRequirement();
tp.InitRequirement(r);
r.ListenUri = new Uri("http://localhost:8080");
r.SecurityBindingElement = new SymmetricSecurityBindingElement();
r.Properties [ReqType.IssuerBindingContextProperty] =
new BindingContext(new CustomBinding(),
new BindingParameterCollection());
r.MessageSecurityVersion = MessageSecurityVersion.Default.SecurityTokenVersion;
ClientCredentials cred = new ClientCredentials();
ClientCredentialsSecurityTokenManager manager =
new ClientCredentialsSecurityTokenManager(cred);
manager.CreateSecurityTokenProvider(r);
}
SecurityTokenProvider CreateLocalSecurityTokenProvider(RecipientServiceModelSecurityTokenRequirement recipientRequirement)
{
string tokenType = recipientRequirement.TokenType;
SecurityTokenProvider result = null;
if (tokenType == SecurityTokenTypes.X509Certificate)
{
result = CreateServerX509TokenProvider();
}
else if (tokenType == ServiceModelSecurityTokenTypes.SspiCredential)
{
// if Transport Security, AuthenticationSchemes.Basic will look at parent.UserNameAuthentication settings.
AuthenticationSchemes authenticationScheme;
bool authenticationSchemeIdentified = recipientRequirement.TryGetProperty <AuthenticationSchemes>(ServiceModelSecurityTokenRequirement.HttpAuthenticationSchemeProperty, out authenticationScheme);
if (authenticationSchemeIdentified &&
authenticationScheme.IsSet(AuthenticationSchemes.Basic) &&
authenticationScheme.IsNotSet(AuthenticationSchemes.Digest | AuthenticationSchemes.Ntlm | AuthenticationSchemes.Negotiate))
{
// create security token provider even when basic and Anonymous are enabled.
result = new SspiSecurityTokenProvider(null, parent.UserNameAuthentication.IncludeWindowsGroups, false);
}
else
{
if (authenticationSchemeIdentified &&
authenticationScheme.IsSet(AuthenticationSchemes.Basic) &&
parent.WindowsAuthentication.IncludeWindowsGroups != parent.UserNameAuthentication.IncludeWindowsGroups)
{
// Ensure there are no inconsistencies when Basic and (Digest and/or Ntlm and/or Negotiate) are both enabled
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new NotSupportedException(SR.Format(SR.SecurityTokenProviderIncludeWindowsGroupsInconsistent,
(AuthenticationSchemes)authenticationScheme - AuthenticationSchemes.Basic,
parent.UserNameAuthentication.IncludeWindowsGroups,
parent.WindowsAuthentication.IncludeWindowsGroups)));
}
result = new SspiSecurityTokenProvider(null, parent.WindowsAuthentication.IncludeWindowsGroups, parent.WindowsAuthentication.AllowAnonymousLogons);
}
}
return(result);
}
public override SecurityTokenProvider CreateSecurityTokenProvider(SecurityTokenRequirement requirement)
{
if (requirement == null)
{
throw System.ServiceModel.DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("requirement");
}
RecipientServiceModelSecurityTokenRequirement recipientRequirement = requirement as RecipientServiceModelSecurityTokenRequirement;
SecurityTokenProvider provider = null;
if (recipientRequirement != null)
{
provider = this.CreateLocalSecurityTokenProvider(recipientRequirement);
}
else if (requirement is InitiatorServiceModelSecurityTokenRequirement)
{
provider = this.CreateUncorrelatedDuplexSecurityTokenProvider((InitiatorServiceModelSecurityTokenRequirement)requirement);
}
if (provider == null)
{
throw System.ServiceModel.DiagnosticUtility.ExceptionUtility.ThrowHelperError(new NotSupportedException(System.ServiceModel.SR.GetString("SecurityTokenManagerCannotCreateProviderForRequirement", new object[] { requirement })));
}
return(provider);
}
public static SslStreamSecurityUpgradeProvider CreateServerProvider(
SslStreamSecurityBindingElement bindingElement, BindingContext context)
{
SecurityCredentialsManager credentialProvider =
context.BindingParameters.Find <SecurityCredentialsManager>();
if (credentialProvider == null)
{
credentialProvider = ServiceCredentials.CreateDefaultCredentials();
}
Uri listenUri = TransportSecurityHelpers.GetListenUri(context.ListenUriBaseAddress, context.ListenUriRelativeAddress);
SecurityTokenManager tokenManager = credentialProvider.CreateSecurityTokenManager();
RecipientServiceModelSecurityTokenRequirement serverCertRequirement = new RecipientServiceModelSecurityTokenRequirement
{
TokenType = SecurityTokenTypes.X509Certificate,
RequireCryptographicToken = true,
KeyUsage = SecurityKeyUsage.Exchange,
TransportScheme = context.Binding.Scheme,
ListenUri = listenUri
};
SecurityTokenProvider tokenProvider = tokenManager.CreateSecurityTokenProvider(serverCertRequirement);
if (tokenProvider == null)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new InvalidOperationException(SR.Format(SR.ClientCredentialsUnableToCreateLocalTokenProvider, serverCertRequirement)));
}
SecurityTokenAuthenticator certificateAuthenticator =
TransportSecurityHelpers.GetCertificateTokenAuthenticator(tokenManager, context.Binding.Scheme, listenUri);
return(new SslStreamSecurityUpgradeProvider(context.Binding, tokenProvider, bindingElement.RequireClientCertificate,
certificateAuthenticator, context.Binding.Scheme, bindingElement.IdentityVerifier, bindingElement.SslProtocols));
}
SamlSecurityTokenAuthenticator CreateSamlTokenAuthenticator(RecipientServiceModelSecurityTokenRequirement recipientRequirement, out SecurityTokenResolver outOfBandTokenResolver)
{
if (recipientRequirement == null)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("recipientRequirement");
}
Collection <SecurityToken> outOfBandTokens = new Collection <SecurityToken>();
if (parent.ServiceCertificate.Certificate != null)
{
outOfBandTokens.Add(new X509SecurityToken(parent.ServiceCertificate.Certificate));
}
List <SecurityTokenAuthenticator> supportingAuthenticators = new List <SecurityTokenAuthenticator>();
if ((parent.IssuedTokenAuthentication.KnownCertificates != null) && (parent.IssuedTokenAuthentication.KnownCertificates.Count > 0))
{
for (int i = 0; i < parent.IssuedTokenAuthentication.KnownCertificates.Count; ++i)
{
outOfBandTokens.Add(new X509SecurityToken(parent.IssuedTokenAuthentication.KnownCertificates[i]));
}
}
X509CertificateValidator validator = parent.IssuedTokenAuthentication.GetCertificateValidator();
supportingAuthenticators.Add(new X509SecurityTokenAuthenticator(validator));
if (parent.IssuedTokenAuthentication.AllowUntrustedRsaIssuers)
{
supportingAuthenticators.Add(new RsaSecurityTokenAuthenticator());
}
outOfBandTokenResolver = (outOfBandTokens.Count > 0) ? SecurityTokenResolver.CreateDefaultSecurityTokenResolver(new ReadOnlyCollection <SecurityToken>(outOfBandTokens), false) : null;
SamlSecurityTokenAuthenticator ssta;
if ((recipientRequirement.SecurityBindingElement == null) || (recipientRequirement.SecurityBindingElement.LocalServiceSettings == null))
{
ssta = new SamlSecurityTokenAuthenticator(supportingAuthenticators);
}
else
{
ssta = new SamlSecurityTokenAuthenticator(supportingAuthenticators, recipientRequirement.SecurityBindingElement.LocalServiceSettings.MaxClockSkew);
}
// set audience uri restrictions
ssta.AudienceUriMode = parent.IssuedTokenAuthentication.AudienceUriMode;
IList <string> allowedAudienceUris = ssta.AllowedAudienceUris;
if (parent.IssuedTokenAuthentication.AllowedAudienceUris != null)
{
for (int i = 0; i < parent.IssuedTokenAuthentication.AllowedAudienceUris.Count; i++)
{
allowedAudienceUris.Add(parent.IssuedTokenAuthentication.AllowedAudienceUris[i]);
}
}
if (recipientRequirement.ListenUri != null)
{
allowedAudienceUris.Add(recipientRequirement.ListenUri.AbsoluteUri);
}
return(ssta);
}
public override void OnOpen(TimeSpan timeout)
{
TimeoutHelper timeoutHelper = new TimeoutHelper(timeout);
base.OnOpen(timeoutHelper.RemainingTime());
// open forward direction
if (this.ActAsInitiator)
{
if (this.ApplyIntegrity)
{
if (this.CryptoTokenParameters == null)
{
OnPropertySettingsError("CryptoTokenParameters", true);
}
if (this.CryptoTokenParameters.RequireDerivedKeys)
{
this.ExpectKeyDerivation = true;
}
}
}
else
{
if (this.CryptoTokenParameters == null)
{
OnPropertySettingsError("CryptoTokenParameters", true);
}
if (this.CryptoTokenParameters.RequireDerivedKeys)
{
this.ExpectKeyDerivation = true;
}
SecurityTokenResolver resolver = null;
if (this.RequireIntegrity)
{
RecipientServiceModelSecurityTokenRequirement requirement = CreateRecipientSecurityTokenRequirement();
this.CryptoTokenParameters.InitializeSecurityTokenRequirement(requirement);
requirement.KeyUsage = SecurityKeyUsage.Signature;
requirement.Properties[ServiceModelSecurityTokenRequirement.MessageDirectionProperty] = MessageDirection.Input;
this.recipientCryptoTokenAuthenticator = this.SecurityTokenManager.CreateSecurityTokenAuthenticator(requirement, out resolver);
Open("RecipientCryptoTokenAuthenticator", true, this.recipientCryptoTokenAuthenticator, timeoutHelper.RemainingTime());
}
if (resolver != null)
{
Collection <SecurityTokenResolver> tmp = new Collection <SecurityTokenResolver>();
tmp.Add(resolver);
this.recipientOutOfBandTokenResolverList = new ReadOnlyCollection <SecurityTokenResolver>(tmp);
}
else
{
this.recipientOutOfBandTokenResolverList = EmptyReadOnlyCollection <SecurityTokenResolver> .Instance;
}
}
if (this.RequiresAsymmetricTokenProviderForForwardDirection || this.RequiresAsymmetricTokenProviderForReturnDirection)
{
if (this.AsymmetricTokenParameters == null)
{
OnPropertySettingsError("AsymmetricTokenParameters", this.RequiresAsymmetricTokenProviderForForwardDirection);
}
else if (this.AsymmetricTokenParameters.RequireDerivedKeys)
{
this.ExpectKeyDerivation = true;
}
if (!this.ActAsInitiator)
{
RecipientServiceModelSecurityTokenRequirement requirement = CreateRecipientSecurityTokenRequirement();
this.AsymmetricTokenParameters.InitializeSecurityTokenRequirement(requirement);
requirement.KeyUsage = (this.RequiresAsymmetricTokenProviderForForwardDirection) ? SecurityKeyUsage.Exchange : SecurityKeyUsage.Signature;
requirement.Properties[ServiceModelSecurityTokenRequirement.MessageDirectionProperty] = (this.RequiresAsymmetricTokenProviderForForwardDirection) ? MessageDirection.Input : MessageDirection.Output;
this.recipientAsymmetricTokenProvider = this.SecurityTokenManager.CreateSecurityTokenProvider(requirement);
Open("RecipientAsymmetricTokenProvider", this.RequiresAsymmetricTokenProviderForForwardDirection, this.recipientAsymmetricTokenProvider, timeoutHelper.RemainingTime());
}
}
if (this.ActAsInitiator && this.AllowSerializedSigningTokenOnReply && this.IdentityVerifier == null)
{
OnPropertySettingsError("IdentityVerifier", false);
}
}
public override SecurityTokenAuthenticator CreateSecurityTokenAuthenticator(SecurityTokenRequirement tokenRequirement, out SecurityTokenResolver outOfBandTokenResolver)
{
if (tokenRequirement == null)
{
throw System.ServiceModel.DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("tokenRequirement");
}
string tokenType = tokenRequirement.TokenType;
outOfBandTokenResolver = null;
SecurityTokenAuthenticator authenticator = null;
if (((tokenRequirement is InitiatorServiceModelSecurityTokenRequirement) && (tokenType == SecurityTokenTypes.X509Certificate)) && (tokenRequirement.KeyUsage == SecurityKeyUsage.Exchange))
{
return(new X509SecurityTokenAuthenticator(X509CertificateValidator.None, false));
}
RecipientServiceModelSecurityTokenRequirement recipientRequirement = tokenRequirement as RecipientServiceModelSecurityTokenRequirement;
if (recipientRequirement == null)
{
throw System.ServiceModel.DiagnosticUtility.ExceptionUtility.ThrowHelperError(new NotSupportedException(System.ServiceModel.SR.GetString("SecurityTokenManagerCannotCreateAuthenticatorForRequirement", new object[] { tokenRequirement })));
}
if (tokenType == SecurityTokenTypes.X509Certificate)
{
authenticator = this.CreateClientX509TokenAuthenticator();
}
else if (tokenType == SecurityTokenTypes.Kerberos)
{
authenticator = new KerberosSecurityTokenAuthenticatorWrapper(new KerberosSecurityTokenAuthenticator(this.parent.WindowsAuthentication.IncludeWindowsGroups));
}
else if (tokenType == SecurityTokenTypes.UserName)
{
if (this.parent.UserNameAuthentication.UserNamePasswordValidationMode == UserNamePasswordValidationMode.Windows)
{
if (this.parent.UserNameAuthentication.CacheLogonTokens)
{
authenticator = new WindowsUserNameCachingSecurityTokenAuthenticator(this.parent.UserNameAuthentication.IncludeWindowsGroups, this.parent.UserNameAuthentication.MaxCachedLogonTokens, this.parent.UserNameAuthentication.CachedLogonTokenLifetime);
}
else
{
authenticator = new WindowsUserNameSecurityTokenAuthenticator(this.parent.UserNameAuthentication.IncludeWindowsGroups);
}
}
else
{
authenticator = new CustomUserNameSecurityTokenAuthenticator(this.parent.UserNameAuthentication.GetUserNamePasswordValidator());
}
}
else if (tokenType == SecurityTokenTypes.Rsa)
{
authenticator = new RsaSecurityTokenAuthenticator();
}
else if (tokenType == ServiceModelSecurityTokenTypes.AnonymousSslnego)
{
authenticator = this.CreateTlsnegoSecurityTokenAuthenticator(recipientRequirement, false, out outOfBandTokenResolver);
}
else if (tokenType == ServiceModelSecurityTokenTypes.MutualSslnego)
{
authenticator = this.CreateTlsnegoSecurityTokenAuthenticator(recipientRequirement, true, out outOfBandTokenResolver);
}
else if (tokenType == ServiceModelSecurityTokenTypes.Spnego)
{
authenticator = this.CreateSpnegoSecurityTokenAuthenticator(recipientRequirement, out outOfBandTokenResolver);
}
else if (tokenType == ServiceModelSecurityTokenTypes.SecureConversation)
{
authenticator = this.CreateSecureConversationTokenAuthenticator(recipientRequirement, false, out outOfBandTokenResolver);
}
else if (((tokenType == SecurityTokenTypes.Saml) || (tokenType == "http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1")) || ((tokenType == "urn:oasis:names:tc:SAML:1.0:assertion") || ((tokenType == null) && this.IsIssuedSecurityTokenRequirement(recipientRequirement))))
{
authenticator = this.CreateSamlTokenAuthenticator(recipientRequirement, out outOfBandTokenResolver);
}
if (authenticator == null)
{
throw System.ServiceModel.DiagnosticUtility.ExceptionUtility.ThrowHelperError(new NotSupportedException(System.ServiceModel.SR.GetString("SecurityTokenManagerCannotCreateAuthenticatorForRequirement", new object[] { tokenRequirement })));
}
return(authenticator);
}
protected SecurityTokenAuthenticator CreateSecureConversationTokenAuthenticator(RecipientServiceModelSecurityTokenRequirement recipientRequirement, bool preserveBootstrapTokens, out SecurityTokenResolver sctResolver)
{
SecurityBindingElement securityBindingElement = recipientRequirement.SecurityBindingElement;
if (securityBindingElement == null)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgument(SR.Format(SR.TokenAuthenticatorRequiresSecurityBindingElement, (object)recipientRequirement));
}
bool flag = !recipientRequirement.SupportSecurityContextCancellation;
LocalServiceSecuritySettings localServiceSettings = securityBindingElement.LocalServiceSettings;
IMessageFilterTable <EndpointAddress> propertyOrDefault = recipientRequirement.GetPropertyOrDefault <IMessageFilterTable <EndpointAddress> >(ServiceModelSecurityTokenRequirement.EndpointFilterTableProperty, (IMessageFilterTable <EndpointAddress>)null);
if (!flag)
{
sctResolver = (SecurityTokenResolver) new SecurityContextSecurityTokenResolver(int.MaxValue, false);
return((SecurityTokenAuthenticator) new SecuritySessionSecurityTokenAuthenticator()
{
BootstrapSecurityBindingElement = SecurityUtils.GetIssuerSecurityBindingElement((ServiceModelSecurityTokenRequirement)recipientRequirement),
IssuedSecurityTokenParameters = recipientRequirement.GetProperty <SecurityTokenParameters>(ServiceModelSecurityTokenRequirement.IssuedSecurityTokenParametersProperty),
IssuedTokenCache = (ISecurityContextSecurityTokenCache)sctResolver,
IssuerBindingContext = recipientRequirement.GetProperty <BindingContext>(ServiceModelSecurityTokenRequirement.IssuerBindingContextProperty),
KeyEntropyMode = securityBindingElement.KeyEntropyMode,
ListenUri = recipientRequirement.ListenUri,
SecurityAlgorithmSuite = recipientRequirement.SecurityAlgorithmSuite,
SessionTokenLifetime = TimeSpan.MaxValue,
KeyRenewalInterval = securityBindingElement.LocalServiceSettings.SessionKeyRenewalInterval,
StandardsManager = SecurityUtils.CreateSecurityStandardsManager((SecurityTokenRequirement)recipientRequirement, (SecurityTokenManager)this),
EndpointFilterTable = propertyOrDefault,
MaximumConcurrentNegotiations = localServiceSettings.MaxStatefulNegotiations,
NegotiationTimeout = localServiceSettings.NegotiationTimeout,
PreserveBootstrapTokens = preserveBootstrapTokens
});
}
throw new NotImplementedException();
/* TODO later
* sctResolver = (SecurityTokenResolver)new SecurityContextSecurityTokenResolver(localServiceSettings.MaxCachedCookies, true, localServiceSettings.MaxClockSkew);
* AcceleratedTokenAuthenticator tokenAuthenticator = new AcceleratedTokenAuthenticator();
* tokenAuthenticator.BootstrapSecurityBindingElement = SecurityUtils.GetIssuerSecurityBindingElement((ServiceModelSecurityTokenRequirement)recipientRequirement);
* tokenAuthenticator.KeyEntropyMode = securityBindingElement.KeyEntropyMode;
* tokenAuthenticator.EncryptStateInServiceToken = true;
* tokenAuthenticator.IssuedSecurityTokenParameters = recipientRequirement.GetProperty<SecurityTokenParameters>(ServiceModelSecurityTokenRequirement.IssuedSecurityTokenParametersProperty);
* tokenAuthenticator.IssuedTokenCache = (ISecurityContextSecurityTokenCache)sctResolver;
* tokenAuthenticator.IssuerBindingContext = recipientRequirement.GetProperty<BindingContext>(ServiceModelSecurityTokenRequirement.IssuerBindingContextProperty);
* tokenAuthenticator.ListenUri = recipientRequirement.ListenUri;
* tokenAuthenticator.SecurityAlgorithmSuite = recipientRequirement.SecurityAlgorithmSuite;
* tokenAuthenticator.StandardsManager = SecurityUtils.CreateSecurityStandardsManager((SecurityTokenRequirement)recipientRequirement, (SecurityTokenManager)this);
* tokenAuthenticator.SecurityStateEncoder = this.parent.SecureConversationAuthentication.SecurityStateEncoder;
* tokenAuthenticator.KnownTypes = (IList<System.Type>)this.parent.SecureConversationAuthentication.SecurityContextClaimTypes;
* tokenAuthenticator.PreserveBootstrapTokens = preserveBootstrapTokens;
* tokenAuthenticator.MaximumCachedNegotiationState = localServiceSettings.MaxStatefulNegotiations;
* tokenAuthenticator.NegotiationTimeout = localServiceSettings.NegotiationTimeout;
* tokenAuthenticator.ServiceTokenLifetime = localServiceSettings.IssuedCookieLifetime;
* tokenAuthenticator.MaximumConcurrentNegotiations = localServiceSettings.MaxStatefulNegotiations;
* tokenAuthenticator.AuditLogLocation = recipientRequirement.AuditLogLocation;
* tokenAuthenticator.SuppressAuditFailure = recipientRequirement.SuppressAuditFailure;
* tokenAuthenticator.MessageAuthenticationAuditLevel = recipientRequirement.MessageAuthenticationAuditLevel;
* tokenAuthenticator.EndpointFilterTable = propertyOrDefault;
* return (SecurityTokenAuthenticator)tokenAuthenticator;*/
}
protected SecurityTokenAuthenticator CreateSecureConversationTokenAuthenticator(RecipientServiceModelSecurityTokenRequirement recipientRequirement, bool preserveBootstrapTokens, out SecurityTokenResolver sctResolver)
{
SecurityBindingElement securityBindingElement = recipientRequirement.SecurityBindingElement;
if (securityBindingElement == null)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgument(SR.GetString(SR.TokenAuthenticatorRequiresSecurityBindingElement, recipientRequirement));
}
bool isCookieMode = !recipientRequirement.SupportSecurityContextCancellation;
LocalServiceSecuritySettings localServiceSettings = securityBindingElement.LocalServiceSettings;
IMessageFilterTable <EndpointAddress> endpointFilterTable = recipientRequirement.GetPropertyOrDefault <IMessageFilterTable <EndpointAddress> >(ServiceModelSecurityTokenRequirement.EndpointFilterTableProperty, null);
if (!isCookieMode)
{
sctResolver = new SecurityContextSecurityTokenResolver(Int32.MaxValue, false);
// remember this authenticator for future reference
SecuritySessionSecurityTokenAuthenticator authenticator = new SecuritySessionSecurityTokenAuthenticator();
authenticator.BootstrapSecurityBindingElement = SecurityUtils.GetIssuerSecurityBindingElement(recipientRequirement);
authenticator.IssuedSecurityTokenParameters = recipientRequirement.GetProperty <SecurityTokenParameters>(ServiceModelSecurityTokenRequirement.IssuedSecurityTokenParametersProperty);
authenticator.IssuedTokenCache = (ISecurityContextSecurityTokenCache)sctResolver;
authenticator.IssuerBindingContext = recipientRequirement.GetProperty <BindingContext>(ServiceModelSecurityTokenRequirement.IssuerBindingContextProperty);
authenticator.KeyEntropyMode = securityBindingElement.KeyEntropyMode;
authenticator.ListenUri = recipientRequirement.ListenUri;
authenticator.SecurityAlgorithmSuite = recipientRequirement.SecurityAlgorithmSuite;
authenticator.SessionTokenLifetime = TimeSpan.MaxValue;
authenticator.KeyRenewalInterval = securityBindingElement.LocalServiceSettings.SessionKeyRenewalInterval;
authenticator.StandardsManager = SecurityUtils.CreateSecurityStandardsManager(recipientRequirement, this);
authenticator.EndpointFilterTable = endpointFilterTable;
authenticator.MaximumConcurrentNegotiations = localServiceSettings.MaxStatefulNegotiations;
authenticator.NegotiationTimeout = localServiceSettings.NegotiationTimeout;
authenticator.PreserveBootstrapTokens = preserveBootstrapTokens;
return(authenticator);
}
else
{
sctResolver = new SecurityContextSecurityTokenResolver(localServiceSettings.MaxCachedCookies, true, localServiceSettings.MaxClockSkew);
AcceleratedTokenAuthenticator authenticator = new AcceleratedTokenAuthenticator();
authenticator.BootstrapSecurityBindingElement = SecurityUtils.GetIssuerSecurityBindingElement(recipientRequirement);
authenticator.KeyEntropyMode = securityBindingElement.KeyEntropyMode;
authenticator.EncryptStateInServiceToken = true;
authenticator.IssuedSecurityTokenParameters = recipientRequirement.GetProperty <SecurityTokenParameters>(ServiceModelSecurityTokenRequirement.IssuedSecurityTokenParametersProperty);
authenticator.IssuedTokenCache = (ISecurityContextSecurityTokenCache)sctResolver;
authenticator.IssuerBindingContext = recipientRequirement.GetProperty <BindingContext>(ServiceModelSecurityTokenRequirement.IssuerBindingContextProperty);
authenticator.ListenUri = recipientRequirement.ListenUri;
authenticator.SecurityAlgorithmSuite = recipientRequirement.SecurityAlgorithmSuite;
authenticator.StandardsManager = SecurityUtils.CreateSecurityStandardsManager(recipientRequirement, this);
authenticator.SecurityStateEncoder = parent.SecureConversationAuthentication.SecurityStateEncoder;
authenticator.KnownTypes = parent.SecureConversationAuthentication.SecurityContextClaimTypes;
authenticator.PreserveBootstrapTokens = preserveBootstrapTokens;
// local security quotas
authenticator.MaximumCachedNegotiationState = localServiceSettings.MaxStatefulNegotiations;
authenticator.NegotiationTimeout = localServiceSettings.NegotiationTimeout;
authenticator.ServiceTokenLifetime = localServiceSettings.IssuedCookieLifetime;
authenticator.MaximumConcurrentNegotiations = localServiceSettings.MaxStatefulNegotiations;
// audit settings
authenticator.AuditLogLocation = recipientRequirement.AuditLogLocation;
authenticator.SuppressAuditFailure = recipientRequirement.SuppressAuditFailure;
authenticator.MessageAuthenticationAuditLevel = recipientRequirement.MessageAuthenticationAuditLevel;
authenticator.EndpointFilterTable = endpointFilterTable;
return(authenticator);
}
}
public override SecurityTokenAuthenticator CreateSecurityTokenAuthenticator(SecurityTokenRequirement tokenRequirement, out SecurityTokenResolver outOfBandTokenResolver)
{
if (tokenRequirement == null)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull(nameof(tokenRequirement));
}
string tokenType = tokenRequirement.TokenType;
outOfBandTokenResolver = null;
SecurityTokenAuthenticator result = null;
if (tokenRequirement is InitiatorServiceModelSecurityTokenRequirement)
{
// this is the uncorrelated duplex case in which the server is asking for
// an authenticator to validate its provisioned client certificate
if (tokenType == SecurityTokenTypes.X509Certificate && tokenRequirement.KeyUsage == SecurityKeyUsage.Exchange)
{
return(new X509SecurityTokenAuthenticator(X509CertificateValidator.None, false));
}
}
RecipientServiceModelSecurityTokenRequirement recipientRequirement = tokenRequirement as RecipientServiceModelSecurityTokenRequirement;
if (recipientRequirement == null)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new NotSupportedException(SR.Format(SR.SecurityTokenManagerCannotCreateAuthenticatorForRequirement, tokenRequirement)));
}
if (tokenType == SecurityTokenTypes.X509Certificate)
{
result = CreateClientX509TokenAuthenticator();
}
else if (tokenType == SecurityTokenTypes.Kerberos)
{
throw new PlatformNotSupportedException("KerberosSecurityTokenAuthenticator");
//result = new KerberosSecurityTokenAuthenticatorWrapper(
// new KerberosSecurityTokenAuthenticator(parent.WindowsAuthentication.IncludeWindowsGroups));
}
else if (tokenType == SecurityTokenTypes.UserName)
{
if (parent.UserNameAuthentication.UserNamePasswordValidationMode == UserNamePasswordValidationMode.Windows)
{
throw new PlatformNotSupportedException("UserNamePasswordValidationMode.Windows");
//if (parent.UserNameAuthentication.CacheLogonTokens)
//{
// result = new WindowsUserNameCachingSecurityTokenAuthenticator(parent.UserNameAuthentication.IncludeWindowsGroups,
// parent.UserNameAuthentication.MaxCachedLogonTokens, parent.UserNameAuthentication.CachedLogonTokenLifetime);
//}
//else
//{
// result = new WindowsUserNameSecurityTokenAuthenticator(parent.UserNameAuthentication.IncludeWindowsGroups);
//}
}
else
{
result = new CustomUserNameSecurityTokenAuthenticator(parent.UserNameAuthentication.GetUserNamePasswordValidator());
}
}
else if (tokenType == SecurityTokenTypes.Rsa)
{
result = new RsaSecurityTokenAuthenticator();
}
else if (tokenType == ServiceModelSecurityTokenTypes.AnonymousSslnego)
{
result = CreateTlsnegoSecurityTokenAuthenticator(recipientRequirement, false, out outOfBandTokenResolver);
}
else if (tokenType == ServiceModelSecurityTokenTypes.MutualSslnego)
{
result = CreateTlsnegoSecurityTokenAuthenticator(recipientRequirement, true, out outOfBandTokenResolver);
}
else if (tokenType == ServiceModelSecurityTokenTypes.Spnego)
{
result = CreateSpnegoSecurityTokenAuthenticator(recipientRequirement, out outOfBandTokenResolver);
}
else if (tokenType == ServiceModelSecurityTokenTypes.SecureConversation)
{
throw new PlatformNotSupportedException("SecureConversation");
//result = CreateSecureConversationTokenAuthenticator(recipientRequirement, false, out outOfBandTokenResolver);
}
else if ((tokenType == SecurityTokenTypes.Saml) ||
(tokenType == SecurityXXX2005Strings.SamlTokenType) ||
(tokenType == SecurityJan2004Strings.SamlUri) ||
(tokenType == null && IsIssuedSecurityTokenRequirement(recipientRequirement)))
{
throw new PlatformNotSupportedException("SamlToken");
//result = CreateSamlTokenAuthenticator(recipientRequirement, out outOfBandTokenResolver);
}
if (result == null)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new NotSupportedException(SR.Format(SR.SecurityTokenManagerCannotCreateAuthenticatorForRequirement, tokenRequirement)));
}
return(result);
}
/// <summary>
/// Overriden from the base class. Creates the requested Token Authenticator.
/// Looks up the list of Token Handlers registered with the token Manager
/// based on the TokenType Uri in the SecurityTokenRequirement. If none is found,
/// then the call is delegated to the inner Token Manager.
/// </summary>
/// <param name="tokenRequirement">Security Token Requirement for which the Authenticator should be created.</param>
/// <param name="outOfBandTokenResolver">Token resolver that resolves any out-of-band tokens.</param>
/// <returns>Instance of Security Token Authenticator.</returns>
/// <exception cref="ArgumentNullException">'tokenRequirement' parameter is null.</exception>
/// <exception cref="NotSupportedException">No Authenticator is registered for the given token type.</exception>
public override SecurityTokenAuthenticator CreateSecurityTokenAuthenticator(SecurityTokenRequirement tokenRequirement, out SecurityTokenResolver outOfBandTokenResolver)
{
if (tokenRequirement == null)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("tokenRequirement");
}
outOfBandTokenResolver = null;
// Check for a registered authenticator
SecurityTokenAuthenticator securityTokenAuthenticator = null;
string tokenType = tokenRequirement.TokenType;
//
// When the TokenRequirement.TokenType is null, we treat this as a SAML issued token case. It may be SAML 1.1 or SAML 2.0.
//
if (String.IsNullOrEmpty(tokenType))
{
return(CreateSamlSecurityTokenAuthenticator(tokenRequirement, out outOfBandTokenResolver));
}
//
// When the TokenType is set, build a token authenticator for the specified token type.
//
SecurityTokenHandler securityTokenHandler = _securityTokenHandlerCollection[tokenType];
if ((securityTokenHandler != null) && (securityTokenHandler.CanValidateToken))
{
outOfBandTokenResolver = GetDefaultOutOfBandTokenResolver();
if (StringComparer.Ordinal.Equals(tokenType, SecurityTokenTypes.UserName))
{
UserNameSecurityTokenHandler upSecurityTokenHandler = securityTokenHandler as UserNameSecurityTokenHandler;
if (upSecurityTokenHandler == null)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(
new InvalidOperationException(SR.GetString(SR.ID4072, securityTokenHandler.GetType(), tokenType, typeof(UserNameSecurityTokenHandler))));
}
securityTokenAuthenticator = new WrappedUserNameSecurityTokenAuthenticator(upSecurityTokenHandler, _exceptionMapper);
}
else if (StringComparer.Ordinal.Equals(tokenType, SecurityTokenTypes.Kerberos))
{
securityTokenAuthenticator = CreateInnerSecurityTokenAuthenticator(tokenRequirement, out outOfBandTokenResolver);
}
else if (StringComparer.Ordinal.Equals(tokenType, SecurityTokenTypes.Rsa))
{
RsaSecurityTokenHandler rsaSecurityTokenHandler = securityTokenHandler as RsaSecurityTokenHandler;
if (rsaSecurityTokenHandler == null)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(
new InvalidOperationException(SR.GetString(SR.ID4072, securityTokenHandler.GetType(), tokenType, typeof(RsaSecurityTokenHandler))));
}
securityTokenAuthenticator = new WrappedRsaSecurityTokenAuthenticator(rsaSecurityTokenHandler, _exceptionMapper);
}
else if (StringComparer.Ordinal.Equals(tokenType, SecurityTokenTypes.X509Certificate))
{
X509SecurityTokenHandler x509SecurityTokenHandler = securityTokenHandler as X509SecurityTokenHandler;
if (x509SecurityTokenHandler == null)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(
new InvalidOperationException(SR.GetString(SR.ID4072, securityTokenHandler.GetType(), tokenType, typeof(X509SecurityTokenHandler))));
}
securityTokenAuthenticator = new WrappedX509SecurityTokenAuthenticator(x509SecurityTokenHandler, _exceptionMapper);
}
else if (StringComparer.Ordinal.Equals(tokenType, SecurityTokenTypes.SamlTokenProfile11) ||
StringComparer.Ordinal.Equals(tokenType, SecurityTokenTypes.OasisWssSamlTokenProfile11))
{
SamlSecurityTokenHandler saml11SecurityTokenHandler = securityTokenHandler as SamlSecurityTokenHandler;
if (saml11SecurityTokenHandler == null)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(
new InvalidOperationException(SR.GetString(SR.ID4072, securityTokenHandler.GetType(), tokenType, typeof(SamlSecurityTokenHandler))));
}
if (saml11SecurityTokenHandler.Configuration == null)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperInvalidOperation(SR.GetString(SR.ID4274));
}
securityTokenAuthenticator = new WrappedSaml11SecurityTokenAuthenticator(saml11SecurityTokenHandler, _exceptionMapper);
// The out-of-band token resolver will be used by WCF to decrypt any encrypted SAML tokens.
outOfBandTokenResolver = saml11SecurityTokenHandler.Configuration.ServiceTokenResolver;
}
else if (StringComparer.Ordinal.Equals(tokenType, SecurityTokenTypes.Saml2TokenProfile11) ||
StringComparer.Ordinal.Equals(tokenType, SecurityTokenTypes.OasisWssSaml2TokenProfile11))
{
Saml2SecurityTokenHandler saml2SecurityTokenHandler = securityTokenHandler as Saml2SecurityTokenHandler;
if (saml2SecurityTokenHandler == null)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(
new InvalidOperationException(SR.GetString(SR.ID4072, securityTokenHandler.GetType(), tokenType, typeof(Saml2SecurityTokenHandler))));
}
if (saml2SecurityTokenHandler.Configuration == null)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperInvalidOperation(SR.GetString(SR.ID4274));
}
securityTokenAuthenticator = new WrappedSaml2SecurityTokenAuthenticator(saml2SecurityTokenHandler, _exceptionMapper);
// The out-of-band token resolver will be used by WCF to decrypt any encrypted SAML tokens.
outOfBandTokenResolver = saml2SecurityTokenHandler.Configuration.ServiceTokenResolver;
}
else if (StringComparer.Ordinal.Equals(tokenType, ServiceModelSecurityTokenTypes.SecureConversation))
{
RecipientServiceModelSecurityTokenRequirement tr = tokenRequirement as RecipientServiceModelSecurityTokenRequirement;
if (tr == null)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperInvalidOperation(SR.GetString(SR.ID4240, tokenRequirement.GetType().ToString()));
}
securityTokenAuthenticator = SetupSecureConversationWrapper(tr, securityTokenHandler as SessionSecurityTokenHandler, out outOfBandTokenResolver);
}
else
{
securityTokenAuthenticator = new SecurityTokenAuthenticatorAdapter(securityTokenHandler, _exceptionMapper);
}
}
else
{
if (tokenType == ServiceModelSecurityTokenTypes.SecureConversation ||
tokenType == ServiceModelSecurityTokenTypes.MutualSslnego ||
tokenType == ServiceModelSecurityTokenTypes.AnonymousSslnego ||
tokenType == ServiceModelSecurityTokenTypes.SecurityContext ||
tokenType == ServiceModelSecurityTokenTypes.Spnego)
{
RecipientServiceModelSecurityTokenRequirement tr = tokenRequirement as RecipientServiceModelSecurityTokenRequirement;
if (tr == null)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperInvalidOperation(SR.GetString(SR.ID4240, tokenRequirement.GetType().ToString()));
}
securityTokenAuthenticator = SetupSecureConversationWrapper(tr, null, out outOfBandTokenResolver);
}
else
{
securityTokenAuthenticator = CreateInnerSecurityTokenAuthenticator(tokenRequirement, out outOfBandTokenResolver);
}
}
return(securityTokenAuthenticator);
}
