/// <summary>
/// Serializes the SecurityToken to the XmlWriter.
/// </summary>
/// <param name="writer">XmlWriter to write to.</param>
/// <param name="token">The SecurityToken to serializer.</param>
/// <exception cref="ArgumentNullException">The input parameter 'writer' or 'token' is null.</exception>
protected override void WriteTokenCore(XmlWriter writer, SecurityToken token)
{
if (writer == null)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("writer");
}
if (token == null)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("token");
}
try
{
//
// Wire the session handler for SCT
//
SecurityContextSecurityToken sct = token as SecurityContextSecurityToken;
if (sct != null)
{
//
// Bare SCT tokens are wrapped with a SessionSecurityToken.
// The property SessionSecurityToken.IsSecurityContextSecurityTokenWrapper will be true.
//
token = SecurityContextSecurityTokenHelper.ConvertSctToSessionToken(sct, _scVersion);
}
SecurityTokenHandler securityTokenHandler = _securityTokenHandlers[token];
if ((securityTokenHandler != null) && (securityTokenHandler.CanWriteToken))
{
securityTokenHandler.WriteToken(writer, token);
return;
}
base.WriteTokenCore(writer, token);
}
catch (Exception ex)
{
if (!(MapExceptionsToSoapFaults && _exceptionMapper.HandleSecurityTokenProcessingException(ex)))
{
throw;
}
Fx.Assert(false, "ExceptionMapper did not handle an exception correctly.");
// This should never happen. ExceptionMapper will handle the exception, in which case,
// a fault exception is thrown or the original exception gets thrown.
}
}
public void AddContext(SecurityContextSecurityToken token)
{
//
// WCF will cache the token first before calling the WrappedSessionSecurityTokenHandler.OnTokenIssued.
// We need to map the claims here so we will be caching the correct token with Geneva Claims substitued
// in place of the WCF claims.
//
_claimsHandler.SetPrincipalBootstrapTokensAndBindIdfxAuthPolicy(token);
SessionSecurityTokenCacheKey key = new SessionSecurityTokenCacheKey(_claimsHandler.EndpointId, token.ContextId, token.KeyGeneration);
SessionSecurityToken sessionToken = SecurityContextSecurityTokenHelper.ConvertSctToSessionToken(token, SecureConversationVersion.Default);
DateTime expiryTime = DateTimeUtil.Add(sessionToken.ValidTo, _claimsHandler.SecurityTokenHandlerCollection.Configuration.MaxClockSkew);
_tokenCache.AddOrUpdate(key, sessionToken, expiryTime);
}
public SecurityContextSecurityToken GetContext(System.Xml.UniqueId contextId, System.Xml.UniqueId generation)
{
SessionSecurityToken token = null;
SessionSecurityTokenCacheKey key = new SessionSecurityTokenCacheKey(_claimsHandler.EndpointId, contextId, generation);
token = _tokenCache.Get(key);
SecurityContextSecurityToken sctToken = null;
if (token != null && token.IsSecurityContextSecurityTokenWrapper)
{
sctToken = SecurityContextSecurityTokenHelper.ConvertSessionTokenToSecurityContextSecurityToken(token);
}
return(sctToken);
}
/// <summary>
/// Deserializes the SecurityToken from the given XmlReader.
/// </summary>
/// <param name="reader">Reader to a Security token.</param>
/// <param name="tokenResolver">Instance of SecurityTokenResolver.</param>
/// <returns>'True' if the serializer can read the given Security Token.</returns>
/// <exception cref="ArgumentNullException">The input parameter 'reader' is null.</exception>
protected override SecurityToken ReadTokenCore(XmlReader reader, SecurityTokenResolver tokenResolver)
{
if (reader == null)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("reader");
}
try
{
foreach (SecurityTokenHandler securityTokenHandler in _securityTokenHandlers)
{
if (securityTokenHandler.CanReadToken(reader))
{
SecurityToken token = securityTokenHandler.ReadToken(reader, tokenResolver);
SessionSecurityToken sessionToken = token as SessionSecurityToken;
if (sessionToken != null)
{
if (sessionToken.SecureConversationVersion.AbsoluteUri != _scVersion.Namespace.Value)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperInvalidOperation(SR.GetString(SR.ID4053, sessionToken.SecureConversationVersion, _scVersion));
}
return(SecurityContextSecurityTokenHelper.ConvertSessionTokenToSecurityContextSecurityToken(sessionToken));
}
else
{
return(token);
}
}
}
return(base.ReadTokenCore(reader, tokenResolver));
}
catch (Exception ex)
{
if (!(MapExceptionsToSoapFaults && _exceptionMapper.HandleSecurityTokenProcessingException(ex)))
{
throw;
}
Fx.Assert(false, "ExceptionMapper did not handle an exception correctly.");
// This should never happen. ExceptionMapper will handle the exception, in which case,
// a fault exception is thrown or the original exception gets thrown.
}
return(null);
}
public void UpdateContextCachingTime(SecurityContextSecurityToken token, DateTime expirationTime)
{
if (token.ValidTo <= expirationTime.ToUniversalTime())
{
return;
}
SessionSecurityTokenCacheKey key = new SessionSecurityTokenCacheKey(_claimsHandler.EndpointId, token.ContextId, token.KeyGeneration);
SessionSecurityToken sessionToken = SecurityContextSecurityTokenHelper.ConvertSctToSessionToken(token, SecureConversationVersion.Default);
DateTime expiryTime = DateTimeUtil.Add(sessionToken.ValidTo, _claimsHandler.SecurityTokenHandlerCollection.Configuration.MaxClockSkew);
if (_tokenCache.Get(key) == null)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperInvalidOperation(SR.GetString(SR.ID4285, sessionToken.ContextId.ToString()));
}
_tokenCache.AddOrUpdate(key, sessionToken, expiryTime);
}
/// <summary>
/// Called to retrieve all tokens that match a particular contextId. WCF will call this
/// </summary>
/// <param name="contextId"></param>
/// <returns></returns>
public Collection <SecurityContextSecurityToken> GetAllContexts(System.Xml.UniqueId contextId)
{
Collection <SecurityContextSecurityToken> tokens = new Collection <SecurityContextSecurityToken>();
IEnumerable <SessionSecurityToken> cachedTokens = _tokenCache.GetAll(_claimsHandler.EndpointId, contextId);
if (cachedTokens != null)
{
foreach (SessionSecurityToken sessionSct in cachedTokens)
{
if (sessionSct != null && sessionSct.IsSecurityContextSecurityTokenWrapper)
{
SecurityContextSecurityToken sctToken = SecurityContextSecurityTokenHelper.ConvertSessionTokenToSecurityContextSecurityToken(sessionSct);
tokens.Add(sctToken);
}
}
}
return(tokens);
}
/// <summary>
/// Validates the token using the wrapped token handler and generates IAuthorizationPolicy
/// wrapping the returned ClaimsIdentities.
/// </summary>
/// <param name="token">Token to be validated. This is always a SecurityContextSecurityToken.</param>
/// <returns>Read-only collection of IAuthorizationPolicy</returns>
protected override ReadOnlyCollection <IAuthorizationPolicy> ValidateTokenCore(SecurityToken token)
{
SecurityContextSecurityToken sct = token as SecurityContextSecurityToken;
SessionSecurityToken sessionToken = SecurityContextSecurityTokenHelper.ConvertSctToSessionToken(sct);
IEnumerable <ClaimsIdentity> identities = null;
try
{
identities = _sessionTokenHandler.ValidateToken(sessionToken, _sctClaimsHandler.EndpointId);
}
catch (Exception ex)
{
if (!_exceptionMapper.HandleSecurityTokenProcessingException(ex))
{
throw;
}
}
return(new List <IAuthorizationPolicy>(new AuthorizationPolicy[] { new AuthorizationPolicy(identities) }).AsReadOnly());
}
