public override bool CheckAccess(EndpointIdentity identity, AuthorizationContext authContext) { if (identity == null) { throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("identity"); } if (authContext == null) { throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("authContext"); } for (int i = 0; i < authContext.ClaimSets.Count; i++) { ClaimSet claimSet = authContext.ClaimSets[i]; if (claimSet.ContainsClaim(identity.IdentityClaim)) { SecurityTraceRecordHelper.TraceIdentityVerificationSuccess(identity, identity.IdentityClaim, base.GetType()); return(true); } string expectedSpn = null; if (ClaimTypes.Dns.Equals(identity.IdentityClaim.ClaimType)) { expectedSpn = string.Format(CultureInfo.InvariantCulture, "host/{0}", new object[] { (string)identity.IdentityClaim.Resource }); Claim claim = this.CheckDnsEquivalence(claimSet, expectedSpn); if (claim != null) { SecurityTraceRecordHelper.TraceIdentityVerificationSuccess(identity, claim, base.GetType()); return(true); } } SecurityIdentifier identitySid = null; if (ClaimTypes.Sid.Equals(identity.IdentityClaim.ClaimType)) { identitySid = this.GetSecurityIdentifier(identity.IdentityClaim); } else if (ClaimTypes.Upn.Equals(identity.IdentityClaim.ClaimType)) { identitySid = ((UpnEndpointIdentity)identity).GetUpnSid(); } else if (ClaimTypes.Spn.Equals(identity.IdentityClaim.ClaimType)) { identitySid = ((SpnEndpointIdentity)identity).GetSpnSid(); } else if (ClaimTypes.Dns.Equals(identity.IdentityClaim.ClaimType)) { identitySid = new SpnEndpointIdentity(expectedSpn).GetSpnSid(); } if (identitySid != null) { Claim claim2 = this.CheckSidEquivalence(identitySid, claimSet); if (claim2 != null) { SecurityTraceRecordHelper.TraceIdentityVerificationSuccess(identity, claim2, base.GetType()); return(true); } } } SecurityTraceRecordHelper.TraceIdentityVerificationFailure(identity, authContext, base.GetType()); return(false); }
public override bool CheckAccess(EndpointIdentity identity, AuthorizationContext authContext) { EventTraceActivity eventTraceActivity = null; if (identity == null) { throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("identity"); } if (authContext == null) { throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("authContext"); } if (FxTrace.Trace.IsEnd2EndActivityTracingEnabled) { eventTraceActivity = EventTraceActivityHelper.TryExtractActivity((OperationContext.Current != null) ? OperationContext.Current.IncomingMessage : null); } for (int i = 0; i < authContext.ClaimSets.Count; ++i) { ClaimSet claimSet = authContext.ClaimSets[i]; if (claimSet.ContainsClaim(identity.IdentityClaim)) { SecurityTraceRecordHelper.TraceIdentityVerificationSuccess(eventTraceActivity, identity, identity.IdentityClaim, this.GetType()); return(true); } // try Claim equivalence string expectedSpn = null; if (ClaimTypes.Dns.Equals(identity.IdentityClaim.ClaimType)) { expectedSpn = string.Format(CultureInfo.InvariantCulture, "host/{0}", (string)identity.IdentityClaim.Resource); Claim claim = CheckDnsEquivalence(claimSet, expectedSpn); if (claim != null) { SecurityTraceRecordHelper.TraceIdentityVerificationSuccess(eventTraceActivity, identity, claim, this.GetType()); return(true); } } // Allow a Sid claim to support UPN, and SPN identities // SID claims not available yet //SecurityIdentifier identitySid = null; //if (ClaimTypes.Sid.Equals(identity.IdentityClaim.ClaimType)) //{ // throw ExceptionHelper.PlatformNotSupported("DefaultIdentityVerifier - ClaimTypes.Sid"); //} //else if (ClaimTypes.Upn.Equals(identity.IdentityClaim.ClaimType)) //{ // throw ExceptionHelper.PlatformNotSupported("DefaultIdentityVerifier - ClaimTypes.Upn"); //} //else if (ClaimTypes.Spn.Equals(identity.IdentityClaim.ClaimType)) //{ // throw ExceptionHelper.PlatformNotSupported("DefaultIdentityVerifier - ClaimTypes.Spn"); //} //else if (ClaimTypes.Dns.Equals(identity.IdentityClaim.ClaimType)) //{ // throw ExceptionHelper.PlatformNotSupported("DefaultIdentityVerifier - ClaimTypes.Dns"); //} //if (identitySid != null) //{ // Claim claim = CheckSidEquivalence(identitySid, claimSet); // if (claim != null) // { // SecurityTraceRecordHelper.TraceIdentityVerificationSuccess(eventTraceActivity, identity, claim, this.GetType()); // return true; // } //} } SecurityTraceRecordHelper.TraceIdentityVerificationFailure(identity, authContext, this.GetType()); if (WcfEventSource.Instance.SecurityIdentityVerificationFailureIsEnabled()) { WcfEventSource.Instance.SecurityIdentityVerificationFailure(eventTraceActivity); } return(false); }