SecurityTokenProvider CreateSpnegoTokenProvider(InitiatorServiceModelSecurityTokenRequirement initiatorRequirement)
        {
            EndpointAddress targetAddress = initiatorRequirement.TargetAddress;

            if (targetAddress == null)
            {
                throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgument(SR.GetString(SR.TokenRequirementDoesNotSpecifyTargetAddress, initiatorRequirement));
            }
            SecurityBindingElement securityBindingElement = initiatorRequirement.SecurityBindingElement;

            if (securityBindingElement == null)
            {
                throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgument(SR.GetString(SR.TokenProviderRequiresSecurityBindingElement, initiatorRequirement));
            }
            SspiIssuanceChannelParameter sspiChannelParameter = GetSspiIssuanceChannelParameter(initiatorRequirement);
            bool negotiateTokenOnOpen = (sspiChannelParameter == null ? true : sspiChannelParameter.GetTokenOnOpen);
            LocalClientSecuritySettings localClientSettings = securityBindingElement.LocalClientSettings;
            BindingContext      issuerBindingContext        = initiatorRequirement.GetProperty <BindingContext>(ServiceModelSecurityTokenRequirement.IssuerBindingContextProperty);
            SpnegoTokenProvider spnegoTokenProvider         = new SpnegoTokenProvider(sspiChannelParameter != null ? sspiChannelParameter.CredentialsHandle : null, securityBindingElement);
            SspiSecurityToken   clientSspiToken             = GetSpnegoClientCredential(initiatorRequirement);

            spnegoTokenProvider.ClientCredential          = clientSspiToken.NetworkCredential;
            spnegoTokenProvider.IssuerAddress             = initiatorRequirement.IssuerAddress;
            spnegoTokenProvider.AllowedImpersonationLevel = parent.Windows.AllowedImpersonationLevel;
            spnegoTokenProvider.AllowNtlm              = clientSspiToken.AllowNtlm;
            spnegoTokenProvider.IdentityVerifier       = localClientSettings.IdentityVerifier;
            spnegoTokenProvider.SecurityAlgorithmSuite = initiatorRequirement.SecurityAlgorithmSuite;
            // if this is not a supporting token, authenticate the server
            spnegoTokenProvider.AuthenticateServer         = !initiatorRequirement.Properties.ContainsKey(ServiceModelSecurityTokenRequirement.SupportingTokenAttachmentModeProperty);
            spnegoTokenProvider.NegotiateTokenOnOpen       = negotiateTokenOnOpen;
            spnegoTokenProvider.CacheServiceTokens         = negotiateTokenOnOpen || localClientSettings.CacheCookies;
            spnegoTokenProvider.IssuerBindingContext       = issuerBindingContext;
            spnegoTokenProvider.MaxServiceTokenCachingTime = localClientSettings.MaxCookieCachingTime;
            spnegoTokenProvider.ServiceTokenValidityThresholdPercentage = localClientSettings.CookieRenewalThresholdPercentage;
            spnegoTokenProvider.StandardsManager = SecurityUtils.CreateSecurityStandardsManager(initiatorRequirement, this);
            spnegoTokenProvider.TargetAddress    = targetAddress;
            spnegoTokenProvider.Via = initiatorRequirement.GetPropertyOrDefault <Uri>(InitiatorServiceModelSecurityTokenRequirement.ViaProperty, null);
            spnegoTokenProvider.ApplicationProtectionRequirements = (issuerBindingContext != null) ? issuerBindingContext.BindingParameters.Find <ChannelProtectionRequirements>() : null;
            spnegoTokenProvider.InteractiveNegoExLogonEnabled     = this.ClientCredentials.SupportInteractive;

            return(spnegoTokenProvider);
        }
        SecurityTokenProvider CreateTlsnegoTokenProvider(InitiatorServiceModelSecurityTokenRequirement initiatorRequirement, bool requireClientCertificate)
        {
            EndpointAddress targetAddress = initiatorRequirement.TargetAddress;

            if (targetAddress == null)
            {
                throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgument(SR.GetString(SR.TokenRequirementDoesNotSpecifyTargetAddress, initiatorRequirement));
            }
            SecurityBindingElement securityBindingElement = initiatorRequirement.SecurityBindingElement;

            if (securityBindingElement == null)
            {
                throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgument(SR.GetString(SR.TokenProviderRequiresSecurityBindingElement, initiatorRequirement));
            }
            SspiIssuanceChannelParameter sspiChannelParameter = GetSspiIssuanceChannelParameter(initiatorRequirement);
            bool negotiateTokenOnOpen = sspiChannelParameter != null && sspiChannelParameter.GetTokenOnOpen;
            LocalClientSecuritySettings localClientSettings = securityBindingElement.LocalClientSettings;
            BindingContext       issuerBindingContext       = initiatorRequirement.GetProperty <BindingContext>(ServiceModelSecurityTokenRequirement.IssuerBindingContextProperty);
            TlsnegoTokenProvider tlsnegoTokenProvider       = new TlsnegoTokenProvider();

            tlsnegoTokenProvider.IssuerAddress        = initiatorRequirement.IssuerAddress;
            tlsnegoTokenProvider.NegotiateTokenOnOpen = negotiateTokenOnOpen;
            tlsnegoTokenProvider.CacheServiceTokens   = negotiateTokenOnOpen || localClientSettings.CacheCookies;
            if (requireClientCertificate)
            {
                tlsnegoTokenProvider.ClientTokenProvider = this.CreateTlsnegoClientX509TokenProvider(initiatorRequirement);
            }
            tlsnegoTokenProvider.IssuerBindingContext = issuerBindingContext;
            tlsnegoTokenProvider.ApplicationProtectionRequirements       = (issuerBindingContext != null) ? issuerBindingContext.BindingParameters.Find <ChannelProtectionRequirements>() : null;
            tlsnegoTokenProvider.MaxServiceTokenCachingTime              = localClientSettings.MaxCookieCachingTime;
            tlsnegoTokenProvider.SecurityAlgorithmSuite                  = initiatorRequirement.SecurityAlgorithmSuite;
            tlsnegoTokenProvider.ServerTokenAuthenticator                = this.CreateTlsnegoServerX509TokenAuthenticator(initiatorRequirement);
            tlsnegoTokenProvider.ServiceTokenValidityThresholdPercentage = localClientSettings.CookieRenewalThresholdPercentage;
            tlsnegoTokenProvider.StandardsManager = SecurityUtils.CreateSecurityStandardsManager(initiatorRequirement, this);
            tlsnegoTokenProvider.TargetAddress    = initiatorRequirement.TargetAddress;
            tlsnegoTokenProvider.Via = initiatorRequirement.GetPropertyOrDefault <Uri>(InitiatorServiceModelSecurityTokenRequirement.ViaProperty, null);
            return(tlsnegoTokenProvider);
        }
Ejemplo n.º 3
0
 public Collection <XmlElement> CreateRequestParameters(MessageSecurityVersion messageSecurityVersion, SecurityTokenSerializer securityTokenSerializer)
 {
     return(CreateRequestParameters(SecurityUtils.CreateSecurityStandardsManager(messageSecurityVersion, securityTokenSerializer).TrustDriver));
 }
Ejemplo n.º 4
0
        private SecurityTokenProvider CreateSecureConversationSecurityTokenProvider(InitiatorServiceModelSecurityTokenRequirement initiatorRequirement)
        {
            EndpointAddress targetAddress = initiatorRequirement.TargetAddress;

            if (targetAddress == null)
            {
                throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgument(SR.Format(SR.TokenRequirementDoesNotSpecifyTargetAddress, initiatorRequirement));
            }
            SecurityBindingElement securityBindingElement = initiatorRequirement.SecurityBindingElement;

            if (securityBindingElement == null)
            {
                throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgument(SR.Format(SR.TokenProviderRequiresSecurityBindingElement, initiatorRequirement));
            }
            LocalClientSecuritySettings localClientSettings = securityBindingElement.LocalClientSettings;
            BindingContext             issuerBindingContext = initiatorRequirement.GetProperty <BindingContext>(ServiceModelSecurityTokenRequirement.IssuerBindingContextProperty);
            ChannelParameterCollection channelParameters    = initiatorRequirement.GetPropertyOrDefault <ChannelParameterCollection>(ServiceModelSecurityTokenRequirement.ChannelParametersCollectionProperty, null);
            bool isSessionMode = initiatorRequirement.SupportSecurityContextCancellation;

            if (isSessionMode)
            {
                SecuritySessionSecurityTokenProvider sessionTokenProvider = new SecuritySessionSecurityTokenProvider();
                sessionTokenProvider.BootstrapSecurityBindingElement = SecurityUtils.GetIssuerSecurityBindingElement(initiatorRequirement);
                sessionTokenProvider.IssuedSecurityTokenParameters   = initiatorRequirement.GetProperty <SecurityTokenParameters>(ServiceModelSecurityTokenRequirement.IssuedSecurityTokenParametersProperty);
                sessionTokenProvider.IssuerBindingContext            = issuerBindingContext;
                sessionTokenProvider.KeyEntropyMode         = securityBindingElement.KeyEntropyMode;
                sessionTokenProvider.SecurityAlgorithmSuite = initiatorRequirement.SecurityAlgorithmSuite;
                sessionTokenProvider.StandardsManager       = SecurityUtils.CreateSecurityStandardsManager(initiatorRequirement, this);
                sessionTokenProvider.TargetAddress          = targetAddress;
                sessionTokenProvider.Via = initiatorRequirement.GetPropertyOrDefault <Uri>(InitiatorServiceModelSecurityTokenRequirement.ViaProperty, null);
                Uri privacyNoticeUri;
                if (initiatorRequirement.TryGetProperty(ServiceModelSecurityTokenRequirement.PrivacyNoticeUriProperty, out privacyNoticeUri))
                {
                    sessionTokenProvider.PrivacyNoticeUri = privacyNoticeUri;
                }
                int privacyNoticeVersion;
                if (initiatorRequirement.TryGetProperty(ServiceModelSecurityTokenRequirement.PrivacyNoticeVersionProperty, out privacyNoticeVersion))
                {
                    sessionTokenProvider.PrivacyNoticeVersion = privacyNoticeVersion;
                }
                EndpointAddress localAddress;
                if (initiatorRequirement.TryGetProperty(ServiceModelSecurityTokenRequirement.DuplexClientLocalAddressProperty, out localAddress))
                {
                    sessionTokenProvider.LocalAddress = localAddress;
                }
                sessionTokenProvider.ChannelParameters = channelParameters;
                sessionTokenProvider.WebHeaders        = initiatorRequirement.WebHeaders;

                return(sessionTokenProvider);
            }
            else
            {
                AcceleratedTokenProvider acceleratedTokenProvider = new AcceleratedTokenProvider();
                acceleratedTokenProvider.IssuerAddress = initiatorRequirement.IssuerAddress;
                acceleratedTokenProvider.BootstrapSecurityBindingElement = SecurityUtils.GetIssuerSecurityBindingElement(initiatorRequirement);
                acceleratedTokenProvider.CacheServiceTokens         = localClientSettings.CacheCookies;
                acceleratedTokenProvider.IssuerBindingContext       = issuerBindingContext;
                acceleratedTokenProvider.KeyEntropyMode             = securityBindingElement.KeyEntropyMode;
                acceleratedTokenProvider.MaxServiceTokenCachingTime = localClientSettings.MaxCookieCachingTime;
                acceleratedTokenProvider.SecurityAlgorithmSuite     = initiatorRequirement.SecurityAlgorithmSuite;
                acceleratedTokenProvider.ServiceTokenValidityThresholdPercentage = localClientSettings.CookieRenewalThresholdPercentage;
                acceleratedTokenProvider.StandardsManager = SecurityUtils.CreateSecurityStandardsManager(initiatorRequirement, this);
                acceleratedTokenProvider.TargetAddress    = targetAddress;
                acceleratedTokenProvider.Via = initiatorRequirement.GetPropertyOrDefault <Uri>(InitiatorServiceModelSecurityTokenRequirement.ViaProperty, null);
                return(acceleratedTokenProvider);
            }
        }