public HttpsChannelListener(HttpsTransportBindingElement httpsBindingElement, BindingContext context) : base(httpsBindingElement, context) { this.requireClientCertificate = httpsBindingElement.RequireClientCertificate; SecurityCredentialsManager manager = context.BindingParameters.Find <SecurityCredentialsManager>(); if (manager == null) { manager = ServiceCredentials.CreateDefaultCredentials(); } SecurityTokenManager tokenManager = manager.CreateSecurityTokenManager(); this.certificateAuthenticator = TransportSecurityHelpers.GetCertificateTokenAuthenticator(tokenManager, context.Binding.Scheme, TransportSecurityHelpers.GetListenUri(context.ListenUriBaseAddress, context.ListenUriRelativeAddress)); ServiceCredentials credentials = manager as ServiceCredentials; if ((credentials != null) && (credentials.ClientCertificate.Authentication.CertificateValidationMode == X509CertificateValidationMode.Custom)) { this.useCustomClientCertificateVerification = true; } else { this.useCustomClientCertificateVerification = false; X509SecurityTokenAuthenticator certificateAuthenticator = this.certificateAuthenticator as X509SecurityTokenAuthenticator; if (certificateAuthenticator != null) { this.certificateAuthenticator = new X509SecurityTokenAuthenticator(X509CertificateValidator.None, certificateAuthenticator.MapCertificateToWindowsAccount, base.ExtractGroupsForWindowsAccounts, false); } } if (this.RequireClientCertificate && (base.AuthenticationScheme != AuthenticationSchemes.Anonymous)) { throw DiagnosticUtility.ExceptionUtility.ThrowHelper(new InvalidOperationException(System.ServiceModel.SR.GetString("HttpAuthSchemeAndClientCert", new object[] { base.AuthenticationScheme })), TraceEventType.Error); } this.channelBindingProvider = new ChannelBindingProviderHelper(); }
public override SecurityTokenAuthenticator CreateSecurityTokenAuthenticator(SecurityTokenRequirement tokenRequirement, out SecurityTokenResolver outOfBandTokenResolver) { if (tokenRequirement == null) { throw System.ServiceModel.DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("tokenRequirement"); } outOfBandTokenResolver = null; SecurityTokenAuthenticator authenticator = null; InitiatorServiceModelSecurityTokenRequirement requirement = tokenRequirement as InitiatorServiceModelSecurityTokenRequirement; if (requirement != null) { string tokenType = requirement.TokenType; if (this.IsIssuedSecurityTokenRequirement(requirement)) { return(new GenericXmlSecurityTokenAuthenticator()); } if (tokenType == SecurityTokenTypes.X509Certificate) { if (requirement.IsOutOfBandToken) { authenticator = new X509SecurityTokenAuthenticator(X509CertificateValidator.None); } else { authenticator = this.CreateServerX509TokenAuthenticator(); } } else if (tokenType == SecurityTokenTypes.Rsa) { authenticator = new RsaSecurityTokenAuthenticator(); } else if (tokenType == SecurityTokenTypes.Kerberos) { authenticator = new KerberosRequestorSecurityTokenAuthenticator(); } else if (((tokenType == ServiceModelSecurityTokenTypes.SecureConversation) || (tokenType == ServiceModelSecurityTokenTypes.MutualSslnego)) || ((tokenType == ServiceModelSecurityTokenTypes.AnonymousSslnego) || (tokenType == ServiceModelSecurityTokenTypes.Spnego))) { authenticator = new GenericXmlSecurityTokenAuthenticator(); } } else if ((tokenRequirement is RecipientServiceModelSecurityTokenRequirement) && (tokenRequirement.TokenType == SecurityTokenTypes.X509Certificate)) { authenticator = this.CreateServerX509TokenAuthenticator(); } if (authenticator == null) { throw System.ServiceModel.DiagnosticUtility.ExceptionUtility.ThrowHelperError(new NotSupportedException(System.ServiceModel.SR.GetString("SecurityTokenManagerCannotCreateAuthenticatorForRequirement", new object[] { tokenRequirement }))); } return(authenticator); }
public HttpsChannelListener(HttpsTransportBindingElement httpsBindingElement, BindingContext context) : base(httpsBindingElement, context) { this.requireClientCertificate = httpsBindingElement.RequireClientCertificate; this.shouldValidateClientCertificate = ShouldValidateClientCertificate(this.requireClientCertificate, context); // Pick up the MapCertificateToWindowsAccount setting from the configured token authenticator. SecurityCredentialsManager credentialProvider = context.BindingParameters.Find <SecurityCredentialsManager>(); if (credentialProvider == null) { credentialProvider = ServiceCredentials.CreateDefaultCredentials(); } SecurityTokenManager tokenManager = credentialProvider.CreateSecurityTokenManager(); this.certificateAuthenticator = TransportSecurityHelpers.GetCertificateTokenAuthenticator(tokenManager, context.Binding.Scheme, TransportSecurityHelpers.GetListenUri(context.ListenUriBaseAddress, context.ListenUriRelativeAddress)); ServiceCredentials serviceCredentials = credentialProvider as ServiceCredentials; if (serviceCredentials != null && serviceCredentials.ClientCertificate.Authentication.CertificateValidationMode == X509CertificateValidationMode.Custom) { useCustomClientCertificateVerification = true; } else { useCustomClientCertificateVerification = false; X509SecurityTokenAuthenticator authenticator = this.certificateAuthenticator as X509SecurityTokenAuthenticator; if (authenticator != null) { this.certificateAuthenticator = new X509SecurityTokenAuthenticator(X509CertificateValidator.None, authenticator.MapCertificateToWindowsAccount, this.ExtractGroupsForWindowsAccounts, false); } } if (this.RequireClientCertificate && this.AuthenticationScheme.IsNotSet(AuthenticationSchemes.Anonymous)) { throw DiagnosticUtility.ExceptionUtility.ThrowHelper(new InvalidOperationException(SR.GetString( SR.HttpAuthSchemeAndClientCert, this.AuthenticationScheme)), TraceEventType.Error); } this.channelBindingProvider = new ChannelBindingProviderHelper(); }
void CreateSecurityProtocolFactory() { SecurityProtocolFactory incomingProtocolFactory; SecurityProtocolFactory outgoingProtocolFactory; ChannelProtectionRequirements protectionRequirements; lock (ThisLock) { if (null != securityProtocolFactory) { return; } TimeoutHelper timeoutHelper = new TimeoutHelper(ServiceDefaults.SendTimeout); if (!enableSigning) { outgoingProtocolFactory = new PeerDoNothingSecurityProtocolFactory(); incomingProtocolFactory = new PeerDoNothingSecurityProtocolFactory(); } else { X509Certificate2 cert = credManager.Certificate; if (cert != null) { SecurityBindingElement securityBindingElement = SecurityBindingElement.CreateCertificateSignatureBindingElement(); securityBindingElement.ReaderQuotas = this.readerQuotas; BindingParameterCollection bpc = new BindingParameterCollection(); if (protection == null) { protectionRequirements = new ChannelProtectionRequirements(); } else { protectionRequirements = new ChannelProtectionRequirements(protection); } ApplySigningRequirements(protectionRequirements.IncomingSignatureParts); ApplySigningRequirements(protectionRequirements.OutgoingSignatureParts); bpc.Add(protectionRequirements); bpc.Add(this.auditBehavior); bpc.Add(credManager); BindingContext context = new BindingContext(new CustomBinding(securityBindingElement), bpc); outgoingProtocolFactory = securityBindingElement.CreateSecurityProtocolFactory <IOutputChannel>(context, credManager, false, null); } else { outgoingProtocolFactory = new PeerDoNothingSecurityProtocolFactory(); } SecurityTokenResolver resolver; X509SecurityTokenAuthenticator auth = tokenManager.CreateSecurityTokenAuthenticator(PeerSecurityCredentialsManager.PeerClientSecurityTokenManager.CreateRequirement(SecurityTokenTypes.X509Certificate, true), out resolver) as X509SecurityTokenAuthenticator; if (auth != null) { SecurityBindingElement securityBindingElement = SecurityBindingElement.CreateCertificateSignatureBindingElement(); securityBindingElement.ReaderQuotas = this.readerQuotas; BindingParameterCollection bpc = new BindingParameterCollection(); if (protection == null) { protectionRequirements = new ChannelProtectionRequirements(); } else { protectionRequirements = new ChannelProtectionRequirements(protection); } ApplySigningRequirements(protectionRequirements.IncomingSignatureParts); ApplySigningRequirements(protectionRequirements.OutgoingSignatureParts); bpc.Add(protectionRequirements); bpc.Add(this.auditBehavior); bpc.Add(credManager); BindingContext context = new BindingContext(new CustomBinding(securityBindingElement), bpc); incomingProtocolFactory = securityBindingElement.CreateSecurityProtocolFactory <IOutputChannel>(context, credManager, true, null); } else { incomingProtocolFactory = new PeerDoNothingSecurityProtocolFactory(); } } DuplexSecurityProtocolFactory tempFactory = new DuplexSecurityProtocolFactory(outgoingProtocolFactory, incomingProtocolFactory); tempFactory.Open(true, timeoutHelper.RemainingTime()); securityProtocolFactory = tempFactory; } }
public override SecurityTokenAuthenticator CreateSecurityTokenAuthenticator(SecurityTokenRequirement tokenRequirement, out SecurityTokenResolver outOfBandTokenResolver) { if (tokenRequirement == null) { throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull(nameof(tokenRequirement)); } outOfBandTokenResolver = null; SecurityTokenAuthenticator result = null; InitiatorServiceModelSecurityTokenRequirement initiatorRequirement = tokenRequirement as InitiatorServiceModelSecurityTokenRequirement; if (initiatorRequirement != null) { string tokenType = initiatorRequirement.TokenType; if (IsIssuedSecurityTokenRequirement(initiatorRequirement)) { throw ExceptionHelper.PlatformNotSupported("CreateSecurityTokenAuthenticator : GenericXmlSecurityTokenAuthenticator"); } else if (tokenType == SecurityTokenTypes.X509Certificate) { if (initiatorRequirement.IsOutOfBandToken) { // when the client side soap security asks for a token authenticator, its for doing // identity checks on the out of band server certificate result = new X509SecurityTokenAuthenticator(X509CertificateValidator.None); } else if (initiatorRequirement.PreferSslCertificateAuthenticator) { result = CreateServerSslX509TokenAuthenticator(); } else { result = CreateServerX509TokenAuthenticator(); } } else if (tokenType == SecurityTokenTypes.Rsa) { throw ExceptionHelper.PlatformNotSupported("CreateSecurityTokenAuthenticator : SecurityTokenTypes.Rsa"); } else if (tokenType == SecurityTokenTypes.Kerberos) { throw ExceptionHelper.PlatformNotSupported("CreateSecurityTokenAuthenticator : SecurityTokenTypes.Kerberos"); } else if (tokenType == ServiceModelSecurityTokenTypes.SecureConversation || tokenType == ServiceModelSecurityTokenTypes.MutualSslnego || tokenType == ServiceModelSecurityTokenTypes.AnonymousSslnego || tokenType == ServiceModelSecurityTokenTypes.Spnego) { throw ExceptionHelper.PlatformNotSupported("CreateSecurityTokenAuthenticator : GenericXmlSecurityTokenAuthenticator"); } } else if ((tokenRequirement is RecipientServiceModelSecurityTokenRequirement) && tokenRequirement.TokenType == SecurityTokenTypes.X509Certificate) { // uncorrelated duplex case result = CreateServerX509TokenAuthenticator(); } if (result == null) { throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new NotSupportedException(SR.Format(SR.SecurityTokenManagerCannotCreateAuthenticatorForRequirement, tokenRequirement))); } return(result); }
internal static WindowsIdentity KerberosCertificateLogon(X509Certificate2 certificate) { return(X509SecurityTokenAuthenticator.KerberosCertificateLogon(certificate)); }