public SslStreamSecurityUpgradeInitiator(SslStreamSecurityUpgradeProvider parent, EndpointAddress remoteAddress, Uri via) : base("application/ssl-tls", remoteAddress, via)
{
SecurityTokenResolver resolver;
this.parent = parent;
InitiatorServiceModelSecurityTokenRequirement tokenRequirement = new InitiatorServiceModelSecurityTokenRequirement {
TokenType = SecurityTokenTypes.X509Certificate,
RequireCryptographicToken = true,
KeyUsage = SecurityKeyUsage.Exchange,
TargetAddress = remoteAddress,
Via = via,
TransportScheme = this.parent.Scheme
};
this.serverCertificateAuthenticator = parent.ClientSecurityTokenManager.CreateSecurityTokenAuthenticator(tokenRequirement, out resolver);
if (parent.RequireClientCertificate)
{
InitiatorServiceModelSecurityTokenRequirement requirement2 = new InitiatorServiceModelSecurityTokenRequirement {
TokenType = SecurityTokenTypes.X509Certificate,
RequireCryptographicToken = true,
KeyUsage = SecurityKeyUsage.Signature,
TargetAddress = remoteAddress,
Via = via,
TransportScheme = this.parent.Scheme
};
this.clientCertificateProvider = parent.ClientSecurityTokenManager.CreateSecurityTokenProvider(requirement2);
if (this.clientCertificateProvider == null)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new InvalidOperationException(System.ServiceModel.SR.GetString("ClientCredentialsUnableToCreateLocalTokenProvider", new object[] { requirement2 })));
}
}
}
public HttpReplyChannel (HttpChannelListener<IReplyChannel> listener)
: base (listener)
{
this.source = listener;
if (listener.SecurityTokenManager != null) {
var str = new SecurityTokenRequirement () { TokenType = SecurityTokenTypes.UserName };
security_token_authenticator = listener.SecurityTokenManager.CreateSecurityTokenAuthenticator (str, out security_token_resolver);
}
}
public void SetSessionTokenAuthenticator(UniqueId sessionId, SecurityTokenAuthenticator sessionTokenAuthenticator, SecurityTokenResolver sessionTokenResolver)
{
this.CommunicationObject.ThrowIfDisposedOrImmutable();
this.sessionId = sessionId;
this.sessionTokenResolver = sessionTokenResolver;
Collection<SecurityTokenResolver> tmp = new Collection<SecurityTokenResolver>();
tmp.Add(this.sessionTokenResolver);
this.sessionTokenResolverList = new ReadOnlyCollection<SecurityTokenResolver>(tmp);
this.sessionTokenAuthenticator = sessionTokenAuthenticator;
SupportingTokenAuthenticatorSpecification spec = new SupportingTokenAuthenticatorSpecification(this.sessionTokenAuthenticator, this.sessionTokenResolver, SecurityTokenAttachmentMode.Endorsing, this.Factory.SecurityTokenParameters);
this.sessionTokenAuthenticatorSpecificationList = new Collection<SupportingTokenAuthenticatorSpecification>();
this.sessionTokenAuthenticatorSpecificationList.Add(spec);
}
internal SupportingTokenAuthenticatorSpecification(SecurityTokenAuthenticator tokenAuthenticator, SecurityTokenResolver securityTokenResolver, System.ServiceModel.Security.SecurityTokenAttachmentMode attachmentMode, SecurityTokenParameters tokenParameters, bool isTokenOptional)
{
if (tokenAuthenticator == null)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("tokenAuthenticator");
}
SecurityTokenAttachmentModeHelper.Validate(attachmentMode);
if (tokenParameters == null)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("tokenParameters");
}
this.tokenAuthenticator = tokenAuthenticator;
this.tokenResolver = securityTokenResolver;
this.tokenAttachmentMode = attachmentMode;
this.tokenParameters = tokenParameters;
this.isTokenOptional = isTokenOptional;
}
public override void OnAbort()
{
if (this.serverTokenProvider != null)
{
System.ServiceModel.Security.SecurityUtils.AbortTokenProviderIfRequired(this.serverTokenProvider);
this.serverTokenProvider = null;
}
if (this.clientTokenAuthenticator != null)
{
System.ServiceModel.Security.SecurityUtils.AbortTokenAuthenticatorIfRequired(this.clientTokenAuthenticator);
this.clientTokenAuthenticator = null;
}
if (this.serverToken != null)
{
this.serverToken = null;
}
base.OnAbort();
}
public override void OnClose(TimeSpan timeout)
{
TimeoutHelper helper = new TimeoutHelper(timeout);
if (this.serverTokenProvider != null)
{
System.ServiceModel.Security.SecurityUtils.CloseTokenProviderIfRequired(this.serverTokenProvider, helper.RemainingTime());
this.serverTokenProvider = null;
}
if (this.clientTokenAuthenticator != null)
{
System.ServiceModel.Security.SecurityUtils.CloseTokenAuthenticatorIfRequired(this.clientTokenAuthenticator, helper.RemainingTime());
this.clientTokenAuthenticator = null;
}
if (this.serverToken != null)
{
this.serverToken = null;
}
base.OnClose(helper.RemainingTime());
}
/// <summary>
/// Initializes an instance of <see cref="WrappedRsaSecurityTokenAuthenticator"/>
/// </summary>
/// <param name="sessionTokenHandler">The sessionTokenHandler to wrap</param>
/// <param name="wcfSessionAuthenticator">The wcf SessionTokenAuthenticator.</param>
/// <param name="sctClaimsHandler">Handler that converts WCF generated IAuthorizationPolicy to <see cref="AuthorizationPolicy"/></param>
/// <param name="exceptionMapper">Converts token validation exception to SOAP faults.</param>
public WrappedSessionSecurityTokenAuthenticator( SessionSecurityTokenHandler sessionTokenHandler,
SecurityTokenAuthenticator wcfSessionAuthenticator,
SctClaimsHandler sctClaimsHandler,
ExceptionMapper exceptionMapper )
: base()
{
if ( sessionTokenHandler == null )
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull( "sessionTokenHandler" );
}
if ( wcfSessionAuthenticator == null )
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull( "wcfSessionAuthenticator" );
}
if ( sctClaimsHandler == null )
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull( "sctClaimsHandler" );
}
if ( exceptionMapper == null )
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull( "exceptionMapper" );
}
_issuanceSecurityTokenAuthenticator = wcfSessionAuthenticator as IIssuanceSecurityTokenAuthenticator;
if ( _issuanceSecurityTokenAuthenticator == null )
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperInvalidOperation( SR.GetString( SR.ID4244 ) );
}
_communicationObject = wcfSessionAuthenticator as ICommunicationObject;
if ( _communicationObject == null )
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperInvalidOperation( SR.GetString( SR.ID4245 ) );
}
_sessionTokenHandler = sessionTokenHandler;
_sctClaimsHandler = sctClaimsHandler;
_exceptionMapper = exceptionMapper;
}
public override void OnOpen(TimeSpan timeout)
{
TimeoutHelper timeoutHelper = new TimeoutHelper(timeout);
base.OnOpen(timeoutHelper.RemainingTime());
if (this.Factory.ActAsInitiator)
{
if (this.Factory.ApplyIntegrity)
{
InitiatorServiceModelSecurityTokenRequirement requirement = CreateInitiatorSecurityTokenRequirement();
this.Factory.CryptoTokenParameters.InitializeSecurityTokenRequirement(requirement);
requirement.KeyUsage = SecurityKeyUsage.Signature;
requirement.Properties[ServiceModelSecurityTokenRequirement.MessageDirectionProperty] = MessageDirection.Output;
this.initiatorCryptoTokenProvider = this.Factory.SecurityTokenManager.CreateSecurityTokenProvider(requirement);
SecurityUtils.OpenTokenProviderIfRequired(this.initiatorCryptoTokenProvider, timeoutHelper.RemainingTime());
}
if (this.Factory.RequireIntegrity || this.Factory.ApplyConfidentiality)
{
InitiatorServiceModelSecurityTokenRequirement providerRequirement = CreateInitiatorSecurityTokenRequirement();
this.Factory.AsymmetricTokenParameters.InitializeSecurityTokenRequirement(providerRequirement);
providerRequirement.KeyUsage = SecurityKeyUsage.Exchange;
providerRequirement.Properties[ServiceModelSecurityTokenRequirement.MessageDirectionProperty] = (this.Factory.ApplyConfidentiality) ? MessageDirection.Output : MessageDirection.Input;
this.initiatorAsymmetricTokenProvider = this.Factory.SecurityTokenManager.CreateSecurityTokenProvider(providerRequirement);
SecurityUtils.OpenTokenProviderIfRequired(this.initiatorAsymmetricTokenProvider, timeoutHelper.RemainingTime());
InitiatorServiceModelSecurityTokenRequirement authenticatorRequirement = CreateInitiatorSecurityTokenRequirement();
this.Factory.AsymmetricTokenParameters.InitializeSecurityTokenRequirement(authenticatorRequirement);
authenticatorRequirement.IsOutOfBandToken = !this.Factory.AllowSerializedSigningTokenOnReply;
authenticatorRequirement.KeyUsage = SecurityKeyUsage.Exchange;
authenticatorRequirement.Properties[ServiceModelSecurityTokenRequirement.MessageDirectionProperty] = (this.Factory.ApplyConfidentiality) ? MessageDirection.Output : MessageDirection.Input;
// Create authenticator (we dont support out of band resolvers on the client side
SecurityTokenResolver outOfBandTokenResolver;
this.initiatorAsymmetricTokenAuthenticator = this.Factory.SecurityTokenManager.CreateSecurityTokenAuthenticator(authenticatorRequirement, out outOfBandTokenResolver);
SecurityUtils.OpenTokenAuthenticatorIfRequired(this.initiatorAsymmetricTokenAuthenticator, timeoutHelper.RemainingTime());
}
}
}
protected void EnsureOutgoingIdentity(SecurityToken token, SecurityTokenAuthenticator authenticator)
{
if (object.ReferenceEquals(token, this.identityVerifiedToken))
{
return;
}
if (this.factory.IdentityVerifier == null)
{
return;
}
if (this.Target == null)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new MessageSecurityException(SR.GetString(SR.NoOutgoingEndpointAddressAvailableForDoingIdentityCheck)));
}
ReadOnlyCollection<IAuthorizationPolicy> authzPolicies = authenticator.ValidateToken(token);
this.factory.IdentityVerifier.EnsureOutgoingIdentity(this.Target, authzPolicies);
if (this.CacheIdentityCheckResultForToken)
{
this.identityVerifiedToken = token;
}
}
SupportingTokenSpecification ValidateTokensByParameters (SecurityTokenAuthenticator a, SecurityTokenResolver r, List<SupportingTokenInfo> tokens)
{
foreach (SupportingTokenInfo info in tokens)
if (a.CanValidateToken (info.Token))
return new SupportingTokenSpecification (
info.Token,
a.ValidateToken (info.Token),
info.Mode);
return null;
}
public void SetSessionTokenAuthenticator(UniqueId sessionId, SecurityTokenAuthenticator sessionTokenAuthenticator, SecurityTokenResolver sessionTokenResolver)
{
this.CommunicationObject.ThrowIfDisposedOrImmutable();
lock (ThisLock)
{
this.sessionId = sessionId;
this.sessionTokenAuthenticator = sessionTokenAuthenticator;
this.sessionTokenResolver = sessionTokenResolver;
List<SecurityTokenResolver> tmp = new List<SecurityTokenResolver>(1);
tmp.Add(this.sessionTokenResolver);
this.sessionResolverList = new ReadOnlyCollection<SecurityTokenResolver>(tmp);
}
}
public override void OnOpen(TimeSpan timeout)
{
TimeoutHelper helper = new TimeoutHelper(timeout);
base.OnOpen(helper.RemainingTime());
if (this.Factory.ActAsInitiator)
{
SecurityTokenResolver resolver;
InitiatorServiceModelSecurityTokenRequirement tokenRequirement = this.CreateInitiatorTokenRequirement();
SecurityTokenProvider tokenProvider = this.Factory.SecurityTokenManager.CreateSecurityTokenProvider(tokenRequirement);
System.ServiceModel.Security.SecurityUtils.OpenTokenProviderIfRequired(tokenProvider, helper.RemainingTime());
if (this.Factory.SecurityTokenParameters.HasAsymmetricKey)
{
this.initiatorAsymmetricTokenProvider = tokenProvider;
}
else
{
this.initiatorSymmetricTokenProvider = tokenProvider;
}
InitiatorServiceModelSecurityTokenRequirement requirement2 = this.CreateInitiatorTokenRequirement();
this.initiatorTokenAuthenticator = this.Factory.SecurityTokenManager.CreateSecurityTokenAuthenticator(requirement2, out resolver);
System.ServiceModel.Security.SecurityUtils.OpenTokenAuthenticatorIfRequired(this.initiatorTokenAuthenticator, helper.RemainingTime());
}
}
public SecureOutgoingMessageAsyncResult(Message m, SymmetricSecurityProtocol binding, SecurityTokenProvider provider, bool doIdentityChecks, SecurityTokenAuthenticator identityCheckAuthenticator, SecurityProtocolCorrelationState correlationState, TimeSpan timeout, AsyncCallback callback, object state) : base(m, binding, provider, doIdentityChecks, identityCheckAuthenticator, correlationState, timeout, callback, state)
{
this.symmetricBinding = binding;
base.Start();
}
protected HttpListenerManager (IChannelListener channelListener, HttpTransportBindingElement source, ServiceCredentialsSecurityTokenManager securityTokenManager, ChannelDispatcher dispatcher)
{
this.Dispatcher = dispatcher;
this.channel_listener = channelListener;
Source = source;
if (securityTokenManager != null) {
var str = new SecurityTokenRequirement () { TokenType = SecurityTokenTypes.UserName };
security_token_authenticator = securityTokenManager.CreateSecurityTokenAuthenticator (str, out security_token_resolver);
}
}
public void Release ()
{
ReleaseCore ();
authenticator = null;
}
public void SetIdentityCheckAuthenticator(SecurityTokenAuthenticator authenticator)
{
this.sessionTokenAuthenticator = authenticator;
}
protected SecurityToken GetTokenAndEnsureOutgoingIdentity(SecurityTokenProvider provider, bool isEncryptionOn, TimeSpan timeout, SecurityTokenAuthenticator authenticator)
{
SecurityToken token = GetToken(provider, this.Target, timeout);
if (isEncryptionOn)
{
EnsureOutgoingIdentity(token, authenticator);
}
return token;
}
public SupportingTokenAuthenticatorSpecification(SecurityTokenAuthenticator tokenAuthenticator, SecurityTokenResolver securityTokenResolver, SecurityTokenAttachmentMode attachmentMode, SecurityTokenParameters tokenParameters)
: this(tokenAuthenticator, securityTokenResolver, attachmentMode, tokenParameters, false)
{
}
public override void OnOpen(TimeSpan timeout)
{
TimeoutHelper timeoutHelper = new TimeoutHelper(timeout);
base.OnOpen(timeoutHelper.RemainingTime());
if (this.Factory.ActAsInitiator)
{
// 1. Create a token requirement for the provider
InitiatorServiceModelSecurityTokenRequirement tokenProviderRequirement = CreateInitiatorTokenRequirement();
// 2. Create a provider
SecurityTokenProvider tokenProvider = this.Factory.SecurityTokenManager.CreateSecurityTokenProvider(tokenProviderRequirement);
SecurityUtils.OpenTokenProviderIfRequired(tokenProvider, timeoutHelper.RemainingTime());
if (this.Factory.SecurityTokenParameters.HasAsymmetricKey)
{
this.initiatorAsymmetricTokenProvider = tokenProvider;
}
else
{
this.initiatorSymmetricTokenProvider = tokenProvider;
}
// 3. Create a token requirement for authenticator
InitiatorServiceModelSecurityTokenRequirement tokenAuthenticatorRequirement = CreateInitiatorTokenRequirement();
// 4. Create authenticator (we dont support out of band resolvers on the client side
SecurityTokenResolver outOfBandTokenResolver;
this.initiatorTokenAuthenticator = this.Factory.SecurityTokenManager.CreateSecurityTokenAuthenticator(tokenAuthenticatorRequirement, out outOfBandTokenResolver);
SecurityUtils.OpenTokenAuthenticatorIfRequired(this.initiatorTokenAuthenticator, timeoutHelper.RemainingTime());
}
}
/// <summary>
/// The purpose of this method is to set our WrappedTokenCache as the token cache for SCT's.
/// And to set our OnIssuedToken callback when in cookie mode.
/// We have to use reflection here as this is a private method.
/// </summary>
static void SetWrappedTokenCache(
WrappedTokenCache wrappedTokenCache,
SecurityTokenAuthenticator sta,
WrappedSessionSecurityTokenAuthenticator wssta,
SctClaimsHandler claimsHandler )
{
if ( sta is SecuritySessionSecurityTokenAuthenticator )
{
( sta as SecuritySessionSecurityTokenAuthenticator ).IssuedTokenCache = wrappedTokenCache;
}
else if ( sta is AcceleratedTokenAuthenticator )
{
( sta as AcceleratedTokenAuthenticator ).IssuedTokenCache = wrappedTokenCache;
}
else if ( sta is SpnegoTokenAuthenticator )
{
( sta as SpnegoTokenAuthenticator ).IssuedTokenCache = wrappedTokenCache;
}
else if ( sta is TlsnegoTokenAuthenticator )
{
( sta as TlsnegoTokenAuthenticator ).IssuedTokenCache = wrappedTokenCache;
}
// we need to special case this as the OnTokenIssued callback is not hooked up in the cookie mode case.
IIssuanceSecurityTokenAuthenticator issuanceTokenAuthenticator = sta as IIssuanceSecurityTokenAuthenticator;
if ( issuanceTokenAuthenticator != null )
{
issuanceTokenAuthenticator.IssuedSecurityTokenHandler = claimsHandler.OnTokenIssued;
issuanceTokenAuthenticator.RenewedSecurityTokenHandler = claimsHandler.OnTokenRenewed;
}
}
public GetTwoTokensAndSetUpSecurityAsyncResult(Message m, MessageSecurityProtocol binding,
SecurityTokenProvider primaryProvider, SecurityTokenProvider secondaryProvider, bool doIdentityChecks, SecurityTokenAuthenticator identityCheckAuthenticator,
SecurityProtocolCorrelationState oldCorrelationState,
TimeSpan timeout,
AsyncCallback callback, object state)
: base(m, binding, timeout, callback, state)
{
this.message = m;
this.binding = binding;
this.primaryProvider = primaryProvider;
this.secondaryProvider = secondaryProvider;
this.doIdentityChecks = doIdentityChecks;
this.identityCheckAuthenticator = identityCheckAuthenticator;
this.oldCorrelationState = oldCorrelationState;
}
protected void PrepareAuthenticator ()
{
authenticator = CreateTokenAuthenticator (RecipientParameters, out auth_token_resolver);
}
private void AddSupportingTokenAuthenticators(SupportingTokenParameters supportingTokenParameters, bool isOptional, IList <SupportingTokenAuthenticatorSpecification> authenticatorSpecList)
{
for (int i = 0; i < supportingTokenParameters.Endorsing.Count; ++i)
{
SecurityTokenRequirement requirement = this.CreateRecipientSecurityTokenRequirement(supportingTokenParameters.Endorsing[i], SecurityTokenAttachmentMode.Endorsing);
try
{
System.IdentityModel.Selectors.SecurityTokenResolver resolver;
System.IdentityModel.Selectors.SecurityTokenAuthenticator authenticator = this.SecurityTokenManager.CreateSecurityTokenAuthenticator(requirement, out resolver);
SupportingTokenAuthenticatorSpecification authenticatorSpec = new SupportingTokenAuthenticatorSpecification(authenticator, resolver, SecurityTokenAttachmentMode.Endorsing, supportingTokenParameters.Endorsing[i], isOptional);
authenticatorSpecList.Add(authenticatorSpec);
}
catch (Exception e)
{
if (!isOptional || Fx.IsFatal(e))
{
throw;
}
}
}
for (int i = 0; i < supportingTokenParameters.SignedEndorsing.Count; ++i)
{
SecurityTokenRequirement requirement = this.CreateRecipientSecurityTokenRequirement(supportingTokenParameters.SignedEndorsing[i], SecurityTokenAttachmentMode.SignedEndorsing);
try
{
System.IdentityModel.Selectors.SecurityTokenResolver resolver;
System.IdentityModel.Selectors.SecurityTokenAuthenticator authenticator = this.SecurityTokenManager.CreateSecurityTokenAuthenticator(requirement, out resolver);
SupportingTokenAuthenticatorSpecification authenticatorSpec = new SupportingTokenAuthenticatorSpecification(authenticator, resolver, SecurityTokenAttachmentMode.SignedEndorsing, supportingTokenParameters.SignedEndorsing[i], isOptional);
authenticatorSpecList.Add(authenticatorSpec);
}
catch (Exception e)
{
if (!isOptional || Fx.IsFatal(e))
{
throw;
}
}
}
for (int i = 0; i < supportingTokenParameters.SignedEncrypted.Count; ++i)
{
SecurityTokenRequirement requirement = this.CreateRecipientSecurityTokenRequirement(supportingTokenParameters.SignedEncrypted[i], SecurityTokenAttachmentMode.SignedEncrypted);
try
{
System.IdentityModel.Selectors.SecurityTokenResolver resolver;
System.IdentityModel.Selectors.SecurityTokenAuthenticator authenticator = this.SecurityTokenManager.CreateSecurityTokenAuthenticator(requirement, out resolver);
SupportingTokenAuthenticatorSpecification authenticatorSpec = new SupportingTokenAuthenticatorSpecification(authenticator, resolver, SecurityTokenAttachmentMode.SignedEncrypted, supportingTokenParameters.SignedEncrypted[i], isOptional);
authenticatorSpecList.Add(authenticatorSpec);
}
catch (Exception e)
{
if (!isOptional || Fx.IsFatal(e))
{
throw;
}
}
}
for (int i = 0; i < supportingTokenParameters.Signed.Count; ++i)
{
SecurityTokenRequirement requirement = this.CreateRecipientSecurityTokenRequirement(supportingTokenParameters.Signed[i], SecurityTokenAttachmentMode.Signed);
try
{
System.IdentityModel.Selectors.SecurityTokenResolver resolver;
System.IdentityModel.Selectors.SecurityTokenAuthenticator authenticator = this.SecurityTokenManager.CreateSecurityTokenAuthenticator(requirement, out resolver);
SupportingTokenAuthenticatorSpecification authenticatorSpec = new SupportingTokenAuthenticatorSpecification(authenticator, resolver, SecurityTokenAttachmentMode.Signed, supportingTokenParameters.Signed[i], isOptional);
authenticatorSpecList.Add(authenticatorSpec);
}
catch (Exception e)
{
if (!isOptional || Fx.IsFatal(e))
{
throw;
}
}
}
}
public void SetIdentityCheckAuthenticator(SecurityTokenAuthenticator authenticator)
{
}