 // message handlers
 /// <summary>
 /// Reads the body of a negotiation message as either an RST or an RSTR, choosing by the
 /// WS-Addressing action header. Exactly one of the two out parameters is set; the other
 /// stays null. The body is consumed to its end before returning.
 /// </summary>
 /// <param name="message">Incoming negotiation message whose body is parsed.</param>
 /// <param name="context">Negotiation context carried by whichever element was parsed.</param>
 /// <param name="requestSecurityToken">Parsed RST, or null when the action names an RSTR.</param>
 /// <param name="requestSecurityTokenResponse">Parsed RSTR, or null when the action names an RST.</param>
 /// <exception cref="SecurityNegotiationException">The action header matches neither expected action.</exception>
 protected virtual void ParseMessageBody(Message message, out string context, out RequestSecurityToken requestSecurityToken, out RequestSecurityTokenResponse requestSecurityTokenResponse)
 {
     requestSecurityToken = null;
     requestSecurityTokenResponse = null;
     string action = message.Headers.Action;

     if (action == this.RequestSecurityTokenAction.Value)
     {
         using (XmlDictionaryReader bodyReader = message.GetReaderAtBodyContents())
         {
             requestSecurityToken = RequestSecurityToken.CreateFrom(this.StandardsManager, bodyReader);
             message.ReadFromBodyContentsToEnd(bodyReader);
         }
         context = requestSecurityToken.Context;
         return;
     }

     if (action == this.RequestSecurityTokenResponseAction.Value)
     {
         using (XmlDictionaryReader bodyReader = message.GetReaderAtBodyContents())
         {
             requestSecurityTokenResponse = RequestSecurityTokenResponse.CreateFrom(this.StandardsManager, bodyReader);
             message.ReadFromBodyContentsToEnd(bodyReader);
         }
         context = requestSecurityTokenResponse.Context;
         return;
     }

     // Unknown action: refuse rather than guess which element the body holds.
     throw TraceUtility.ThrowHelperError(new SecurityNegotiationException(SR.GetString(SR.InvalidActionForNegotiationMessage, action)), message);
 }
        /// <summary>
        /// Consumes the service's RSTR from <paramref name="incomingMessage"/>, checks that it belongs
        /// to this negotiation, and stores the issued service token on <paramref name="negotiationState"/>.
        /// The accelerated exchange sends no further client message, so this always returns null.
        /// </summary>
        /// <param name="incomingMessage">Reply from the service; its body is read to the end.</param>
        /// <param name="negotiationState">Negotiation state holding the expected context and the requestor entropy.</param>
        /// <returns>Always null: no further outgoing body is needed.</returns>
        /// <exception cref="SecurityNegotiationException">Unexpected action header, or the RSTR context does not match the negotiation.</exception>
        /// <exception cref="MessageSecurityException">A WS-Trust 1.3 collection carries more than one RSTR.</exception>
        /// <exception cref="NotSupportedException">The trust version is neither Feb2005 nor 1.3.</exception>
        protected override BodyWriter GetNextOutgoingMessageBody(Message incomingMessage, AcceleratedTokenProviderState negotiationState)
        {
            ThrowIfFault(incomingMessage, TargetAddress);

            string action = incomingMessage.Headers.Action;
            if (action != RequestSecurityTokenResponseAction.Value)
            {
                throw TraceUtility.ThrowHelperError(new SecurityNegotiationException(SR.Format(SR.InvalidActionForNegotiationMessage, action)), incomingMessage);
            }

            // Policies describing the service identity, taken from the message's security property when present.
            SecurityMessageProperty securityProperty = incomingMessage.Properties.Security;
            ReadOnlyCollection<IAuthorizationPolicy> servicePolicies =
                securityProperty != null && securityProperty.ServiceSecurityContext != null
                    ? securityProperty.ServiceSecurityContext.AuthorizationPolicies
                    : EmptyReadOnlyCollection<IAuthorizationPolicy>.Instance;

            RequestSecurityTokenResponse response = null;
            using (XmlDictionaryReader bodyReader = incomingMessage.GetReaderAtBodyContents())
            {
                TrustVersion trustVersion = StandardsManager.MessageSecurityVersion.TrustVersion;
                if (trustVersion == TrustVersion.WSTrustFeb2005)
                {
                    response = RequestSecurityTokenResponse.CreateFrom(StandardsManager, bodyReader);
                }
                else if (trustVersion == TrustVersion.WSTrust13)
                {
                    // WS-Trust 1.3 wraps the reply in an RSTRC; exactly one RSTR is acceptable here.
                    RequestSecurityTokenResponseCollection responseCollection = StandardsManager.TrustDriver.CreateRequestSecurityTokenResponseCollection(bodyReader);
                    foreach (RequestSecurityTokenResponse candidate in responseCollection.RstrCollection)
                    {
                        if (response == null)
                        {
                            response = candidate;
                            continue;
                        }
                        throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new MessageSecurityException(SR.MoreThanOneRSTRInRSTRC));
                    }
                }
                else
                {
                    throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new NotSupportedException());
                }

                incomingMessage.ReadFromBodyContentsToEnd(bodyReader);
            }

            // NOTE(review): an empty RSTRC would leave response null and the next line would throw
            // NullReferenceException; confirm CreateRequestSecurityTokenResponseCollection rejects an empty collection.
            if (response.Context != negotiationState.Context)
            {
                throw TraceUtility.ThrowHelperError(new SecurityNegotiationException(SR.BadSecurityNegotiationContext), incomingMessage);
            }

            // The requestor entropy and entropy mode are handed to the RSTR, presumably so it can
            // derive the issued token's key — see GetIssuedToken.
            byte[] requestorEntropy = negotiationState.GetRequestorEntropy();
            GenericXmlSecurityToken issuedToken = response.GetIssuedToken(null, null, _keyEntropyMode, requestorEntropy, SecurityContextTokenUri, servicePolicies, SecurityAlgorithmSuite.DefaultSymmetricKeyLength, false);
            negotiationState.SetServiceToken(issuedToken);
            return null;
        }
        /// <summary>
        /// Handles the service's reply in the accelerated negotiation: rejects faults and unexpected
        /// actions, reads the single RSTR (directly for WS-Trust Feb2005, from an RSTRC for WS-Trust 1.3),
        /// verifies its context, and records the issued service token on <paramref name="negotiationState"/>.
        /// </summary>
        /// <param name="incomingMessage">Reply from the service; its body is read to the end.</param>
        /// <param name="negotiationState">Negotiation state holding the expected context and the requestor entropy.</param>
        /// <returns>Always null — the exchange ends with this reply.</returns>
        /// <exception cref="SecurityNegotiationException">Unexpected action header, or RSTR context mismatch.</exception>
        /// <exception cref="MessageSecurityException">More than one RSTR in the WS-Trust 1.3 collection.</exception>
        /// <exception cref="NotSupportedException">Unrecognised trust version.</exception>
        protected override BodyWriter GetNextOutgoingMessageBody(Message incomingMessage, AcceleratedTokenProviderState negotiationState)
        {
            IssuanceTokenProviderBase<AcceleratedTokenProviderState>.ThrowIfFault(incomingMessage, base.TargetAddress);

            if (incomingMessage.Headers.Action != this.RequestSecurityTokenResponseAction.Value)
            {
                throw TraceUtility.ThrowHelperError(new SecurityNegotiationException(System.ServiceModel.SR.GetString("InvalidActionForNegotiationMessage", new object[] { incomingMessage.Headers.Action })), incomingMessage);
            }

            // Service identity policies come from the security property; fall back to an empty set.
            ReadOnlyCollection<IAuthorizationPolicy> policies = System.ServiceModel.Security.EmptyReadOnlyCollection<IAuthorizationPolicy>.Instance;
            SecurityMessageProperty securityProperty = incomingMessage.Properties.Security;
            if (securityProperty != null && securityProperty.ServiceSecurityContext != null)
            {
                policies = securityProperty.ServiceSecurityContext.AuthorizationPolicies;
            }

            RequestSecurityTokenResponse rstr = null;
            using (XmlDictionaryReader bodyReader = incomingMessage.GetReaderAtBodyContents())
            {
                TrustVersion trustVersion = base.StandardsManager.MessageSecurityVersion.TrustVersion;
                if (trustVersion == TrustVersion.WSTrustFeb2005)
                {
                    rstr = RequestSecurityTokenResponse.CreateFrom(base.StandardsManager, bodyReader);
                }
                else if (trustVersion == TrustVersion.WSTrust13)
                {
                    // The 1.3 reply is a collection; a second element is an error.
                    RequestSecurityTokenResponseCollection rstrc = base.StandardsManager.TrustDriver.CreateRequestSecurityTokenResponseCollection(bodyReader);
                    foreach (RequestSecurityTokenResponse item in rstrc.RstrCollection)
                    {
                        if (rstr != null)
                        {
                            throw System.ServiceModel.DiagnosticUtility.ExceptionUtility.ThrowHelperError(new MessageSecurityException(System.ServiceModel.SR.GetString("MoreThanOneRSTRInRSTRC")));
                        }
                        rstr = item;
                    }
                }
                else
                {
                    throw System.ServiceModel.DiagnosticUtility.ExceptionUtility.ThrowHelperError(new NotSupportedException());
                }
                incomingMessage.ReadFromBodyContentsToEnd(bodyReader);
            }

            // NOTE(review): rstr is assumed non-null here; an empty RSTRC would make this a NullReferenceException.
            if (rstr.Context != negotiationState.Context)
            {
                throw TraceUtility.ThrowHelperError(new SecurityNegotiationException(System.ServiceModel.SR.GetString("BadSecurityNegotiationContext")), incomingMessage);
            }

            byte[] entropy = negotiationState.GetRequestorEntropy();
            GenericXmlSecurityToken issued = rstr.GetIssuedToken(null, null, this.keyEntropyMode, entropy, base.SecurityContextTokenUri, policies, base.SecurityAlgorithmSuite.DefaultSymmetricKeyLength, false);
            negotiationState.SetServiceToken(issued);
            return null;
        }
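        /// <summary>
        /// Processes one service leg of the SSPI negotiation: translates negotiation faults, reads the
        /// RSTR (or the RSTRC carrying the RSTR plus its authenticator), checks the negotiation context,
        /// feeds the service's blob to the SSPI context and either completes the negotiation or returns
        /// the body for the next client message.
        /// </summary>
        /// <param name="incomingMessage">Service reply; may be a SOAP fault, otherwise its body is read to the end.</param>
        /// <param name="sspiState">Negotiation state holding the expected context and the SSPI negotiation object.</param>
        /// <returns>Body for the next client message, or null once the negotiation is complete.</returns>
        /// <exception cref="SecurityNegotiationException">
        /// Sender fault from the service, missing or mismatched authenticator RSTR, context mismatch,
        /// or no binary negotiation data while the SSPI exchange is still in progress.
        /// </exception>
        protected override BodyWriter GetNextOutgoingMessageBody(Message incomingMessage, SspiNegotiationTokenProviderState sspiState)
        {
            try
            {
                IssuanceTokenProviderBase<SspiNegotiationTokenProviderState>.ThrowIfFault(incomingMessage, base.TargetAddress);
            }
            catch (FaultException exception)
            {
                // Only sender faults are translated; anything else propagates unchanged.
                if (!exception.Code.IsSenderFault)
                {
                    throw;
                }
                // A sender fault need not carry a subcode. Previously the subcode was dereferenced
                // unconditionally (and compared twice against the same literal), so a fault without
                // one surfaced as NullReferenceException; it is now reported as a failed negotiation.
                FaultCode subCode = exception.Code.SubCode;
                if (subCode != null && subCode.Name == "FailedAuthentication")
                {
                    throw TraceUtility.ThrowHelperError(new SecurityNegotiationException(System.ServiceModel.SR.GetString("AuthenticationOfClientFailed"), exception), incomingMessage);
                }
                throw TraceUtility.ThrowHelperError(new SecurityNegotiationException(System.ServiceModel.SR.GetString("FailedSspiNegotiation"), exception), incomingMessage);
            }

            RequestSecurityTokenResponse rstr = null;
            RequestSecurityTokenResponse authenticatorRstr = null;
            using (XmlDictionaryReader bodyReader = incomingMessage.GetReaderAtBodyContents())
            {
                if (base.StandardsManager.TrustDriver.IsAtRequestSecurityTokenResponseCollection(bodyReader))
                {
                    // First element is the negotiation RSTR, second is the authenticator RSTR.
                    using (IEnumerator<RequestSecurityTokenResponse> enumerator = base.StandardsManager.TrustDriver.CreateRequestSecurityTokenResponseCollection(bodyReader).RstrCollection.GetEnumerator())
                    {
                        enumerator.MoveNext();
                        rstr = enumerator.Current;
                        if (enumerator.MoveNext())
                        {
                            authenticatorRstr = enumerator.Current;
                        }
                    }
                    if (authenticatorRstr == null)
                    {
                        throw TraceUtility.ThrowHelperError(new SecurityNegotiationException(System.ServiceModel.SR.GetString("AuthenticatorNotPresentInRSTRCollection")), incomingMessage);
                    }
                    if (authenticatorRstr.Context != rstr.Context)
                    {
                        throw TraceUtility.ThrowHelperError(new SecurityNegotiationException(System.ServiceModel.SR.GetString("RSTRAuthenticatorHasBadContext")), incomingMessage);
                    }
                    this.AddToDigest(sspiState, rstr, true, true);
                }
                else if (base.StandardsManager.TrustDriver.IsAtRequestSecurityTokenResponse(bodyReader))
                {
                    rstr = RequestSecurityTokenResponse.CreateFrom(base.StandardsManager, bodyReader);
                    this.AddToDigest(sspiState, rstr, true, false);
                }
                else
                {
                    // NOTE(review): assumed to throw; if it returned, rstr would be null below — confirm.
                    base.StandardsManager.TrustDriver.OnRSTRorRSTRCMissingException();
                }
                incomingMessage.ReadFromBodyContentsToEnd(bodyReader);
            }

            if (rstr.Context != sspiState.Context)
            {
                throw TraceUtility.ThrowHelperError(new SecurityNegotiationException(System.ServiceModel.SR.GetString("BadSecurityNegotiationContext")), incomingMessage);
            }

            // Extract the service's SSPI blob, if the RSTR carries one.
            byte[] incomingBlob = null;
            BinaryNegotiation binaryNegotiation = rstr.GetBinaryNegotiation();
            if (binaryNegotiation != null)
            {
                this.ValidateIncomingBinaryNegotiation(binaryNegotiation);
                incomingBlob = binaryNegotiation.GetNegotiationData();
            }

            // No blob is only acceptable once SSPI reports the exchange complete.
            if (incomingBlob == null)
            {
                if (!sspiState.SspiNegotiation.IsCompleted)
                {
                    throw TraceUtility.ThrowHelperError(new SecurityNegotiationException(System.ServiceModel.SR.GetString("NoBinaryNegoToReceive")), incomingMessage);
                }
                this.OnNegotiationComplete(sspiState, rstr, authenticatorRstr);
                return null;
            }

            byte[] outgoingBlob = sspiState.SspiNegotiation.GetOutgoingBlob(incomingBlob, System.ServiceModel.Security.SecurityUtils.GetChannelBindingFromMessage(incomingMessage), null);
            if (outgoingBlob == null)
            {
                if (!sspiState.SspiNegotiation.IsCompleted)
                {
                    throw TraceUtility.ThrowHelperError(new SecurityNegotiationException(System.ServiceModel.SR.GetString("NoBinaryNegoToSend")), incomingMessage);
                }
                this.OnNegotiationComplete(sspiState, rstr, authenticatorRstr);
                return null;
            }
            return this.PrepareRstr(sspiState, outgoingBlob);
        }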
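        /// <summary>
        /// Processes one service leg of the SSPI negotiation: translates negotiation faults, reads the
        /// RSTR (or the RSTRC carrying the RSTR plus its authenticator), checks the negotiation context,
        /// feeds the service's blob to the SSPI context and either completes the negotiation or returns
        /// the body for the next client message.
        /// </summary>
        /// <param name="incomingMessage">Service reply; may be a SOAP fault, otherwise its body is read to the end.</param>
        /// <param name="sspiState">Negotiation state holding the expected context and the SSPI negotiation object.</param>
        /// <returns>Body for the next client message, or null once the negotiation is complete.</returns>
        /// <exception cref="SecurityNegotiationException">
        /// Sender fault from the service, missing or mismatched authenticator RSTR, context mismatch,
        /// or no binary negotiation data while the SSPI exchange is still in progress.
        /// </exception>
        protected override BodyWriter GetNextOutgoingMessageBody(Message incomingMessage, SspiNegotiationTokenProviderState sspiState)
        {
            try
            {
                ThrowIfFault(incomingMessage, this.TargetAddress);
            }
            catch (FaultException fault)
            {
                // Only sender faults are translated; anything else propagates unchanged.
                if (!fault.Code.IsSenderFault)
                {
                    throw;
                }
                // A sender fault need not carry a subcode; previously a missing one surfaced as
                // NullReferenceException instead of a failed negotiation.
                FaultCode subCode = fault.Code.SubCode;
                if (subCode != null && (subCode.Name == TrustApr2004Strings.FailedAuthenticationFaultCode || subCode.Name == TrustFeb2005Strings.FailedAuthenticationFaultCode))
                {
                    throw TraceUtility.ThrowHelperError(new SecurityNegotiationException(SR.GetString(SR.AuthenticationOfClientFailed), fault), incomingMessage);
                }
                throw TraceUtility.ThrowHelperError(new SecurityNegotiationException(SR.GetString(SR.FailedSspiNegotiation), fault), incomingMessage);
            }

            RequestSecurityTokenResponse negotiationRstr = null;
            RequestSecurityTokenResponse authenticatorRstr = null;
            using (XmlDictionaryReader bodyReader = incomingMessage.GetReaderAtBodyContents())
            {
                if (this.StandardsManager.TrustDriver.IsAtRequestSecurityTokenResponseCollection(bodyReader))
                {
                    // First element is the negotiation RSTR, second is the authenticator RSTR.
                    RequestSecurityTokenResponseCollection rstrCollection = this.StandardsManager.TrustDriver.CreateRequestSecurityTokenResponseCollection(bodyReader);
                    using (IEnumerator<RequestSecurityTokenResponse> enumerator = rstrCollection.RstrCollection.GetEnumerator())
                    {
                        enumerator.MoveNext();
                        negotiationRstr = enumerator.Current;
                        if (enumerator.MoveNext())
                        {
                            authenticatorRstr = enumerator.Current;
                        }
                    }
                    if (authenticatorRstr == null)
                    {
                        throw TraceUtility.ThrowHelperError(new SecurityNegotiationException(SR.GetString(SR.AuthenticatorNotPresentInRSTRCollection)), incomingMessage);
                    }
                    if (authenticatorRstr.Context != negotiationRstr.Context)
                    {
                        throw TraceUtility.ThrowHelperError(new SecurityNegotiationException(SR.GetString(SR.RSTRAuthenticatorHasBadContext)), incomingMessage);
                    }
                    AddToDigest(sspiState, negotiationRstr, true, true);
                }
                else if (this.StandardsManager.TrustDriver.IsAtRequestSecurityTokenResponse(bodyReader))
                {
                    negotiationRstr = RequestSecurityTokenResponse.CreateFrom(this.StandardsManager, bodyReader);
                    AddToDigest(sspiState, negotiationRstr, true, false);
                }
                else
                {
                    // NOTE(review): assumed to throw; if it returned, negotiationRstr would be null below — confirm.
                    this.StandardsManager.TrustDriver.OnRSTRorRSTRCMissingException();
                }
                incomingMessage.ReadFromBodyContentsToEnd(bodyReader);
            }

            if (negotiationRstr.Context != sspiState.Context)
            {
                throw TraceUtility.ThrowHelperError(new SecurityNegotiationException(SR.GetString(SR.BadSecurityNegotiationContext)), incomingMessage);
            }

            // Extract the service's SSPI blob, if the RSTR carries one.
            byte[] incomingBlob = null;
            BinaryNegotiation incomingBinaryNego = negotiationRstr.GetBinaryNegotiation();
            if (incomingBinaryNego != null)
            {
                ValidateIncomingBinaryNegotiation(incomingBinaryNego);
                incomingBlob = incomingBinaryNego.GetNegotiationData();
            }

            if (incomingBlob == null)
            {
                if (!sspiState.SspiNegotiation.IsCompleted)
                {
                    throw TraceUtility.ThrowHelperError(new SecurityNegotiationException(SR.GetString(SR.NoBinaryNegoToReceive)), incomingMessage);
                }
                // the incoming RSTR must have the negotiated token
                OnNegotiationComplete(sspiState, negotiationRstr, authenticatorRstr);
                return null;
            }

            // we got an incoming blob. Process it and see if there is an outgoing blob
            byte[] outgoingBlob = sspiState.SspiNegotiation.GetOutgoingBlob(incomingBlob,
                                                                            SecurityUtils.GetChannelBindingFromMessage(incomingMessage),
                                                                            null);
            if (outgoingBlob == null)
            {
                if (!sspiState.SspiNegotiation.IsCompleted)
                {
                    throw TraceUtility.ThrowHelperError(new SecurityNegotiationException(SR.GetString(SR.NoBinaryNegoToSend)), incomingMessage);
                }
                // the incoming RSTR had the last blob. It must have the token too
                this.OnNegotiationComplete(sspiState, negotiationRstr, authenticatorRstr);
                return null;
            }
            return PrepareRstr(sspiState, outgoingBlob);
        }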