SecurityTokenAuthenticator CreateTlsnegoSecurityTokenAuthenticator(RecipientServiceModelSecurityTokenRequirement recipientRequirement, bool requireClientCertificate, out SecurityTokenResolver sctResolver)
{
SecurityBindingElement securityBindingElement = recipientRequirement.SecurityBindingElement;
if (securityBindingElement == null)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgument(SR.GetString(SR.TokenAuthenticatorRequiresSecurityBindingElement, recipientRequirement));
}
bool isCookieMode = !recipientRequirement.SupportSecurityContextCancellation;
LocalServiceSecuritySettings localServiceSettings = securityBindingElement.LocalServiceSettings;
sctResolver = new SecurityContextSecurityTokenResolver(localServiceSettings.MaxCachedCookies, true);
TlsnegoTokenAuthenticator authenticator = new TlsnegoTokenAuthenticator();
authenticator.IsClientAnonymous = !requireClientCertificate;
if (requireClientCertificate)
{
authenticator.ClientTokenAuthenticator = this.CreateTlsnegoClientX509TokenAuthenticator(recipientRequirement);
authenticator.MapCertificateToWindowsAccount = this.ServiceCredentials.ClientCertificate.Authentication.MapClientCertificateToWindowsAccount;
}
authenticator.EncryptStateInServiceToken = isCookieMode;
authenticator.IssuedSecurityTokenParameters = recipientRequirement.GetProperty <SecurityTokenParameters>(ServiceModelSecurityTokenRequirement.IssuedSecurityTokenParametersProperty);
authenticator.IssuedTokenCache = (ISecurityContextSecurityTokenCache)sctResolver;
authenticator.IssuerBindingContext = recipientRequirement.GetProperty <BindingContext>(ServiceModelSecurityTokenRequirement.IssuerBindingContextProperty);
authenticator.ListenUri = recipientRequirement.ListenUri;
authenticator.SecurityAlgorithmSuite = recipientRequirement.SecurityAlgorithmSuite;
authenticator.StandardsManager = SecurityUtils.CreateSecurityStandardsManager(recipientRequirement, this);
authenticator.SecurityStateEncoder = parent.SecureConversationAuthentication.SecurityStateEncoder;
authenticator.KnownTypes = parent.SecureConversationAuthentication.SecurityContextClaimTypes;
authenticator.ServerTokenProvider = CreateTlsnegoServerX509TokenProvider(recipientRequirement);
// local security quotas
authenticator.MaximumCachedNegotiationState = localServiceSettings.MaxStatefulNegotiations;
authenticator.NegotiationTimeout = localServiceSettings.NegotiationTimeout;
authenticator.ServiceTokenLifetime = localServiceSettings.IssuedCookieLifetime;
authenticator.MaximumConcurrentNegotiations = localServiceSettings.MaxStatefulNegotiations;
// if the TLSNEGO is being done in mixed-mode, the nego blobs are from an anonymous client and so there size bound needs to be enforced.
if (securityBindingElement is TransportSecurityBindingElement)
{
authenticator.MaxMessageSize = SecurityUtils.GetMaxNegotiationBufferSize(authenticator.IssuerBindingContext);
}
// audit settings
authenticator.AuditLogLocation = recipientRequirement.AuditLogLocation;
authenticator.SuppressAuditFailure = recipientRequirement.SuppressAuditFailure;
authenticator.MessageAuthenticationAuditLevel = recipientRequirement.MessageAuthenticationAuditLevel;
return(authenticator);
}
private SecurityTokenAuthenticator CreateTlsnegoSecurityTokenAuthenticator(RecipientServiceModelSecurityTokenRequirement recipientRequirement, bool requireClientCertificate, out SecurityTokenResolver sctResolver)
{
SecurityBindingElement securityBindingElement = recipientRequirement.SecurityBindingElement;
if (securityBindingElement == null)
{
throw System.ServiceModel.DiagnosticUtility.ExceptionUtility.ThrowHelperArgument(System.ServiceModel.SR.GetString("TokenAuthenticatorRequiresSecurityBindingElement", new object[] { recipientRequirement }));
}
bool flag = !recipientRequirement.SupportSecurityContextCancellation;
LocalServiceSecuritySettings localServiceSettings = securityBindingElement.LocalServiceSettings;
sctResolver = new SecurityContextSecurityTokenResolver(localServiceSettings.MaxCachedCookies, true);
TlsnegoTokenAuthenticator authenticator = new TlsnegoTokenAuthenticator {
IsClientAnonymous = !requireClientCertificate
};
if (requireClientCertificate)
{
authenticator.ClientTokenAuthenticator = this.CreateTlsnegoClientX509TokenAuthenticator(recipientRequirement);
authenticator.MapCertificateToWindowsAccount = this.ServiceCredentials.ClientCertificate.Authentication.MapClientCertificateToWindowsAccount;
}
authenticator.EncryptStateInServiceToken = flag;
authenticator.IssuedSecurityTokenParameters = recipientRequirement.GetProperty <SecurityTokenParameters>(ServiceModelSecurityTokenRequirement.IssuedSecurityTokenParametersProperty);
authenticator.IssuedTokenCache = (ISecurityContextSecurityTokenCache)sctResolver;
authenticator.IssuerBindingContext = recipientRequirement.GetProperty <BindingContext>(ServiceModelSecurityTokenRequirement.IssuerBindingContextProperty);
authenticator.ListenUri = recipientRequirement.ListenUri;
authenticator.SecurityAlgorithmSuite = recipientRequirement.SecurityAlgorithmSuite;
authenticator.StandardsManager = System.ServiceModel.Security.SecurityUtils.CreateSecurityStandardsManager(recipientRequirement, this);
authenticator.SecurityStateEncoder = this.parent.SecureConversationAuthentication.SecurityStateEncoder;
authenticator.KnownTypes = this.parent.SecureConversationAuthentication.SecurityContextClaimTypes;
authenticator.ServerTokenProvider = this.CreateTlsnegoServerX509TokenProvider(recipientRequirement);
authenticator.MaximumCachedNegotiationState = localServiceSettings.MaxStatefulNegotiations;
authenticator.NegotiationTimeout = localServiceSettings.NegotiationTimeout;
authenticator.ServiceTokenLifetime = localServiceSettings.IssuedCookieLifetime;
authenticator.MaximumConcurrentNegotiations = localServiceSettings.MaxStatefulNegotiations;
if (securityBindingElement is TransportSecurityBindingElement)
{
authenticator.MaxMessageSize = System.ServiceModel.Security.SecurityUtils.GetMaxNegotiationBufferSize(authenticator.IssuerBindingContext);
}
authenticator.AuditLogLocation = recipientRequirement.AuditLogLocation;
authenticator.SuppressAuditFailure = recipientRequirement.SuppressAuditFailure;
authenticator.MessageAuthenticationAuditLevel = recipientRequirement.MessageAuthenticationAuditLevel;
return(authenticator);
}
private SecurityTokenAuthenticator CreateTlsnegoSecurityTokenAuthenticator(RecipientServiceModelSecurityTokenRequirement recipientRequirement, bool requireClientCertificate, out SecurityTokenResolver sctResolver)
{
SecurityBindingElement securityBindingElement = recipientRequirement.SecurityBindingElement;
if (securityBindingElement == null)
{
throw System.ServiceModel.DiagnosticUtility.ExceptionUtility.ThrowHelperArgument(System.ServiceModel.SR.GetString("TokenAuthenticatorRequiresSecurityBindingElement", new object[] { recipientRequirement }));
}
bool flag = !recipientRequirement.SupportSecurityContextCancellation;
LocalServiceSecuritySettings localServiceSettings = securityBindingElement.LocalServiceSettings;
sctResolver = new SecurityContextSecurityTokenResolver(localServiceSettings.MaxCachedCookies, true);
TlsnegoTokenAuthenticator authenticator = new TlsnegoTokenAuthenticator {
IsClientAnonymous = !requireClientCertificate
};
if (requireClientCertificate)
{
authenticator.ClientTokenAuthenticator = this.CreateTlsnegoClientX509TokenAuthenticator(recipientRequirement);
authenticator.MapCertificateToWindowsAccount = this.ServiceCredentials.ClientCertificate.Authentication.MapClientCertificateToWindowsAccount;
}
authenticator.EncryptStateInServiceToken = flag;
authenticator.IssuedSecurityTokenParameters = recipientRequirement.GetProperty<SecurityTokenParameters>(ServiceModelSecurityTokenRequirement.IssuedSecurityTokenParametersProperty);
authenticator.IssuedTokenCache = (ISecurityContextSecurityTokenCache) sctResolver;
authenticator.IssuerBindingContext = recipientRequirement.GetProperty<BindingContext>(ServiceModelSecurityTokenRequirement.IssuerBindingContextProperty);
authenticator.ListenUri = recipientRequirement.ListenUri;
authenticator.SecurityAlgorithmSuite = recipientRequirement.SecurityAlgorithmSuite;
authenticator.StandardsManager = System.ServiceModel.Security.SecurityUtils.CreateSecurityStandardsManager(recipientRequirement, this);
authenticator.SecurityStateEncoder = this.parent.SecureConversationAuthentication.SecurityStateEncoder;
authenticator.KnownTypes = this.parent.SecureConversationAuthentication.SecurityContextClaimTypes;
authenticator.ServerTokenProvider = this.CreateTlsnegoServerX509TokenProvider(recipientRequirement);
authenticator.MaximumCachedNegotiationState = localServiceSettings.MaxStatefulNegotiations;
authenticator.NegotiationTimeout = localServiceSettings.NegotiationTimeout;
authenticator.ServiceTokenLifetime = localServiceSettings.IssuedCookieLifetime;
authenticator.MaximumConcurrentNegotiations = localServiceSettings.MaxStatefulNegotiations;
if (securityBindingElement is TransportSecurityBindingElement)
{
authenticator.MaxMessageSize = System.ServiceModel.Security.SecurityUtils.GetMaxNegotiationBufferSize(authenticator.IssuerBindingContext);
}
authenticator.AuditLogLocation = recipientRequirement.AuditLogLocation;
authenticator.SuppressAuditFailure = recipientRequirement.SuppressAuditFailure;
authenticator.MessageAuthenticationAuditLevel = recipientRequirement.MessageAuthenticationAuditLevel;
return authenticator;
}
SecurityTokenAuthenticator CreateTlsnegoSecurityTokenAuthenticator(RecipientServiceModelSecurityTokenRequirement recipientRequirement, bool requireClientCertificate, out SecurityTokenResolver sctResolver)
{
SecurityBindingElement securityBindingElement = recipientRequirement.SecurityBindingElement;
if (securityBindingElement == null)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgument(SR.GetString(SR.TokenAuthenticatorRequiresSecurityBindingElement, recipientRequirement));
}
bool isCookieMode = !recipientRequirement.SupportSecurityContextCancellation;
LocalServiceSecuritySettings localServiceSettings = securityBindingElement.LocalServiceSettings;
sctResolver = new SecurityContextSecurityTokenResolver(localServiceSettings.MaxCachedCookies, true);
TlsnegoTokenAuthenticator authenticator = new TlsnegoTokenAuthenticator();
authenticator.IsClientAnonymous = !requireClientCertificate;
if (requireClientCertificate)
{
authenticator.ClientTokenAuthenticator = this.CreateTlsnegoClientX509TokenAuthenticator(recipientRequirement);
authenticator.MapCertificateToWindowsAccount = this.ServiceCredentials.ClientCertificate.Authentication.MapClientCertificateToWindowsAccount;
}
authenticator.EncryptStateInServiceToken = isCookieMode;
authenticator.IssuedSecurityTokenParameters = recipientRequirement.GetProperty<SecurityTokenParameters>(ServiceModelSecurityTokenRequirement.IssuedSecurityTokenParametersProperty);
authenticator.IssuedTokenCache = (ISecurityContextSecurityTokenCache)sctResolver;
authenticator.IssuerBindingContext = recipientRequirement.GetProperty<BindingContext>(ServiceModelSecurityTokenRequirement.IssuerBindingContextProperty);
authenticator.ListenUri = recipientRequirement.ListenUri;
authenticator.SecurityAlgorithmSuite = recipientRequirement.SecurityAlgorithmSuite;
authenticator.StandardsManager = SecurityUtils.CreateSecurityStandardsManager(recipientRequirement, this);
authenticator.SecurityStateEncoder = parent.SecureConversationAuthentication.SecurityStateEncoder;
authenticator.KnownTypes = parent.SecureConversationAuthentication.SecurityContextClaimTypes;
authenticator.ServerTokenProvider = CreateTlsnegoServerX509TokenProvider(recipientRequirement);
// local security quotas
authenticator.MaximumCachedNegotiationState = localServiceSettings.MaxStatefulNegotiations;
authenticator.NegotiationTimeout = localServiceSettings.NegotiationTimeout;
authenticator.ServiceTokenLifetime = localServiceSettings.IssuedCookieLifetime;
authenticator.MaximumConcurrentNegotiations = localServiceSettings.MaxStatefulNegotiations;
// if the TLSNEGO is being done in mixed-mode, the nego blobs are from an anonymous client and so there size bound needs to be enforced.
if (securityBindingElement is TransportSecurityBindingElement)
{
authenticator.MaxMessageSize = SecurityUtils.GetMaxNegotiationBufferSize(authenticator.IssuerBindingContext);
}
// audit settings
authenticator.AuditLogLocation = recipientRequirement.AuditLogLocation;
authenticator.SuppressAuditFailure = recipientRequirement.SuppressAuditFailure;
authenticator.MessageAuthenticationAuditLevel = recipientRequirement.MessageAuthenticationAuditLevel;
return authenticator;
}
