// Applies authentication for requests where credentials are passed directly in the HTTP headers.
private SecurityPrincipal AuthenticateCachedCredentials(string authenticationToken)
{
string username, password;
if ((object)authenticationToken == null)
{
return(null);
}
// Get the user's credentials from the credential cache
if (!SessionHandler.TryGetCachedCredentials(authenticationToken, out username, out password))
{
return(null);
}
// Create the security provider that will authenticate the user's credentials
ISecurityProvider securityProvider = SecurityProviderCache.CreateProvider(username, autoRefresh: false);
securityProvider.Password = password;
securityProvider.Authenticate();
// Return the security principal that will be used for role-based authorization
SecurityIdentity securityIdentity = new SecurityIdentity(securityProvider);
return(new SecurityPrincipal(securityIdentity));
}
public ActionConfirmation ValidateUser(UserDto userToValidate)
{
Person user;
try
{
_securityProvider.Authenticate(userToValidate.UserName, userToValidate.Password);
if (!_securityProvider.IsAuthenticated)
{
return(ActionConfirmation.CreateFailureConfirmation("Invalid network user name or password"));
}
user = _personRepository.GetByUserName(userToValidate.UserName);
if (user == null)
{
return(ActionConfirmation.CreateFailureConfirmation("User not found"));
}
return(ActionConfirmation.CreateSuccessConfirmation(""));
}
catch (InvalidPasswordException)
{
return(ActionConfirmation.CreateFailureConfirmation("Invalid network user name or password"));
}
catch (NetworkUserNotFoundException)
{
return(ActionConfirmation.CreateFailureConfirmation("Invalid Network User Name or Password"));
}
catch (Exception ex)
{
throw new Exception("Encountered an error while attempting to validate username and password", ex);
}
}
/// <summary>
/// Refreshes the provider managed by this <see cref="CacheContext"/>.
/// </summary>
public bool Refresh()
{
try
{
ISecurityProvider provider = _Provider;
if ((object)provider == null)
{
return(false);
}
if (provider.CanRefreshData)
{
provider.RefreshData();
}
provider.Authenticate();
LastRefreshTime = DateTime.UtcNow;
return(true);
}
catch (ObjectDisposedException)
{
m_disposed = true;
return(false);
}
}
/// <summary>
/// Changes user password.
/// </summary>
/// <param name="sender">Source of this event.</param>
/// <param name="e">Arguments of this event.</param>
protected void ChangeButton_Click(object sender, EventArgs e)
{
try
{
// Initialize the security provider.
ISecurityProvider provider = SecurityProviderUtility.CreateProvider(ChangePasswordUsername.Text);
if (provider.CanChangePassword)
{
// Attempt to change password.
if (provider.ChangePassword(ChangePasswordOldPassword.Text, ChangePasswordNewPassword.Text))
{
// Password changed successfully.
if (provider.Authenticate(ChangePasswordNewPassword.Text))
{
// Password authenticated successfully.
SecurityProviderCache.CurrentProvider = provider;
Response.Redirect(GetReferrerUrl(), false);
}
else
{
// Show why authentication failed.
if (!ShowFailureReason(provider))
{
ShowMessage("Authentication was not successful.", true);
}
}
}
else
{
// Show why password change failed.
if (!ShowFailureReason(provider))
{
ShowMessage("Password change was not successful.", true);
}
}
}
else
{
// Changing password is not supported.
ShowMessage("Account does not support password change.", true);
}
}
catch (SecurityException ex)
{
// Show security related error messages.
ShowMessage(ex.Message.EnsureEnd('.'), true);
}
catch (Exception ex)
{
// Show ambiguous message for other errors.
ShowMessage("Password change failed due to an unexpected error.", true);
System.Diagnostics.Trace.WriteLine(string.Format("Password change error: \r\n {0}", ex));
}
finally
{
ChangePasswordOldPassword.Focus();
}
}
private void SecureForm_Load(object sender, EventArgs e)
{
try
{
// Don't proceed if the form is opened in design mode
if (DesignMode)
{
return;
}
// Check if the resource is excluded from being secured
string resource = GetResourceName();
if (!SecurityProviderUtility.IsResourceSecurable(resource))
{
return;
}
// Set up security provider for passthrough authentication
ISecurityProvider securityProvider = SecurityProviderCache.CreateProvider(WindowsIdentity.GetCurrent().Name);
securityProvider.PassthroughPrincipal = new WindowsPrincipal(WindowsIdentity.GetCurrent());
securityProvider.Authenticate();
// Setup the security principal for role-based security
SecurityIdentity securityIdentity = new SecurityIdentity(securityProvider);
SecurityPrincipal = new SecurityPrincipal(securityIdentity);
// Verify that the current thread principal has been authenticated
if (!SecurityPrincipal.Identity.IsAuthenticated)
{
throw new SecurityException($"Authentication failed for user '{SecurityPrincipal.Identity.Name}'");
}
// Perform a top-level permission check on the resource being accessed
if (!SecurityProviderUtility.IsResourceAccessible(resource, SecurityPrincipal))
{
throw new SecurityException($"Access to '{resource}' is denied");
}
// Set up the current thread principal
// NOTE: Provided for backwards compatibility;
// recommended to use the SecurityPrincipal instead
Thread.CurrentPrincipal = SecurityPrincipal;
}
catch (Exception ex)
{
if (ExceptionHandler is null)
{
throw;
}
ExceptionHandler(ex);
}
}
/// <summary>
/// Authenticates a user and caches the security context upon successful authentication for subsequent use.
/// </summary>
/// <param name="username">Username of the user.</param>
/// <param name="password">Password of the user.</param>
/// <returns>An <see cref="UserData"/> object of the user.</returns>
public UserData Authenticate(string username, string password)
{
ISecurityProvider provider = SecurityProviderUtility.CreateProvider(username);
if (provider.Authenticate(password))
{
SecurityProviderCache.CurrentProvider = provider;
}
return(provider.UserData);
}
private void ValidateCurrentProvider()
{
if (CurrentProvider == null)
{
ISecurityProvider securityProvider = SecurityProviderCache.CreateProvider(Thread.CurrentPrincipal.Identity.Name);
securityProvider.PassthroughPrincipal = Thread.CurrentPrincipal;
securityProvider.Authenticate();
SecurityIdentity securityIdentity = new SecurityIdentity(securityProvider);
Thread.CurrentPrincipal = new SecurityPrincipal(securityIdentity);
}
}
/// <summary>
/// Authenticates a user and caches the security context upon successful authentication for subsequent use.
/// </summary>
/// <param name="username">Username of the user.</param>
/// <param name="password">Password of the user.</param>
/// <returns>An <see cref="UserData"/> object of the user.</returns>
public UserData Authenticate(string username, string password)
{
ISecurityProvider securityProvider = SecurityProviderUtility.CreateProvider(username);
securityProvider.Password = password;
if (securityProvider.Authenticate())
{
SecurityIdentity securityIdentity = new SecurityIdentity(securityProvider);
Thread.CurrentPrincipal = new SecurityPrincipal(securityIdentity);
}
return(securityProvider.UserData);
}
/// <summary>
/// Refreshes the provider managed by this <see cref="CacheContext"/>.
/// </summary>
public bool Refresh()
{
ISecurityProvider provider = Provider;
if ((object)provider == null)
{
return(false);
}
provider.RefreshData();
provider.Authenticate();
m_lastRefreshTime = DateTime.UtcNow;
return(true);
}
/// <summary>
/// The authenticate.
/// </summary>
/// <param name="credentials">
/// The user credentials.
/// </param>
/// <param name="flags">the flags</param>
/// <returns>
/// The auth payload
/// </returns>
internal static AuthPayload Authenticate(SecurityCredentials credentials, HashSet <string> flags = null)
{
AuthPayload result = null;
if (authorizers.ContainsKey(credentials.SecurityProviderName) == true)
{
ISecurityProvider securityProvider = authorizers[credentials.SecurityProviderName];
result = securityProvider.Authenticate(credentials, flags);
}
else
{
Log.Warn("Unregistered security provider was specified: {0}", credentials.SecurityProviderName);
}
return(result);
}
/// <summary>
/// Attempts to reauthenticate the current thread principal
/// after their provider has been removed from the cache.
/// </summary>
/// <returns>True if the user successfully reauthenticated; false otherwise.</returns>
public static bool ReauthenticateCurrentPrincipal()
{
IPrincipal currentPrincipal;
SecurityIdentity identity;
ISecurityProvider provider = null;
string password = null;
bool authenticated;
currentPrincipal = Thread.CurrentPrincipal;
if ((object)currentPrincipal == null)
{
return(false);
}
identity = currentPrincipal.Identity as SecurityIdentity;
if ((object)identity != null)
{
provider = identity.Provider;
}
if ((object)provider != null)
{
password = provider.Password;
}
// Reset the current principal
WindowsIdentity currentIdentity = WindowsIdentity.GetCurrent();
if ((object)currentIdentity != null)
{
Thread.CurrentPrincipal = new WindowsPrincipal(currentIdentity);
}
// Create a new provider associated with current identity
provider = SecurityProviderUtility.CreateProvider(currentPrincipal.Identity.Name);
// Re-authenticate user
authenticated = provider.Authenticate(password);
// Re-cache current provider for user
CurrentProvider = provider;
return(authenticated);
}
public async Task <ActionResult> Authenticate(AuthenticateModel authModel)
{
var authInfo = await _securityProvider.Authenticate(authModel.Email, authModel.Password);
if (!authInfo.Result.Succeeded)
{
return(BadRequest(new IdentityError
{
Code = "InvalidCredentials",
Description = "Invalid email or password."
}));
}
return(Ok(new AuthResultModel
{
User = _mapper.Map <UserModel>(authInfo.User),
Token = authInfo.Token
}));
}
// Applies authentication for requests where credentials are passed directly in the HTTP headers.
private SecurityPrincipal AuthenticateBasic(string credentials)
{
string username, password;
// Get the user's credentials from the HTTP headers
if (!TryParseCredentials(credentials, out username, out password))
{
return(null);
}
// Create the security provider that will authenticate the user's credentials
ISecurityProvider securityProvider = SecurityProviderCache.CreateProvider(username, autoRefresh: false);
securityProvider.Password = password;
securityProvider.Authenticate();
// Return the security principal that will be used for role-based authorization
SecurityIdentity securityIdentity = new SecurityIdentity(securityProvider);
return(new SecurityPrincipal(securityIdentity));
}
private ActionResult ValidateAdminRequest()
{
string username = HttpContext.User.Identity.Name;
ISecurityProvider securityProvider = SecurityProviderUtility.CreateProvider(username);
securityProvider.PassthroughPrincipal = HttpContext.User;
if (!securityProvider.Authenticate())
{
return(new HttpStatusCodeResult(HttpStatusCode.Forbidden));
}
SecurityIdentity approverIdentity = new SecurityIdentity(securityProvider);
SecurityPrincipal approverPrincipal = new SecurityPrincipal(approverIdentity);
if (!approverPrincipal.IsInRole("Administrator"))
{
return(new HttpStatusCodeResult(HttpStatusCode.Forbidden));
}
return(null);
}
// Applies authentication for requests using Windows pass-through authentication.
public static SecurityPrincipal AuthenticatePassthrough(IPrincipal user)
{
string username = user?.Identity.Name;
if ((object)username == null)
{
return(null);
}
// Get the principal used for verifying the user's pass-through authentication
IPrincipal passthroughPrincipal = user;
// Create the security provider that will verify the user's pass-through authentication
ISecurityProvider securityProvider = SecurityProviderCache.CreateProvider(username, passthroughPrincipal, false);
securityProvider.Authenticate();
// Return the security principal that will be used for role-based authorization
SecurityIdentity securityIdentity = new SecurityIdentity(securityProvider);
return(new SecurityPrincipal(securityIdentity));
}
private void Application_PreRequestHandlerExecute(object sender, EventArgs e)
{
// Check if access to resource is to be secured.
string resource = GetResourceName();
if (!IsAccessSecured(resource))
{
return;
}
SecurityPrincipal securityPrincipal = Thread.CurrentPrincipal as SecurityPrincipal;
if ((object)securityPrincipal == null)
{
ISecurityProvider securityProvider = SecurityProviderCache.CreateProvider(Thread.CurrentPrincipal.Identity.Name);
securityProvider.PassthroughPrincipal = Thread.CurrentPrincipal;
securityProvider.Authenticate();
SecurityIdentity securityIdentity = new SecurityIdentity(securityProvider);
securityPrincipal = new SecurityPrincipal(securityIdentity);
Thread.CurrentPrincipal = securityPrincipal;
}
if (!m_application.User.Identity.IsAuthenticated)
{
// Failed to authenticate user.
Redirect(HttpStatusCode.Unauthorized);
}
if (IsAccessRestricted() ||
!SecurityProviderUtility.IsResourceAccessible(resource, securityPrincipal))
{
// User does not have access to the resource.
Redirect(HttpStatusCode.Forbidden);
}
}
public void Configuration(IAppBuilder app)
{
app.Use((context, next) =>
{
context.Response.Headers.Remove("Server");
return(next.Invoke());
});
app.UseStageMarker(PipelineStage.PostAcquireState);
// Modify the JSON serializer to serialize dates as UTC - otherwise, timezone will not be appended
// to date strings and browsers will select whatever timezone suits them
JsonSerializerSettings settings = JsonUtility.CreateDefaultSerializerSettings();
settings.DateTimeZoneHandling = DateTimeZoneHandling.Utc;
JsonSerializer serializer = JsonSerializer.Create(settings);
GlobalHost.DependencyResolver.Register(typeof(JsonSerializer), () => serializer);
// Load security hub in application domain before establishing SignalR hub configuration
using (new SecurityHub()) { }
// Enable GSF role-based security authentication w/o Logon Page
// Configuration Windows Authentication for self-hosted web service
HttpListener listener = (HttpListener)app.Properties["System.Net.HttpListener"];
listener.AuthenticationSchemeSelectorDelegate = AuthenticationSchemeForClient;
app.Use((context, next) =>
{
string username = context.Request.User?.Identity.Name;
if ((object)username == null)
{
return(null);
}
// Get the principal used for verifying the user's pass-through authentication
IPrincipal passthroughPrincipal = context.Request.User;
// Create the security provider that will verify the user's pass-through authentication
ISecurityProvider securityProvider = SecurityProviderCache.CreateProvider(username, passthroughPrincipal, false);
securityProvider.Authenticate();
// Return the security principal that will be used for role-based authorization
SecurityIdentity securityIdentity = new SecurityIdentity(securityProvider);
context.Request.User = new SecurityPrincipal(securityIdentity);
return(next.Invoke());
});
HubConfiguration hubConfig = new HubConfiguration();
HttpConfiguration httpConfig = new HttpConfiguration();
// Enabled detailed client errors
hubConfig.EnableDetailedErrors = true;
// Enable GSF session management
//httpConfig.EnableSessions(AuthenticationOptions);
// Enable GSF role-based security authentication with Logon Page
//app.UseAuthentication(AuthenticationOptions);
string allowedDomainList = ConfigurationFile.Current.Settings["systemSettings"]["AllowedDomainList"]?.Value;
if (allowedDomainList == "*")
{
app.UseCors(CorsOptions.AllowAll);
}
else if ((object)allowedDomainList != null)
{
httpConfig.EnableCors(new System.Web.Http.Cors.EnableCorsAttribute(allowedDomainList, "*", "*"));
}
// Load ServiceHub SignalR class
app.MapSignalR(hubConfig);
// Set configuration to use reflection to setup routes
httpConfig.MapHttpAttributeRoutes(new CustomDirectRouteProvider());
// Load the WebPageController class and assign its routes
app.UseWebApi(httpConfig);
// Setup resolver for web page controller instances
app.UseWebPageController(WebServer.Default, Program.Host.DefaultWebPage, Program.Host.Model, typeof(AppModel) /*, AuthenticationOptions*/);
httpConfig.IncludeErrorDetailPolicy = IncludeErrorDetailPolicy.Always;
// Check for configuration issues before first request
httpConfig.EnsureInitialized();
}
/// <summary>
/// Logins the user.
/// </summary>
/// <param name="sender">Source of this event.</param>
/// <param name="e">Arguments of this event.</param>
protected void LoginButton_Click(object sender, EventArgs e)
{
try
{
// Initialize the security provider.
ISecurityProvider provider = SecurityProviderUtility.CreateProvider(LoginUsername.Text);
if (provider.Authenticate(LoginPassword.Text))
{
// Credentials were authenticated successfully.
SecurityProviderCache.CurrentProvider = provider;
if (RememberUsername.Checked)
{
Response.Cookies[CookieName][UsernameKey] = LoginUsername.Text;
Response.Cookies[CookieName].Expires = DateTime.Now.AddYears(1);
}
else
{
Response.Cookies[CookieName][UsernameKey] = string.Empty;
Response.Cookies[CookieName].Expires = DateTime.Now.AddYears(-1);
}
// Redirect to the referring page.
Response.Redirect(GetReferrerUrl(), false);
}
else
{
// Check why authentication failed.
if (provider.UserData.PasswordChangeDateTime != DateTime.MinValue &&
provider.UserData.PasswordChangeDateTime <= DateTime.UtcNow)
{
// User must change password.
if (provider.CanChangePassword)
{
Response.Redirect(GetRedirectUrl(PasswordChangeStatusCode), false);
}
else
{
ShowMessage("Account password has expired.", true);
}
}
else
{
// Show why login failed.
if (!ShowFailureReason(provider))
{
ShowMessage("Authentication was not successful.", true);
}
}
}
}
catch (SecurityException ex)
{
// Show security related error messages.
ShowMessage(ex.Message.EnsureEnd('.'), true);
}
catch (Exception ex)
{
// Show ambiguous message for other errors.
ShowMessage("Login failed due to an unexpected error.", true);
System.Diagnostics.Trace.WriteLine(string.Format("Login error: \r\n {0}", ex));
}
finally
{
LoginPassword.Focus();
}
}
private void SecureWindow_Initialized(object sender, EventArgs e)
{
// Don't proceed if the window is opened in design mode
if (DesignerProperties.GetIsInDesignMode(this))
{
return;
}
// Check if the resource is excluded from being secured
string resource = GetResourceName();
if (ResourceAccessiblity != ResourceAccessiblityMode.AlwaysIncluded &&
(ResourceAccessiblity == ResourceAccessiblityMode.AlwaysExcluded ||
!SecurityProviderUtility.IsResourceSecurable(resource)))
{
return;
}
try
{
// Setup the security provider for role-based security
ISecurityProvider securityProvider = SecurityProviderCache.CreateProvider(WindowsIdentity.GetCurrent().Name);
securityProvider.PassthroughPrincipal = new WindowsPrincipal(WindowsIdentity.GetCurrent());
securityProvider.Authenticate();
SecurityIdentity securityIdentity = new SecurityIdentity(securityProvider);
SecurityPrincipal = new SecurityPrincipal(securityIdentity);
}
catch (Exception ex)
{
ShowSecurityDialog(DisplayType.AccessDenied, "Error loading security provider: " + ex.Message);
return;
}
// Verify that the security principal has been authenticated
if (!SecurityPrincipal.Identity.IsAuthenticated || ForceLoginDisplay)
{
ISecurityProvider securityProvider = SecurityPrincipal.Identity.Provider;
// See if user's password has expired
if (securityProvider.UserData.IsDefined && securityProvider.UserData.PasswordChangeDateTime <= DateTime.UtcNow)
{
ShowSecurityDialog(DisplayType.ChangePassword, string.Format("Your password has expired. {0} You must change your password to continue.", securityProvider.AuthenticationFailureReason));
}
else
{
ShowSecurityDialog(DisplayType.Login);
}
}
// Perform a top-level permission check on the resource being accessed
if (!string.IsNullOrEmpty(resource))
{
// Stay in a dialog display loop until either access to resource is available or user exits
while (!m_shutdownRequested && !IsResourceAccessible(resource))
{
// Access to resource is denied
ShowSecurityDialog(DisplayType.AccessDenied);
}
}
}
/// <summary>
/// Attempts to change user's password.
/// </summary>
/// <param name="sender">Source of this event.</param>
/// <param name="e">Arguments of this event.</param>
private void ButtonChange_Click(object sender, RoutedEventArgs e)
{
try
{
// Check if old and new password are different
if (TextBoxOldPassword.Password == TextBoxNewPassword.Password)
{
throw new Exception("New password cannot be same as old password.");
}
// Check is new password and confirm password are same
if (TextBoxNewPassword.Password != TextBoxConfirmPassword.Password)
{
throw new Exception("New password and confirm password should be same.");
}
ISecurityProvider securityProvider = SecurityProviderCache.CreateProvider(TextBoxChangePasswordUserName.Text);
securityProvider.SecurePassword = TextBoxNewPassword.SecurePassword;
if (securityProvider.CanChangePassword)
{
// Attempt to change password
if (securityProvider.ChangePassword(TextBoxOldPassword.Password, TextBoxNewPassword.Password) &&
securityProvider.Authenticate())
{
// Password changed and authenticated successfully
DisplayErrorMessage("Password changed successfully.");
// Setup security principal for subsequent uses
SecurityIdentity securityIdentity = new SecurityIdentity(securityProvider);
SecurityPrincipal = new SecurityPrincipal(securityIdentity);
ClearErrorMessage();
ExitSuccess = true;
}
else
{
// Show why password change failed
if (!ShowFailureReason(securityProvider))
{
if (!securityProvider.IsUserAuthenticated)
{
DisplayErrorMessage("Authentication was not successful.");
}
else
{
DisplayErrorMessage("Password change was not successful.");
}
if (string.IsNullOrWhiteSpace(TextBoxChangePasswordUserName.Text))
{
TextBoxChangePasswordUserName.Focus();
}
else
{
TextBoxOldPassword.Focus();
}
}
}
}
else
{
DisplayErrorMessage("Account does not support password change.");
}
}
catch (Exception ex)
{
DisplayErrorMessage("Change password failed: " + ex.Message);
TextBoxOldPassword.Focus();
}
}
/// <summary>
/// Evaluates the <paramref name="evaluationContext"/> and initializes security.
/// </summary>
/// <param name="evaluationContext">An <see cref="EvaluationContext"/> object.</param>
/// <param name="state">Custom state of the <see cref="SecurityPolicy"/>.</param>
/// <returns></returns>
public virtual bool Evaluate(EvaluationContext evaluationContext, ref object state)
{
// In order for this to work properly security on the binding must be configured to use windows security.
// When this is done the caller's windows identity is available to us here and can be used to derive from
// it the security principal that can be used by WCF service code downstream for implementing security.
object property;
if (evaluationContext.Properties.TryGetValue("Identities", out property))
{
// Extract and assign the caller's windows identity to current thread if available.
IList <IIdentity> identities = property as List <IIdentity>;
if ((object)identities == null)
{
throw new SecurityException(string.Format("Null Identities in Evaluation Context for '{0}'", Thread.CurrentPrincipal.Identity));
}
foreach (IIdentity identity in identities)
{
if (identity is WindowsIdentity)
{
Thread.CurrentPrincipal = new WindowsPrincipal((WindowsIdentity)identity);
break;
}
}
}
string resource = GetResourceName();
if (SecurityProviderUtility.IsResourceSecurable(resource))
{
// Initialize the security principal from caller's windows identity if uninitialized.
ISecurityProvider securityProvider = SecurityProviderCache.CreateProvider(Thread.CurrentPrincipal.Identity.Name);
securityProvider.PassthroughPrincipal = Thread.CurrentPrincipal;
securityProvider.Authenticate();
// Set up the security principal to provide role-based security.
SecurityIdentity securityIdentity = new SecurityIdentity(securityProvider);
Thread.CurrentPrincipal = new SecurityPrincipal(securityIdentity);
// Setup the principal to be attached to the thread on which WCF service will execute.
evaluationContext.Properties["Principal"] = Thread.CurrentPrincipal;
// Verify that the current thread principal has been authenticated.
if (!Thread.CurrentPrincipal.Identity.IsAuthenticated)
{
throw new SecurityException(string.Format("Authentication failed for user '{0}'", Thread.CurrentPrincipal.Identity.Name));
}
// Perform a top-level permission check on the resource being accessed.
if (!SecurityProviderUtility.IsResourceAccessible(resource, Thread.CurrentPrincipal))
{
throw new SecurityException(string.Format("Access to '{0}' is denied", resource));
}
return(true);
}
// Setup the principal to be attached to the thread on which WCF service will execute.
evaluationContext.Properties["Principal"] = Thread.CurrentPrincipal;
return(true);
}
