internal static bool TryCreate(SecurityBindingElement sbe, TransportBindingElement transport, PrivacyNoticeBindingElement privacy, ReliableSessionBindingElement rsbe, TransactionFlowBindingElement tfbe, out Binding binding) { WSFederationHttpSecurityMode mode; WSFederationHttpSecurity security2; bool isReliableSession = rsbe != null; binding = null; HttpTransportSecurity transportSecurity = new HttpTransportSecurity(); if (!WSFederationHttpBinding.GetSecurityModeFromTransport(transport, transportSecurity, out mode)) { return false; } HttpsTransportBindingElement element = transport as HttpsTransportBindingElement; if (((element != null) && (element.MessageSecurityVersion != null)) && (element.MessageSecurityVersion.SecurityPolicyVersion != WS2007MessageSecurityVersion.SecurityPolicyVersion)) { return false; } if (TryCreateSecurity(sbe, mode, transportSecurity, isReliableSession, out security2)) { binding = new WS2007FederationHttpBinding(security2, privacy, isReliableSession); } if ((rsbe != null) && (rsbe.ReliableMessagingVersion != ReliableMessagingVersion.WSReliableMessaging11)) { return false; } if ((tfbe != null) && (tfbe.TransactionProtocol != TransactionProtocol.WSAtomicTransaction11)) { return false; } return (binding != null); }
protected virtual SecurityBindingElement ApplyMessageSecurity(SecurityBindingElement securityBindingElement) { if (securityBindingElement == null) { throw new ArgumentNullException("securityBindingElement"); } if (TrustVersion.WSTrustFeb2005 == _trustVersion) { securityBindingElement.MessageSecurityVersion = MessageSecurityVersion.WSSecurity11WSTrustFebruary2005WSSecureConversationFebruary2005WSSecurityPolicy11BasicSecurityProfile10; } else { securityBindingElement.MessageSecurityVersion = MessageSecurityVersion.WSSecurity11WSTrust13WSSecureConversation13WSSecurityPolicy12BasicSecurityProfile10; } if (_enableRsaProofKeys) { RsaSecurityTokenParameters item = new RsaSecurityTokenParameters { InclusionMode = SecurityTokenInclusionMode.Never, RequireDerivedKeys = false }; securityBindingElement.OptionalEndpointSupportingTokenParameters.Endorsing.Add(item); } return securityBindingElement; }
internal static bool TryCreate(SecurityBindingElement sbe, out MessageSecurityOverMsmq messageSecurity) { MessageCredentialType none; messageSecurity = null; if (sbe == null) { return false; } SymmetricSecurityBindingElement element = sbe as SymmetricSecurityBindingElement; if (element == null) { return false; } if ((sbe.MessageSecurityVersion != MessageSecurityVersion.WSSecurity11WSTrustFebruary2005WSSecureConversationFebruary2005WSSecurityPolicy11BasicSecurityProfile10) && (sbe.MessageSecurityVersion != MessageSecurityVersion.WSSecurity11WSTrustFebruary2005WSSecureConversationFebruary2005WSSecurityPolicy11)) { return false; } if (element.IncludeTimestamp) { return false; } bool flag = false; if (SecurityBindingElement.IsAnonymousForCertificateBinding(sbe)) { none = MessageCredentialType.None; } else if (SecurityBindingElement.IsUserNameForCertificateBinding(sbe)) { none = MessageCredentialType.UserName; } else if (SecurityBindingElement.IsMutualCertificateBinding(sbe)) { none = MessageCredentialType.Certificate; } else if (SecurityBindingElement.IsKerberosBinding(sbe)) { none = MessageCredentialType.Windows; flag = true; } else { IssuedSecurityTokenParameters parameters; if (!SecurityBindingElement.IsIssuedTokenForCertificateBinding(sbe, out parameters)) { return false; } if (!IssuedSecurityTokenParameters.IsInfoCardParameters(parameters, new SecurityStandardsManager(sbe.MessageSecurityVersion, new WSSecurityTokenSerializer(sbe.MessageSecurityVersion.SecurityVersion, sbe.MessageSecurityVersion.TrustVersion, sbe.MessageSecurityVersion.SecureConversationVersion, true, null, null, null)))) { return false; } none = MessageCredentialType.IssuedToken; } messageSecurity = new MessageSecurityOverMsmq(); messageSecurity.ClientCredentialType = none; if ((none != MessageCredentialType.IssuedToken) && !flag) { messageSecurity.AlgorithmSuite = element.DefaultAlgorithmSuite; } return true; }
private void Initialize() { _securityBindingElement = CreateSecurityBindingElement(); _textEncodingBindingElement = CreateTextEncodingBindingElement(); //_httpsTransportBindingElement = CreateHttpsTransportBindingElement(); _httpTransportBindingElement = CreateHttpTransportBindingElement(); }
public SpnegoTokenProvider(System.IdentityModel.SafeFreeCredentials credentialsHandle, SecurityBindingElement securityBindingElement) : base(securityBindingElement) { this.allowedImpersonationLevel = TokenImpersonationLevel.Identification; this.identityVerifier = System.ServiceModel.Security.IdentityVerifier.CreateDefault(); this.allowNtlm = true; this.authenticateServer = true; this.interactiveNegoExLogonEnabled = true; this.credentialsHandle = credentialsHandle; }
private void Initialize() { _securityBindingElement = CreateSecurityBindingElement(); _reliableSessionBindingElement = CreateReliableSessionBindingElement(); _mtomEncodingBindingElement = CreateMtomEncodingBindingElement(); _httpsTransportBindingElement = CreateHttpsTransportBindingElement() as HttpsTransportBindingElement; }
protected SecureConversationSecurityTokenParameters(SecureConversationSecurityTokenParameters other) : base(other) { _requireCancellation = other._requireCancellation; _canRenewSession = other._canRenewSession; if (other._bootstrapSecurityBindingElement != null) _bootstrapSecurityBindingElement = (SecurityBindingElement)other._bootstrapSecurityBindingElement.Clone(); if (other._issuerBindingContext != null) _issuerBindingContext = other._issuerBindingContext.Clone(); }
public SecureConversationSecurityTokenParameters ( SecurityBindingElement element, bool requireCancellation, ChannelProtectionRequirements requirements) { this.element = element; this.cancellable = requireCancellation; if (requirements == null) this.requirements = new ChannelProtectionRequirements (default_channel_protection_requirements); else this.requirements = new ChannelProtectionRequirements (requirements); }
protected SecureConversationSecurityTokenParameters(SecureConversationSecurityTokenParameters other) : base(other) { this.requireCancellation = other.requireCancellation; this.canRenewSession = other.canRenewSession; if (other.bootstrapSecurityBindingElement != null) this.bootstrapSecurityBindingElement = (SecurityBindingElement)other.bootstrapSecurityBindingElement.Clone(); if (other.bootstrapProtectionRequirements != null) this.bootstrapProtectionRequirements = new ChannelProtectionRequirements(other.bootstrapProtectionRequirements); if (other.issuerBindingContext != null) this.issuerBindingContext = other.issuerBindingContext.Clone(); }
private void Initialize() { _securityBindingElement = CreateSecurityBindingElement(); //_securityBindingElement = CreateTransportSecurityBindingElement(); _reliableSessionBindingElement = CreateReliableSessionBindingElement(); //binding.Elements.Add(new TextMessageEncodingBindingElement(MessageVersion.Soap11WSAddressing10, Encoding.UTF8)); _mtomEncodingBindingElement = CreateMtomEncodingBindingElement(); _httpsTransportBindingElement = CreateHttpsTransportBindingElement() as HttpsTransportBindingElement; }
static IEnumerable<SecurityTokenParameters> EnumerateNestedTokenParameters(SecurityBindingElement element) { foreach (SecurityTokenParameters parameters in EnumerateTokenParameters(element)) { if (parameters is SecureConversationSecurityTokenParameters) { SecurityBindingElement nestedElement = ((SecureConversationSecurityTokenParameters)parameters).BootstrapSecurityBindingElement; foreach (SecurityTokenParameters nestedParameters in EnumerateTokenParameters(nestedElement)) { yield return nestedParameters; } } } }
// This is effectively just a copy of WSHttpBinding.TryCreate(), only it news up the 2007 version internal new static bool TryCreate(SecurityBindingElement sbe, TransportBindingElement transport, ReliableSessionBindingElement rsbe, TransactionFlowBindingElement tfbe, out Binding binding) { bool isReliableSession = (rsbe != null); binding = null; // reverse GetTransport HttpTransportSecurity transportSecurity = WSHttpSecurity.GetDefaultHttpTransportSecurity(); UnifiedSecurityMode mode; if (!WSHttpBinding.GetSecurityModeFromTransport(transport, transportSecurity, out mode)) { return false; } HttpsTransportBindingElement httpsBinding = transport as HttpsTransportBindingElement; if (httpsBinding != null && httpsBinding.MessageSecurityVersion != null) { if (httpsBinding.MessageSecurityVersion.SecurityPolicyVersion != WS2007MessageSecurityVersion.SecurityPolicyVersion) { return false; } } WSHttpSecurity security; if (WS2007HttpBinding.TryCreateSecurity(sbe, mode, transportSecurity, isReliableSession, out security)) { WS2007HttpBinding ws2007HttpBinding = new WS2007HttpBinding(security, isReliableSession); bool allowCookies; if (!WSHttpBinding.TryGetAllowCookiesFromTransport(transport, out allowCookies)) { return false; } ws2007HttpBinding.AllowCookies = allowCookies; binding = ws2007HttpBinding; } if (rsbe != null && rsbe.ReliableMessagingVersion != ReliableMessagingVersion.WSReliableMessaging11) { return false; } if (tfbe != null && tfbe.TransactionProtocol != TransactionProtocol.WSAtomicTransaction11) { return false; } return binding != null; }
internal static bool TryCreate(SecurityBindingElement sbe, NetMsmqSecurityMode mode, out NetMsmqSecurity security) { MessageSecurityOverMsmq msmq; security = null; if (!MessageSecurityOverMsmq.TryCreate(sbe, out msmq)) { msmq = null; } security = new NetMsmqSecurity(mode, null, msmq); if (sbe != null) { return SecurityElementBase.AreBindingsMatching(security.CreateMessageSecurity(), sbe, false); } return true; }
private static bool HasSupportingTokens(SecurityBindingElement binding) { if (((binding.EndpointSupportingTokenParameters.Endorsing.Count > 0) || (binding.EndpointSupportingTokenParameters.SignedEndorsing.Count > 0)) || ((binding.EndpointSupportingTokenParameters.SignedEncrypted.Count > 0) || (binding.EndpointSupportingTokenParameters.Signed.Count > 0))) { return true; } foreach (SupportingTokenParameters parameters in binding.OperationSupportingTokenParameters.Values) { if (((parameters.Endorsing.Count > 0) || (parameters.SignedEndorsing.Count > 0)) || ((parameters.SignedEncrypted.Count > 0) || (parameters.Signed.Count > 0))) { return true; } } return false; }
internal static bool TryCreate(SecurityBindingElement sbe, out WSDualHttpSecurity security) { security = null; if (sbe == null) security = new WSDualHttpSecurity(WSDualHttpSecurityMode.None, null); else { MessageSecurityOverHttp messageSecurity; if (!MessageSecurityOverHttp.TryCreate(sbe, false, true, out messageSecurity)) return false; security = new WSDualHttpSecurity(WSDualHttpSecurityMode.Message, messageSecurity); } // the last check: make sure that security binding element match the incoming security return SecurityElement.AreBindingsMatching(security.CreateMessageSecurity(), sbe); }
protected override SecurityBindingElement CreateMessageSecurity() { SymmetricSecurityBindingElement element = new SymmetricSecurityBindingElement(); element.MessageSecurityVersion = MessageSecurityVersion.WSSecurity11WSTrustFebruary2005WSSecureConversationFebruary2005WSSecurityPolicy11BasicSecurityProfile10; // if (!Security.Message.EstablishSecurityContext) // element.SetKeyDerivation (false); IssuedSecurityTokenParameters istp = new IssuedSecurityTokenParameters(); // FIXME: issuer binding must be secure. istp.IssuerBinding = new CustomBinding( new TextMessageEncodingBindingElement(), GetTransport()); element.EndpointSupportingTokenParameters.Endorsing.Add(istp); if (Security.Message.NegotiateServiceCredential) { element.ProtectionTokenParameters = // FIXME: fill proper parameters new SslSecurityTokenParameters(false, true); } else { element.ProtectionTokenParameters = new X509SecurityTokenParameters(); } // if (!Security.Message.EstablishSecurityContext) // return element; // SecureConversation enabled ChannelProtectionRequirements reqs = new ChannelProtectionRequirements(); // FIXME: fill the reqs // FIXME: for TransportWithMessageCredential mode, // return TransportSecurityBindingElement. return(SecurityBindingElement.CreateSecureConversationBindingElement( // FIXME: requireCancellation element, true, reqs)); }
void ImportOperationScopeSupportingTokensPolicy(MetadataImporter importer, PolicyConversionContext policyContext, SecurityBindingElement binding) { foreach (OperationDescription operation in policyContext.Contract.Operations) { string requestAction = null; foreach (MessageDescription message in operation.Messages) { if (message.Direction == MessageDirection.Input) { requestAction = message.Action; break; } } SupportingTokenParameters requirements = new SupportingTokenParameters(); SupportingTokenParameters optionalRequirements = new SupportingTokenParameters(); ICollection<XmlElement> operationBindingAssertions = policyContext.GetOperationBindingAssertions(operation); this.ImportSupportingTokenAssertions(importer, policyContext, operationBindingAssertions, requirements, optionalRequirements); if (requirements.Endorsing.Count > 0 || requirements.Signed.Count > 0 || requirements.SignedEncrypted.Count > 0 || requirements.SignedEndorsing.Count > 0) { if (requestAction != null) { binding.OperationSupportingTokenParameters[requestAction] = requirements; } else { throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new InvalidOperationException(SR.GetString(SR.CannotImportSupportingTokensForOperationWithoutRequestAction))); } } if (optionalRequirements.Endorsing.Count > 0 || optionalRequirements.Signed.Count > 0 || optionalRequirements.SignedEncrypted.Count > 0 || optionalRequirements.SignedEndorsing.Count > 0) { if (requestAction != null) { binding.OptionalOperationSupportingTokenParameters[requestAction] = optionalRequirements; } else { throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new InvalidOperationException(SR.GetString(SR.CannotImportSupportingTokensForOperationWithoutRequestAction))); } } } }
public SecureConversationSecurityTokenParameters( SecurityBindingElement element, bool requireCancellation, ChannelProtectionRequirements requirements) { this.element = element; this.cancellable = requireCancellation; if (requirements == null) { this.requirements = new ChannelProtectionRequirements(default_channel_protection_requirements); } else { this.requirements = new ChannelProtectionRequirements(requirements); } }
public override BindingElementCollection CreateBindingElements() { BindingElement security = SecurityBindingElement.CreateSecureConversationBindingElement( SecurityBindingElement.CreateUserNameForSslBindingElement(true)); MessageEncodingBindingElement encoding = (MessageEncodingBindingElement) new BinaryMessageEncodingBindingElement(); return(new BindingElementCollection(new[] { security, encoding, transport, })); }
SecurityStandardsManager GetConfiguredSecurityStandardsManager(Binding binding) { if (binding == null) { throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("binding"); } SecurityBindingElement securityBindingElement = binding.CreateBindingElements().Find <SecurityBindingElement>(); if (securityBindingElement == null) { throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgument("binding", SR.GetString(SR.NoSecurityBindingElementFound)); } return(new SecurityStandardsManager(securityBindingElement.MessageSecurityVersion, new WSSecurityTokenSerializer(securityBindingElement.MessageSecurityVersion.SecurityVersion))); }
public static Binding CreateCustomBinding() { //<snippet20> // Create an empty CustomBinding to populate CustomBinding binding = new CustomBinding(); // Create a SymmetricSecurityBindingElement. SymmetricSecurityBindingElement ssbe = SecurityBindingElement.CreateSspiNegotiationBindingElement(true); // Add the SymmetricSecurityBindingElement to the BindingElementCollection. binding.Elements.Add(ssbe); binding.Elements.Add(new TextMessageEncodingBindingElement()); binding.Elements.Add(new HttpTransportBindingElement()); return(new CustomBinding(binding)); //</snippet20> }
internal static bool TryCreate(SecurityBindingElement sbe, NetMsmqSecurityMode mode, out NetMsmqSecurity security) { MessageSecurityOverMsmq msmq; security = null; if (!MessageSecurityOverMsmq.TryCreate(sbe, out msmq)) { msmq = null; } security = new NetMsmqSecurity(mode, null, msmq); if (sbe != null) { return(SecurityElementBase.AreBindingsMatching(security.CreateMessageSecurity(), sbe, false)); } return(true); }
static bool BindingRequiresAuthentication(BindingElementCollection elements) { SecurityBindingElement element = elements.Find <SecurityBindingElement>(); if (element != null) { foreach (SecurityTokenParameters parameters in EnumerateNestedTokenParameters(element)) { if (parameters is SspiSecurityTokenParameters) { return(true); } } } return(false); }
SecurityTokenAuthenticator CreateTlsnegoSecurityTokenAuthenticator(RecipientServiceModelSecurityTokenRequirement recipientRequirement, bool requireClientCertificate, out SecurityTokenResolver sctResolver) { SecurityBindingElement securityBindingElement = recipientRequirement.SecurityBindingElement; if (securityBindingElement == null) { throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgument(SR.GetString(SR.TokenAuthenticatorRequiresSecurityBindingElement, recipientRequirement)); } bool isCookieMode = !recipientRequirement.SupportSecurityContextCancellation; LocalServiceSecuritySettings localServiceSettings = securityBindingElement.LocalServiceSettings; sctResolver = new SecurityContextSecurityTokenResolver(localServiceSettings.MaxCachedCookies, true); TlsnegoTokenAuthenticator authenticator = new TlsnegoTokenAuthenticator(); authenticator.IsClientAnonymous = !requireClientCertificate; if (requireClientCertificate) { authenticator.ClientTokenAuthenticator = this.CreateTlsnegoClientX509TokenAuthenticator(recipientRequirement); authenticator.MapCertificateToWindowsAccount = this.ServiceCredentials.ClientCertificate.Authentication.MapClientCertificateToWindowsAccount; } authenticator.EncryptStateInServiceToken = isCookieMode; authenticator.IssuedSecurityTokenParameters = recipientRequirement.GetProperty <SecurityTokenParameters>(ServiceModelSecurityTokenRequirement.IssuedSecurityTokenParametersProperty); authenticator.IssuedTokenCache = (ISecurityContextSecurityTokenCache)sctResolver; authenticator.IssuerBindingContext = recipientRequirement.GetProperty <BindingContext>(ServiceModelSecurityTokenRequirement.IssuerBindingContextProperty); authenticator.ListenUri = recipientRequirement.ListenUri; authenticator.SecurityAlgorithmSuite = recipientRequirement.SecurityAlgorithmSuite; authenticator.StandardsManager = SecurityUtils.CreateSecurityStandardsManager(recipientRequirement, this); authenticator.SecurityStateEncoder = parent.SecureConversationAuthentication.SecurityStateEncoder; authenticator.KnownTypes = parent.SecureConversationAuthentication.SecurityContextClaimTypes; authenticator.ServerTokenProvider = CreateTlsnegoServerX509TokenProvider(recipientRequirement); // local security quotas authenticator.MaximumCachedNegotiationState = localServiceSettings.MaxStatefulNegotiations; authenticator.NegotiationTimeout = localServiceSettings.NegotiationTimeout; authenticator.ServiceTokenLifetime = localServiceSettings.IssuedCookieLifetime; authenticator.MaximumConcurrentNegotiations = localServiceSettings.MaxStatefulNegotiations; // if the TLSNEGO is being done in mixed-mode, the nego blobs are from an anonymous client and so there size bound needs to be enforced. if (securityBindingElement is TransportSecurityBindingElement) { authenticator.MaxMessageSize = SecurityUtils.GetMaxNegotiationBufferSize(authenticator.IssuerBindingContext); } // audit settings authenticator.AuditLogLocation = recipientRequirement.AuditLogLocation; authenticator.SuppressAuditFailure = recipientRequirement.SuppressAuditFailure; authenticator.MessageAuthenticationAuditLevel = recipientRequirement.MessageAuthenticationAuditLevel; return(authenticator); }
internal static bool TryCreate(SecurityBindingElement sbe, out BasicHttpMessageSecurity security, out bool isSecureTransportMode) { BasicHttpMessageCredentialType userName; security = null; isSecureTransportMode = false; if (!sbe.DoNotEmitTrust) { return(false); } if (!sbe.IsSetKeyDerivation(false)) { return(false); } if (sbe.SecurityHeaderLayout != SecurityHeaderLayout.Lax) { return(false); } if (sbe.MessageSecurityVersion != MessageSecurityVersion.WSSecurity10WSTrustFebruary2005WSSecureConversationFebruary2005WSSecurityPolicy11BasicSecurityProfile10) { return(false); } if (!SecurityBindingElement.IsMutualCertificateBinding(sbe, true)) { isSecureTransportMode = true; if (!SecurityBindingElement.IsCertificateOverTransportBinding(sbe)) { if (!SecurityBindingElement.IsUserNameOverTransportBinding(sbe)) { return(false); } userName = BasicHttpMessageCredentialType.UserName; } else { userName = BasicHttpMessageCredentialType.Certificate; } } else { userName = BasicHttpMessageCredentialType.Certificate; } security = new BasicHttpMessageSecurity(); security.ClientCredentialType = userName; security.AlgorithmSuite = sbe.DefaultAlgorithmSuite; return(true); }
// This method reverses the CreateMessageSecurity(bool) method internal static bool TryCreate(SecurityBindingElement sbe, out BasicHttpMessageSecurity security, out bool isSecureTransportMode) { Fx.Assert(null != sbe, string.Empty); security = null; isSecureTransportMode = false; if (!sbe.IsSetKeyDerivation(false)) { return(false); } if (sbe.SecurityHeaderLayout != SecurityHeaderLayout.Lax) { return(false); } if (sbe.MessageSecurityVersion != MessageSecurityVersion.WSSecurity10WSTrustFebruary2005WSSecureConversationFebruary2005WSSecurityPolicy11BasicSecurityProfile10) { return(false); } BasicHttpMessageCredentialType credentialType; if (!SecurityBindingElement.IsMutualCertificateBinding(sbe, true)) { isSecureTransportMode = true; if (SecurityBindingElement.IsCertificateOverTransportBinding(sbe)) { credentialType = BasicHttpMessageCredentialType.Certificate; } else if (SecurityBindingElement.IsUserNameOverTransportBinding(sbe)) { credentialType = BasicHttpMessageCredentialType.UserName; } else { return(false); } } else { credentialType = BasicHttpMessageCredentialType.Certificate; } security = new BasicHttpMessageSecurity(); security.ClientCredentialType = credentialType; return(true); }
static void Main(string[] args) { // Configure the issued token parameters with the correct settings IssuedSecurityTokenParameters itp = new IssuedSecurityTokenParameters("http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1"); itp.IssuerMetadataAddress = new EndpointAddress("http://localhost:6000/STS/mex"); itp.IssuerAddress = new EndpointAddress("http://localhost:6000/STS"); // Create the security binding element SecurityBindingElement sbe = SecurityBindingElement.CreateIssuedTokenForCertificateBindingElement(itp); sbe.MessageSecurityVersion = MessageSecurityVersion.WSSecurity11WSTrust13WSSecureConversation13WSSecurityPolicy12BasicSecurityProfile10; // Create the HTTP transport binding element HttpTransportBindingElement httpBE = new HttpTransportBindingElement(); // Create the custom binding using the prepared binding elements CustomBinding binding = new CustomBinding(sbe, httpBE); Uri serviceUri = new Uri("http://localhost:6002/Service2"); using (ServiceHost host = new ServiceHost(typeof(Service2), serviceUri)) { host.AddServiceEndpoint(typeof(IService2), binding, ""); host.Credentials.ServiceCertificate.SetCertificate("CN=localhost", StoreLocation.LocalMachine, StoreName.My); // Enable metadata generation via HTTP GET ServiceMetadataBehavior smb = new ServiceMetadataBehavior(); smb.HttpGetEnabled = true; host.Description.Behaviors.Add(smb); host.AddServiceEndpoint(typeof(IMetadataExchange), MetadataExchangeBindings.CreateMexHttpBinding(), "mex"); // Configure the service host to use the Windows Identity Foundation ServiceConfiguration configuration = new ServiceConfiguration(); configuration.IssuerNameRegistry = new TrustedIssuerNameRegistry(); configuration.SecurityTokenHandlers.Configuration.AudienceRestriction.AllowedAudienceUris.Add(serviceUri); FederatedServiceCredentials.ConfigureServiceHost(host, configuration); host.Open(); Console.WriteLine("Service2 started, press ENTER to stop ..."); Console.ReadLine(); host.Close(); } }
internal SecurityBindingElement CreateMessageSecurity(bool isSecureTransportMode) { SecurityBindingElement algorithmSuite; if (!isSecureTransportMode) { if (this.clientCredentialType != BasicHttpMessageCredentialType.Certificate) { throw Microsoft.ServiceBus.Diagnostics.DiagnosticUtility.ExceptionUtility.ThrowHelperError(new InvalidOperationException(Microsoft.ServiceBus.SR.GetString(Resources.BasicHttpMessageSecurityRequiresCertificate, new object[0]))); } algorithmSuite = SecurityBindingElement.CreateMutualCertificateBindingElement(MessageSecurityVersion.WSSecurity10WSTrustFebruary2005WSSecureConversationFebruary2005WSSecurityPolicy11BasicSecurityProfile10, true); } else { MessageSecurityVersion wSSecurity10WSTrustFebruary2005WSSecureConversationFebruary2005WSSecurityPolicy11BasicSecurityProfile10 = MessageSecurityVersion.WSSecurity10WSTrustFebruary2005WSSecureConversationFebruary2005WSSecurityPolicy11BasicSecurityProfile10; switch (this.clientCredentialType) { case BasicHttpMessageCredentialType.UserName: { algorithmSuite = SecurityBindingElement.CreateUserNameOverTransportBindingElement(); algorithmSuite.MessageSecurityVersion = wSSecurity10WSTrustFebruary2005WSSecureConversationFebruary2005WSSecurityPolicy11BasicSecurityProfile10; algorithmSuite.DefaultAlgorithmSuite = this.AlgorithmSuite; algorithmSuite.SecurityHeaderLayout = SecurityHeaderLayout.Lax; algorithmSuite.SetKeyDerivation(false); InvokeHelper.InvokeInstanceSet(algorithmSuite.GetType(), algorithmSuite, "DoNotEmitTrust", true); return(algorithmSuite); } case BasicHttpMessageCredentialType.Certificate: { algorithmSuite = SecurityBindingElement.CreateCertificateOverTransportBindingElement(wSSecurity10WSTrustFebruary2005WSSecureConversationFebruary2005WSSecurityPolicy11BasicSecurityProfile10); algorithmSuite.DefaultAlgorithmSuite = this.AlgorithmSuite; algorithmSuite.SecurityHeaderLayout = SecurityHeaderLayout.Lax; algorithmSuite.SetKeyDerivation(false); InvokeHelper.InvokeInstanceSet(algorithmSuite.GetType(), algorithmSuite, "DoNotEmitTrust", true); return(algorithmSuite); } } Microsoft.ServiceBus.Diagnostics.DiagnosticUtility.DebugAssert("Unsupported basic http message credential type"); throw Microsoft.ServiceBus.Diagnostics.DiagnosticUtility.ExceptionUtility.ThrowHelperError(new NotSupportedException()); } algorithmSuite.DefaultAlgorithmSuite = this.AlgorithmSuite; algorithmSuite.SecurityHeaderLayout = SecurityHeaderLayout.Lax; algorithmSuite.SetKeyDerivation(false); InvokeHelper.InvokeInstanceSet(algorithmSuite.GetType(), algorithmSuite, "DoNotEmitTrust", true); return(algorithmSuite); }
private Binding CreateIssuedTokenOverTransportBinding() { var securityTokenParameters = new IssuedSecurityTokenParameters { KeyType = SecurityKeyType.AsymmetricKey, IssuerBinding = CreateKerberosOverTransportBinding(), }; var securityBindingElement = SecurityBindingElement.CreateIssuedTokenOverTransportBindingElement(securityTokenParameters); securityBindingElement.MessageSecurityVersion = MessageSecurityVersion.WSSecurity11WSTrust13WSSecureConversation13WSSecurityPolicy12BasicSecurityProfile10; var customBinding = new CustomBinding("Custom"); customBinding.Elements.Insert(0, securityBindingElement); return(customBinding); }
private void InitializeKeyEntropyMode() { // Default to combined entropy unless another option is specified in the issuer's security binding element. // In previous versions of .NET WsTrust token providers, it was possible to set the default key entropy mode in client credentials. // That scenario does not seem to be needed in .NET Core WsTrust scenarios, so key entropy mode is simply being read from the issuer's // security binding element. If, in the future, it's necessary to change the default (if some scenarios don't have a security binding // element, for example), that could be done by adding a DefaultKeyEntropyMode property to WsTrustChannelCredentials and moving // the code that calculates KeyEntropyMode out to WSTrustChannelSecurityTokenManager since it can set this property // when it creates the provider and fall back to the credentials' default value if no security binding element is present. KeyEntropyMode = SecurityKeyEntropyMode.CombinedEntropy; SecurityBindingElement securityBindingElement = IssuerBinding?.CreateBindingElements().Find <SecurityBindingElement>(); if (securityBindingElement != null) { KeyEntropyMode = securityBindingElement.KeyEntropyMode; } }
private TrustVersion GetTrustVersion() { TrustVersion trustVersion = _trustVersion; if (trustVersion == null) { BindingElementCollection elements = Endpoint.Binding.CreateBindingElements(); SecurityBindingElement sbe = elements.Find <SecurityBindingElement>(); if (null == sbe) { throw IM.DiagnosticUtility.ExceptionUtility.ThrowHelperError(new InvalidOperationException(SR.GetString(SR.ID3269))); } trustVersion = sbe.MessageSecurityVersion.TrustVersion; } return(trustVersion); }
private void CreateBinding() { //<snippet8> CustomBinding binding = new CustomBinding(); // The following binding exposes a DNS identity. binding.Elements.Add(SecurityBindingElement. CreateSecureConversationBindingElement( SecurityBindingElement. CreateIssuedTokenForSslBindingElement( new IssuedSecurityTokenParameters()))); // The following element requires a UPN or SPN identity. binding.Elements.Add(new WindowsStreamSecurityBindingElement()); binding.Elements.Add(new TcpTransportBindingElement()); //</snippet8> }
public SecureConversationSecurityTokenParameters(SecurityBindingElement bootstrapSecurityBindingElement, bool requireCancellation, bool canRenewSession, ChannelProtectionRequirements bootstrapProtectionRequirements) : base() { this.bootstrapSecurityBindingElement = bootstrapSecurityBindingElement; this.canRenewSession = canRenewSession; if (bootstrapProtectionRequirements != null) this.bootstrapProtectionRequirements = new ChannelProtectionRequirements(bootstrapProtectionRequirements); else { this.bootstrapProtectionRequirements = new ChannelProtectionRequirements(); this.bootstrapProtectionRequirements.IncomingEncryptionParts.AddParts(new MessagePartSpecification(true)); this.bootstrapProtectionRequirements.IncomingSignatureParts.AddParts(new MessagePartSpecification(true)); this.bootstrapProtectionRequirements.OutgoingEncryptionParts.AddParts(new MessagePartSpecification(true)); this.bootstrapProtectionRequirements.OutgoingSignatureParts.AddParts(new MessagePartSpecification(true)); } this.requireCancellation = requireCancellation; }
internal static bool TryCreate(SecurityBindingElement sbe, out BasicHttpMessageSecurity security, out bool isSecureTransportMode) { BasicHttpMessageCredentialType userName; security = null; isSecureTransportMode = false; if (!sbe.DoNotEmitTrust) { return false; } if (!sbe.IsSetKeyDerivation(false)) { return false; } if (sbe.SecurityHeaderLayout != SecurityHeaderLayout.Lax) { return false; } if (sbe.MessageSecurityVersion != MessageSecurityVersion.WSSecurity10WSTrustFebruary2005WSSecureConversationFebruary2005WSSecurityPolicy11BasicSecurityProfile10) { return false; } if (!SecurityBindingElement.IsMutualCertificateBinding(sbe, true)) { isSecureTransportMode = true; if (!SecurityBindingElement.IsCertificateOverTransportBinding(sbe)) { if (!SecurityBindingElement.IsUserNameOverTransportBinding(sbe)) { return false; } userName = BasicHttpMessageCredentialType.UserName; } else { userName = BasicHttpMessageCredentialType.Certificate; } } else { userName = BasicHttpMessageCredentialType.Certificate; } security = new BasicHttpMessageSecurity(); security.ClientCredentialType = userName; security.AlgorithmSuite = sbe.DefaultAlgorithmSuite; return true; }
/// <summary> /// Initializes the binding. /// </summary> /// <param name="namespaceUris">The namespace uris.</param> /// <param name="factory">The factory.</param> /// <param name="configuration">The configuration.</param> /// <param name="description">The description.</param> public UaHttpsSoapBinding( NamespaceTable namespaceUris, EncodeableFactory factory, EndpointConfiguration configuration, EndpointDescription description) : base(namespaceUris, factory, configuration) { if (description != null && description.SecurityMode != MessageSecurityMode.None) { TransportSecurityBindingElement bootstrap = SecurityBindingElement.CreateUserNameOverTransportBindingElement(); bootstrap.IncludeTimestamp = true; bootstrap.MessageSecurityVersion = MessageSecurityVersion.WSSecurity11WSTrustFebruary2005WSSecureConversationFebruary2005WSSecurityPolicy11BasicSecurityProfile10; bootstrap.SecurityHeaderLayout = SecurityHeaderLayout.Strict; m_security = SecurityBindingElement.CreateSecureConversationBindingElement(bootstrap); m_security.IncludeTimestamp = true; m_security.MessageSecurityVersion = MessageSecurityVersion.WSSecurity11WSTrustFebruary2005WSSecureConversationFebruary2005WSSecurityPolicy11BasicSecurityProfile10; m_security.SecurityHeaderLayout = SecurityHeaderLayout.Strict; } m_encoding = new TextMessageEncodingBindingElement(MessageVersion.Soap12WSAddressing10, Encoding.UTF8); // WCF does not distinguish between arrays and byte string. int maxArrayLength = configuration.MaxArrayLength; if (configuration.MaxArrayLength < configuration.MaxByteStringLength) { maxArrayLength = configuration.MaxByteStringLength; } m_encoding.ReaderQuotas.MaxArrayLength = maxArrayLength; m_encoding.ReaderQuotas.MaxStringContentLength = configuration.MaxStringLength; m_encoding.ReaderQuotas.MaxBytesPerRead = Int32.MaxValue; m_encoding.ReaderQuotas.MaxDepth = Int32.MaxValue; m_encoding.ReaderQuotas.MaxNameTableCharCount = Int32.MaxValue; m_transport = new HttpsTransportBindingElement(); m_transport.AllowCookies = false; m_transport.AuthenticationScheme = System.Net.AuthenticationSchemes.Anonymous; m_transport.ManualAddressing = false; m_transport.MaxBufferSize = configuration.MaxMessageSize; m_transport.MaxReceivedMessageSize = configuration.MaxMessageSize; m_transport.TransferMode = TransferMode.Buffered; }
protected override SecurityBindingElement CreateSecurityBindingElement() { SecurityBindingElement element; IssuedSecurityTokenParameters issuedParameters = new IssuedSecurityTokenParameters(this._tokenType, this._issuerAddress, this._issuerBinding) { KeyType = this._keyType, IssuerMetadataAddress = this._issuerMetadataAddress }; if (this._keyType == SecurityKeyType.SymmetricKey) { issuedParameters.KeySize = this._algorithmSuite.DefaultSymmetricKeyLength; } else { issuedParameters.KeySize = 0; } if (this._claimTypeRequirements != null) { foreach (ClaimTypeRequirement requirement in this._claimTypeRequirements) { issuedParameters.ClaimTypeRequirements.Add(requirement); } } this.AddAlgorithmParameters(this._algorithmSuite, base.TrustVersion, this._keyType, ref issuedParameters); if (SecurityMode.Message == base.SecurityMode) { element = SecurityBindingElement.CreateIssuedTokenForCertificateBindingElement(issuedParameters); } else { if (SecurityMode.TransportWithMessageCredential != base.SecurityMode) { throw new InvalidOperationException("ID3226"); } element = SecurityBindingElement.CreateIssuedTokenOverTransportBindingElement(issuedParameters); } element.DefaultAlgorithmSuite = this._algorithmSuite; element.IncludeTimestamp = true; return(element); }
protected static T GetClient <T>(string endpoint, SecureString password) { //Create binding element for security var asymmetricSecurityBindingElement = (AsymmetricSecurityBindingElement)SecurityBindingElement.CreateMutualCertificateBindingElement(MessageSecurityVersion. WSSecurity10WSTrust13WSSecureConversation13WSSecurityPolicy12BasicSecurityProfile10 ); asymmetricSecurityBindingElement.MessageSecurityVersion = MessageSecurityVersion.WSSecurity10WSTrust13WSSecureConversation13WSSecurityPolicy12BasicSecurityProfile10; asymmetricSecurityBindingElement.EnableUnsecuredResponse = true; asymmetricSecurityBindingElement.MessageProtectionOrder = MessageProtectionOrder.EncryptBeforeSign; asymmetricSecurityBindingElement.IncludeTimestamp = true; asymmetricSecurityBindingElement.DefaultAlgorithmSuite = SecurityAlgorithmSuite.TripleDesRsa15; //Explicit accept secured answers from endpoint asymmetricSecurityBindingElement.AllowSerializedSigningTokenOnReply = true; //Create binding element for encoding var encodingBindingElement = new TextMessageEncodingBindingElement(MessageVersion.Soap11WSAddressing10, Encoding.UTF8); //Create binding element for transport var httpsTransportBindingElement = new HttpsTransportBindingElement { RequireClientCertificate = true, AuthenticationScheme = System.Net.AuthenticationSchemes.Anonymous }; var cbinding = new CustomBinding(); cbinding.Elements.Add(asymmetricSecurityBindingElement); cbinding.Elements.Add(encodingBindingElement); cbinding.Elements.Add(httpsTransportBindingElement); var endPointUri = new Uri(EndPointUrl); var address = new EndpointAddress(new Uri(endPointUri, endpoint)); var factory = new ChannelFactory <T>(cbinding, address); var certClient = GetEmbeddedCertificate(ClientCertPath, password); var certService = GetEmbeddedCertificate(ServerCertPath); //Explicit prevent check on chain of trust factory.Credentials.ServiceCertificate.Authentication.CertificateValidationMode = X509CertificateValidationMode.None; factory.Credentials.ClientCertificate.Certificate = certClient; factory.Credentials.ServiceCertificate.DefaultCertificate = certService; return(factory.CreateChannel()); }
private static SecurityBindingElement CreateSecurityBindingElement() { SymmetricSecurityBindingElement sbe = SecurityBindingElement.CreateUserNameForSslBindingElement(); //sbe.IncludeTimestamp = false; //sbe.LocalServiceSettings.DetectReplays = false; sbe.ProtectionTokenParameters = new X509SecurityTokenParameters(); // This "Never" is somehow mandatory (though I wonder why ...) sbe.ProtectionTokenParameters.InclusionMode = SecurityTokenInclusionMode.Never; sbe.MessageSecurityVersion = MessageSecurityVersion.Default; //sbe.RequireSignatureConfirmation = true; //sbe.KeyEntropyMode = SecurityKeyEntropyMode.ServerEntropy; sbe.SetKeyDerivation(false); sbe.MessageProtectionOrder = MessageProtectionOrder.SignBeforeEncrypt; return(sbe); }
internal SecurityBindingElement CreateSecurityBindingElement() { SymmetricSecurityBindingElement element; bool flag = false; switch (this.clientCredentialType) { case MessageCredentialType.None: element = SecurityBindingElement.CreateAnonymousForCertificateBindingElement(); break; case MessageCredentialType.Windows: element = SecurityBindingElement.CreateKerberosBindingElement(); flag = true; break; case MessageCredentialType.UserName: element = SecurityBindingElement.CreateUserNameForCertificateBindingElement(); break; case MessageCredentialType.Certificate: element = (SymmetricSecurityBindingElement)SecurityBindingElement.CreateMutualCertificateBindingElement(); break; case MessageCredentialType.IssuedToken: element = SecurityBindingElement.CreateIssuedTokenForCertificateBindingElement(IssuedSecurityTokenParameters.CreateInfoCardParameters(new SecurityStandardsManager(), this.algorithmSuite)); break; default: throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new NotSupportedException()); } element.MessageSecurityVersion = MessageSecurityVersion.WSSecurity11WSTrustFebruary2005WSSecureConversationFebruary2005WSSecurityPolicy11; if (this.wasAlgorithmSuiteSet || !flag) { element.DefaultAlgorithmSuite = this.AlgorithmSuite; } else if (flag) { element.DefaultAlgorithmSuite = SecurityAlgorithmSuite.KerberosDefault; } element.IncludeTimestamp = false; element.LocalServiceSettings.DetectReplays = false; element.LocalClientSettings.DetectReplays = false; return(element); }
internal static bool TryCreate(SecurityBindingElement sbe, out WSDualHttpSecurity security) { security = null; if (sbe == null) { security = new WSDualHttpSecurity(WSDualHttpSecurityMode.None, null); } else { MessageSecurityOverHttp http; if (!MessageSecurityOverHttp.TryCreate <MessageSecurityOverHttp>(sbe, false, true, out http)) { return(false); } security = new WSDualHttpSecurity(WSDualHttpSecurityMode.Message, http); } return(SecurityElementBase.AreBindingsMatching(security.CreateMessageSecurity(), sbe)); }
public SecureConversationSecurityTokenParameters(SecurityBindingElement bootstrapSecurityBindingElement, bool requireCancellation, bool canRenewSession, ChannelProtectionRequirements bootstrapProtectionRequirements) : base() { BootstrapSecurityBindingElement = bootstrapSecurityBindingElement; CanRenewSession = canRenewSession; if (bootstrapProtectionRequirements != null) { _bootstrapProtectionRequirements = new ChannelProtectionRequirements(bootstrapProtectionRequirements); } else { _bootstrapProtectionRequirements = new ChannelProtectionRequirements(); _bootstrapProtectionRequirements.IncomingEncryptionParts.AddParts(new MessagePartSpecification(true)); _bootstrapProtectionRequirements.IncomingSignatureParts.AddParts(new MessagePartSpecification(true)); _bootstrapProtectionRequirements.OutgoingEncryptionParts.AddParts(new MessagePartSpecification(true)); _bootstrapProtectionRequirements.OutgoingSignatureParts.AddParts(new MessagePartSpecification(true)); } RequireCancellation = requireCancellation; }
public override BindingElementCollection CreateBindingElements() { // return collection of BindingElements BindingElementCollection bindingElements = new BindingElementCollection(); // order of BindingElements is important // add security SecurityBindingElement wsSecurity = CreateMessageSecurity(); if (wsSecurity != null) { bindingElements.Add(wsSecurity); } // add encoding (text or mtom) bindingElements.Add(encoding); // add transport bindingElements.Add(GetTransport()); return(bindingElements.Clone()); }
internal static bool TryCreate(SecurityBindingElement sbe, out WSDualHttpSecurity security) { security = null; if (sbe == null) { security = new WSDualHttpSecurity(WSDualHttpSecurityMode.None, null); } else { MessageSecurityOverHttp http; if (!MessageSecurityOverHttp.TryCreate<MessageSecurityOverHttp>(sbe, false, true, out http)) { return false; } security = new WSDualHttpSecurity(WSDualHttpSecurityMode.Message, http); } return SecurityElementBase.AreBindingsMatching(security.CreateMessageSecurity(), sbe); }
// Summary: // Searches a security binding element for a single IssuedSecurityTokenParameters. This method will throw an // argument exception if more than one is found. // // Parameters: // securityBindingEle - The SecurityBindingElement to search. // // Return Value: // Returns an IssuedSecurityTokenParameters if one is found, otherwise null. // static IssuedSecurityTokenParameters TryGetNextStsIssuedTokenParameters(SecurityBindingElement securityBindingEle) { if (securityBindingEle == null) { return(null); } // // This object can have a value assigned to it exactly once. After one assignment of a non-null value // any other non-null assignment will cause the object to throw an argument excaption. // ThrowOnMultipleAssignment <IssuedSecurityTokenParameters> issuedTokenParameters = new ThrowOnMultipleAssignment <IssuedSecurityTokenParameters>(SR.GetString(SR.TooManyIssuedSecurityTokenParameters)); FindInfoCardIssuerBinding(securityBindingEle, issuedTokenParameters); return(issuedTokenParameters.Value); }
protected SecureConversationSecurityTokenParameters(SecureConversationSecurityTokenParameters other) : base(other) { this.requireCancellation = other.requireCancellation; this.canRenewSession = other.canRenewSession; if (other.bootstrapSecurityBindingElement != null) { this.bootstrapSecurityBindingElement = (SecurityBindingElement)other.bootstrapSecurityBindingElement.Clone(); } if (other.bootstrapProtectionRequirements != null) { this.bootstrapProtectionRequirements = new ChannelProtectionRequirements(other.bootstrapProtectionRequirements); } if (other.issuerBindingContext != null) { this.issuerBindingContext = other.issuerBindingContext.Clone(); } }
private static ChannelFactory <WebApiNetTerrain.INetTerrainWebApi> CreateConnectionFactory(string url, string username, string password) { var security = SecurityBindingElement.CreateUserNameOverTransportBindingElement(); security.EnableUnsecuredResponse = true; security.AllowInsecureTransport = true; var customBinding = new CustomBinding(security, new TextMessageEncodingBindingElement(), new HttpTransportBindingElement()); EndpointAddress endpointAddress = new EndpointAddress(new Uri(url)); ChannelFactory <WebApiNetTerrain.INetTerrainWebApi> factory = new ChannelFactory <WebApiNetTerrain.INetTerrainWebApi>(customBinding, endpointAddress); factory.Credentials.UserName.UserName = username; factory.Credentials.UserName.Password = password; return(factory); }
//<snippet1> // This method returns a custom binding created from a WSHttpBinding. Alter the method // to use the appropriate binding for your service, with the appropriate settings. public static Binding CreateCustomBinding(TimeSpan clockSkew) { WSHttpBinding standardBinding = new WSHttpBinding(SecurityMode.Message, true); CustomBinding myCustomBinding = new CustomBinding(standardBinding); SymmetricSecurityBindingElement security = myCustomBinding.Elements.Find<SymmetricSecurityBindingElement>(); security.LocalClientSettings.MaxClockSkew = clockSkew; security.LocalServiceSettings.MaxClockSkew = clockSkew; // Get the System.ServiceModel.Security.Tokens.SecureConversationSecurityTokenParameters SecureConversationSecurityTokenParameters secureTokenParams = (SecureConversationSecurityTokenParameters)security.ProtectionTokenParameters; // From the collection, get the bootstrap element. SecurityBindingElement bootstrap = secureTokenParams.BootstrapSecurityBindingElement; // Set the MaxClockSkew on the bootstrap element. bootstrap.LocalClientSettings.MaxClockSkew = clockSkew; bootstrap.LocalServiceSettings.MaxClockSkew = clockSkew; return myCustomBinding; }
internal static bool TryCreate(SecurityBindingElement wsSecurity, SecurityMode mode, bool isReliableSessionEnabled, BindingElement transportSecurity, TcpTransportSecurity tcpTransportSecurity, out NetTcpSecurity security) { security = null; MessageSecurityOverTcp messageSecurity = null; if (mode == SecurityMode.Message) { if (!MessageSecurityOverTcp.TryCreate(wsSecurity, isReliableSessionEnabled, null, out messageSecurity)) { return false; } } else if ((mode == SecurityMode.TransportWithMessageCredential) && !MessageSecurityOverTcp.TryCreate(wsSecurity, isReliableSessionEnabled, transportSecurity, out messageSecurity)) { return false; } security = new NetTcpSecurity(mode, tcpTransportSecurity, messageSecurity); return SecurityElementBase.AreBindingsMatching(security.CreateMessageSecurity(isReliableSessionEnabled), wsSecurity, false); }
SecurityBindingElement CreateSecurityBindingElement() { SecurityBindingElement element; switch (Security.Mode) { case BasicHttpSecurityMode.Message: #if MOBILE || XAMMAC_4_5 throw new NotImplementedException(); #else if (Security.Message.ClientCredentialType != BasicHttpMessageCredentialType.Certificate) { throw new InvalidOperationException("When Message security is enabled in a BasicHttpBinding, the message security credential type must be BasicHttpMessageCredentialType.Certificate."); } element = SecurityBindingElement.CreateMutualCertificateBindingElement( MessageSecurityVersion.WSSecurity10WSTrustFebruary2005WSSecureConversationFebruary2005WSSecurityPolicy11BasicSecurityProfile10); break; #endif case BasicHttpSecurityMode.TransportWithMessageCredential: #if MOBILE || XAMMAC_4_5 throw new NotImplementedException(); #else if (Security.Message.ClientCredentialType != BasicHttpMessageCredentialType.Certificate) { // FIXME: pass proper security token parameters. element = SecurityBindingElement.CreateCertificateOverTransportBindingElement(); } else { element = new AsymmetricSecurityBindingElement(); } break; #endif default: return(null); } #if !MOBILE && !XAMMAC_4_5 element.SetKeyDerivation(false); element.SecurityHeaderLayout = SecurityHeaderLayout.Lax; #endif return(element); }
internal new static bool TryCreate(SecurityBindingElement sbe, TransportBindingElement transport, PrivacyNoticeBindingElement privacy, ReliableSessionBindingElement rsbe, TransactionFlowBindingElement tfbe, out Binding binding) { bool isReliableSession = (rsbe != null); binding = null; // reverse GetTransport HttpTransportSecurity transportSecurity = new HttpTransportSecurity(); WSFederationHttpSecurityMode mode; if (!WSFederationHttpBinding.GetSecurityModeFromTransport(transport, transportSecurity, out mode)) { return(false); } HttpsTransportBindingElement httpsBinding = transport as HttpsTransportBindingElement; if (httpsBinding != null && httpsBinding.MessageSecurityVersion != null) { if (httpsBinding.MessageSecurityVersion.SecurityPolicyVersion != s_WS2007MessageSecurityVersion.SecurityPolicyVersion) { return(false); } } WSFederationHttpSecurity security; if (WS2007FederationHttpBinding.TryCreateSecurity(sbe, mode, transportSecurity, isReliableSession, out security)) { binding = new WS2007FederationHttpBinding(security, privacy, isReliableSession); } if (rsbe != null && rsbe.ReliableMessagingVersion != ReliableMessagingVersion.WSReliableMessaging11) { return(false); } if (tfbe != null && tfbe.TransactionProtocol != TransactionProtocol.WSAtomicTransaction11) { return(false); } return(binding != null); }
internal static bool TryCreate(SecurityBindingElement sbe, WSFederationHttpSecurityMode mode, HttpTransportSecurity transportSecurity, bool isReliableSessionEnabled, MessageSecurityVersion version, out WSFederationHttpSecurity security) { security = null; FederatedMessageSecurityOverHttp messageSecurity = null; if (sbe == null) { mode = WSFederationHttpSecurityMode.None; } else { mode &= WSFederationHttpSecurityMode.TransportWithMessageCredential | WSFederationHttpSecurityMode.Message; if (!FederatedMessageSecurityOverHttp.TryCreate(sbe, mode == WSFederationHttpSecurityMode.TransportWithMessageCredential, isReliableSessionEnabled, version, out messageSecurity)) { return false; } } security = new WSFederationHttpSecurity(mode, messageSecurity); return true; }
private void ImportEndpointScopeMessageBindingAssertions(MetadataImporter importer, PolicyConversionContext policyContext, SecurityBindingElement binding) { XmlElement assertion = null; WSSecurityPolicy policy; this.ImportSupportingTokenAssertions(importer, policyContext, policyContext.GetBindingAssertions(), binding.EndpointSupportingTokenParameters, binding.OptionalEndpointSupportingTokenParameters); if (WSSecurityPolicy.TryGetSecurityPolicyDriver(policyContext.GetBindingAssertions(), out policy)) { if (!policy.TryImportWsspWssAssertion(importer, policyContext.GetBindingAssertions(), binding, out assertion) && (assertion != null)) { throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new InvalidOperationException(System.ServiceModel.SR.GetString("UnsupportedSecurityPolicyAssertion", new object[] { assertion.OuterXml }))); } if (!policy.TryImportWsspTrustAssertion(importer, policyContext.GetBindingAssertions(), binding, out assertion) && (assertion != null)) { throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new InvalidOperationException(System.ServiceModel.SR.GetString("UnsupportedSecurityPolicyAssertion", new object[] { assertion.OuterXml }))); } } if (assertion == null) { binding.DoNotEmitTrust = true; } }
internal new static bool TryCreate(SecurityBindingElement sbe, TransportBindingElement transport, PrivacyNoticeBindingElement privacy, ReliableSessionBindingElement rsbe, TransactionFlowBindingElement tfbe, out Binding binding) { bool isReliableSession = (rsbe != null); binding = null; // reverse GetTransport HttpTransportSecurity transportSecurity = new HttpTransportSecurity(); WSFederationHttpSecurityMode mode; if (!WSFederationHttpBinding.GetSecurityModeFromTransport(transport, transportSecurity, out mode)) { return false; } HttpsTransportBindingElement httpsBinding = transport as HttpsTransportBindingElement; if (httpsBinding != null && httpsBinding.MessageSecurityVersion != null) { if (httpsBinding.MessageSecurityVersion.SecurityPolicyVersion != WS2007MessageSecurityVersion.SecurityPolicyVersion) { return false; } } WSFederationHttpSecurity security; if (WS2007FederationHttpBinding.TryCreateSecurity(sbe, mode, transportSecurity, isReliableSession, out security)) { binding = new WS2007FederationHttpBinding(security, privacy, isReliableSession); } if (rsbe != null && rsbe.ReliableMessagingVersion != ReliableMessagingVersion.WSReliableMessaging11) { return false; } if (tfbe != null && tfbe.TransactionProtocol != TransactionProtocol.WSAtomicTransaction11) { return false; } return binding != null; }
// This method reverses the CreateMessageSecurity(bool) method internal static bool TryCreate(SecurityBindingElement sbe, out BasicHttpMessageSecurity security, out bool isSecureTransportMode) { Fx.Assert(null != sbe, string.Empty); security = null; isSecureTransportMode = false; if (!sbe.IsSetKeyDerivation(false)) return false; if (sbe.SecurityHeaderLayout != SecurityHeaderLayout.Lax) return false; if (sbe.MessageSecurityVersion != MessageSecurityVersion.WSSecurity10WSTrustFebruary2005WSSecureConversationFebruary2005WSSecurityPolicy11BasicSecurityProfile10) return false; BasicHttpMessageCredentialType credentialType; if (!SecurityBindingElement.IsMutualCertificateBinding(sbe, true)) { isSecureTransportMode = true; if (SecurityBindingElement.IsCertificateOverTransportBinding(sbe)) { credentialType = BasicHttpMessageCredentialType.Certificate; } else if (SecurityBindingElement.IsUserNameOverTransportBinding(sbe)) { credentialType = BasicHttpMessageCredentialType.UserName; } else { return false; } } else { credentialType = BasicHttpMessageCredentialType.Certificate; } security = new BasicHttpMessageSecurity(); security.ClientCredentialType = credentialType; return true; }
internal static bool TryCreate(SecurityBindingElement sbe, TransportBindingElement transport, ReliableSessionBindingElement rsbe, TransactionFlowBindingElement tfbe, out Binding binding) { UnifiedSecurityMode mode; WSHttpSecurity security2; bool isReliableSession = rsbe != null; binding = null; HttpTransportSecurity defaultHttpTransportSecurity = WSHttpSecurity.GetDefaultHttpTransportSecurity(); if (!WSHttpBinding.GetSecurityModeFromTransport(transport, defaultHttpTransportSecurity, out mode)) { return false; } HttpsTransportBindingElement element = transport as HttpsTransportBindingElement; if (((element != null) && (element.MessageSecurityVersion != null)) && (element.MessageSecurityVersion.SecurityPolicyVersion != WS2007MessageSecurityVersion.SecurityPolicyVersion)) { return false; } if (TryCreateSecurity(sbe, mode, defaultHttpTransportSecurity, isReliableSession, out security2)) { bool flag2; WS2007HttpBinding binding2 = new WS2007HttpBinding(security2, isReliableSession); if (!WSHttpBinding.TryGetAllowCookiesFromTransport(transport, out flag2)) { return false; } binding2.AllowCookies = flag2; binding = binding2; } if ((rsbe != null) && (rsbe.ReliableMessagingVersion != ReliableMessagingVersion.WSReliableMessaging11)) { return false; } if ((tfbe != null) && (tfbe.TransactionProtocol != TransactionProtocol.WSAtomicTransaction11)) { return false; } return (binding != null); }
internal static bool TryCreate(SecurityBindingElement sbe, WSFederationHttpSecurityMode mode, HttpTransportSecurity transportSecurity, bool isReliableSessionEnabled, MessageSecurityVersion version, out WSFederationHttpSecurity security) { security = null; FederatedMessageSecurityOverHttp messageSecurity = null; if (sbe == null) { mode = WSFederationHttpSecurityMode.None; } else { mode &= WSFederationHttpSecurityMode.Message | WSFederationHttpSecurityMode.TransportWithMessageCredential; Fx.Assert(WSFederationHttpSecurityModeHelper.IsDefined(mode), string.Format("Invalid WSFederationHttpSecurityMode value: {0}", mode.ToString())); if (!FederatedMessageSecurityOverHttp.TryCreate(sbe, mode == WSFederationHttpSecurityMode.TransportWithMessageCredential, isReliableSessionEnabled, version, out messageSecurity)) return false; } security = new WSFederationHttpSecurity(mode, messageSecurity); return true; }
protected bool TryImportWsspTrustAssertion(string trustName, MetadataImporter importer, ICollection<XmlElement> assertions, SecurityBindingElement binding, out XmlElement assertion) { if (binding == null) { throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("binding"); } if (assertions == null) { throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("assertions"); } bool result = true; Collection<Collection<XmlElement>> alternatives; if (TryImportWsspAssertion(assertions, trustName, out assertion) && TryGetNestedPolicyAlternatives(importer, assertion, out alternatives)) { foreach (Collection<XmlElement> alternative in alternatives) { TryImportWsspAssertion(alternative, MustSupportIssuedTokensName); bool requireClientEntropy = TryImportWsspAssertion(alternative, RequireClientEntropyName); bool requireServerEntropy = TryImportWsspAssertion(alternative, RequireServerEntropyName); if (trustName == Trust13Name) { // We are just reading this optional element. TryImportWsspAssertion(alternative, RequireAppliesTo); } if (alternative.Count == 0) { if (requireClientEntropy) { if (requireServerEntropy) { binding.KeyEntropyMode = SecurityKeyEntropyMode.CombinedEntropy; } else { binding.KeyEntropyMode = SecurityKeyEntropyMode.ClientEntropy; } } else if (requireServerEntropy) { binding.KeyEntropyMode = SecurityKeyEntropyMode.ServerEntropy; } result = true; break; } else { result = false; } } } return result; }
public abstract bool TryImportWsspTrustAssertion(MetadataImporter importer, ICollection<XmlElement> assertions, SecurityBindingElement binding, out XmlElement assertion);
public virtual bool TryImportWsspWssAssertion(MetadataImporter importer, ICollection<XmlElement> assertions, SecurityBindingElement binding, out XmlElement assertion) { if (binding == null) { throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("binding"); } if (assertions == null) { throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("assertions"); } bool result = true; Collection<Collection<XmlElement>> alternatives; if (TryImportWsspAssertion(assertions, Wss10Name, out assertion)) { if (TryGetNestedPolicyAlternatives(importer, assertion, out alternatives)) { foreach (Collection<XmlElement> alternative in alternatives) { TryImportWsspAssertion(alternative, MustSupportRefKeyIdentifierName); TryImportWsspAssertion(alternative, MustSupportRefIssuerSerialName); if (alternative.Count == 0) { binding.MessageSecurityVersion = this.GetSupportedMessageSecurityVersion(SecurityVersion.WSSecurity10); result = true; break; } else { result = false; } } } } else if (TryImportWsspAssertion(assertions, Wss11Name, out assertion)) { if (TryGetNestedPolicyAlternatives(importer, assertion, out alternatives)) { foreach (Collection<XmlElement> alternative in alternatives) { TryImportWsspAssertion(alternative, MustSupportRefKeyIdentifierName); TryImportWsspAssertion(alternative, MustSupportRefIssuerSerialName); TryImportWsspAssertion(alternative, MustSupportRefThumbprintName); TryImportWsspAssertion(alternative, MustSupportRefEncryptedKeyName); bool requireSignatureConfirmation = TryImportWsspAssertion(alternative, RequireSignatureConfirmationName); if (alternative.Count == 0) { binding.MessageSecurityVersion = this.GetSupportedMessageSecurityVersion(SecurityVersion.WSSecurity11); if (binding is SymmetricSecurityBindingElement) { ((SymmetricSecurityBindingElement)binding).RequireSignatureConfirmation = requireSignatureConfirmation; } else if (binding is AsymmetricSecurityBindingElement) { ((AsymmetricSecurityBindingElement)binding).RequireSignatureConfirmation = requireSignatureConfirmation; } result = true; break; } else { result = false; } } } } return result; }
public virtual XmlElement CreateWsspWssAssertion(MetadataExporter exporter, SecurityBindingElement binding) { if (binding == null) { throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("binding"); } if (binding.MessageSecurityVersion.SecurityVersion == SecurityVersion.WSSecurity10) { return CreateWsspWss10Assertion(exporter); } else if (binding.MessageSecurityVersion.SecurityVersion == SecurityVersion.WSSecurity11) { if (binding is SymmetricSecurityBindingElement) { return CreateWsspWss11Assertion(exporter, ((SymmetricSecurityBindingElement)binding).RequireSignatureConfirmation); } else if (binding is AsymmetricSecurityBindingElement) { return CreateWsspWss11Assertion(exporter, ((AsymmetricSecurityBindingElement)binding).RequireSignatureConfirmation); } else { return CreateWsspWss11Assertion(exporter, false); } } else { return null; } }