static bool GetMapToWindowsSetting(X509SecurityTokenHandler securityTokenHandler)
        {
            if (securityTokenHandler == null)
            {
                throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("securityTokenHandler");
            }

            return(securityTokenHandler.MapToWindows);
        }
        /// <summary>
        /// Initializes an instance of <see cref="WrappedX509SecurityTokenAuthenticator"/>
        /// </summary>
        /// <param name="wrappedX509SecurityTokenHandler">X509SecurityTokenHandler to wrap.</param>
        /// <param name="exceptionMapper">Converts token validation exceptions to SOAP faults.</param>
        public WrappedX509SecurityTokenAuthenticator(
            X509SecurityTokenHandler wrappedX509SecurityTokenHandler,
            ExceptionMapper exceptionMapper)
            : base(X509CertificateValidator.None, GetMapToWindowsSetting(wrappedX509SecurityTokenHandler), true)
        {
            if (wrappedX509SecurityTokenHandler == null)
            {
                throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("wrappedX509SecurityTokenHandler");
            }

            if (exceptionMapper == null)
            {
                throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("exceptionMapper");
            }

            _wrappedX509SecurityTokenHandler = wrappedX509SecurityTokenHandler;
            _exceptionMapper = exceptionMapper;
        }
Exemple #3
0
        /// <summary>
        /// Creates a <see cref="WindowsIdentity"/> associated with a given X509 certificate.
        /// </summary>
        /// <param name="x509Certificate">The certificate to use to map to the associated <see cref="WindowsIdentity"/></param>
        /// <returns></returns>
        public static WindowsIdentity CertificateLogon(X509Certificate2 x509Certificate)
        {
            // for Vista, LsaLogon supporting mapping cert to NTToken
            if (Environment.OSVersion.Version.Major >= CryptoHelper.WindowsVistaMajorNumber)
            {
                return(X509SecurityTokenHandler.KerberosCertificateLogon(x509Certificate));
            }
            else
            {
                // Downlevel, S4U over PrincipalName SubjectAltNames
                string upn = x509Certificate.GetNameInfo(X509NameType.UpnName, false);
                if (string.IsNullOrEmpty(upn))
                {
                    throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new SecurityTokenValidationException(SR.GetString(SR.ID4067,
                                                                                                                                X509Util.GetCertificateId(x509Certificate))));
                }

                return(new WindowsIdentity(upn));
            }
        }
Exemple #4
0
        /// <summary>
        /// Overriden from the base class. Creates the requested Token Authenticator.
        /// Looks up the list of Token Handlers registered with the token Manager
        /// based on the TokenType Uri in the SecurityTokenRequirement. If none is found,
        /// then the call is delegated to the inner Token Manager.
        /// </summary>
        /// <param name="tokenRequirement">Security Token Requirement for which the Authenticator should be created.</param>
        /// <param name="outOfBandTokenResolver">Token resolver that resolves any out-of-band tokens.</param>
        /// <returns>Instance of Security Token Authenticator.</returns>
        /// <exception cref="ArgumentNullException">'tokenRequirement' parameter is null.</exception>
        /// <exception cref="NotSupportedException">No Authenticator is registered for the given token type.</exception>
        public override SecurityTokenAuthenticator CreateSecurityTokenAuthenticator(SecurityTokenRequirement tokenRequirement, out SecurityTokenResolver outOfBandTokenResolver)
        {
            if (tokenRequirement == null)
            {
                throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("tokenRequirement");
            }

            outOfBandTokenResolver = null;

            // Check for a registered authenticator
            SecurityTokenAuthenticator securityTokenAuthenticator = null;

            string tokenType = tokenRequirement.TokenType;

            //
            // When the TokenRequirement.TokenType is null, we treat this as a SAML issued token case. It may be SAML 1.1 or SAML 2.0.
            //
            if (String.IsNullOrEmpty(tokenType))
            {
                return(CreateSamlSecurityTokenAuthenticator(tokenRequirement, out outOfBandTokenResolver));
            }

            //
            // When the TokenType is set, build a token authenticator for the specified token type.
            //
            SecurityTokenHandler securityTokenHandler = _securityTokenHandlerCollection[tokenType];

            if ((securityTokenHandler != null) && (securityTokenHandler.CanValidateToken))
            {
                outOfBandTokenResolver = GetDefaultOutOfBandTokenResolver();

                if (StringComparer.Ordinal.Equals(tokenType, SecurityTokenTypes.UserName))
                {
                    UserNameSecurityTokenHandler upSecurityTokenHandler = securityTokenHandler as UserNameSecurityTokenHandler;
                    if (upSecurityTokenHandler == null)
                    {
                        throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(
                                  new InvalidOperationException(SR.GetString(SR.ID4072, securityTokenHandler.GetType(), tokenType, typeof(UserNameSecurityTokenHandler))));
                    }
                    securityTokenAuthenticator = new WrappedUserNameSecurityTokenAuthenticator(upSecurityTokenHandler, _exceptionMapper);
                }
                else if (StringComparer.Ordinal.Equals(tokenType, SecurityTokenTypes.Kerberos))
                {
                    securityTokenAuthenticator = CreateInnerSecurityTokenAuthenticator(tokenRequirement, out outOfBandTokenResolver);
                }
                else if (StringComparer.Ordinal.Equals(tokenType, SecurityTokenTypes.Rsa))
                {
                    RsaSecurityTokenHandler rsaSecurityTokenHandler = securityTokenHandler as RsaSecurityTokenHandler;
                    if (rsaSecurityTokenHandler == null)
                    {
                        throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(
                                  new InvalidOperationException(SR.GetString(SR.ID4072, securityTokenHandler.GetType(), tokenType, typeof(RsaSecurityTokenHandler))));
                    }
                    securityTokenAuthenticator = new WrappedRsaSecurityTokenAuthenticator(rsaSecurityTokenHandler, _exceptionMapper);
                }
                else if (StringComparer.Ordinal.Equals(tokenType, SecurityTokenTypes.X509Certificate))
                {
                    X509SecurityTokenHandler x509SecurityTokenHandler = securityTokenHandler as X509SecurityTokenHandler;
                    if (x509SecurityTokenHandler == null)
                    {
                        throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(
                                  new InvalidOperationException(SR.GetString(SR.ID4072, securityTokenHandler.GetType(), tokenType, typeof(X509SecurityTokenHandler))));
                    }
                    securityTokenAuthenticator = new WrappedX509SecurityTokenAuthenticator(x509SecurityTokenHandler, _exceptionMapper);
                }
                else if (StringComparer.Ordinal.Equals(tokenType, SecurityTokenTypes.SamlTokenProfile11) ||
                         StringComparer.Ordinal.Equals(tokenType, SecurityTokenTypes.OasisWssSamlTokenProfile11))
                {
                    SamlSecurityTokenHandler saml11SecurityTokenHandler = securityTokenHandler as SamlSecurityTokenHandler;
                    if (saml11SecurityTokenHandler == null)
                    {
                        throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(
                                  new InvalidOperationException(SR.GetString(SR.ID4072, securityTokenHandler.GetType(), tokenType, typeof(SamlSecurityTokenHandler))));
                    }

                    if (saml11SecurityTokenHandler.Configuration == null)
                    {
                        throw DiagnosticUtility.ExceptionUtility.ThrowHelperInvalidOperation(SR.GetString(SR.ID4274));
                    }

                    securityTokenAuthenticator = new WrappedSaml11SecurityTokenAuthenticator(saml11SecurityTokenHandler, _exceptionMapper);
                    // The out-of-band token resolver will be used by WCF to decrypt any encrypted SAML tokens.
                    outOfBandTokenResolver = saml11SecurityTokenHandler.Configuration.ServiceTokenResolver;
                }
                else if (StringComparer.Ordinal.Equals(tokenType, SecurityTokenTypes.Saml2TokenProfile11) ||
                         StringComparer.Ordinal.Equals(tokenType, SecurityTokenTypes.OasisWssSaml2TokenProfile11))
                {
                    Saml2SecurityTokenHandler saml2SecurityTokenHandler = securityTokenHandler as Saml2SecurityTokenHandler;
                    if (saml2SecurityTokenHandler == null)
                    {
                        throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(
                                  new InvalidOperationException(SR.GetString(SR.ID4072, securityTokenHandler.GetType(), tokenType, typeof(Saml2SecurityTokenHandler))));
                    }

                    if (saml2SecurityTokenHandler.Configuration == null)
                    {
                        throw DiagnosticUtility.ExceptionUtility.ThrowHelperInvalidOperation(SR.GetString(SR.ID4274));
                    }

                    securityTokenAuthenticator = new WrappedSaml2SecurityTokenAuthenticator(saml2SecurityTokenHandler, _exceptionMapper);
                    // The out-of-band token resolver will be used by WCF to decrypt any encrypted SAML tokens.
                    outOfBandTokenResolver = saml2SecurityTokenHandler.Configuration.ServiceTokenResolver;
                }
                else if (StringComparer.Ordinal.Equals(tokenType, ServiceModelSecurityTokenTypes.SecureConversation))
                {
                    RecipientServiceModelSecurityTokenRequirement tr = tokenRequirement as RecipientServiceModelSecurityTokenRequirement;
                    if (tr == null)
                    {
                        throw DiagnosticUtility.ExceptionUtility.ThrowHelperInvalidOperation(SR.GetString(SR.ID4240, tokenRequirement.GetType().ToString()));
                    }

                    securityTokenAuthenticator = SetupSecureConversationWrapper(tr, securityTokenHandler as SessionSecurityTokenHandler, out outOfBandTokenResolver);
                }
                else
                {
                    securityTokenAuthenticator = new SecurityTokenAuthenticatorAdapter(securityTokenHandler, _exceptionMapper);
                }
            }
            else
            {
                if (tokenType == ServiceModelSecurityTokenTypes.SecureConversation ||
                    tokenType == ServiceModelSecurityTokenTypes.MutualSslnego ||
                    tokenType == ServiceModelSecurityTokenTypes.AnonymousSslnego ||
                    tokenType == ServiceModelSecurityTokenTypes.SecurityContext ||
                    tokenType == ServiceModelSecurityTokenTypes.Spnego)
                {
                    RecipientServiceModelSecurityTokenRequirement tr = tokenRequirement as RecipientServiceModelSecurityTokenRequirement;
                    if (tr == null)
                    {
                        throw DiagnosticUtility.ExceptionUtility.ThrowHelperInvalidOperation(SR.GetString(SR.ID4240, tokenRequirement.GetType().ToString()));
                    }

                    securityTokenAuthenticator = SetupSecureConversationWrapper(tr, null, out outOfBandTokenResolver);
                }
                else
                {
                    securityTokenAuthenticator = CreateInnerSecurityTokenAuthenticator(tokenRequirement, out outOfBandTokenResolver);
                }
            }

            return(securityTokenAuthenticator);
        }