Exemple #1
0
        /// <summary>
        /// Called during the authorization process before a service method or behavior is executed.
        /// </summary>
        /// <param name="serviceContext">The service context.</param>
        /// <param name="behaviorContext">The "method authorizing" behavior context.</param>
        /// <returns>A service method action.</returns>
        public override BehaviorMethodAction OnMethodAuthorizing(IServiceContext serviceContext, MethodAuthorizingContext behaviorContext)
        {
            if (serviceContext == null)
            {
                throw new ArgumentNullException("serviceContext");
            }

            var ranges = IPAddressRange.GetConfiguredRanges(m_sectionName).ToList();

            if (ranges.Count == 0)
            {
                return BehaviorMethodAction.Stop;
            }

            bool isAllowed = false;

            foreach (var range in ranges)
            {
                if (range.IsInRange(serviceContext.GetHttpContext().Request.UserHostAddress))
                {
                    isAllowed = true;
                    break;
                }
            }

            return isAllowed ? BehaviorMethodAction.Execute : BehaviorMethodAction.Stop;
        }
        /// <summary>
        /// Called during the authorization process before a service method or behavior is executed.
        /// </summary>
        /// <param name="serviceContext">The service context.</param>
        /// <param name="behaviorContext">The "method authorizing" behavior context.</param>
        /// <returns>A service method action.</returns>
        public override BehaviorMethodAction OnMethodAuthorizing(IServiceContext serviceContext, MethodAuthorizingContext behaviorContext)
        {
            if (serviceContext == null)
            {
                throw new ArgumentNullException("serviceContext");
            }

            if (serviceContext.Cache == null)
            {
                throw new InvalidOperationException(Resources.Global.UnableToInitializeCache);
            }

            string remoteAddress = serviceContext.Request.ServerVariables.RemoteAddress;

            if (String.IsNullOrEmpty(remoteAddress))
            {
                return BehaviorMethodAction.Execute;
            }

            string cacheKey = String.Concat("throttle-", serviceContext.Request.Url.GetLeftPart(UriPartial.Path), "-", remoteAddress);

            if (serviceContext.Cache.Contains(cacheKey))
            {
                SetStatus((HttpStatusCode) 429, Resources.Global.TooManyRequests);
                return BehaviorMethodAction.Stop;
            }

            serviceContext.Cache.Add(cacheKey, true, DateTime.Now.AddMilliseconds(m_delayInMilliseconds), CachePriority.Low);
            return BehaviorMethodAction.Execute;
        }
        /// <summary>
        /// Called during the authorization process before a service method or behavior is executed.
        /// </summary>
        /// <param name="serviceContext">The service context.</param>
        /// <param name="behaviorContext">The "method authorizing" behavior context.</param>
        /// <returns>A service method action.</returns>
        public override BehaviorMethodAction OnMethodAuthorizing(IServiceContext serviceContext, MethodAuthorizingContext behaviorContext)
        {
            if (serviceContext == null)
            {
                throw new ArgumentNullException("serviceContext");
            }

            if (RequiresSsl && AuthorizeConnection(serviceContext.Request) == BehaviorMethodAction.Stop)
            {
                SetStatusDescription(Resources.Global.HttpsRequiredStatusDescription);
                return BehaviorMethodAction.Stop;
            }

            AuthorizationHeader header;

            if (!AuthorizationHeaderParser.TryParse(serviceContext.Request.Headers.Authorization, serviceContext.Request.Headers.ContentCharsetEncoding, out header) ||
                !AuthenticationType.Equals(header.AuthenticationType, StringComparison.OrdinalIgnoreCase))
            {
                serviceContext.Response.SetStatus(HttpStatusCode.Unauthorized, Resources.Global.Unauthorized);
                GenerateAuthenticationHeader(serviceContext);
                return BehaviorMethodAction.Stop;
            }

            Credentials credentials = m_authorizationManager.GetCredentials(header.UserName);

            if (credentials == null || !String.Equals(header.Password, credentials.Password, StringComparison.Ordinal))
            {
                GenerateAuthenticationHeader(serviceContext);
                return BehaviorMethodAction.Stop;
            }

            serviceContext.User = new GenericPrincipal(new GenericIdentity(header.UserName, AuthenticationType), credentials.GetRoles());
            return BehaviorMethodAction.Execute;
        }
        /// <summary>
        /// Called during the authorization process before a service method or behavior is executed.
        /// </summary>
        /// <param name="serviceContext">The service context.</param>
        /// <param name="behaviorContext">The "method authorizing" behavior context.</param>
        /// <returns>A service method action.</returns>
        public override BehaviorMethodAction OnMethodAuthorizing(IServiceContext serviceContext, MethodAuthorizingContext behaviorContext)
        {
            if (serviceContext == null)
            {
                throw new ArgumentNullException("serviceContext");
            }

            string userId, signatureHash;
            DateTime timestamp;

            if (!TryGetRequestedSignature(serviceContext.Request, out userId, out signatureHash, out timestamp) ||
                String.IsNullOrWhiteSpace(userId) ||
                String.IsNullOrWhiteSpace(signatureHash))
            {
                serviceContext.Response.SetStatus(HttpStatusCode.Unauthorized, Global.Unauthorized);
                return BehaviorMethodAction.Stop;
            }

            if (!IsRequestedSignatureValid(serviceContext, signatureHash, timestamp))
            {
                serviceContext.Response.SetStatus(HttpStatusCode.Unauthorized, Global.Unauthorized);
                return BehaviorMethodAction.Stop;
            }

            string hashedServerSignature = HashSignature(serviceContext.Request, userId, GenerateServerSignature(serviceContext, userId, timestamp));

            return signatureHash == hashedServerSignature ? BehaviorMethodAction.Execute : BehaviorMethodAction.Stop;
        }
        /// <summary>
        /// Called during the authorization process before a service method or behavior is executed.
        /// </summary>
        /// <param name="serviceContext">The service context.</param>
        /// <param name="behaviorContext">The "method authorizing" behavior context.</param>
        /// <returns>A service method action.</returns>
        public override BehaviorMethodAction OnMethodAuthorizing(IServiceContext serviceContext, MethodAuthorizingContext behaviorContext)
        {
            if (serviceContext == null)
            {
                throw new ArgumentNullException("serviceContext");
            }

            if (!serviceContext.Request.IsAjax)
            {
                return BehaviorMethodAction.Stop;
            }

            return BehaviorMethodAction.Execute;
        }
        /// <summary>
        /// Called during the authorization process before a service method or behavior is executed.
        /// </summary>
        /// <param name="serviceContext">The service context.</param>
        /// <param name="behaviorContext">The "method authorizing" behavior context.</param>
        /// <returns>A service method action.</returns>
        public override BehaviorMethodAction OnMethodAuthorizing(IServiceContext serviceContext, MethodAuthorizingContext behaviorContext)
        {
            if (serviceContext == null)
            {
                throw new ArgumentNullException("serviceContext");
            }

            if (!serviceContext.Request.IsAjax)
            {
                SetStatus(HttpStatusCode.NotFound, Resources.Global.NotFound);
                return BehaviorMethodAction.Stop;
            }

            return BehaviorMethodAction.Execute;
        }
        /// <summary>
        /// Called during the authorization process before a service method or behavior is executed.
        /// </summary>
        /// <param name="serviceContext">The service context.</param>
        /// <param name="behaviorContext">The "method authorizing" behavior context.</param>
        /// <returns>A service method action.</returns>
        public override BehaviorMethodAction OnMethodAuthorizing(IServiceContext serviceContext, MethodAuthorizingContext behaviorContext)
        {
            var sessionInfo = new SessionInfo(serviceContext.Request.Headers.TryGet("X-SpeechCycle-SmartCare-ApplicationID"),
                                              serviceContext.Request.Headers.TryGet("X-SpeechCycle-SmartCare-CustomerID"),
                                              serviceContext.Request.Headers.TryGet("X-SpeechCycle-SmartCare-SessionID"),
                                              serviceContext.Request.Headers.TryGet("X-SpeechCycle-SmartCare-CultureCode"),
                                              serviceContext.Request.Headers.TryGet("X-SpeechCycle-SmartCare-Environment"));

            if (String.IsNullOrEmpty(sessionInfo.ApplicationId) || String.IsNullOrEmpty(sessionInfo.CustomerId) ||
                String.IsNullOrEmpty(sessionInfo.Environment) || sessionInfo.SessionId == Guid.Empty)
            {
                return BehaviorMethodAction.Stop;
            }

            serviceContext.Request.ResourceBag.SessionInfo = sessionInfo;
            return BehaviorMethodAction.Execute;
        }
        /// <summary>
        /// Called during the authorization process before a service method or behavior is executed.
        /// </summary>
        /// <param name="serviceContext">The service context.</param>
        /// <param name="behaviorContext">The "method authorizing" behavior context.</param>
        /// <returns>A service method action.</returns>
        public override BehaviorMethodAction OnMethodAuthorizing(IServiceContext serviceContext, MethodAuthorizingContext behaviorContext)
        {
            if (serviceContext == null)
            {
                throw new ArgumentNullException("serviceContext");
            }

            if (EnableLoadBalancerSupport && !serviceContext.Request.IsSecure)
            {
                return BehaviorMethodAction.Stop;
            }

            if (!EnableLoadBalancerSupport && !String.Equals("https", serviceContext.Request.Url.Scheme, StringComparison.OrdinalIgnoreCase))
            {
                return BehaviorMethodAction.Stop;
            }

            return BehaviorMethodAction.Execute;
        }
        public void MethodAuthorizingContextShouldBePopulatedForPostHttpMethod()
        {
            var service = new TestService();

            MethodInfo method = service.GetType().GetMethod("Post");
            Assert.That(method, Is.Not.Null);

            var behaviorContext = new MethodAuthorizingContext(service, method);
            Assert.That(behaviorContext.Service, Is.SameAs(service));
            Assert.That(behaviorContext.Method, Is.SameAs(method));
            Assert.That(behaviorContext.GetServiceContractType(), Is.EqualTo(typeof(ITestService)));
            Assert.That(behaviorContext.GetServiceType(), Is.EqualTo(typeof(TestService)));
            Assert.That(behaviorContext.GetMethodName(), Is.EqualTo(method.Name));

            var httpMethods = behaviorContext.GetSupportedHttpMethods().ToList();
            Assert.That(httpMethods.Contains(HttpMethod.Get), Is.False);
            Assert.That(httpMethods.Contains(HttpMethod.Head), Is.False);
            Assert.That(httpMethods.Contains(HttpMethod.Post), Is.True);
            Assert.That(httpMethods.Contains(HttpMethod.Put), Is.False);
            Assert.That(httpMethods.Contains(HttpMethod.Patch), Is.False);
            Assert.That(httpMethods.Contains(HttpMethod.Delete), Is.False);
        }
        /// <summary>
        /// Called during the authorization process before a service method or behavior is executed.
        /// </summary>
        /// <param name="serviceContext">The service context.</param>
        /// <param name="behaviorContext">The "method authorizing" behavior context.</param>
        /// <returns>A service method action.</returns>
        public override BehaviorMethodAction OnMethodAuthorizing(IServiceContext serviceContext, MethodAuthorizingContext behaviorContext)
        {
            if (serviceContext == null)
            {
                throw new ArgumentNullException("serviceContext");
            }

            if (!serviceContext.IsAuthenticated)
            {
                SetStatusDescription(Resources.Global.Forbidden);
                return BehaviorMethodAction.Stop;
            }

            bool isInRole = IsUserInRole(serviceContext.User);

            if (!isInRole)
            {
                SetStatusDescription(Resources.Global.Forbidden);
                return BehaviorMethodAction.Stop;
            }

            return BehaviorMethodAction.Execute;
        }
        void ISecureServiceBehavior.OnMethodAuthorizing(IServiceContext serviceContext, MethodAuthorizingContext behaviorContext)
        {
            if (serviceContext == null)
            {
                throw new ArgumentNullException("serviceContext");
            }

            if (OnMethodAuthorizing(serviceContext, behaviorContext) == BehaviorMethodAction.Stop)
            {
                HttpStatusCode statusCode = serviceContext.Response.GetStatusCode();

                if (statusCode != HttpStatusCode.Unauthorized && statusCode != m_statusCode)
                {
                    throw new HttpResponseException(m_statusCode, m_statusDescription);
                }

                throw new HttpResponseException(statusCode, serviceContext.Response.GetStatusDescription());
            }

            HttpCachePolicyBase cache = serviceContext.GetHttpContext().Response.Cache;
            cache.SetProxyMaxAge(new TimeSpan(0L));
            cache.AddValidationCallback(CacheValidationHandler, new CacheValidationHandlerData(serviceContext, behaviorContext));
        }
        /// <summary>
        /// Called during the authorization process before a service method or behavior is executed.
        /// </summary>
        /// <param name="serviceContext">The service context.</param>
        /// <param name="behaviorContext">The "method authorizing" behavior context.</param>
        /// <returns>A service method action.</returns>
        public override BehaviorMethodAction OnMethodAuthorizing(IServiceContext serviceContext, MethodAuthorizingContext behaviorContext)
        {
            if (serviceContext == null)
            {
                throw new ArgumentNullException("serviceContext");
            }

            AuthorizationHeader header;

            if (!AuthorizationHeaderParser.TryParse(serviceContext.Request.Headers.Authorization, serviceContext.Request.Headers.ContentCharsetEncoding, out header) ||
                !AuthenticationType.Equals(header.AuthenticationType, StringComparison.OrdinalIgnoreCase))
            {
                serviceContext.Response.SetStatus(HttpStatusCode.Unauthorized, Resources.Global.Unauthorized);
                GenerateAuthenticationHeader(serviceContext, false);
                return BehaviorMethodAction.Stop;
            }

            Credentials credentials = m_authorizationManager.GetCredentials(header.UserName);

            if (credentials == null)
            {
                GenerateAuthenticationHeader(serviceContext, false);
                return BehaviorMethodAction.Stop;
            }

            Tuple<bool, bool> responseValidationResult = ValidateResponse(serviceContext, header, credentials);

            if (!responseValidationResult.Item1)
            {
                GenerateAuthenticationHeader(serviceContext, responseValidationResult.Item2);
                return BehaviorMethodAction.Stop;
            }

            serviceContext.User = new GenericPrincipal(new GenericIdentity(header.UserName, AuthenticationType), credentials.GetRoles());
            return BehaviorMethodAction.Execute;
        }
 /// <summary>
 /// Called during the authorization process before a service method or behavior is executed.
 /// </summary>
 /// <param name="serviceContext">The service context.</param>
 /// <param name="behaviorContext">The "method authorizing" behavior context.</param>
 /// <returns>A service method action.</returns>
 public virtual BehaviorMethodAction OnMethodAuthorizing(IServiceContext serviceContext, MethodAuthorizingContext behaviorContext)
 {
     return BehaviorMethodAction.Stop;
 }