public KerberosReceiverSecurityToken ReadFromCache(string contextUsername)
{
IAppCache appCache = new CachingService();
KerberosReceiverSecurityToken token = appCache.Get <KerberosReceiverSecurityToken>(contextUsername.ToLower());
return(token);
}
internal ReadOnlyCollection <IAuthorizationPolicy> ValidateToken(SecurityToken token, ChannelBinding channelBinding, ExtendedProtectionPolicy protectionPolicy)
{
KerberosReceiverSecurityToken kerberosToken = (KerberosReceiverSecurityToken)token;
kerberosToken.Initialize(this.credentialsHandle, channelBinding, protectionPolicy);
return(this.innerAuthenticator.ValidateToken(kerberosToken));
}
public void DeleteFromCache(string contextUsername)
{
IAppCache appCache = new CachingService();
KerberosReceiverSecurityToken token = appCache.Get <KerberosReceiverSecurityToken>(contextUsername.ToLower());
if (token != null)
{
appCache.Remove(contextUsername.ToLower());
}
}
/// <summary>
/// This method is called at the being of the thread that processes a request.
/// </summary>
protected override OperationContext ValidateRequest(RequestHeader requestHeader, RequestType requestType)
{
OperationContext context = base.ValidateRequest(requestHeader, requestType);
if (requestType == RequestType.Write)
{
// reject all writes if no user provided.
if (context.UserIdentity.TokenType == UserTokenType.Anonymous)
{
// construct translation object with default text.
TranslationInfo info = new TranslationInfo(
"NoWriteAllowed",
"en-US",
"Must provide a valid windows user before calling write.");
// create an exception with a vendor defined sub-code.
throw new ServiceResultException(new ServiceResult(
StatusCodes.BadUserAccessDenied,
"NoWriteAllowed",
Namespaces.UserAuthentication,
new LocalizedText(info)));
}
#if TODO
SecurityToken securityToken = context.UserIdentity.GetSecurityToken();
// check for a kerberso token.
KerberosReceiverSecurityToken kerberosToken = securityToken as KerberosReceiverSecurityToken;
if (kerberosToken != null)
{
ImpersonationContext impersonationContext = new ImpersonationContext();
impersonationContext.Context = kerberosToken.WindowsIdentity.Impersonate();
lock (this.m_lock)
{
m_contexts.Add(context.RequestId, impersonationContext);
}
}
// check for a user name token.
UserNameSecurityToken userNameToken = securityToken as UserNameSecurityToken;
if (userNameToken != null)
{
LogonUser(context, userNameToken);
}
#endif
}
return(context);
}
public KerberosReceiverSecurityToken WriteToCache(string contextUsername, string contextPassword)
{
KerberosSecurityTokenProvider provider =
new KerberosSecurityTokenProvider("YOURSPN",
TokenImpersonationLevel.Impersonation,
new NetworkCredential(contextUsername.ToLower(), contextPassword, "yourdomain"));
KerberosRequestorSecurityToken requestorToken = provider.GetToken(TimeSpan.FromMinutes(double.Parse(ConfigurationManager.AppSettings["KerberosTokenExpiration"]))) as KerberosRequestorSecurityToken;
KerberosReceiverSecurityToken receiverToken = new KerberosReceiverSecurityToken(requestorToken.GetRequest());
IAppCache appCache = new CachingService();
KerberosReceiverSecurityToken tokenFactory() => receiverToken;
return(appCache.GetOrAdd(contextUsername.ToLower(), tokenFactory)); // this will either add the token or get the token if it exists
}
/// <summary>
/// Validates a Kerberos WSS user token.
/// </summary>
private SecurityToken ParseAndVerifyKerberosToken(byte[] tokenData)
{
XmlDocument document = new XmlDocument();
XmlNodeReader reader = null;
try
{
document.InnerXml = new UTF8Encoding().GetString(tokenData).Trim();
reader = new XmlNodeReader(document.DocumentElement);
SecurityToken securityToken = new WSSecurityTokenSerializer().ReadToken(reader, null);
KerberosReceiverSecurityToken receiver = securityToken as KerberosReceiverSecurityToken;
KerberosSecurityTokenAuthenticator authenticator = new KerberosSecurityTokenAuthenticator();
if (authenticator.CanValidateToken(receiver))
{
authenticator.ValidateToken(receiver);
}
return(securityToken);
}
catch (Exception e)
{
// construct translation object with default text.
TranslationInfo info = new TranslationInfo(
"InvalidKerberosToken",
"en-US",
"'{0}' is not a valid Kerberos token.",
document.DocumentElement.LocalName);
// create an exception with a vendor defined sub-code.
throw new ServiceResultException(new ServiceResult(
e,
StatusCodes.BadIdentityTokenRejected,
"InvalidKerberosToken",
Namespaces.Hsl,
new LocalizedText(info)));
}
finally
{
if (reader != null)
{
reader.Close();
}
}
}
public KerberosReceiverSecurityToken GenerateReceiver()
{
KerberosReceiverSecurityToken receiverToken = null;
//string SPN1 = "HTTP/s001nd-sp-api1.BG.local BG\a001-dpdservice";
string SPN = "HTTP/s001nd-sp-api1.BG.local";// garage\dpd_service";
var currUserName = HttpContext.Current.User.Identity.Name;
var WindowsAccountName = HttpContext.Current.Request.LogonUserIdentity.Name;
//KerberosSecurityTokenProvider provider1 =
// new KerberosSecurityTokenProvider(SPN,
// TokenImpersonationLevel.Impersonation,
// new NetworkCredential("dpd_service", "123", "Garage"));
//KerberosSecurityTokenProvider provider2 =
// new KerberosSecurityTokenProvider(SPN,
// TokenImpersonationLevel.Impersonation,
// CredentialCache.DefaultNetworkCredentials);
KerberosSecurityTokenProvider provider3 =
new KerberosSecurityTokenProvider(SPN,
TokenImpersonationLevel.Impersonation);
//KerberosSecurityTokenProvider provider4 =
// new KerberosSecurityTokenProvider(SPN);
try
{
KerberosRequestorSecurityToken requestorToken = provider3.GetToken(TimeSpan.FromMinutes(180)) as KerberosRequestorSecurityToken;
var abRequest = requestorToken.GetRequest();
var sId = requestorToken.Id;
KerberosReceiverSecurityToken oReceivedToken = new KerberosReceiverSecurityToken(abRequest, sId);
using (FileStream fstream = new FileStream(@"C:\DPD500LOG\good_note.txt", FileMode.OpenOrCreate))
{
// var oAuthenticator = new KerberosSecurityTokenAuthenticator();
// var oCol = oAuthenticator.ValidateToken(oReceivedToken);
// foreach (var o in oCol)
// {
// Console.WriteLine(o.Id);
// }
// преобразуем строку в байты
byte[] array = System.Text.Encoding.Default.GetBytes(oReceivedToken.Id);// exception.ToString());
// запись массива байтов в файл
fstream.Write(array, 0, array.Length);
}
}
catch (Exception ex)
{
Console.WriteLine(ex.Message);
using (FileStream fstream = new FileStream(@"C:\DPD500LOG\error_note.txt", FileMode.OpenOrCreate))
{
// преобразуем строку в байты
byte[] array = System.Text.Encoding.Default.GetBytes(ex.Message);// exception.ToString());
// запись массива байтов в файл
fstream.Write(array, 0, array.Length);
}
}
return(receiverToken);
}
/// <summary>
/// Initializes the object with a .NET security token
/// </summary>
private void Initialize(SecurityToken token)
{
if (token == null)
{
throw new ArgumentNullException("token");
}
m_token = token;
UserNameSecurityToken usernameToken = token as UserNameSecurityToken;
if (usernameToken != null)
{
m_displayName = usernameToken.UserName;
m_tokenType = UserTokenType.UserName;
m_issuedTokenType = null;
return;
}
X509SecurityToken x509Token = token as X509SecurityToken;
if (x509Token != null)
{
m_displayName = x509Token.Certificate.Subject;
m_tokenType = UserTokenType.Certificate;
m_issuedTokenType = null;
return;
}
KerberosReceiverSecurityToken kerberosToken1 = token as KerberosReceiverSecurityToken;
if (kerberosToken1 != null)
{
m_displayName = kerberosToken1.WindowsIdentity.Name;
m_tokenType = UserTokenType.IssuedToken;
m_issuedTokenType = new XmlQualifiedName("", "http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1");
return;
}
KerberosRequestorSecurityToken kerberosToken2 = token as KerberosRequestorSecurityToken;
if (kerberosToken2 != null)
{
m_displayName = kerberosToken2.ServicePrincipalName;
m_tokenType = UserTokenType.IssuedToken;
m_issuedTokenType = new XmlQualifiedName("", "http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1");
return;
}
SamlSecurityToken samlToken = token as SamlSecurityToken;
if (samlToken != null)
{
m_displayName = "SAML";
// find the subject of the SAML assertion.
foreach (SamlStatement statement in samlToken.Assertion.Statements)
{
SamlAttributeStatement attribute = statement as SamlAttributeStatement;
if (attribute != null)
{
m_displayName = attribute.SamlSubject.Name;
break;
}
}
m_tokenType = UserTokenType.IssuedToken;
m_issuedTokenType = new XmlQualifiedName("", "urn:oasis:names:tc:SAML:1.0:assertion");
return;
}
m_displayName = UserTokenType.IssuedToken.ToString();
m_tokenType = UserTokenType.IssuedToken;
}
