public void ImpersonationLevel_IfClaimsToWindowsTokenService_ShouldReturnImpersonation_OtherwiseIdentification() { var expectedImpersonationLevel = this.ClaimsToWindowsTokenService ? TokenImpersonationLevel.Impersonation : TokenImpersonationLevel.Identification; var windowsIdentity = S4UClient.UpnLogon(this.UserPrincipalName); this.ImpersonationLevelTest(expectedImpersonationLevel, windowsIdentity); }
protected static WindowsIdentity RetrieveWindowsIdentityForCurrentUserBasedOnClaim() { IClaimsIdentity identity = Thread.CurrentPrincipal.Identity as ClaimsIdentity; if (identity == null) { throw new InvalidOperationException("Current Thread Identity is not a valid Claims Identity."); } string upn = null; var correctClaimType = identity.Claims.Where(claim => StringComparer.Ordinal.Equals(ClaimTypes.Upn, claim.ClaimType)); correctClaimType.ForEach(c => upn = c.Value); if (string.IsNullOrEmpty(upn)) { throw new InvalidOperationException("Current Thread Identity is not a valid Windows Identity."); } WindowsIdentity windowsIdentity; using (WindowsIdentity.Impersonate(IntPtr.Zero)) windowsIdentity = S4UClient.UpnLogon(upn); return(windowsIdentity); }
public ICredentials GetCredentials(Uri uri, ICredentials failedCredentials) { //If we're running under Claims authentication, impersonate the thread user //by calling the Claims to Windows Token Service and call the remote site using //the impersonated credentials. NOTE: The Claims to Windows Token Service must be running. if (Thread.CurrentPrincipal.Identity is ClaimsIdentity) { IClaimsIdentity identity = (ClaimsIdentity)System.Threading.Thread.CurrentPrincipal.Identity; var firstClaim = identity.Claims.FirstOrDefault(c => c.ClaimType == ClaimTypes.Upn); if (firstClaim == null) { throw new InvalidOperationException("No UPN claim found"); } string upn = firstClaim.Value; if (String.IsNullOrEmpty(upn)) { throw new InvalidOperationException("A UPN claim was found, however, the value was empty."); } var currentIdentity = S4UClient.UpnLogon(upn); m_ctxt = currentIdentity.Impersonate(); } return(CredentialCache.DefaultNetworkCredentials); }
/// <summary> /// This method accesses the back-end service PrintIdentityService doing impersonation. /// </summary> /// <param name="address">The back end service address.</param> /// <exception cref="AccessException">When the address is null or empty string.</exception> public void Access(string address) { if (string.IsNullOrEmpty(address)) { throw new Exception("Address is null or empty"); } // Gets the current identity and extracts the UPN claim. IClaimsIdentity identity = ( ClaimsIdentity )Thread.CurrentPrincipal.Identity; string upn = null; foreach (Claim claim in identity.Claims) { if (StringComparer.Ordinal.Equals(Microsoft.IdentityModel.Claims.ClaimTypes.Upn, claim.ClaimType)) { upn = claim.Value; } } // Performs the UPN logon through the C2WTS service. WindowsIdentity windowsIdentity = null; if (!String.IsNullOrEmpty(upn)) { try { windowsIdentity = S4UClient.UpnLogon(upn); } catch (SecurityAccessDeniedException) { Console.WriteLine("Could not map the upn claim to a valid windows identity."); return; } } else { throw new Exception("No UPN claim found"); } using (WindowsImpersonationContext ctxt = windowsIdentity.Impersonate()) { CallService(address); } }
protected override WindowsIdentity CreateWindowsIdentity(string upn) { var windowsIdentity = S4UClient.UpnLogon(upn); return(new WindowsIdentity(windowsIdentity.Token, "Federation", WindowsAccountType.Normal, true)); }
public object Ajax(string url, object settings) { //If we're running under Claims authentication, impersonate the thread user //by calling the Claims to Windows Token Service and call the remote site using //the impersonated credentials. NOTE: The Claims to Windows Token Service must be running. WindowsImpersonationContext ctxt = null; if (Thread.CurrentPrincipal.Identity is ClaimsIdentity) { IClaimsIdentity identity = (ClaimsIdentity)System.Threading.Thread.CurrentPrincipal.Identity; var firstClaim = identity.Claims.FirstOrDefault(c => c.ClaimType == ClaimTypes.Upn); if (firstClaim == null) { throw new InvalidOperationException("No UPN claim found"); } var upn = firstClaim.Value; if (String.IsNullOrEmpty(upn)) { throw new InvalidOperationException("A UPN claim was found, however, the value was empty."); } var currentIdentity = S4UClient.UpnLogon(upn); ctxt = currentIdentity.Impersonate(); } try { var noCachePolicy = new HttpRequestCachePolicy(HttpRequestCacheLevel.NoCacheNoStore); var targetUri = ObtainTargetUri(url); var request = (HttpWebRequest)WebRequest.Create(targetUri); request.CachePolicy = noCachePolicy; //TODO: Make this configurable. //Get the proxy from the concrete instance. var proxyAddress = ObtainDefaultProxyAddress(); //If the proxy address is defined, create a new proxy with the address, otherwise, use the system proxy. request.Proxy = proxyAddress.IsNullOrWhiteSpace() == false ? new WebProxy(proxyAddress, true, null, CredentialCache.DefaultNetworkCredentials) : WebRequest.GetSystemWebProxy(); if (request.Proxy != null) { request.Proxy.Credentials = CredentialCache.DefaultNetworkCredentials; } var dataType = AjaxDataType.Unknown; //If a settings parameter is defined, coerce it and set properties on the request object. var ajaxSettings = JurassicHelper.Coerce <AjaxSettingsInstance>(Engine, settings); if (ajaxSettings != null) { if (ajaxSettings.UseDefaultCredentials == false) { //if the "credentials" setting is set on the ajaxsettingsinstance, use those credentials instead. if (ajaxSettings.Credentials != null && ajaxSettings.Credentials != Null.Value && ajaxSettings.Credentials != Undefined.Value && ajaxSettings.Credentials is NetworkCredentialInstance) { request.Credentials = (ajaxSettings.Credentials as NetworkCredentialInstance).NetworkCredential; } //Otherwise, use the username/password/domain if specified. else if (String.IsNullOrEmpty(ajaxSettings.Username) == false || String.IsNullOrEmpty(ajaxSettings.Password) == false || String.IsNullOrEmpty(ajaxSettings.Domain) == false) { request.Credentials = new NetworkCredential(ajaxSettings.Username, ajaxSettings.Password, ajaxSettings.Domain); } } else { request.UseDefaultCredentials = true; request.Credentials = CredentialCache.DefaultNetworkCredentials; } if (String.IsNullOrEmpty(ajaxSettings.Accept) == false) { request.Accept = ajaxSettings.Accept; } if (ajaxSettings.Proxy != null && ajaxSettings.Proxy != Undefined.Value && ajaxSettings.Proxy != Null.Value) { var proxySettings = JurassicHelper.Coerce <ProxySettingsInstance>(Engine, ajaxSettings.Proxy); if (proxySettings != null) { if (String.IsNullOrEmpty(proxySettings.Address) == false) { try { var proxy = new WebProxy(proxySettings.Address, true); request.Proxy = proxy; } catch { /* do nothing */ } } if (proxySettings.UseDefaultCredentials) { request.Proxy.Credentials = CredentialCache.DefaultNetworkCredentials; } } } if (String.IsNullOrEmpty(ajaxSettings.DataType) == false) { switch (ajaxSettings.DataType.ToLowerInvariant()) { case "json": dataType = AjaxDataType.Json; break; case "xml": dataType = AjaxDataType.Xml; break; case "raw": dataType = AjaxDataType.Raw; break; default: dataType = AjaxDataType.Unknown; break; } } if (String.IsNullOrEmpty(ajaxSettings.Method) == false) { request.Method = ajaxSettings.Method; } if (String.IsNullOrEmpty(ajaxSettings.UserAgent) == false) { request.UserAgent = ajaxSettings.UserAgent; } if (String.IsNullOrEmpty(ajaxSettings.ContentType) == false) { request.ContentType = ajaxSettings.ContentType; } if (String.IsNullOrEmpty(ajaxSettings.Referer) == false) { request.Referer = ajaxSettings.Referer; } } else { request.Accept = "application/json"; } //Get some not-serialized properties from the original webinstance if (settings != Null.Value && settings != Undefined.Value && settings is ObjectInstance) { var settingsObj = settings as ObjectInstance; if (settingsObj.HasProperty("headers")) { var headersObj = settingsObj.GetPropertyValue("headers"); if (headersObj != Null.Value && headersObj != Undefined.Value && headersObj is ObjectInstance) { var headersObjInstance = headersObj as ObjectInstance; foreach (var prop in headersObjInstance.Properties) { try { request.Headers.Set(prop.Name, TypeConverter.ToString(prop.Value)); } catch (Exception) { //Ignore it. } } } } if (settingsObj.HasProperty("timeout")) { var timeoutObj = settingsObj.GetPropertyValue("timeout"); request.Timeout = TypeConverter.ToInteger(timeoutObj); } if (settingsObj.HasProperty("body")) { var bodyObj = settingsObj.GetPropertyValue("body"); if (bodyObj != Null.Value && bodyObj != Undefined.Value) { var bodyByteArray = bodyObj as Base64EncodedByteArrayInstance; if (bodyByteArray != null) { var requestStream = request.GetRequestStream(); requestStream.Write(bodyByteArray.Data, 0, bodyByteArray.Data.Length); requestStream.Close(); } else { var data = Encoding.UTF8.GetBytes(TypeConverter.ToString(bodyObj)); var requestStream = request.GetRequestStream(); requestStream.Write(data, 0, data.Length); requestStream.Close(); } } } } if (ajaxSettings != null && ajaxSettings.Async) { var tcs = new TaskCompletionSource <object>(); try { request.BeginGetResponse(iar => { HttpWebResponse response = null; try { response = (HttpWebResponse)request.EndGetResponse(iar); var resultObject = GetResultFromResponse(response, dataType); tcs.SetResult(resultObject); } catch (Exception exc) { tcs.SetException(exc); } finally { if (response != null) { response.Close(); } } }, null); } catch (Exception exc) { tcs.SetException(exc); } return(new DeferredInstance(Engine.Object.InstancePrototype, tcs.Task)); } object result; try { var syncResponse = (HttpWebResponse)request.GetResponse(); result = GetResultFromResponse(syncResponse, dataType); } catch (WebException e) { //The request failed -- usually a 400 var httpResponse = e.Response as HttpWebResponse; result = httpResponse == null ? null : new HttpWebResponseInstance(Engine.Object.InstancePrototype, httpResponse); } catch (Exception ex) { LogAjaxException(ex); throw; } return(result); } finally { if (ctxt != null) { ctxt.Dispose(); } } }