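/// <summary>
/// Builds the <see cref="SecurityMessageProperty"/> for a client that has completed a
/// <see cref="NegotiateStream"/> handshake: the negotiated identity is wrapped in a token,
/// validated into authorization policies, and both are attached to the property.
/// </summary>
/// <param name="negotiateStream">The authenticated stream; only its RemoteIdentity is read.</param>
/// <param name="extractGroupsForWindowsAccounts">
/// Forwarded unchanged to <see cref="WindowsSecurityTokenAuthenticator"/> together with the
/// <c>_ldapSettings</c> field; presumably controls whether group membership is expanded into
/// claims — confirm against that type.
/// </param>
/// <returns>A property whose TransportToken and ServiceSecurityContext share the validated policies.</returns>
private async Task<SecurityMessageProperty> CreateClientSecurityAsync(NegotiateStream negotiateStream, bool extractGroupsForWindowsAccounts)
{
    IIdentity remoteIdentity = negotiateStream.RemoteIdentity;
    SecurityToken token;
    WindowsSecurityTokenAuthenticator authenticator = new WindowsSecurityTokenAuthenticator(extractGroupsForWindowsAccounts, _ldapSettings);

    if (remoteIdentity is WindowsIdentity)
    {
        WindowsIdentity windowsIdentity = (WindowsIdentity)remoteIdentity;
        // Enforce the anonymity constraint before a token is minted for this identity; the
        // rule itself lives in SecurityUtils and the 'false' argument is passed through as-is.
        SecurityUtils.ValidateAnonymityConstraint(windowsIdentity, false);
        token = new WindowsSecurityToken(windowsIdentity, SecurityUniqueId.Create().Value, windowsIdentity.AuthenticationType);
    }
    else
    {
        // Non-Windows identities are represented by name only. The unused ClaimsIdentity that
        // used to be built here has been dropped — it was never referenced.
        // NOTE(review): no anonymity check runs on this path and the generic token is validated
        // by the Windows authenticator; confirm it rejects unauthenticated identities here.
        token = new GenericSecurityToken(remoteIdentity.Name, SecurityUniqueId.Create().Value);
    }

    ReadOnlyCollection<IAuthorizationPolicy> authorizationPolicies = await authenticator.ValidateTokenAsync(token);
    SecurityMessageProperty clientSecurity = new SecurityMessageProperty
    {
        TransportToken = new SecurityTokenSpecification(token, authorizationPolicies),
        ServiceSecurityContext = new ServiceSecurityContext(authorizationPolicies)
    };
    return clientSecurity;
}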
/// <summary>
/// Synchronous counterpart that converts the identity negotiated on a
/// <see cref="NegotiateStream"/> into a <see cref="SecurityMessageProperty"/>.
/// Windows identities go through the Windows authenticator (after the anonymity check);
/// any other identity is wrapped by name and validated by the generic authenticator.
/// </summary>
/// <param name="negotiateStream">The authenticated stream; only RemoteIdentity is consulted.</param>
/// <param name="extractGroupsForWindowsAccounts">Forwarded to <see cref="WindowsSecurityTokenAuthenticator"/> for the Windows path only.</param>
/// <returns>A property whose TransportToken and ServiceSecurityContext share one policy set.</returns>
SecurityMessageProperty CreateClientSecurity(NegotiateStream negotiateStream, bool extractGroupsForWindowsAccounts)
{
    IIdentity identity = negotiateStream.RemoteIdentity;
    SecurityToken transportToken;
    ReadOnlyCollection<IAuthorizationPolicy> policies;

    WindowsIdentity windowsIdentity = identity as WindowsIdentity;
    if (windowsIdentity != null)
    {
        // The anonymity rule is defined by SecurityUtils; 'false' is passed through unchanged.
        Security.SecurityUtils.ValidateAnonymityConstraint(windowsIdentity, false);
        WindowsSecurityTokenAuthenticator windowsAuthenticator = new WindowsSecurityTokenAuthenticator(extractGroupsForWindowsAccounts);
        transportToken = new WindowsSecurityToken(windowsIdentity, SecurityUniqueId.Create().Value, windowsIdentity.AuthenticationType);
        policies = windowsAuthenticator.ValidateToken(transportToken);
    }
    else
    {
        // NOTE(review): this path performs no anonymity check of its own; whether an
        // unauthenticated identity is rejected depends on GenericSecurityTokenAuthenticator.
        transportToken = new GenericSecurityToken(identity.Name, SecurityUniqueId.Create().Value);
        GenericSecurityTokenAuthenticator genericAuthenticator = new GenericSecurityTokenAuthenticator();
        policies = genericAuthenticator.ValidateToken(transportToken);
    }

    SecurityMessageProperty property = new SecurityMessageProperty();
    property.TransportToken = new SecurityTokenSpecification(transportToken, policies);
    property.ServiceSecurityContext = new ServiceSecurityContext(policies);
    return property;
}
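/// <summary>
/// Creates a hash token with a freshly generated id and a validity window starting now.
/// No authenticator is set on this path.
/// </summary>
private PeerHashToken()
{
    this.id = SecurityUniqueId.Create().Value;
    // Sample the clock once so expirationTime is exactly effectiveTime + 10h instead of two
    // independent UtcNow reads that can differ by the time between them.
    DateTime now = DateTime.UtcNow;
    this.effectiveTime = now;
    this.expirationTime = now.AddHours(10.0);   // 10h lifetime is fixed by this type
    this.CheckValidity();
}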
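/// <summary>
/// Creates a hash token around a pre-computed authenticator value, with a freshly generated
/// id and a validity window starting now.
/// </summary>
/// <param name="authenticator">
/// The authenticator bytes. Stored by reference, not copied — the caller must not mutate the
/// array afterwards. NOTE(review): no null check is visible here; presumably
/// <c>CheckValidity</c> covers it — confirm.
/// </param>
public PeerHashToken(byte[] authenticator)
{
    this.id = SecurityUniqueId.Create().Value;
    // One clock read keeps expirationTime exactly 10h after effectiveTime.
    DateTime now = DateTime.UtcNow;
    this.effectiveTime = now;
    this.expirationTime = now.AddHours(10.0);   // 10h lifetime is fixed by this type
    this.authenticator = authenticator;
    this.CheckValidity();
}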
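/// <summary>
/// Creates a hash token whose authenticator is derived from a certificate and a password
/// via <c>PeerSecurityHelpers.ComputeHash</c>, with a freshly generated id and a validity
/// window starting now.
/// </summary>
/// <param name="certificate">Certificate fed into the hash computation.</param>
/// <param name="password">
/// Secret fed into the hash computation. It is handed to the helper as a managed string and
/// is not retained by this instance beyond the derived authenticator.
/// </param>
public PeerHashToken(X509Certificate2 certificate, string password)
{
    this.id = SecurityUniqueId.Create().Value;
    // One clock read keeps expirationTime exactly 10h after effectiveTime.
    DateTime now = DateTime.UtcNow;
    this.effectiveTime = now;
    this.expirationTime = now.AddHours(10.0);   // 10h lifetime is fixed by this type
    this.authenticator = PeerSecurityHelpers.ComputeHash(certificate, password);
    this.CheckValidity();
}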
/// <summary>
/// Converts an already-authenticated Windows identity into the transport-level
/// <see cref="SecurityMessageProperty"/> for the current message.
/// </summary>
/// <param name="identity">The caller's Windows identity as produced by the transport handshake.</param>
/// <param name="authenticationType">Recorded on the token as the mechanism that produced <paramref name="identity"/>.</param>
/// <returns>A property whose TransportToken and ServiceSecurityContext share the validated policies.</returns>
private SecurityMessageProperty ProcessAuthentication(WindowsIdentity identity, string authenticationType)
{
    // The anonymity constraint is checked before any token is minted; the rule itself is
    // defined by SecurityUtils and the 'false' argument is passed through unchanged.
    System.ServiceModel.Security.SecurityUtils.ValidateAnonymityConstraint(identity, false);

    SecurityToken windowsToken = new WindowsSecurityToken(identity, SecurityUniqueId.Create().Value, authenticationType);
    ReadOnlyCollection<IAuthorizationPolicy> policies = this.windowsTokenAuthenticator.ValidateToken(windowsToken);

    SecurityMessageProperty result = new SecurityMessageProperty();
    result.TransportToken = new SecurityTokenSpecification(windowsToken, policies);
    result.ServiceSecurityContext = new ServiceSecurityContext(policies);
    return result;
}
/// <summary>
/// Builds and caches (in <c>this.clientSecurity</c>) the <see cref="SecurityMessageProperty"/>
/// for the Windows identity negotiated on <paramref name="negotiateStream"/>.
/// </summary>
/// <param name="negotiateStream">The authenticated stream; its RemoteIdentity must be a <see cref="WindowsIdentity"/>.</param>
/// <param name="extractGroupsForWindowsAccounts">Forwarded to <see cref="WindowsSecurityTokenAuthenticator"/>.</param>
/// <returns>The property that was also stored in <c>this.clientSecurity</c>.</returns>
private SecurityMessageProperty CreateClientSecurity(NegotiateStream negotiateStream, bool extractGroupsForWindowsAccounts)
{
    // NOTE(review): hard cast — a RemoteIdentity that is not a WindowsIdentity surfaces as an
    // InvalidCastException rather than an authentication failure; presumably this method is only
    // reached after a Windows (Negotiate) handshake.
    WindowsIdentity identity = (WindowsIdentity)negotiateStream.RemoteIdentity;
    System.ServiceModel.Security.SecurityUtils.ValidateAnonymityConstraint(identity, false);

    WindowsSecurityTokenAuthenticator tokenAuthenticator = new WindowsSecurityTokenAuthenticator(extractGroupsForWindowsAccounts);
    SecurityToken transportToken = new WindowsSecurityToken(identity, SecurityUniqueId.Create().Value, identity.AuthenticationType);
    ReadOnlyCollection<IAuthorizationPolicy> policies = tokenAuthenticator.ValidateToken(transportToken);

    SecurityMessageProperty property = new SecurityMessageProperty
    {
        TransportToken = new SecurityTokenSpecification(transportToken, policies),
        ServiceSecurityContext = new ServiceSecurityContext(policies)
    };
    this.clientSecurity = property;
    return property;
}
/// <summary>
/// Deserializes a username token from <paramref name="reader"/>, generating an id when the
/// element carried none.
/// </summary>
/// <param name="reader">Positioned on the token element; consumed by <c>ParseToken</c>.</param>
/// <param name="tokenResolver">Not used by this implementation.</param>
/// <returns>
/// A token holding the parsed user name and password. The password is carried as a managed
/// string, so it stays in memory in clear until collected.
/// </returns>
public override SecurityToken ReadTokenCore(XmlDictionaryReader reader, SecurityTokenResolver tokenResolver)
{
    string id, userName, password;
    ParseToken(reader, out id, out userName, out password);

    // A missing wsu:Id is replaced with a fresh unique id so the token is always addressable.
    string tokenId = id ?? SecurityUniqueId.Create().Value;

    // NOTE(review): the type name's casing ("USerName") looks like a typo; it is kept because
    // it must match the declared type.
    return new USerNameSecurityToken(userName, password, tokenId);
}
/// <summary>
/// Builds and caches (in <c>this.clientSecurity</c>) the <see cref="SecurityMessageProperty"/>
/// for the Windows identity negotiated on <paramref name="negotiateStream"/>.
/// </summary>
/// <param name="negotiateStream">The authenticated stream; its RemoteIdentity is cast to <see cref="WindowsIdentity"/>.</param>
/// <param name="extractGroupsForWindowsAccounts">Forwarded to <see cref="WindowsSecurityTokenAuthenticator"/>.</param>
/// <returns>The property that was also stored in <c>this.clientSecurity</c>.</returns>
SecurityMessageProperty CreateClientSecurity(NegotiateStream negotiateStream, bool extractGroupsForWindowsAccounts)
{
    WindowsIdentity identity = (WindowsIdentity)negotiateStream.RemoteIdentity;
    SecurityUtils.ValidateAnonymityConstraint(identity, false);
    WindowsSecurityTokenAuthenticator tokenAuthenticator = new WindowsSecurityTokenAuthenticator(extractGroupsForWindowsAccounts);

    // NegotiateStream's internal NegoState hands the authentication type to the WindowsIdentity
    // constructor, so reading AuthenticationType below does not need token privileges. Should
    // that change, the getter could fail when the process token lacks sufficient privileges; the
    // CLR surfaces that as a first-class exception and the value reads back as null.
    string authenticationType = identity.AuthenticationType;
    SecurityToken transportToken = new WindowsSecurityToken(identity, SecurityUniqueId.Create().Value, authenticationType);
    ReadOnlyCollection<IAuthorizationPolicy> policies = tokenAuthenticator.ValidateToken(transportToken);

    SecurityMessageProperty property = new SecurityMessageProperty
    {
        TransportToken = new SecurityTokenSpecification(transportToken, policies),
        ServiceSecurityContext = new ServiceSecurityContext(policies)
    };
    this.clientSecurity = property;
    return property;
}
/// <summary>
/// Wraps an <see cref="RSACryptoServiceProvider"/> as a security token with a fresh id.
/// When <paramref name="ownsRsa"/> is true the token takes over the lifetime of the RSA
/// object and pins it with a <see cref="GCHandle"/>; otherwise finalization is suppressed.
/// </summary>
/// <param name="rsa">The key to wrap; must not be null.</param>
/// <param name="ownsRsa">True to take ownership of <paramref name="rsa"/> and its key container.</param>
private RsaSecurityToken(RSACryptoServiceProvider rsa, bool ownsRsa)
{
    if (rsa == null)
    {
        throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("rsa");
    }
    this.rsa = rsa;
    this.id = SecurityUniqueId.Create().Value;
    this.effectiveTime = DateTime.UtcNow;
    if (ownsRsa)
    {
        // Read the container info before flipping PersistKeyInCsp; the statement order here is
        // deliberate and mirrors the sibling constructor that documents it.
        this.keyContainerInfo = rsa.CspKeyContainerInfo;
        // NOTE(security): the key now persists in the CSP container on disk until something
        // deletes it — presumably this token's Dispose/finalizer; confirm that path exists.
        rsa.PersistKeyInCsp = true;
        // Pinning keeps the RSA object reachable until this token is finalized, so its own
        // finalizer cannot run first.
        this.rsaHandle = GCHandle.Alloc(rsa);
    }
    else
    {
        // Not the owner: nothing to clean up, so skip finalization of this token.
        GC.SuppressFinalize(this);
    }
}
// Defense-in-depth constructor used by ServiceModel's IssuedSecurityTokenProvider.
// An RSA finalizer can throw and, in finalizer context, bring down the process. When
// ownsRsa=true this token takes ownership of the RSA object and provides reliable
// finalization/disposal of it; the GCHandle keeps the RSA object alive so the finalizer
// sequence runs in the intended order (this token first).
/// <summary>
/// Wraps an <see cref="RSACryptoServiceProvider"/> as a security token with a fresh id,
/// optionally taking ownership of the key's lifetime.
/// </summary>
/// <param name="rsa">The key to wrap; must not be null.</param>
/// <param name="ownsRsa">True to take ownership of <paramref name="rsa"/> and its key container.</param>
RsaSecurityToken(RSACryptoServiceProvider rsa, bool ownsRsa)
{
    if (rsa == null)
    {
        throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("rsa");
    }
    this.rsa = rsa;
    this.id = SecurityUniqueId.Create().Value;
    this.effectiveTime = DateTime.UtcNow;
    if (ownsRsa)
    {
        // Reading CspKeyContainerInfo also triggers key pair generation. It must happen before
        // PersistKeyInCsp is set so the handle does not go out of scope.
        this.keyContainerInfo = rsa.CspKeyContainerInfo;
        // NOTE(security): from here the key material lives in the CSP container on disk until
        // deleted; this type is responsible for deleting the key file.
        rsa.PersistKeyInCsp = true;
        // Pin the RSA object so it cannot be finalized before this token is.
        this.rsaHandle = GCHandle.Alloc(rsa);
    }
    else
    {
        // Not the owner: nothing to release, so this token needs no finalization.
        GC.SuppressFinalize(this);
    }
}
/// <summary>
/// Wraps an existing secret as a token, assigning a freshly generated id.
/// </summary>
/// <param name="key">The secret bytes; handed to the id-taking constructor unchanged (not copied here).</param>
public BinarySecretSecurityToken(byte[] key)
    : this(SecurityUniqueId.Create().Value, key)
{
}
/// <summary>
/// Produces a Kerberos requestor token from the inner provider's settings.
/// </summary>
/// <param name="timeout">Accepted for the override contract but not consulted here; any time-bounded work would be inside the token constructor.</param>
/// <returns>A new <see cref="KerberosRequestorSecurityToken"/> carrying a fresh id.</returns>
protected override SecurityToken GetTokenCore(TimeSpan timeout)
{
    string servicePrincipalName = _innerProvider.ServicePrincipalName;
    TokenImpersonationLevel impersonationLevel = _innerProvider.TokenImpersonationLevel;
    NetworkCredential credential = _innerProvider.NetworkCredential;
    return new KerberosRequestorSecurityToken(servicePrincipalName, impersonationLevel, credential, SecurityUniqueId.Create().Value);
}
/// <summary>
/// Creates a requestor token for <paramref name="servicePrincipalName"/> with defaults:
/// impersonation level <see cref="TokenImpersonationLevel.Impersonation"/>, the current
/// process credentials (null), a fresh id and no channel binding.
/// </summary>
/// <param name="servicePrincipalName">SPN of the target service.</param>
/// <remarks>
/// NOTE(security): Impersonation is the default here, not the more restrictive
/// Identification; callers needing a lower level must use the full constructor.
/// </remarks>
public KerberosRequestorSecurityToken(string servicePrincipalName)
    : this(servicePrincipalName, TokenImpersonationLevel.Impersonation, null, SecurityUniqueId.Create().Value, null)
{
}
/// <summary>
/// Wraps an <see cref="RSA"/> key as a security token with a freshly generated id.
/// </summary>
/// <param name="rsa">The key to wrap; validation, if any, happens in the id-taking constructor.</param>
public RsaSecurityToken(RSA rsa)
    : this(rsa, SecurityUniqueId.Create().Value)
{
}
/// <summary>
/// Wraps a Windows identity as a security token with a freshly generated id.
/// </summary>
/// <param name="windowsIdentity">The identity to wrap; forwarded unchanged.</param>
public WindowsSecurityToken(System.Security.Principal.WindowsIdentity windowsIdentity)
    : this(windowsIdentity, SecurityUniqueId.Create().Value)
{
}
/// <summary>
/// Wraps a certificate as a security token with a freshly generated id.
/// </summary>
/// <param name="certificate">The certificate to wrap.</param>
/// <param name="clone">Forwarded; presumably whether the token copies the certificate handle — see the id-taking constructor.</param>
/// <param name="disposable">Forwarded; presumably whether the token owns the certificate's lifetime — see the id-taking constructor.</param>
internal X509SecurityToken(X509Certificate2 certificate, bool clone, bool disposable)
    : this(certificate, SecurityUniqueId.Create().Value, clone, disposable)
{
}
/// <summary>
/// Reads an xenc encrypted-type element (attributes, optional EncryptionMethod, optional
/// KeyInfo, CipherData) from <paramref name="reader"/> into this instance and marks it Read.
/// </summary>
/// <param name="reader">Positioned at the opening element; left after its end element.</param>
/// <param name="maxBufferSize">
/// Upper bound for the cipher data. NOTE(security): 0 selects the unbounded overload of
/// ReadCipherData, so callers handling untrusted XML should pass a positive limit.
/// </param>
public void ReadFrom(XmlDictionaryReader reader, long maxBufferSize)
{
    ValidateReadState();
    reader.MoveToStartElement(OpeningElementName, NamespaceUri);
    this.encoding = reader.GetAttribute(EncodingAttribute, null);
    // Missing Id / wsu:Id attributes are replaced with freshly generated ids.
    this.id = reader.GetAttribute(XD.XmlEncryptionDictionary.Id, null) ?? SecurityUniqueId.Create().Value;
    this.wsuId = reader.GetAttribute(XD.XmlEncryptionDictionary.Id, XD.UtilityDictionary.Namespace) ?? SecurityUniqueId.Create().Value;
    this.mimeType = reader.GetAttribute(MimeTypeAttribute, null);
    this.type = reader.GetAttribute(TypeAttribute, null);
    ReadAdditionalAttributes(reader);
    reader.Read();
    if (reader.IsStartElement(EncryptionMethodElement.ElementName, NamespaceUri))
    {
        this.encryptionMethod.ReadFrom(reader);
    }
    if (this.tokenSerializer.CanReadKeyIdentifier(reader))
    {
        XmlElement xml = null;
        XmlDictionaryReader localReader;
        if (this.ShouldReadXmlReferenceKeyInfoClause)
        {
            // Build a DOM copy of the KeyInfo only when the fallback below may need to re-read
            // it; skipping this on the common path keeps the cost down.
            XmlDocument doc = new XmlDocument();
            xml = (doc.ReadNode(reader) as XmlElement);
            localReader = XmlDictionaryReader.CreateDictionaryReader(new XmlNodeReader(xml));
        }
        else
        {
            localReader = reader;
        }
        try
        {
            this.KeyIdentifier = this.tokenSerializer.ReadKeyIdentifier(localReader);
        }
        catch (Exception e)
        {
            // When an issued (custom) token is the initiator token, the plugged-in serializer may
            // not understand its key identifier clause. On the client side (ShouldReadXmlReference-
            // KeyInfoClause) fall back to a generic XML reference clause read from the DOM copy;
            // otherwise, and for fatal exceptions, propagate.
            if (Fx.IsFatal(e) || !this.ShouldReadXmlReferenceKeyInfoClause)
            {
                throw;
            }
            // NOTE(review): the fallback writes the keyIdentifier field directly, whereas the
            // try block goes through the KeyIdentifier property; if the setter validates, that
            // validation is bypassed here. Also, xml is null if ReadNode did not yield an element.
            this.keyIdentifier = ReadGenericXmlSecurityKeyIdentifier(XmlDictionaryReader.CreateDictionaryReader(new XmlNodeReader(xml)), e);
        }
    }
    reader.ReadStartElement(CipherDataElementName, EncryptedType.NamespaceUri);
    reader.ReadStartElement(CipherValueElementName, EncryptedType.NamespaceUri);
    if (maxBufferSize == 0)
    {
        ReadCipherData(reader);
    }
    else
    {
        ReadCipherData(reader, maxBufferSize);
    }
    reader.ReadEndElement(); // CipherValue
    reader.ReadEndElement(); // CipherData
    ReadAdditionalElements(reader);
    reader.ReadEndElement(); // OpeningElementName
    this.State = EncryptionState.Read;
}
/// <summary>
/// Wraps a received Kerberos request (AP-REQ bytes) as a token with a freshly generated id.
/// </summary>
/// <param name="request">The request bytes; forwarded unchanged to the id-taking constructor.</param>
public KerberosReceiverSecurityToken(byte[] request)
    : this(request, SecurityUniqueId.Create().Value)
{
}
/// <summary>
/// Creates a token whose secret is generated at the requested size, with a freshly generated id.
/// </summary>
/// <param name="keySizeInBits">Requested secret length; generation and validation live in the id-taking constructor.</param>
public BinarySecretSecurityToken(int keySizeInBits)
    : this(SecurityUniqueId.Create().Value, keySizeInBits)
{
}
/// <summary>
/// Creates a nonce token of the requested size with a freshly generated id; the trailing
/// <c>false</c> is forwarded to the base constructor unchanged.
/// </summary>
/// <param name="keySizeInBits">Requested nonce length in bits.</param>
public NonceToken(int keySizeInBits)
    : base(SecurityUniqueId.Create().Value, keySizeInBits, false)
{
}
/// <summary>
/// Wraps existing nonce bytes as a token with a freshly generated id.
/// </summary>
/// <param name="key">The nonce bytes; forwarded unchanged.</param>
public NonceToken(byte[] key)
    : this(SecurityUniqueId.Create().Value, key)
{
}
/// <summary>
/// Creates a username/password token with a freshly generated id.
/// </summary>
/// <param name="userName">The user name.</param>
/// <param name="password">The password, kept as a managed string by the token.</param>
public UserNameSecurityToken(string userName, string password)
    : this(userName, password, SecurityUniqueId.Create().Value)
{
}
/// <summary>
/// Wraps a certificate as a security token with a freshly generated id.
/// </summary>
/// <param name="certificate">The certificate to wrap; forwarded unchanged.</param>
public X509SecurityToken(X509Certificate2 certificate)
    : this(certificate, SecurityUniqueId.Create().Value)
{
}
/// <summary>
/// Produces a Kerberos requestor token from the inner provider's settings. The work is
/// synchronous; the result is returned as an already-completed task.
/// </summary>
/// <param name="cancellationToken">Not observed — the token is built before this method returns.</param>
/// <param name="channelbinding">
/// Not used. NOTE(security): the channel binding is not forwarded to the token, so the
/// Kerberos exchange is not bound to the outer channel on this path; another overload in this
/// corpus passes it to the token constructor — confirm which behaviour is intended here.
/// </param>
/// <returns>A completed task holding a new <see cref="KerberosRequestorSecurityToken"/>.</returns>
internal Task<SecurityToken> GetTokenAsync(CancellationToken cancellationToken, ChannelBinding channelbinding)
{
    SecurityToken requestorToken = new KerberosRequestorSecurityToken(
        this.innerProvider.ServicePrincipalName,
        this.innerProvider.TokenImpersonationLevel,
        this.innerProvider.NetworkCredential,
        SecurityUniqueId.Create().Value);
    return Task.FromResult(requestorToken);
}
/// <summary>
/// Wraps a Windows identity as a security token with a freshly generated id.
/// </summary>
/// <param name="windowsIdentity">The identity to wrap; forwarded unchanged.</param>
public WindowsSecurityToken(WindowsIdentity windowsIdentity)
    : this(windowsIdentity, SecurityUniqueId.Create().Value)
{
}
/// <summary>
/// Creates a token pairing a certificate with the Windows identity it was mapped to,
/// assigning a freshly generated id.
/// </summary>
/// <param name="certificate">The client certificate.</param>
/// <param name="windowsIdentity">The Windows identity associated with the certificate.</param>
/// <param name="authenticationType">Recorded as the mechanism that produced the identity.</param>
/// <param name="clone">Forwarded; presumably whether the certificate handle is copied — see the id-taking constructor.</param>
internal X509WindowsSecurityToken(X509Certificate2 certificate, WindowsIdentity windowsIdentity, string authenticationType, bool clone)
    : this(certificate, windowsIdentity, authenticationType, SecurityUniqueId.Create().Value, clone)
{
}
/// <summary>
/// Produces a Kerberos requestor token from this provider's SPN, impersonation level and
/// credential.
/// </summary>
/// <param name="cancellationToken">Not observed by this implementation.</param>
/// <param name="channelbinding">
/// Not used. NOTE(security): the channel binding is dropped rather than passed to the token,
/// so the Kerberos exchange is not bound to the outer channel here; another overload in this
/// corpus forwards it — confirm whether the token constructor available here accepts it.
/// </param>
/// <returns>A new <see cref="KerberosRequestorSecurityToken"/> with a fresh id.</returns>
internal SecurityToken GetToken(CancellationToken cancellationToken, ChannelBinding channelbinding)
{
    string spn = ServicePrincipalName;
    TokenImpersonationLevel level = TokenImpersonationLevel;
    NetworkCredential credential = NetworkCredential;
    return new KerberosRequestorSecurityToken(spn, level, credential, SecurityUniqueId.Create().Value);
}
/// <summary>
/// Produces a Kerberos requestor token bound to <paramref name="channelbinding"/>, using this
/// provider's SPN, impersonation level and credential.
/// </summary>
/// <param name="timeout">Not consulted here; any time-bounded work would be inside the token constructor.</param>
/// <param name="channelbinding">Forwarded to the token so the Kerberos exchange can be tied to the outer channel.</param>
/// <returns>A new <see cref="KerberosRequestorSecurityToken"/> with a fresh id.</returns>
internal SecurityToken GetToken(TimeSpan timeout, ChannelBinding channelbinding)
{
    string spn = this.ServicePrincipalName;
    TokenImpersonationLevel level = this.TokenImpersonationLevel;
    NetworkCredential credential = this.NetworkCredential;
    string tokenId = SecurityUniqueId.Create().Value;
    return new KerberosRequestorSecurityToken(spn, level, credential, tokenId, channelbinding);
}