protected override ReadOnlyCollection <IAuthorizationPolicy> ValidateTokenCore(SecurityToken token) { WindowsSecurityToken token2 = (WindowsSecurityToken)token; WindowsClaimSet claimSet = new WindowsClaimSet(token2.WindowsIdentity, token2.AuthenticationType, this.includeWindowsGroups, token2.ValidTo); return(System.IdentityModel.SecurityUtils.CreateAuthorizationPolicies(claimSet, token2.ValidTo)); }
protected override ReadOnlyCollection <IAuthorizationPolicy> ValidateTokenCore(SecurityToken token) { WindowsSecurityToken windowsToken = (WindowsSecurityToken)token; WindowsClaimSet claimSet = new WindowsClaimSet(windowsToken.WindowsIdentity, windowsToken.AuthenticationType, _includeWindowsGroups, windowsToken.ValidTo); return(SecurityUtils.CreateAuthorizationPolicies(claimSet, windowsToken.ValidTo)); }
public bool Evaluate(EvaluationContext evaluationContext, ref object state) { try { X509Certificate2 cert = ((X509CertificateClaimSet)evaluationContext.ClaimSets[0]).X509Certificate; string thumbPrint = cert.Thumbprint; string acct = System.Configuration.ConfigurationManager.AppSettings[thumbPrint]; var winId = new System.Security.Principal.WindowsIdentity(acct); var wClaimSet = new WindowsClaimSet(winId); evaluationContext.Properties["Principal"] = new WindowsPrincipal(winId); evaluationContext.AddClaimSet(this, wClaimSet); return(true); } catch (Exception e) { Console.Write(e.Message); return(false); } }
protected override ReadOnlyCollection <IAuthorizationPolicy> ValidateTokenCore(SecurityToken token) { X509SecurityToken x509Token = (X509SecurityToken)token; this.validator.Validate(x509Token.Certificate); X509CertificateClaimSet x509ClaimSet = new X509CertificateClaimSet(x509Token.Certificate, this.cloneHandle); if (!this.mapToWindows) { return(SecurityUtils.CreateAuthorizationPolicies(x509ClaimSet, x509Token.ValidTo)); } WindowsClaimSet windowsClaimSet; if (token is X509WindowsSecurityToken) { windowsClaimSet = new WindowsClaimSet(((X509WindowsSecurityToken)token).WindowsIdentity, SecurityUtils.AuthTypeCertMap, this.includeWindowsGroups, this.cloneHandle); } else { // Ensure NT_AUTH chain policy for certificate account mapping X509CertificateValidator.NTAuthChainTrust.Validate(x509Token.Certificate); WindowsIdentity windowsIdentity = null; // for Vista, LsaLogon supporting mapping cert to NTToken if (Environment.OSVersion.Version.Major >= SecurityUtils.WindowsVistaMajorNumber) { windowsIdentity = KerberosCertificateLogon(x509Token.Certificate); } else { // Downlevel, S4U over PrincipalName SubjectAltNames string name = x509Token.Certificate.GetNameInfo(X509NameType.UpnName, false); if (string.IsNullOrEmpty(name)) { throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new SecurityTokenValidationException(SR.GetString(SR.InvalidNtMapping, SecurityUtils.GetCertificateId(x509Token.Certificate)))); } using (WindowsIdentity initialWindowsIdentity = new WindowsIdentity(name, SecurityUtils.AuthTypeCertMap)) { // This is to make sure that the auth Type is shoved down to the class as the above constructor does not do it. windowsIdentity = new WindowsIdentity(initialWindowsIdentity.Token, SecurityUtils.AuthTypeCertMap); } } windowsClaimSet = new WindowsClaimSet(windowsIdentity, SecurityUtils.AuthTypeCertMap, this.includeWindowsGroups, false); } List <ClaimSet> claimSets = new List <ClaimSet>(2); claimSets.Add(windowsClaimSet); claimSets.Add(x509ClaimSet); List <IAuthorizationPolicy> policies = new List <IAuthorizationPolicy>(1); policies.Add(new UnconditionalPolicy(claimSets.AsReadOnly(), x509Token.ValidTo)); return(policies.AsReadOnly()); }
protected override ReadOnlyCollection <IAuthorizationPolicy> ValidateTokenCore(SecurityToken token) { #if SUPPORTS_WINDOWSIDENTITY // NegotiateStream WindowsSecurityToken windowsToken = (WindowsSecurityToken)token; WindowsClaimSet claimSet = new WindowsClaimSet(windowsToken.WindowsIdentity, windowsToken.AuthenticationType, this.includeWindowsGroups, windowsToken.ValidTo); return(SecurityUtils.CreateAuthorizationPolicies(claimSet, windowsToken.ValidTo)); #else // SUPPORTS_WINDOWSIDENTITY throw ExceptionHelper.PlatformNotSupported(ExceptionHelper.WinsdowsStreamSecurityNotSupported); #endif // SUPPORTS_WINDOWSIDENTITY }
protected override ReadOnlyCollection <IAuthorizationPolicy> ValidateUserNamePasswordCore(string userName, string password) { if (IsAuthenticated(userName, password)) { var name = userName.Split('\\')[1]; var policies = new List <IAuthorizationPolicy>(1); var claimSet = new WindowsClaimSet(new WindowsIdentity(name), true); policies.Add(new SecurityTokenAuthorizationPolicy(claimSet)); return(policies.AsReadOnly()); } return(null); }
internal static ClaimSet CloneClaimSetIfNecessary(ClaimSet claimSet) { if (claimSet != null) { WindowsClaimSet set = claimSet as WindowsClaimSet; if (set != null) { return(set.Clone()); } } return(claimSet); }
protected override ReadOnlyCollection <IAuthorizationPolicy> ValidateTokenCore(SecurityToken token) { WindowsClaimSet set2; X509SecurityToken token2 = (X509SecurityToken)token; this.validator.Validate(token2.Certificate); X509CertificateClaimSet claimSet = new X509CertificateClaimSet(token2.Certificate, this.cloneHandle); if (!this.mapToWindows) { return(System.IdentityModel.SecurityUtils.CreateAuthorizationPolicies(claimSet, token2.ValidTo)); } if (token is X509WindowsSecurityToken) { set2 = new WindowsClaimSet(((X509WindowsSecurityToken)token).WindowsIdentity, "SSL/PCT", this.includeWindowsGroups, this.cloneHandle); } else { X509CertificateValidator.NTAuthChainTrust.Validate(token2.Certificate); WindowsIdentity windowsIdentity = null; if (Environment.OSVersion.Version.Major >= 6) { windowsIdentity = KerberosCertificateLogon(token2.Certificate); } else { string nameInfo = token2.Certificate.GetNameInfo(X509NameType.UpnName, false); if (string.IsNullOrEmpty(nameInfo)) { throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new SecurityTokenValidationException(System.IdentityModel.SR.GetString("InvalidNtMapping", new object[] { System.IdentityModel.SecurityUtils.GetCertificateId(token2.Certificate) }))); } using (WindowsIdentity identity2 = new WindowsIdentity(nameInfo, "SSL/PCT")) { windowsIdentity = new WindowsIdentity(identity2.Token, "SSL/PCT"); } } set2 = new WindowsClaimSet(windowsIdentity, "SSL/PCT", this.includeWindowsGroups, false); } List <ClaimSet> list = new List <ClaimSet>(2) { set2, claimSet }; return(new List <IAuthorizationPolicy>(1) { new UnconditionalPolicy(list.AsReadOnly(), token2.ValidTo) }.AsReadOnly()); }
protected override ValueTask <ReadOnlyCollection <IAuthorizationPolicy> > ValidateTokenCoreAsync(SecurityToken token) { if (token is WindowsSecurityToken) { var windowsToken = (WindowsSecurityToken)token; var claimSet = new WindowsClaimSet(windowsToken.WindowsIdentity, windowsToken.AuthenticationType, _includeWindowsGroups, windowsToken.ValidTo); return(new ValueTask <ReadOnlyCollection <IAuthorizationPolicy> >(SecurityUtils.CreateAuthorizationPolicies(claimSet, windowsToken.ValidTo))); } else { var genericToken = (GenericSecurityToken)token; var claimSet = new WindowsClaimSet(genericToken.GenericIdentity, _includeWindowsGroups, _ldapSettings); return(new ValueTask <ReadOnlyCollection <IAuthorizationPolicy> >(SecurityUtils.CreateAuthorizationPolicies(claimSet))); } }
public string GetSaml11Token() { var claimSets = new List <ClaimSet>(ServiceSecurityContext.Current.AuthorizationContext.ClaimSets); ClaimSet claimSet = claimSets.Find((Predicate <ClaimSet>) delegate(ClaimSet target) { WindowsClaimSet defaultClaimSet = target.Issuer as WindowsClaimSet; return(defaultClaimSet != null); }); var accessControlClaims = claimSet.FindClaims(ClaimTypes.Sid, Rights.PossessProperty); SamlAssertion assertion = Saml11Helper.CreateSamlAssertionFromUserNameClaims(accessControlClaims); SamlSecurityToken token = new SamlSecurityToken(assertion); return(Saml11Helper.SerializeSamlToken(token)); }
internal static ClaimSet CloneClaimSetIfNecessary(ClaimSet claimSet) { if (claimSet != null) { WindowsClaimSet wic = claimSet as WindowsClaimSet; if (wic != null) { return(wic.Clone()); } //X509CertificateClaimSet x509 = claimSet as X509CertificateClaimSet; //if (x509 != null) //{ // return x509.Clone(); //} } return(claimSet); }
protected override ReadOnlyCollection <IAuthorizationPolicy> ValidateTokenCore(SecurityToken token) { X509SecurityToken x509Token = (X509SecurityToken)token; _validator.Validate(x509Token.Certificate); X509CertificateClaimSet x509ClaimSet = new X509CertificateClaimSet(x509Token.Certificate, _cloneHandle); if (!MapCertificateToWindowsAccount) { return(SecurityUtils.CreateAuthorizationPolicies(x509ClaimSet, x509Token.ValidTo)); } WindowsClaimSet windowsClaimSet; if (token is X509WindowsSecurityToken x509token) { windowsClaimSet = new WindowsClaimSet(x509token.WindowsIdentity, SecurityUtils.AuthTypeCertMap, _includeWindowsGroups, _cloneHandle); } else { throw new PlatformNotSupportedException(); // Ensure NT_AUTH chain policy for certificate account mapping //X509CertificateValidator.NTAuthChainTrust.Validate(x509Token.Certificate); //WindowsIdentity windowsIdentity = null; //windowsIdentity = KerberosCertificateLogon(x509Token.Certificate); //windowsClaimSet = new WindowsClaimSet(windowsIdentity, SecurityUtils.AuthTypeCertMap, this.includeWindowsGroups, false); } List <ClaimSet> claimSets = new List <ClaimSet>(2) { windowsClaimSet, x509ClaimSet }; List <IAuthorizationPolicy> policies = new List <IAuthorizationPolicy>(1) { new UnconditionalPolicy(claimSets.AsReadOnly(), x509Token.ValidTo) }; return(policies.AsReadOnly()); }
protected override ReadOnlyCollection <IAuthorizationPolicy> ValidateUserNamePasswordCore(string userName, string password) { string domain = null; string[] strings = userName.Split('\\'); if (strings.Length != 1) { if (strings.Length != 2 || string.IsNullOrEmpty(strings[0])) { // Only support one slash and domain cannot be empty (consistent with windowslogon). throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgument(SR.GetString(SR.IncorrectUserNameFormat)); } // This is the downlevel case - domain\userName userName = strings[1]; domain = strings[0]; } const uint LOGON32_PROVIDER_DEFAULT = 0; const uint LOGON32_LOGON_NETWORK_CLEARTEXT = 8; SafeCloseHandle tokenHandle = null; try { if (!NativeMethods.LogonUser(userName, domain, password, LOGON32_LOGON_NETWORK_CLEARTEXT, LOGON32_PROVIDER_DEFAULT, out tokenHandle)) { int error = Marshal.GetLastWin32Error(); throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new SecurityTokenValidationException(SR.GetString(SR.FailLogonUser, userName), new Win32Exception(error))); } WindowsIdentity windowsIdentity = new WindowsIdentity(tokenHandle.DangerousGetHandle(), SecurityUtils.AuthTypeBasic); WindowsClaimSet claimSet = new WindowsClaimSet(windowsIdentity, SecurityUtils.AuthTypeBasic, this.includeWindowsGroups, false); return(SecurityUtils.CreateAuthorizationPolicies(claimSet, claimSet.ExpirationTime)); } finally { if (tokenHandle != null) { tokenHandle.Close(); } } }
static void Main(string[] args) { var claims = new WindowsClaimSet(WindowsIdentity.GetCurrent()); using (claims) { foreach (var claim in claims) { Console.WriteLine(string.Format("Claim Type: {0}", claim.ClaimType)); Console.WriteLine(string.Format("Resource: {0}", claim.Resource)); Console.WriteLine(string.Format("Right: {0}", claim.Right)); } var accessControlClaims = claims.FindClaims(ClaimTypes.Sid, Rights.PossessProperty); var assertion = CreateSamlAssertionFromWindowsIdentityClaims(accessControlClaims); var token = new SamlSecurityToken(assertion); SerializeSamlTokenToFile(token); Console.ReadKey(); Console.ReadKey(); } }
/// <summary> /// Converts a given set of WCF ClaimSets to IDFx ClaimsIdentity. /// </summary> /// <param name="claimSets">Collection of <see cref="ClaimSet"/> to convert to IDFx.</param> /// <param name="securityTokenHandlerConfiguration">The SecurityTokenHandlerConfiguration to use.</param> /// <returns>ClaimsIdentity</returns> static ClaimsIdentity ConvertToIDFxIdentity(IList <ClaimSet> claimSets, SecurityTokenHandlerConfiguration securityTokenHandlerConfiguration) { if (claimSets == null) { throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("claimSets"); } ClaimsIdentity claimsIdentity = null; foreach (System.IdentityModel.Claims.ClaimSet claimSet in claimSets) { WindowsClaimSet windowsClaimSet = claimSet as WindowsClaimSet; if (windowsClaimSet != null) { // // The ClaimSet in the authorizationContext is simply a reflection of the NT Token. // The WindowsClaimsIdentity will generate that information properly. So ignore the ClaimSets. // // // WCF does not propogate the WindowsIdentity.AuthenticationType properly. // To avoid WindowsClaimsIdentity.AuthenticationType from throwing, specify // this authenticationType value. Since we only have to handle SPNEGO specify Negotiate. // claimsIdentity = MergeClaims(claimsIdentity, new WindowsIdentity(windowsClaimSet.WindowsIdentity.Token, AuthenticationTypes.Negotiate)); AddAuthenticationMethod(claimsIdentity, AuthenticationMethods.Windows); AddAuthenticationInstantClaim(claimsIdentity, XmlConvert.ToString(DateTime.UtcNow, DateTimeFormats.Generated)); } else { claimsIdentity = MergeClaims(claimsIdentity, ClaimsConversionHelper.CreateClaimsIdentityFromClaimSet(claimSet)); AddAuthenticationInstantClaim(claimsIdentity, XmlConvert.ToString(DateTime.UtcNow, DateTimeFormats.Generated)); } } return(claimsIdentity); }
protected override ReadOnlyCollection <IAuthorizationPolicy> ValidateSspiNegotiation(ISspiNegotiation sspiNegotiation) { WindowsSspiNegotiation windowsNegotiation = (WindowsSspiNegotiation)sspiNegotiation; if (!windowsNegotiation.IsValidContext) { throw System.ServiceModel.DiagnosticUtility.ExceptionUtility.ThrowHelperWarning(new SecurityNegotiationException(System.ServiceModel.SR.GetString("InvalidSspiNegotiation"))); } SecurityTraceRecordHelper.TraceServiceSpnego(windowsNegotiation); if (base.IsClientAnonymous) { return(System.ServiceModel.Security.EmptyReadOnlyCollection <IAuthorizationPolicy> .Instance); } using (System.IdentityModel.SafeCloseHandle handle = windowsNegotiation.GetContextToken()) { WindowsIdentity identity = new WindowsIdentity(handle.DangerousGetHandle(), windowsNegotiation.ProtocolName); System.ServiceModel.Security.SecurityUtils.ValidateAnonymityConstraint(identity, this.AllowUnauthenticatedCallers); List <IAuthorizationPolicy> list = new List <IAuthorizationPolicy>(1); WindowsClaimSet issuance = new WindowsClaimSet(identity, windowsNegotiation.ProtocolName, this.extractGroupsForWindowsAccounts, false); list.Add(new UnconditionalPolicy(issuance, TimeoutHelper.Add(DateTime.UtcNow, base.ServiceTokenLifetime))); return(list.AsReadOnly()); } }
protected override ReadOnlyCollection <IAuthorizationPolicy> ValidateUserNamePasswordCore(string userName, string password) { string lpszDomain = null; ReadOnlyCollection <IAuthorizationPolicy> onlys; string[] strArray = userName.Split(new char[] { '\\' }); if (strArray.Length != 1) { if ((strArray.Length != 2) || string.IsNullOrEmpty(strArray[0])) { throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgument(System.IdentityModel.SR.GetString("IncorrectUserNameFormat")); } userName = strArray[1]; lpszDomain = strArray[0]; } SafeCloseHandle phToken = null; try { if (!System.IdentityModel.NativeMethods.LogonUser(userName, lpszDomain, password, 8, 0, out phToken)) { int error = Marshal.GetLastWin32Error(); throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new SecurityTokenValidationException(System.IdentityModel.SR.GetString("FailLogonUser", new object[] { userName }), new Win32Exception(error))); } WindowsIdentity windowsIdentity = new WindowsIdentity(phToken.DangerousGetHandle(), "Basic"); WindowsClaimSet claimSet = new WindowsClaimSet(windowsIdentity, "Basic", this.includeWindowsGroups, false); onlys = System.IdentityModel.SecurityUtils.CreateAuthorizationPolicies(claimSet, claimSet.ExpirationTime); } finally { if (phToken != null) { phToken.Close(); } } return(onlys); }
internal static string GetIdentityNamesFromContext(AuthorizationContext authContext) { if (authContext == null) { return(String.Empty); } StringBuilder str = new StringBuilder(256); for (int i = 0; i < authContext.ClaimSets.Count; ++i) { ClaimSet claimSet = authContext.ClaimSets[i]; // Windows WindowsClaimSet windows = claimSet as WindowsClaimSet; if (windows != null) { #if SUPPORTS_WINDOWSIDENTITY if (str.Length > 0) { str.Append(", "); } AppendIdentityName(str, windows.WindowsIdentity); #else throw ExceptionHelper.PlatformNotSupported(ExceptionHelper.WinsdowsStreamSecurityNotSupported); #endif // SUPPORTS_WINDOWSIDENTITY } else { // X509 X509CertificateClaimSet x509 = claimSet as X509CertificateClaimSet; if (x509 != null) { if (str.Length > 0) { str.Append(", "); } AppendCertificateIdentityName(str, x509.X509Certificate); } } } if (str.Length <= 0) { List <IIdentity> identities = null; object obj; if (authContext.Properties.TryGetValue(SecurityUtils.Identities, out obj)) { identities = obj as List <IIdentity>; } if (identities != null) { for (int i = 0; i < identities.Count; ++i) { IIdentity identity = identities[i]; if (identity != null) { if (str.Length > 0) { str.Append(", "); } AppendIdentityName(str, identity); } } } } return(str.Length <= 0 ? String.Empty : str.ToString()); }
public SecurityTokenAuthorizationPolicy(WindowsClaimSet claims) { this.claims = claims; }