public override void SecureMessage(SoapEnvelope envelope, WSE.Security security)
{
// get server password from database
string password = parentAssertion.Password;
if (password == null)
{
return;
}
// hash password
password = CryptoUtils.SHA1(password);
// create username token
UsernameToken userToken = new UsernameToken(parentAssertion.ServerId.ToString(), password,
PasswordOption.SendNone);
if (parentAssertion.signRequest || parentAssertion.encryptRequest)
{
// Add the token to the SOAP header.
security.Tokens.Add(userToken);
}
if (parentAssertion.signRequest)
{
// Sign the SOAP message by using the UsernameToken.
MessageSignature sig = new MessageSignature(userToken);
security.Elements.Add(sig);
}
if (parentAssertion.encryptRequest)
{
// we don't return any custom SOAP headers
// so, just encrypt a message Body
EncryptedData data = new EncryptedData(userToken);
// encrypt custom headers
for (int index = 0; index < envelope.Header.ChildNodes.Count; index++)
{
XmlElement child = envelope.Header.ChildNodes[index] as XmlElement;
// find all SecureSoapHeader headers marked with a special attribute
if (child != null && child.NamespaceURI == "http://com/SolidCP/server/")
{
// create ID attribute for referencing purposes
string id = Guid.NewGuid().ToString();
child.SetAttribute("Id", "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd", id);
// Create an encryption reference for the custom SOAP header.
data.AddReference(new EncryptionReference("#" + id));
}
}
security.Elements.Add(data);
}
}
public override void ValidateMessageSecurity(SoapEnvelope envelope, WSE.Security security)
{
if (security != null)
{
ProcessWSERequest(envelope, security);
}
//else if (envelope.Header != null)
// ProcessSoapRequest(envelope);
else// if (HttpContext.Current.Request.Headers["Authorization"] != null)
{
ProcessBasicAuthRequest();
}
}
private bool CheckSignature(SoapEnvelope envelope, WebSecurity security, MessageSignature signature)
{
//
// Now verify which parts of the message were actually signed.
//
SignatureOptions actualOptions = signature.SignatureOptions;
SignatureOptions expectedOptions = SignatureOptions.IncludeSoapBody;
if (security != null && security.Timestamp != null)
{
expectedOptions |= SignatureOptions.IncludeTimestamp;
}
//
// The <Action> and <To> are required addressing elements.
//
expectedOptions |= SignatureOptions.IncludeAction;
expectedOptions |= SignatureOptions.IncludeTo;
if (envelope.Context.Addressing.FaultTo != null && envelope.Context.Addressing.FaultTo.TargetElement != null)
{
expectedOptions |= SignatureOptions.IncludeFaultTo;
}
if (envelope.Context.Addressing.From != null && envelope.Context.Addressing.From.TargetElement != null)
{
expectedOptions |= SignatureOptions.IncludeFrom;
}
if (envelope.Context.Addressing.MessageID != null && envelope.Context.Addressing.MessageID.TargetElement != null)
{
expectedOptions |= SignatureOptions.IncludeMessageId;
}
if (envelope.Context.Addressing.RelatesTo != null && envelope.Context.Addressing.RelatesTo.TargetElement != null)
{
expectedOptions |= SignatureOptions.IncludeRelatesTo;
}
if (envelope.Context.Addressing.ReplyTo != null && envelope.Context.Addressing.ReplyTo.TargetElement != null)
{
expectedOptions |= SignatureOptions.IncludeReplyTo;
}
//
// Check if the all the expected options are the present.
//
return((expectedOptions & actualOptions) == expectedOptions);
}
public override void ValidateMessageSecurity(SoapEnvelope envelope, WebSecurity security)
{
if (!ServerConfiguration.Security.SecurityEnabled)
{
return;
}
// by default we consider that SOAP messages is not signed
bool IsSigned = false;
// if security element is null
// the call is made not from WSE-enabled client
if (security != null)
{
foreach (ISecurityElement element in security.Elements)
{
if (element is MessageSignature)
{
// The given context contains a Signature element.
MessageSignature sign = element as MessageSignature;
if (CheckSignature(envelope, security, sign))
{
// The SOAP message is signed.
if (sign.SigningToken is UsernameToken)
{
UsernameToken token = sign.SigningToken as UsernameToken;
// The SOAP message is signed
// with a UsernameToken.
IsSigned = true;
}
}
}
}
}
// throw an exception if the message did not pass all the tests
if (!IsSigned)
{
throw new SecurityFault("Message did not meet security requirements.");
}
}
public override void SecureMessage(SoapEnvelope envelope, WSE.Security security)
{
// create username token
UsernameToken userToken = new UsernameToken(parentAssertion.Username, parentAssertion.Password,
PasswordOption.SendNone);
// Add the token to the SOAP header.
security.Tokens.Add(userToken);
// Sign the SOAP message by using the UsernameToken.
MessageSignature sig = new MessageSignature(userToken);
security.Elements.Add(sig);
// Encrypt SOAP message
EncryptedData data = new EncryptedData(userToken);
security.Elements.Add(data);
}
private void ProcessWSERequest(SoapEnvelope envelope, WSE.Security security)
{
// by default we consider that SOAP messages is not signed
bool IsSigned = false;
// if security element is null
// the call is made not from WSE-enabled client
if (security != null)
{
foreach (ISecurityElement element in security.Elements)
{
if (element is MessageSignature)
{
// The given context contains a Signature element.
MessageSignature sign = element as MessageSignature;
if (CheckSignature(envelope, security, sign))
{
// The SOAP message is signed.
if (sign.SigningToken is UsernameToken)
{
UsernameToken token = sign.SigningToken as UsernameToken;
// The SOAP message is signed
// with a UsernameToken.
IsSigned = true;
}
}
}
}
}
// throw an exception if the message did not pass all the tests
if (!IsSigned)
{
throw new SecurityFault("SOAP response should be signed.");
}
// check encryption
bool IsEncrypted = false;
foreach (ISecurityElement element in security.Elements)
{
if (element is EncryptedData)
{
EncryptedData encryptedData = element as EncryptedData;
System.Xml.XmlElement targetElement = encryptedData.TargetElement;
if (SoapHelper.IsBodyElement(targetElement))
{
// The given SOAP message has the Body element Encrypted.
IsEncrypted = true;
}
}
}
if (!IsEncrypted)
{
throw new SecurityFault("SOAP response should be encrypted.");
}
}
private bool CheckSignature(SoapEnvelope envelope, WebSecurity security, MessageSignature signature)
{
//
// Now verify which parts of the message were actually signed.
//
SignatureOptions actualOptions = signature.SignatureOptions;
SignatureOptions expectedOptions = SignatureOptions.IncludeSoapBody;
if (security != null && security.Timestamp != null)
expectedOptions |= SignatureOptions.IncludeTimestamp;
//
// The <Action> and <To> are required addressing elements.
//
expectedOptions |= SignatureOptions.IncludeAction;
expectedOptions |= SignatureOptions.IncludeTo;
if (envelope.Context.Addressing.FaultTo != null && envelope.Context.Addressing.FaultTo.TargetElement != null)
expectedOptions |= SignatureOptions.IncludeFaultTo;
if (envelope.Context.Addressing.From != null && envelope.Context.Addressing.From.TargetElement != null)
expectedOptions |= SignatureOptions.IncludeFrom;
if (envelope.Context.Addressing.MessageID != null && envelope.Context.Addressing.MessageID.TargetElement != null)
expectedOptions |= SignatureOptions.IncludeMessageId;
if (envelope.Context.Addressing.RelatesTo != null && envelope.Context.Addressing.RelatesTo.TargetElement != null)
expectedOptions |= SignatureOptions.IncludeRelatesTo;
if (envelope.Context.Addressing.ReplyTo != null && envelope.Context.Addressing.ReplyTo.TargetElement != null)
expectedOptions |= SignatureOptions.IncludeReplyTo;
//
// Check if the all the expected options are the present.
//
return ((expectedOptions & actualOptions) == expectedOptions);
}
public override void ValidateMessageSecurity(SoapEnvelope envelope, WebSecurity security)
{
if (!ServerConfiguration.Security.SecurityEnabled)
return;
// by default we consider that SOAP messages is not signed
bool IsSigned = false;
// if security element is null
// the call is made not from WSE-enabled client
if (security != null)
{
foreach (ISecurityElement element in security.Elements)
{
if (element is MessageSignature)
{
// The given context contains a Signature element.
MessageSignature sign = element as MessageSignature;
if (CheckSignature(envelope, security, sign))
{
// The SOAP message is signed.
if (sign.SigningToken is UsernameToken)
{
UsernameToken token = sign.SigningToken as UsernameToken;
// The SOAP message is signed
// with a UsernameToken.
IsSigned = true;
}
}
}
}
}
// throw an exception if the message did not pass all the tests
if (!IsSigned)
throw new SecurityFault("Message did not meet security requirements.");
}
