internal void EnsureOutgoingIdentity(EndpointAddress serviceReference, ReadOnlyCollection <IAuthorizationPolicy> authorizationPolicies) { if (authorizationPolicies == null) { throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull(nameof(authorizationPolicies)); } AuthorizationContext ac = AuthorizationContext.CreateDefaultAuthorizationContext(authorizationPolicies); EnsureIdentity(serviceReference, ac, SR.IdentityCheckFailedForOutgoingMessage); }
public void CreateDefaultAuthorizationContext() { AuthorizationContext a = AuthorizationContext.CreateDefaultAuthorizationContext(new IAuthorizationPolicy [0]); Assert.AreEqual(DateTime.MaxValue.AddDays(-1), a.ExpirationTime, "#1-1"); Assert.AreEqual(0, a.Properties.Count, "#1-2"); Assert.AreEqual(0, a.ClaimSets.Count, "#1-3"); a = AuthorizationContext.CreateDefaultAuthorizationContext(new IAuthorizationPolicy [] { new MyAuthorizationPolicy() }); Assert.AreEqual(DateTime.MaxValue.AddDays(-1), a.ExpirationTime, "#2-1"); Assert.AreEqual(0, a.Properties.Count, "#2-2"); Assert.AreEqual(0, a.ClaimSets.Count, "#2-3"); }
protected AuthorizationContext EnsureIncomingIdentity(Message message, SecurityToken token, ReadOnlyCollection <IAuthorizationPolicy> authorizationPolicies) { if (token == null) { throw TraceUtility.ThrowHelperError(new MessageSecurityException(SR.GetString(SR.NoSigningTokenAvailableToDoIncomingIdentityCheck)), message); } AuthorizationContext authContext = (authorizationPolicies != null) ? AuthorizationContext.CreateDefaultAuthorizationContext(authorizationPolicies) : null; if (this.factory.IdentityVerifier != null) { if (this.Target == null) { throw TraceUtility.ThrowHelperError(new MessageSecurityException(SR.GetString(SR.NoOutgoingEndpointAddressAvailableForDoingIdentityCheckOnReply)), message); } this.factory.IdentityVerifier.EnsureIncomingIdentity(this.Target, authContext); } return(authContext); }
public virtual ClaimSet ResolveClaimSet(SecurityToken token) { if (token == null) { throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("token"); } for (int i = 0; i < this.supportingAuthenticators.Count; i++) { if (this.supportingAuthenticators[i].CanValidateToken(token)) { AuthorizationContext context = AuthorizationContext.CreateDefaultAuthorizationContext(this.supportingAuthenticators[i].ValidateToken(token)); if (context.ClaimSets.Count > 0) { return(context.ClaimSets[0]); } } } return(null); }
public static void ReplacePrimaryIdentity(this OperationContext context, IIdentity identity) { var incomingMessageProperties = context.IncomingMessageProperties; if (incomingMessageProperties != null) { var security = incomingMessageProperties.Security ?? (incomingMessageProperties.Security = new SecurityMessageProperty()); var policies = security.ServiceSecurityContext.AuthorizationPolicies.ToList(); policies.Add(new IdentityAuthorizationPolicy(identity)); var authorizationContext = AuthorizationContext.CreateDefaultAuthorizationContext(policies); security.ServiceSecurityContext = new ServiceSecurityContext( authorizationContext, new ReadOnlyCollection <IAuthorizationPolicy>(policies)); } }
public virtual ClaimSet ResolveClaimSet(SecurityToken token) { if (token == null) { throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("token"); } for (int i = 0; i < this.supportingAuthenticators.Count; ++i) { if (this.supportingAuthenticators[i].CanValidateToken(token)) { ReadOnlyCollection <IAuthorizationPolicy> authorizationPolicies = this.supportingAuthenticators[i].ValidateToken(token); AuthorizationContext authContext = AuthorizationContext.CreateDefaultAuthorizationContext(authorizationPolicies); if (authContext.ClaimSets.Count > 0) { return(authContext.ClaimSets[0]); } } } return(null); }
/// <summary> /// Token Constructor /// </summary> /// <param name="xmlToken">Encrypted xml token</param> public Token(String xmlToken) { byte[] decryptedData = decryptToken(xmlToken); XmlReader reader = new XmlTextReader(new StreamReader(new MemoryStream(decryptedData), Encoding.UTF8)); m_token = (SamlSecurityToken)WSSecurityTokenSerializer.DefaultInstance.ReadToken(reader, null); SamlSecurityTokenAuthenticator authenticator = new SamlSecurityTokenAuthenticator(new List <SecurityTokenAuthenticator>(new SecurityTokenAuthenticator[] { new RsaSecurityTokenAuthenticator(), new X509SecurityTokenAuthenticator() }), MaximumTokenSkew); if (authenticator.CanValidateToken(m_token)) { ReadOnlyCollection <IAuthorizationPolicy> policies = authenticator.ValidateToken(m_token); m_authorizationContext = AuthorizationContext.CreateDefaultAuthorizationContext(policies); FindIdentityClaims(); } else { throw new Exception("Unable to validate the token."); } }
public ServiceSecurityContext( ReadOnlyCollection <IAuthorizationPolicy> authorizationPolicies) : this(AuthorizationContext.CreateDefaultAuthorizationContext(authorizationPolicies), authorizationPolicies) { }
internal static Claim GetPrimaryIdentityClaim(ReadOnlyCollection <IAuthorizationPolicy> authorizationPolicies) { return(GetPrimaryIdentityClaim(AuthorizationContext.CreateDefaultAuthorizationContext(authorizationPolicies))); }
/// <summary> /// Token Authentication. Translates the decrypted data into a AuthContext. /// </summary> /// <param name="reader">The token XML reader.</param> /// <param name="audience">The audience that the token must be scoped for. /// Use <c>null</c> to indicate any audience is acceptable.</param> /// <returns> /// The authorization context carried by the token. /// </returns> internal static AuthorizationContext AuthenticateToken(XmlReader reader, Uri audience) { Contract.Ensures(Contract.Result <AuthorizationContext>() != null); // Extensibility Point: // in order to accept different token types, you would need to add additional // code to create an authenticationcontext from the security token. // This code only supports SamlSecurityToken objects. SamlSecurityToken token = WSSecurityTokenSerializer.DefaultInstance.ReadToken(reader, null) as SamlSecurityToken; if (null == token) { throw new InformationCardException("Unable to read security token"); } if (null != token.SecurityKeys && token.SecurityKeys.Count > 0) { throw new InformationCardException("Token Security Keys Exist"); } if (audience == null) { Logger.InfoCard.Warn("SAML token Audience checking will be skipped."); } else { if (token.Assertion.Conditions != null && token.Assertion.Conditions.Conditions != null) { foreach (SamlCondition condition in token.Assertion.Conditions.Conditions) { SamlAudienceRestrictionCondition audienceCondition = condition as SamlAudienceRestrictionCondition; if (audienceCondition != null) { Logger.InfoCard.DebugFormat("SAML token audience(s): {0}", audienceCondition.Audiences.ToStringDeferred()); bool match = audienceCondition.Audiences.Contains(audience); if (!match && Logger.InfoCard.IsErrorEnabled) { Logger.InfoCard.ErrorFormat("Expected SAML token audience of {0} but found {1}.", audience.AbsoluteUri, audienceCondition.Audiences.Select(aud => aud.AbsoluteUri).ToStringDeferred()); } // The token is invalid if any condition is not valid. // An audience restriction condition is valid if any audience // matches the Relying Party. InfoCardErrorUtilities.VerifyInfoCard(match, InfoCardStrings.AudienceMismatch); } } } } var samlAuthenticator = new SamlSecurityTokenAuthenticator( new List <SecurityTokenAuthenticator>( new SecurityTokenAuthenticator[] { new RsaSecurityTokenAuthenticator(), new X509SecurityTokenAuthenticator(), }), MaximumClockSkew); if (audience != null) { samlAuthenticator.AllowedAudienceUris.Add(audience.AbsoluteUri); } return(AuthorizationContext.CreateDefaultAuthorizationContext(samlAuthenticator.ValidateToken(token))); }
public byte[] CreateCookieFromSecurityContext(UniqueId contextId, string id, byte[] key, DateTime tokenEffectiveTime, DateTime tokenExpirationTime, UniqueId keyGeneration, DateTime keyEffectiveTime, DateTime keyExpirationTime, ReadOnlyCollection <IAuthorizationPolicy> authorizationPolicies) { if (contextId == null) { throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("contextId"); } if (key == null) { throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("key"); } MemoryStream stream = new MemoryStream(); XmlDictionaryWriter writer = XmlDictionaryWriter.CreateBinaryWriter(stream, SctClaimDictionary.Instance, null); SctClaimDictionary dictionary = SctClaimDictionary.Instance; writer.WriteStartElement(dictionary.SecurityContextSecurityToken, dictionary.EmptyString); writer.WriteStartElement(dictionary.Version, dictionary.EmptyString); writer.WriteValue(SupportedPersistanceVersion); writer.WriteEndElement(); if (id != null) { writer.WriteElementString(dictionary.Id, dictionary.EmptyString, id); } XmlHelper.WriteElementStringAsUniqueId(writer, dictionary.ContextId, dictionary.EmptyString, contextId); writer.WriteStartElement(dictionary.Key, dictionary.EmptyString); writer.WriteBase64(key, 0, key.Length); writer.WriteEndElement(); if (keyGeneration != null) { XmlHelper.WriteElementStringAsUniqueId(writer, dictionary.KeyGeneration, dictionary.EmptyString, keyGeneration); } XmlHelper.WriteElementContentAsInt64(writer, dictionary.EffectiveTime, dictionary.EmptyString, tokenEffectiveTime.ToUniversalTime().Ticks); XmlHelper.WriteElementContentAsInt64(writer, dictionary.ExpiryTime, dictionary.EmptyString, tokenExpirationTime.ToUniversalTime().Ticks); XmlHelper.WriteElementContentAsInt64(writer, dictionary.KeyEffectiveTime, dictionary.EmptyString, keyEffectiveTime.ToUniversalTime().Ticks); XmlHelper.WriteElementContentAsInt64(writer, dictionary.KeyExpiryTime, dictionary.EmptyString, keyExpirationTime.ToUniversalTime().Ticks); AuthorizationContext authContext = null; if (authorizationPolicies != null) { authContext = AuthorizationContext.CreateDefaultAuthorizationContext(authorizationPolicies); } if (authContext != null && authContext.ClaimSets.Count != 0) { DataContractSerializer identitySerializer = DataContractSerializerDefaults.CreateSerializer(typeof(IIdentity), this.knownTypes, int.MaxValue); DataContractSerializer claimSetSerializer = DataContractSerializerDefaults.CreateSerializer(typeof(ClaimSet), this.knownTypes, int.MaxValue); DataContractSerializer claimSerializer = DataContractSerializerDefaults.CreateSerializer(typeof(Claim), this.knownTypes, int.MaxValue); SctClaimSerializer.SerializeIdentities(authContext, dictionary, writer, identitySerializer); writer.WriteStartElement(dictionary.ClaimSets, dictionary.EmptyString); for (int i = 0; i < authContext.ClaimSets.Count; i++) { SctClaimSerializer.SerializeClaimSet(authContext.ClaimSets[i], dictionary, writer, claimSetSerializer, claimSerializer); } writer.WriteEndElement(); } writer.WriteEndElement(); writer.Flush(); byte[] serializedContext = stream.ToArray(); return(this.securityStateEncoder.EncodeSecurityState(serializedContext)); }