/// <summary> /// Looks for the first FederatedClientCredentialsParameters object in the ChannelParameterCollection /// property on the tokenRequirement. /// </summary> internal FederatedClientCredentialsParameters FindFederatedChannelParameters(SecurityTokenRequirement tokenRequirement) { FederatedClientCredentialsParameters issuedTokenClientCredentialsParameters = null; ChannelParameterCollection channelParameterCollection = null; if (tokenRequirement.TryGetProperty <ChannelParameterCollection>( ServiceModelSecurityTokenRequirement.ChannelParametersCollectionProperty, out channelParameterCollection)) { if (channelParameterCollection != null) { foreach (object obj in channelParameterCollection) { issuedTokenClientCredentialsParameters = obj as FederatedClientCredentialsParameters; if (issuedTokenClientCredentialsParameters != null) { break; } } } } return(issuedTokenClientCredentialsParameters); }
internal SecurityTokenProvider CreateSecurityTokenProvider(SecurityTokenRequirement tokenRequirement, bool disableInfoCard) { if (tokenRequirement == null) { throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("tokenRequirement"); } SecurityTokenProvider result = null; if (disableInfoCard || !CardSpaceTryCreateSecurityTokenProviderStub(tokenRequirement, this, out result)) { if (tokenRequirement is RecipientServiceModelSecurityTokenRequirement && tokenRequirement.TokenType == SecurityTokenTypes.X509Certificate && tokenRequirement.KeyUsage == SecurityKeyUsage.Exchange) { // this is the uncorrelated duplex case if (parent.ClientCertificate.Certificate == null) { throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new InvalidOperationException(SR.GetString(SR.ClientCertificateNotProvidedOnClientCredentials))); } result = new X509SecurityTokenProvider(parent.ClientCertificate.Certificate); } else if (tokenRequirement is InitiatorServiceModelSecurityTokenRequirement) { InitiatorServiceModelSecurityTokenRequirement initiatorRequirement = tokenRequirement as InitiatorServiceModelSecurityTokenRequirement; #pragma warning suppress 56506 // initiatorRequirement will never be null due to the preceding 'is' validation. string tokenType = initiatorRequirement.TokenType; if (IsIssuedSecurityTokenRequirement(initiatorRequirement)) { FederatedClientCredentialsParameters additionalParameters = this.FindFederatedChannelParameters(tokenRequirement); if (additionalParameters != null && additionalParameters.IssuedSecurityToken != null) { return(new SimpleSecurityTokenProvider(additionalParameters.IssuedSecurityToken, tokenRequirement)); } result = CreateIssuedSecurityTokenProvider(initiatorRequirement, additionalParameters); } else if (tokenType == SecurityTokenTypes.X509Certificate) { if (initiatorRequirement.Properties.ContainsKey(SecurityTokenRequirement.KeyUsageProperty) && initiatorRequirement.KeyUsage == SecurityKeyUsage.Exchange) { result = CreateServerX509TokenProvider(initiatorRequirement.TargetAddress); } else { if (parent.ClientCertificate.Certificate == null) { throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new InvalidOperationException(SR.GetString(SR.ClientCertificateNotProvidedOnClientCredentials))); } result = new X509SecurityTokenProvider(parent.ClientCertificate.Certificate); } } else if (tokenType == SecurityTokenTypes.Kerberos) { string spn = GetServicePrincipalName(initiatorRequirement); result = new KerberosSecurityTokenProviderWrapper( new KerberosSecurityTokenProvider(spn, parent.Windows.AllowedImpersonationLevel, SecurityUtils.GetNetworkCredentialOrDefault(parent.Windows.ClientCredential)), GetCredentialsHandle(initiatorRequirement)); } else if (tokenType == SecurityTokenTypes.UserName) { if (parent.UserName.UserName == null) { throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new InvalidOperationException(SR.GetString(SR.UserNamePasswordNotProvidedOnClientCredentials))); } result = new UserNameSecurityTokenProvider(parent.UserName.UserName, parent.UserName.Password); } else if (tokenType == ServiceModelSecurityTokenTypes.SspiCredential) { if (IsDigestAuthenticationScheme(initiatorRequirement)) { result = new SspiSecurityTokenProvider(SecurityUtils.GetNetworkCredentialOrDefault(parent.HttpDigest.ClientCredential), true, parent.HttpDigest.AllowedImpersonationLevel); } else { #pragma warning disable 618 // to disable AllowNtlm obsolete wanring. result = new SspiSecurityTokenProvider(SecurityUtils.GetNetworkCredentialOrDefault(parent.Windows.ClientCredential), parent.Windows.AllowNtlm, parent.Windows.AllowedImpersonationLevel); #pragma warning restore 618 } } else if (tokenType == ServiceModelSecurityTokenTypes.Spnego) { result = CreateSpnegoTokenProvider(initiatorRequirement); } else if (tokenType == ServiceModelSecurityTokenTypes.MutualSslnego) { result = CreateTlsnegoTokenProvider(initiatorRequirement, true); } else if (tokenType == ServiceModelSecurityTokenTypes.AnonymousSslnego) { result = CreateTlsnegoTokenProvider(initiatorRequirement, false); } else if (tokenType == ServiceModelSecurityTokenTypes.SecureConversation) { result = CreateSecureConversationSecurityTokenProvider(initiatorRequirement); } } } if ((result == null) && !tokenRequirement.IsOptionalToken) { throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new NotSupportedException(SR.GetString(SR.SecurityTokenManagerCannotCreateProviderForRequirement, tokenRequirement))); } return(result); }
IssuedSecurityTokenProvider CreateIssuedSecurityTokenProvider(InitiatorServiceModelSecurityTokenRequirement initiatorRequirement, FederatedClientCredentialsParameters actAsOnBehalfOfParameters) { if (initiatorRequirement.TargetAddress == null) { throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgument(SR.GetString(SR.TokenRequirementDoesNotSpecifyTargetAddress, initiatorRequirement)); } SecurityBindingElement securityBindingElement = initiatorRequirement.SecurityBindingElement; if (securityBindingElement == null) { throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgument(SR.GetString(SR.TokenProviderRequiresSecurityBindingElement, initiatorRequirement)); } EndpointAddress issuerAddress = initiatorRequirement.IssuerAddress; Binding issuerBinding = initiatorRequirement.IssuerBinding; // // If the issuer address is indeed anonymous or null, we will try the local issuer // bool isLocalIssuer = (issuerAddress == null || issuerAddress.Equals(EndpointAddress.AnonymousAddress)); if (isLocalIssuer) { issuerAddress = parent.IssuedToken.LocalIssuerAddress; issuerBinding = parent.IssuedToken.LocalIssuerBinding; } if (issuerAddress == null) { // if issuer address is still null then the user forgot to specify the local issuer throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new InvalidOperationException(SR.GetString(SR.StsAddressNotSet, initiatorRequirement.TargetAddress))); } if (issuerBinding == null) { throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new InvalidOperationException(SR.GetString(SR.StsBindingNotSet, issuerAddress))); } Uri issuerUri = issuerAddress.Uri; KeyedByTypeCollection <IEndpointBehavior> issuerChannelBehaviors; if (!parent.IssuedToken.IssuerChannelBehaviors.TryGetValue(issuerAddress.Uri, out issuerChannelBehaviors) && isLocalIssuer) { issuerChannelBehaviors = parent.IssuedToken.LocalIssuerChannelBehaviors; } IssuedSecurityTokenProvider federationTokenProvider = new IssuedSecurityTokenProvider(GetCredentialsHandle(initiatorRequirement)); federationTokenProvider.TokenHandlerCollectionManager = this.parent.SecurityTokenHandlerCollectionManager; federationTokenProvider.TargetAddress = initiatorRequirement.TargetAddress; CopyIssuerChannelBehaviorsAndAddSecurityCredentials(federationTokenProvider, issuerChannelBehaviors, issuerAddress); federationTokenProvider.CacheIssuedTokens = parent.IssuedToken.CacheIssuedTokens; federationTokenProvider.IdentityVerifier = securityBindingElement.LocalClientSettings.IdentityVerifier; federationTokenProvider.IssuerAddress = issuerAddress; federationTokenProvider.IssuerBinding = issuerBinding; federationTokenProvider.KeyEntropyMode = GetIssuerBindingKeyEntropyModeOrDefault(issuerBinding); federationTokenProvider.MaxIssuedTokenCachingTime = parent.IssuedToken.MaxIssuedTokenCachingTime; federationTokenProvider.SecurityAlgorithmSuite = initiatorRequirement.SecurityAlgorithmSuite; MessageSecurityVersion issuerSecurityVersion; SecurityTokenSerializer issuerSecurityTokenSerializer; IssuedSecurityTokenParameters issuedTokenParameters = initiatorRequirement.GetProperty <IssuedSecurityTokenParameters>(ServiceModelSecurityTokenRequirement.IssuedSecurityTokenParametersProperty); GetIssuerBindingSecurityVersion(issuerBinding, issuedTokenParameters.DefaultMessageSecurityVersion, initiatorRequirement.SecurityBindingElement, out issuerSecurityVersion, out issuerSecurityTokenSerializer); federationTokenProvider.MessageSecurityVersion = issuerSecurityVersion; federationTokenProvider.SecurityTokenSerializer = issuerSecurityTokenSerializer; federationTokenProvider.IssuedTokenRenewalThresholdPercentage = parent.IssuedToken.IssuedTokenRenewalThresholdPercentage; IEnumerable <XmlElement> tokenRequestParameters = issuedTokenParameters.CreateRequestParameters(issuerSecurityVersion, issuerSecurityTokenSerializer); if (tokenRequestParameters != null) { foreach (XmlElement requestParameter in tokenRequestParameters) { federationTokenProvider.TokenRequestParameters.Add(requestParameter); } } ChannelParameterCollection channelParameters; if (initiatorRequirement.TryGetProperty <ChannelParameterCollection>(ServiceModelSecurityTokenRequirement.ChannelParametersCollectionProperty, out channelParameters)) { federationTokenProvider.ChannelParameters = channelParameters; } federationTokenProvider.SetupActAsOnBehalfOfParameters(actAsOnBehalfOfParameters); return(federationTokenProvider); }