/// <summary>
/// Records a transport-level authentication outcome for a client presented as either an
/// X.509 certificate or a Windows SID identity, using this listener's audit behavior settings.
/// </summary>
/// <param name="auditLevel">Selects the success event or the failure event.</param>
/// <param name="certificate">Client certificate; when non-null it is the identity that is audited.</param>
/// <param name="wsid">Client Windows SID identity; consulted only when <paramref name="certificate"/> is null.</param>
/// <param name="exception">The authentication failure, attached to failure events (unused for success).</param>
/// <remarks>
/// Fatal exceptions always propagate. An exception raised while writing a <em>success</em>
/// record is propagated as well (a missing success audit is an error, not a traced event),
/// whereas an exception raised while writing a failure record is traced and swallowed.
/// </remarks>
private void WriteAuditEvent(AuditLevel auditLevel, X509Certificate2 certificate, WindowsSidIdentity wsid, Exception exception)
{
    try
    {
        // Certificate takes precedence; with neither identity the record carries an empty name.
        string clientName =
            certificate != null ? System.ServiceModel.Security.SecurityUtils.GetCertificateId(certificate)
            : wsid != null ? System.ServiceModel.Security.SecurityUtils.GetIdentityName(wsid)
            : string.Empty;

        var auditBehavior = base.AuditBehavior;
        if (auditLevel == AuditLevel.Success)
        {
            SecurityAuditHelper.WriteTransportAuthenticationSuccessEvent(
                auditBehavior.AuditLogLocation, auditBehavior.SuppressAuditFailure, null, this.Uri, clientName);
        }
        else
        {
            SecurityAuditHelper.WriteTransportAuthenticationFailureEvent(
                auditBehavior.AuditLogLocation, auditBehavior.SuppressAuditFailure, null, this.Uri, clientName, exception);
        }
    }
    catch (Exception auditException)
    {
        // Never mask a fatal error; never silently lose a success audit.
        if (Fx.IsFatal(auditException) || auditLevel == AuditLevel.Success)
        {
            throw;
        }
        DiagnosticUtility.ExceptionUtility.TraceHandledException(auditException, TraceEventType.Error);
    }
}
/// <summary>
/// Records the outcome of a stream security upgrade (transport authentication) for the remote
/// party, provided the configured message-authentication audit level includes
/// <paramref name="auditLevel"/>.
/// </summary>
/// <param name="securityUpgradeAcceptor">Acceptor that performed the upgrade; nothing is written when null.</param>
/// <param name="auditLevel">Selects the success event or the failure event.</param>
/// <param name="exception">The failure, attached to failure events (unused for success).</param>
/// <remarks>
/// This method has no exception handling of its own: any error raised while writing the
/// record propagates to the caller.
/// </remarks>
private void WriteAuditEvent(StreamSecurityUpgradeAcceptor securityUpgradeAcceptor, AuditLevel auditLevel, Exception exception)
{
    ServiceSecurityAuditBehavior auditBehavior = this.transportSettings.AuditBehavior;

    // Skip silently when this level is not being audited or when no upgrade took place.
    bool levelEnabled = (auditBehavior.MessageAuthenticationAuditLevel & auditLevel) == auditLevel;
    if (!levelEnabled || securityUpgradeAcceptor == null)
    {
        return;
    }

    // Identity of the remote party as established by the upgrade; empty when none is available.
    SecurityMessageProperty remoteSecurity = securityUpgradeAcceptor.GetRemoteSecurity();
    string clientName = remoteSecurity != null ? GetIdentityNameFromContext(remoteSecurity) : string.Empty;

    if (auditLevel == AuditLevel.Success)
    {
        SecurityAuditHelper.WriteTransportAuthenticationSuccessEvent(
            auditBehavior.AuditLogLocation, auditBehavior.SuppressAuditFailure, null, this.Via, clientName);
    }
    else
    {
        SecurityAuditHelper.WriteTransportAuthenticationFailureEvent(
            auditBehavior.AuditLogLocation, auditBehavior.SuppressAuditFailure, null, this.Via, clientName, exception);
    }
}
/// <summary>
/// Records a transport-level authentication outcome for an already-resolved client identity.
/// </summary>
/// <param name="auditLevel">Selects the success event or the failure event.</param>
/// <param name="primaryIdentity">Display name of the authenticated (or attempted) client identity.</param>
/// <param name="exception">The authentication failure, attached to failure events (unused for success).</param>
/// <remarks>
/// Fatal exceptions always propagate, as does any exception raised while writing a success
/// record; an exception raised while writing a failure record is traced and swallowed.
/// </remarks>
protected void WriteAuditEvent(AuditLevel auditLevel, string primaryIdentity, Exception exception)
{
    bool isSuccess = auditLevel == AuditLevel.Success;
    try
    {
        var auditBehavior = base.AuditBehavior;
        if (isSuccess)
        {
            SecurityAuditHelper.WriteTransportAuthenticationSuccessEvent(
                auditBehavior.AuditLogLocation, auditBehavior.SuppressAuditFailure, null, this.Uri, primaryIdentity);
        }
        else
        {
            SecurityAuditHelper.WriteTransportAuthenticationFailureEvent(
                auditBehavior.AuditLogLocation, auditBehavior.SuppressAuditFailure, null, this.Uri, primaryIdentity, exception);
        }
    }
    catch (Exception auditException)
    {
        // A lost success audit is surfaced to the caller; a lost failure audit is only traced.
        bool mustPropagate = Fx.IsFatal(auditException) || isSuccess;
        if (mustPropagate)
        {
            throw;
        }
        DiagnosticUtility.ExceptionUtility.TraceHandledException(auditException, TraceEventType.Error);
    }
}
/// <summary>
/// Runs the service authorization check for the request carried by <paramref name="rpc"/>
/// and writes the configured service-authorization audit records.
/// </summary>
/// <param name="rpc">The in-flight message; its request is passed by reference to the authorization manager.</param>
/// <remarks>
/// When <c>CheckAccess</c> returns <c>false</c> or throws, the performance counter is updated,
/// a failure audit is written (if enabled; an audit error is traced and does not mask the
/// original failure) and the original exception is rethrown. A success audit that fails is not
/// caught here and propagates to the caller.
/// </remarks>
public void Authorize(ref MessageRpc rpc)
{
    if (TD.DispatchMessageBeforeAuthorizationIsEnabled())
    {
        TD.DispatchMessageBeforeAuthorization(rpc.EventTraceActivity);
    }

    SecurityMessageProperty securityProperty = SecurityMessageProperty.GetOrCreate(rpc.Request);
    securityProperty.ExternalAuthorizationPolicies = this.externalAuthorizationPolicies;
    // Fall back to the default manager when none was configured on the behavior.
    ServiceAuthorizationManager manager = this.serviceAuthorizationManager ?? DefaultServiceAuthorizationManager;

    try
    {
        if (!manager.CheckAccess(rpc.OperationContext, ref rpc.Request))
        {
            throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(CreateAccessDeniedFaultException());
        }
    }
    catch (Exception accessException)
    {
        if (Fx.IsFatal(accessException))
        {
            throw;
        }
        if (PerformanceCounters.PerformanceCountersEnabled)
        {
            PerformanceCounters.AuthorizationFailed(rpc.Operation.Name);
        }
        if ((this.serviceAuthorizationAuditLevel & AuditLevel.Failure) == AuditLevel.Failure)
        {
            try
            {
                AuthorizationContext authContext = securityProperty.ServiceSecurityContext.AuthorizationContext;
                bool hasContext = authContext != null;
                string clientName = hasContext ? SecurityUtils.GetIdentityNamesFromContext(authContext) : SecurityUtils.AnonymousIdentity.Name;
                string contextId = hasContext ? authContext.Id : "<null>";
                string managerName = manager == DefaultServiceAuthorizationManager ? "<default>" : manager.GetType().Name;
                SecurityAuditHelper.WriteServiceAuthorizationFailureEvent(
                    this.auditLogLocation, this.suppressAuditFailure, rpc.Request, rpc.Request.Headers.To, rpc.Request.Headers.Action,
                    clientName, contextId, managerName, accessException);
            }
#pragma warning suppress 56500
            catch (Exception auditException)
            {
                if (Fx.IsFatal(auditException))
                {
                    throw;
                }
                DiagnosticUtility.TraceHandledException(auditException, TraceEventType.Error);
            }
        }
        // Preserve the original stack: the access-denied fault (or the manager's own error) goes to the caller.
        throw;
    }

    if ((this.serviceAuthorizationAuditLevel & AuditLevel.Success) == AuditLevel.Success)
    {
        AuthorizationContext authContext = securityProperty.ServiceSecurityContext.AuthorizationContext;
        bool hasContext = authContext != null;
        string clientName = hasContext ? SecurityUtils.GetIdentityNamesFromContext(authContext) : SecurityUtils.AnonymousIdentity.Name;
        string contextId = hasContext ? authContext.Id : "<null>";
        string managerName = manager == DefaultServiceAuthorizationManager ? "<default>" : manager.GetType().Name;
        SecurityAuditHelper.WriteServiceAuthorizationSuccessEvent(
            this.auditLogLocation, this.suppressAuditFailure, rpc.Request, rpc.Request.Headers.To, rpc.Request.Headers.Action,
            clientName, contextId, managerName);
    }
}
/// <summary>
/// Runs the service authentication manager over the request's authorization policies, stores
/// the resulting policies on the request, and writes the configured message-authentication
/// audit records.
/// </summary>
/// <param name="rpc">The in-flight message; its request is passed by reference to the manager.</param>
/// <remarks>
/// A null result from the manager is raised as an <see cref="InvalidOperationException"/>
/// inside the guarded region, so it is handled exactly like any other manager error: the
/// performance counter and failure audit are updated and the caller receives the generic
/// failed-authentication fault, never the underlying exception. An error while writing the
/// failure audit is traced and swallowed.
/// </remarks>
public void Authenticate(ref MessageRpc rpc)
{
    SecurityMessageProperty securityProperty = SecurityMessageProperty.GetOrCreate(rpc.Request);
    ReadOnlyCollection<IAuthorizationPolicy> resultPolicies = securityProperty.ServiceSecurityContext.AuthorizationPolicies;
    try
    {
        resultPolicies = this.serviceAuthenticationManager.Authenticate(
            securityProperty.ServiceSecurityContext.AuthorizationPolicies, rpc.Channel.ListenUri, ref rpc.Request);
        if (resultPolicies == null)
        {
            throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(
                new InvalidOperationException(System.ServiceModel.SR.GetString("AuthenticationManagerShouldNotReturnNull")));
        }
    }
    catch (Exception authException)
    {
        if (Fx.IsFatal(authException))
        {
            throw;
        }
        if (PerformanceCounters.PerformanceCountersEnabled)
        {
            PerformanceCounters.AuthenticationFailed(rpc.Request, rpc.Channel.ListenUri);
        }
        if ((this.messageAuthenticationAuditLevel & AuditLevel.Failure) == AuditLevel.Failure)
        {
            try
            {
                AuthorizationContext authContext = securityProperty.ServiceSecurityContext.AuthorizationContext;
                string clientName = authContext != null
                    ? System.ServiceModel.Security.SecurityUtils.GetIdentityNamesFromContext(authContext)
                    : System.ServiceModel.Security.SecurityUtils.AnonymousIdentity.Name;
                SecurityAuditHelper.WriteMessageAuthenticationFailureEvent(
                    this.auditLogLocation, this.suppressAuditFailure, rpc.Request, rpc.Channel.ListenUri, rpc.Request.Headers.Action,
                    clientName, authException);
            }
            catch (Exception auditException)
            {
                if (Fx.IsFatal(auditException))
                {
                    throw;
                }
                DiagnosticUtility.ExceptionUtility.TraceHandledException(auditException, TraceEventType.Error);
            }
        }
        // The caller only ever sees the generic fault, not the manager's exception.
        throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(CreateFailedAuthenticationFaultException());
    }

    // The manager may have replaced rpc.Request, so the policies are stored on whichever request is current.
    rpc.Request.Properties.Security.ServiceSecurityContext.AuthorizationPolicies = resultPolicies;
    if ((this.messageAuthenticationAuditLevel & AuditLevel.Success) == AuditLevel.Success)
    {
        AuthorizationContext authContext = securityProperty.ServiceSecurityContext.AuthorizationContext;
        string clientName = authContext != null
            ? System.ServiceModel.Security.SecurityUtils.GetIdentityNamesFromContext(authContext)
            : System.ServiceModel.Security.SecurityUtils.AnonymousIdentity.Name;
        SecurityAuditHelper.WriteMessageAuthenticationSuccessEvent(
            this.auditLogLocation, this.suppressAuditFailure, rpc.Request, rpc.Channel.ListenUri, rpc.Request.Headers.Action, clientName);
    }
}
/// <summary>
/// Runs the service authentication manager over the request's authorization policies, stores
/// the resulting policies on the request, and writes the configured message-authentication
/// audit records, optionally timing the manager call for diagnostics.
/// </summary>
/// <param name="rpc">The in-flight message; its request is passed by reference to the manager.</param>
/// <remarks>
/// A null result from the manager is raised as an <see cref="InvalidOperationException"/>
/// inside the guarded region, so it is handled exactly like any other manager error: the
/// timing event (if enabled), performance counter and failure audit are updated and the caller
/// receives the generic failed-authentication fault, never the underlying exception. An error
/// while writing the failure audit is traced and swallowed.
/// </remarks>
public void Authenticate(ref MessageRpc rpc)
{
    SecurityMessageProperty securityProperty = SecurityMessageProperty.GetOrCreate(rpc.Request);
    ReadOnlyCollection<IAuthorizationPolicy> resultPolicies = securityProperty.ServiceSecurityContext.AuthorizationPolicies;

    // The stopwatch exists only when the diagnostic source is listening; every use is guarded by the same flag.
    bool timingEnabled = DS.AuthenticationIsEnabled();
    Stopwatch timer = timingEnabled ? Stopwatch.StartNew() : null;

    try
    {
        resultPolicies = this.serviceAuthenticationManager.Authenticate(
            securityProperty.ServiceSecurityContext.AuthorizationPolicies, rpc.Channel.ListenUri, ref rpc.Request);
        if (resultPolicies == null)
        {
            throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(
                new InvalidOperationException(SR.GetString(SR.AuthenticationManagerShouldNotReturnNull)));
        }
        if (timingEnabled)
        {
            DS.Authentication(this.serviceAuthenticationManager.GetType(), true, timer.Elapsed);
        }
    }
    catch (Exception authException)
    {
        if (Fx.IsFatal(authException))
        {
            throw;
        }
        if (timingEnabled)
        {
            DS.Authentication(this.serviceAuthenticationManager.GetType(), false, timer.Elapsed);
        }
        if (PerformanceCounters.PerformanceCountersEnabled)
        {
            PerformanceCounters.AuthenticationFailed(rpc.Request, rpc.Channel.ListenUri);
        }
        if ((this.messageAuthenticationAuditLevel & AuditLevel.Failure) == AuditLevel.Failure)
        {
            try
            {
                AuthorizationContext authContext = securityProperty.ServiceSecurityContext.AuthorizationContext;
                string clientName = authContext != null
                    ? SecurityUtils.GetIdentityNamesFromContext(authContext)
                    : SecurityUtils.AnonymousIdentity.Name;
                SecurityAuditHelper.WriteMessageAuthenticationFailureEvent(
                    this.auditLogLocation, this.suppressAuditFailure, rpc.Request, rpc.Channel.ListenUri, rpc.Request.Headers.Action,
                    clientName, authException);
            }
#pragma warning suppress 56500
            catch (Exception auditException)
            {
                if (Fx.IsFatal(auditException))
                {
                    throw;
                }
                DiagnosticUtility.TraceHandledException(auditException, TraceEventType.Error);
            }
        }
        // The caller only ever sees the generic fault, not the manager's exception.
        throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(CreateFailedAuthenticationFaultException());
    }

    // The manager may have replaced rpc.Request, so the policies are stored on whichever request is current.
    rpc.Request.Properties.Security.ServiceSecurityContext.AuthorizationPolicies = resultPolicies;
    if ((this.messageAuthenticationAuditLevel & AuditLevel.Success) == AuditLevel.Success)
    {
        AuthorizationContext authContext = securityProperty.ServiceSecurityContext.AuthorizationContext;
        string clientName = authContext != null
            ? SecurityUtils.GetIdentityNamesFromContext(authContext)
            : SecurityUtils.AnonymousIdentity.Name;
        SecurityAuditHelper.WriteMessageAuthenticationSuccessEvent(
            this.auditLogLocation, this.suppressAuditFailure, rpc.Request, rpc.Channel.ListenUri, rpc.Request.Headers.Action, clientName);
    }
}
/// <summary>
/// Runs the service authorization check for the request carried by <paramref name="rpc"/>
/// and writes the configured service-authorization audit records.
/// </summary>
/// <param name="rpc">The in-flight message; its request is passed by reference to the authorization manager.</param>
/// <remarks>
/// When <c>CheckAccess</c> returns <c>false</c> or throws, the performance counter is updated,
/// a failure audit is written (if enabled; an audit error is traced and does not mask the
/// original failure) and the original exception is rethrown. A success audit that fails is not
/// caught here and propagates to the caller.
/// </remarks>
public void Authorize(ref MessageRpc rpc)
{
    SecurityMessageProperty securityProperty = SecurityMessageProperty.GetOrCreate(rpc.Request);
    securityProperty.ExternalAuthorizationPolicies = this.externalAuthorizationPolicies;
    // Fall back to the default manager when none was configured on the behavior.
    ServiceAuthorizationManager manager = this.serviceAuthorizationManager ?? DefaultServiceAuthorizationManager;

    try
    {
        if (!manager.CheckAccess(rpc.OperationContext, ref rpc.Request))
        {
            throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(CreateAccessDeniedFaultException());
        }
    }
    catch (Exception accessException)
    {
        if (Fx.IsFatal(accessException))
        {
            throw;
        }
        if (PerformanceCounters.PerformanceCountersEnabled)
        {
            PerformanceCounters.AuthorizationFailed(rpc.Operation.Name);
        }
        if ((this.serviceAuthorizationAuditLevel & AuditLevel.Failure) == AuditLevel.Failure)
        {
            try
            {
                AuthorizationContext authContext = securityProperty.ServiceSecurityContext.AuthorizationContext;
                bool hasContext = authContext != null;
                string clientName = hasContext
                    ? System.ServiceModel.Security.SecurityUtils.GetIdentityNamesFromContext(authContext)
                    : System.ServiceModel.Security.SecurityUtils.AnonymousIdentity.Name;
                string contextId = hasContext ? authContext.Id : "<null>";
                string managerName = manager == DefaultServiceAuthorizationManager ? "<default>" : manager.GetType().Name;
                SecurityAuditHelper.WriteServiceAuthorizationFailureEvent(
                    this.auditLogLocation, this.suppressAuditFailure, rpc.Request, rpc.Request.Headers.To, rpc.Request.Headers.Action,
                    clientName, contextId, managerName, accessException);
            }
            catch (Exception auditException)
            {
                if (Fx.IsFatal(auditException))
                {
                    throw;
                }
                DiagnosticUtility.ExceptionUtility.TraceHandledException(auditException, TraceEventType.Error);
            }
        }
        // Preserve the original stack: the access-denied fault (or the manager's own error) goes to the caller.
        throw;
    }

    if ((this.serviceAuthorizationAuditLevel & AuditLevel.Success) == AuditLevel.Success)
    {
        AuthorizationContext authContext = securityProperty.ServiceSecurityContext.AuthorizationContext;
        bool hasContext = authContext != null;
        string clientName = hasContext
            ? System.ServiceModel.Security.SecurityUtils.GetIdentityNamesFromContext(authContext)
            : System.ServiceModel.Security.SecurityUtils.AnonymousIdentity.Name;
        string contextId = hasContext ? authContext.Id : "<null>";
        string managerName = manager == DefaultServiceAuthorizationManager ? "<default>" : manager.GetType().Name;
        SecurityAuditHelper.WriteServiceAuthorizationSuccessEvent(
            this.auditLogLocation, this.suppressAuditFailure, rpc.Request, rpc.Request.Headers.To, rpc.Request.Headers.Action,
            clientName, contextId, managerName);
    }
}
/// <summary>
/// Establishes the impersonation context for the operation in <paramref name="rpc"/>, either
/// from the caller's security context or from the ASP.NET hosting environment, and writes the
/// configured impersonation audit records.
/// </summary>
/// <param name="rpc">The in-flight message; supplies the operation, request and hosting property.</param>
/// <param name="securityContext">The caller's security context; must be non-null when <paramref name="isSecurityContextImpersonationOn"/> is true.</param>
/// <param name="isSecurityContextImpersonationOn">True to impersonate the caller's Windows identity; false to defer to ASP.NET hosting impersonation.</param>
/// <returns>The context to dispose in order to revert impersonation, or null when no impersonation was started.</returns>
/// <exception cref="InvalidOperationException">
/// Raised via the throw helper when the security context is missing, or when the caller's
/// identity has no Windows token and is not a Windows SID identity.
/// </exception>
/// <remarks>
/// Every non-fatal exception is traced, audited as an impersonation failure when enabled, and
/// rethrown. NOTE(review): the success-audit branch reads
/// <c>securityContext.AuthorizationContext</c> without a null check while the failure branch
/// guards against a null context; if the hosting-impersonation path can be reached with a null
/// <paramref name="securityContext"/>, the success audit would fail — confirm against the caller.
/// </remarks>
private IDisposable StartImpersonation2(ref MessageRpc rpc, ServiceSecurityContext securityContext, bool isSecurityContextImpersonationOn)
{
    IDisposable impersonation = null;
    try
    {
        if (isSecurityContextImpersonationOn)
        {
            if (securityContext == null)
            {
                throw TraceUtility.ThrowHelperError(new InvalidOperationException(System.ServiceModel.SR.GetString("SFxSecurityContextPropertyMissingFromRequestMessage")), rpc.Request);
            }

            WindowsIdentity callerIdentity = securityContext.WindowsIdentity;
            if (callerIdentity.User != null)
            {
                // A real Windows token is available: impersonate it directly.
                impersonation = callerIdentity.Impersonate();
            }
            else if (securityContext.PrimaryIdentity is WindowsSidIdentity)
            {
                WindowsSidIdentity sidIdentity = (WindowsSidIdentity)securityContext.PrimaryIdentity;
                if (sidIdentity.SecurityIdentifier.IsWellKnown(WellKnownSidType.AnonymousSid))
                {
                    impersonation = new WindowsAnonymousIdentity().Impersonate();
                }
                else
                {
                    // SID-only identity: obtain a Kerberos token for the user's UPN. Only the
                    // impersonation context outlives this block; the temporary identity is disposed.
                    string upn = this.GetUpnFromDownlevelName(sidIdentity.Name);
                    using (WindowsIdentity upnIdentity = new WindowsIdentity(upn, "Kerberos"))
                    {
                        impersonation = upnIdentity.Impersonate();
                    }
                }
            }
            else
            {
                throw TraceUtility.ThrowHelperError(new InvalidOperationException(System.ServiceModel.SR.GetString("SecurityContextDoesNotAllowImpersonation", new object[] { rpc.Operation.Action })), rpc.Request);
            }
        }
        else if (AspNetEnvironment.Current.RequiresImpersonation && rpc.HostingProperty != null)
        {
            impersonation = rpc.HostingProperty.Impersonate();
        }

        SecurityTraceRecordHelper.TraceImpersonationSucceeded(rpc.Operation);
        if ((this.auditLevel & AuditLevel.Success) == AuditLevel.Success)
        {
            SecurityAuditHelper.WriteImpersonationSuccessEvent(
                this.auditLogLocation, this.suppressAuditFailure, rpc.Operation.Name,
                System.ServiceModel.Security.SecurityUtils.GetIdentityNamesFromContext(securityContext.AuthorizationContext));
        }
    }
    catch (Exception impersonationException)
    {
        if (Fx.IsFatal(impersonationException))
        {
            throw;
        }
        SecurityTraceRecordHelper.TraceImpersonationFailed(rpc.Operation, impersonationException);
        if ((this.auditLevel & AuditLevel.Failure) == AuditLevel.Failure)
        {
            try
            {
                string clientName = securityContext != null
                    ? System.ServiceModel.Security.SecurityUtils.GetIdentityNamesFromContext(securityContext.AuthorizationContext)
                    : System.ServiceModel.Security.SecurityUtils.AnonymousIdentity.Name;
                SecurityAuditHelper.WriteImpersonationFailureEvent(
                    this.auditLogLocation, this.suppressAuditFailure, rpc.Operation.Name, clientName, impersonationException);
            }
            catch (Exception auditException)
            {
                if (Fx.IsFatal(auditException))
                {
                    throw;
                }
                System.ServiceModel.DiagnosticUtility.ExceptionUtility.TraceHandledException(auditException, TraceEventType.Error);
            }
        }
        // The impersonation failure itself is what the caller must see.
        throw;
    }
    return impersonation;
}
/// <summary>
/// Establishes the impersonation context for the operation in <paramref name="rpc"/>, either
/// from the caller's security context or from the ASP.NET hosting environment, and writes the
/// configured impersonation audit records.
/// </summary>
/// <param name="rpc">The in-flight message; supplies the operation, request, trace activity and hosting property.</param>
/// <param name="securityContext">The caller's security context; must be non-null when <paramref name="isSecurityContextImpersonationOn"/> is true.</param>
/// <param name="isSecurityContextImpersonationOn">True to impersonate the caller's Windows identity; false to defer to ASP.NET hosting impersonation.</param>
/// <returns>The context to dispose in order to revert impersonation, or null when no impersonation was started.</returns>
/// <exception cref="InvalidOperationException">
/// Raised via the throw helper when the security context is missing, or when the caller's
/// identity has no Windows token and is not a Windows SID identity.
/// </exception>
/// <remarks>
/// Every non-fatal exception is traced, audited as an impersonation failure when enabled, and
/// rethrown. NOTE(review): the success-audit branch reads
/// <c>securityContext.AuthorizationContext</c> without a null check while the failure branch
/// guards against a null context; if the hosting-impersonation path can be reached with a null
/// <paramref name="securityContext"/>, the success audit would fail — confirm against the caller.
/// </remarks>
IDisposable StartImpersonation2(ref MessageRpc rpc, ServiceSecurityContext securityContext, bool isSecurityContextImpersonationOn)
{
    IDisposable impersonation = null;
    try
    {
        if (isSecurityContextImpersonationOn)
        {
            if (securityContext == null)
            {
                throw TraceUtility.ThrowHelperError(new InvalidOperationException(SR.GetString(SR.SFxSecurityContextPropertyMissingFromRequestMessage)), rpc.Request);
            }

            WindowsIdentity callerIdentity = securityContext.WindowsIdentity;
            if (callerIdentity.User != null)
            {
                // A real Windows token is available: impersonate it directly.
                impersonation = callerIdentity.Impersonate();
            }
            else if (securityContext.PrimaryIdentity is WindowsSidIdentity)
            {
                WindowsSidIdentity sidIdentity = (WindowsSidIdentity)securityContext.PrimaryIdentity;
                if (sidIdentity.SecurityIdentifier.IsWellKnown(WellKnownSidType.AnonymousSid))
                {
                    impersonation = new WindowsAnonymousIdentity().Impersonate();
                }
                else
                {
                    // SID-only identity: obtain a Kerberos token for the user's UPN. Only the
                    // impersonation context outlives this block; the temporary identity is disposed.
                    string upn = GetUpnFromDownlevelName(sidIdentity.Name);
                    using (WindowsIdentity upnIdentity = new WindowsIdentity(upn, SecurityUtils.AuthTypeKerberos))
                    {
                        impersonation = upnIdentity.Impersonate();
                    }
                }
            }
            else
            {
                throw TraceUtility.ThrowHelperError(new InvalidOperationException(SR.GetString(SR.SecurityContextDoesNotAllowImpersonation, rpc.Operation.Action)), rpc.Request);
            }
        }
        else if (AspNetEnvironment.Current.RequiresImpersonation && rpc.HostingProperty != null)
        {
            impersonation = rpc.HostingProperty.Impersonate();
        }

        SecurityTraceRecordHelper.TraceImpersonationSucceeded(rpc.EventTraceActivity, rpc.Operation);
        if ((this.auditLevel & AuditLevel.Success) == AuditLevel.Success)
        {
            SecurityAuditHelper.WriteImpersonationSuccessEvent(
                this.auditLogLocation, this.suppressAuditFailure, rpc.Operation.Name,
                SecurityUtils.GetIdentityNamesFromContext(securityContext.AuthorizationContext));
        }
    }
    catch (Exception impersonationException)
    {
        if (Fx.IsFatal(impersonationException))
        {
            throw;
        }
        SecurityTraceRecordHelper.TraceImpersonationFailed(rpc.EventTraceActivity, rpc.Operation, impersonationException);
        if ((this.auditLevel & AuditLevel.Failure) == AuditLevel.Failure)
        {
            try
            {
                string clientName = securityContext != null
                    ? SecurityUtils.GetIdentityNamesFromContext(securityContext.AuthorizationContext)
                    : SecurityUtils.AnonymousIdentity.Name;
                SecurityAuditHelper.WriteImpersonationFailureEvent(
                    this.auditLogLocation, this.suppressAuditFailure, rpc.Operation.Name, clientName, impersonationException);
            }
#pragma warning suppress 56500
            catch (Exception auditException)
            {
                if (Fx.IsFatal(auditException))
                {
                    throw;
                }
                DiagnosticUtility.TraceHandledException(auditException, TraceEventType.Error);
            }
        }
        // The impersonation failure itself is what the caller must see.
        throw;
    }
    return impersonation;
}