コード例 #1
0
        public WindowsStreamSecurityUpgradeProvider(WindowsStreamSecurityBindingElement bindingElement,
                                                    BindingContext context, bool isClient)
            : base(context.Binding)
        {
            _extractGroupsForWindowsAccounts = TransportDefaults.ExtractGroupsForWindowsAccounts;
            _protectionLevel = bindingElement.ProtectionLevel;
            _scheme          = context.Binding.Scheme;
            _isClient        = isClient;
            _listenUri       = TransportSecurityHelpers.GetListenUri(context.ListenUriBaseAddress, context.ListenUriRelativeAddress);

            SecurityCredentialsManager credentialProvider = context.BindingParameters.Find <SecurityCredentialsManager>();

            if (credentialProvider == null)
            {
                if (isClient)
                {
                    credentialProvider = ClientCredentials.CreateDefaultCredentials();
                }
                else
                {
                    throw ExceptionHelper.PlatformNotSupported("WindowsStreamSecurityUpgradeProvider for server is not supported.");
                }
            }

            _securityTokenManager = credentialProvider.CreateSecurityTokenManager();
        }
コード例 #2
0
        // core Cred lookup code
        static async Task <NetworkCredential> GetSspiCredentialAsync(SspiSecurityTokenProvider tokenProvider,
                                                                     OutWrapper <TokenImpersonationLevel> impersonationLevelWrapper,
                                                                     OutWrapper <bool> allowNtlmWrapper, CancellationToken cancellationToken)
        {
            NetworkCredential credential = null;

            impersonationLevelWrapper.Value = TokenImpersonationLevel.Identification;
            allowNtlmWrapper.Value          = ConnectionOrientedTransportDefaults.AllowNtlm;

            if (tokenProvider != null)
            {
                SspiSecurityToken token = await TransportSecurityHelpers.GetTokenAsync <SspiSecurityToken>(tokenProvider, cancellationToken);

                if (token != null)
                {
                    impersonationLevelWrapper.Value = token.ImpersonationLevel;
                    allowNtlmWrapper.Value          = token.AllowNtlm;
                    if (token.NetworkCredential != null)
                    {
                        credential = token.NetworkCredential;
                        SecurityUtils.FixNetworkCredential(ref credential);
                    }
                }
            }

            // Initialize to the default value if no token provided. A partial trust app should not have access to the
            // default network credentials but should be able to provide credentials. The DefaultNetworkCredentials
            // getter will throw under partial trust.
            if (credential == null)
            {
                credential = CredentialCache.DefaultNetworkCredentials;
            }

            return(credential);
        }
        public WindowsStreamSecurityUpgradeProvider(WindowsStreamSecurityBindingElement bindingElement,
                                                    BindingContext context, bool isClient)
            : base(context.Binding)
        {
            this.extractGroupsForWindowsAccounts = TransportDefaults.ExtractGroupsForWindowsAccounts;
            this.protectionLevel = bindingElement.ProtectionLevel;
            this.scheme          = context.Binding.Scheme;
            this.isClient        = isClient;
            this.listenUri       = TransportSecurityHelpers.GetListenUri(context.ListenUriBaseAddress, context.ListenUriRelativeAddress);

            SecurityCredentialsManager credentialProvider = context.BindingParameters.Find <SecurityCredentialsManager>();

            if (credentialProvider == null)
            {
                if (isClient)
                {
                    credentialProvider = ClientCredentials.CreateDefaultCredentials();
                }
                else
                {
                    credentialProvider = ServiceCredentials.CreateDefaultCredentials();
                }
            }


            this.securityTokenManager = credentialProvider.CreateSecurityTokenManager();
        }
コード例 #4
0
        public HttpsChannelListener(HttpsTransportBindingElement httpsBindingElement, BindingContext context) : base(httpsBindingElement, context)
        {
            this.requireClientCertificate = httpsBindingElement.RequireClientCertificate;
            SecurityCredentialsManager manager = context.BindingParameters.Find <SecurityCredentialsManager>();

            if (manager == null)
            {
                manager = ServiceCredentials.CreateDefaultCredentials();
            }
            SecurityTokenManager tokenManager = manager.CreateSecurityTokenManager();

            this.certificateAuthenticator = TransportSecurityHelpers.GetCertificateTokenAuthenticator(tokenManager, context.Binding.Scheme, TransportSecurityHelpers.GetListenUri(context.ListenUriBaseAddress, context.ListenUriRelativeAddress));
            ServiceCredentials credentials = manager as ServiceCredentials;

            if ((credentials != null) && (credentials.ClientCertificate.Authentication.CertificateValidationMode == X509CertificateValidationMode.Custom))
            {
                this.useCustomClientCertificateVerification = true;
            }
            else
            {
                this.useCustomClientCertificateVerification = false;
                X509SecurityTokenAuthenticator certificateAuthenticator = this.certificateAuthenticator as X509SecurityTokenAuthenticator;
                if (certificateAuthenticator != null)
                {
                    this.certificateAuthenticator = new X509SecurityTokenAuthenticator(X509CertificateValidator.None, certificateAuthenticator.MapCertificateToWindowsAccount, base.ExtractGroupsForWindowsAccounts, false);
                }
            }
            if (this.RequireClientCertificate && (base.AuthenticationScheme != AuthenticationSchemes.Anonymous))
            {
                throw DiagnosticUtility.ExceptionUtility.ThrowHelper(new InvalidOperationException(System.ServiceModel.SR.GetString("HttpAuthSchemeAndClientCert", new object[] { base.AuthenticationScheme })), TraceEventType.Error);
            }
            this.channelBindingProvider = new ChannelBindingProviderHelper();
        }
コード例 #5
0
        private static NetworkCredential GetCredentialCore(AuthenticationSchemes authenticationScheme, SecurityTokenProviderContainer credentialProvider, TimeSpan timeout, out TokenImpersonationLevel impersonationLevel, out AuthenticationLevel authenticationLevel)
        {
            impersonationLevel  = TokenImpersonationLevel.None;
            authenticationLevel = AuthenticationLevel.None;
            NetworkCredential userNameCredential = null;

            switch (authenticationScheme)
            {
            case AuthenticationSchemes.Digest:
                userNameCredential = TransportSecurityHelpers.GetSspiCredential(credentialProvider, timeout, out impersonationLevel, out authenticationLevel);
                ValidateDigestCredential(ref userNameCredential, impersonationLevel);
                return(userNameCredential);

            case AuthenticationSchemes.Negotiate:
                return(TransportSecurityHelpers.GetSspiCredential(credentialProvider, timeout, out impersonationLevel, out authenticationLevel));

            case AuthenticationSchemes.Ntlm:
                userNameCredential = TransportSecurityHelpers.GetSspiCredential(credentialProvider, timeout, out impersonationLevel, out authenticationLevel);
                if (authenticationLevel == AuthenticationLevel.MutualAuthRequired)
                {
                    throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new InvalidOperationException(System.ServiceModel.SR.GetString("CredentialDisallowsNtlm")));
                }
                return(userNameCredential);

            case AuthenticationSchemes.Basic:
                userNameCredential = TransportSecurityHelpers.GetUserNameCredential(credentialProvider, timeout);
                impersonationLevel = TokenImpersonationLevel.Delegation;
                return(userNameCredential);
            }
            throw Fx.AssertAndThrow("GetCredential: Invalid authentication scheme");
        }
コード例 #6
0
        public static SslStreamSecurityUpgradeProvider CreateServerProvider(SslStreamSecurityBindingElement bindingElement, BindingContext context)
        {
            SecurityCredentialsManager manager = context.BindingParameters.Find <SecurityCredentialsManager>();

            if (manager == null)
            {
                manager = ServiceCredentials.CreateDefaultCredentials();
            }
            Uri listenUri = TransportSecurityHelpers.GetListenUri(context.ListenUriBaseAddress, context.ListenUriRelativeAddress);
            SecurityTokenManager tokenManager = manager.CreateSecurityTokenManager();
            RecipientServiceModelSecurityTokenRequirement tokenRequirement = new RecipientServiceModelSecurityTokenRequirement {
                TokenType = SecurityTokenTypes.X509Certificate,
                RequireCryptographicToken = true,
                KeyUsage        = SecurityKeyUsage.Exchange,
                TransportScheme = context.Binding.Scheme,
                ListenUri       = listenUri
            };
            SecurityTokenProvider serverTokenProvider = tokenManager.CreateSecurityTokenProvider(tokenRequirement);

            if (serverTokenProvider == null)
            {
                throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new InvalidOperationException(System.ServiceModel.SR.GetString("ClientCredentialsUnableToCreateLocalTokenProvider", new object[] { tokenRequirement })));
            }
            return(new SslStreamSecurityUpgradeProvider(context.Binding, serverTokenProvider, bindingElement.RequireClientCertificate, TransportSecurityHelpers.GetCertificateTokenAuthenticator(tokenManager, context.Binding.Scheme, listenUri), context.Binding.Scheme, bindingElement.IdentityVerifier));
        }
 protected override void OnOpen(TimeSpan timeout)
 {
     if (!this.isClient)
     {
         SecurityTokenRequirement sspiTokenRequirement = TransportSecurityHelpers.CreateSspiTokenRequirement(this.Scheme, this.listenUri);
         this.serverCredential = TransportSecurityHelpers.GetSspiCredential(this.securityTokenManager, sspiTokenRequirement, timeout, out this.extractGroupsForWindowsAccounts);
     }
 }
            internal override void Open(TimeSpan timeout)
            {
                TimeoutHelper helper = new TimeoutHelper(timeout);

                base.Open(helper.RemainingTime());
                System.ServiceModel.Security.SecurityUtils.OpenTokenProviderIfRequired(this.clientTokenProvider, helper.RemainingTime());
                this.credential = TransportSecurityHelpers.GetSspiCredential(this.clientTokenProvider, helper.RemainingTime(), out this.impersonationLevel, out this.allowNtlm);
            }
コード例 #9
0
 public WindowsStreamSecurityUpgradeInitiator(
     WindowsStreamSecurityUpgradeProvider parent, EndpointAddress remoteAddress, Uri via)
     : base(FramingUpgradeString.Negotiate, remoteAddress, via)
 {
     _parent = parent;
     _clientTokenProvider = TransportSecurityHelpers.GetSspiTokenProvider(
         parent._securityTokenManager, remoteAddress, via, parent.Scheme, out _identityVerifier);
 }
                private bool HandleOpenTokenProviderComplete(IAsyncResult result)
                {
                    System.ServiceModel.Security.SecurityUtils.EndOpenTokenProviderIfRequired(result);
                    IAsyncResult result2 = TransportSecurityHelpers.BeginGetSspiCredential(this.parent.clientTokenProvider, this.timeoutHelper.RemainingTime(), this.onGetSspiCredential, this);

                    if (!result2.CompletedSynchronously)
                    {
                        return(false);
                    }
                    return(this.HandleGetSspiCredentialComplete(result2));
                }
コード例 #11
0
        private SecurityTokenProvider CreateAndOpenCertificateTokenProvider(EndpointAddress target, Uri via, ChannelParameterCollection channelParameters, TimeSpan timeout)
        {
            if (!this.RequireClientCertificate)
            {
                return(null);
            }
            SecurityTokenProvider tokenProvider = TransportSecurityHelpers.GetCertificateTokenProvider(base.SecurityTokenManager, target, via, this.Scheme, channelParameters);

            System.ServiceModel.Security.SecurityUtils.OpenTokenProviderIfRequired(tokenProvider, timeout);
            return(tokenProvider);
        }
コード例 #12
0
        internal SecurityTokenProvider CreateAndOpenCertificateTokenProvider(EndpointAddress target, Uri via, ChannelParameterCollection channelParameters, TimeSpan timeout)
        {
            if (!RequireClientCertificate)
            {
                return(null);
            }
            SecurityTokenProvider certificateProvider = TransportSecurityHelpers.GetCertificateTokenProvider(
                SecurityTokenManager, target, via, Scheme, channelParameters);

            SecurityUtils.OpenTokenProviderIfRequired(certificateProvider, timeout);
            return(certificateProvider);
        }
                bool HandleOpenTokenProviderComplete(IAsyncResult result)
                {
                    SecurityUtils.EndOpenTokenProviderIfRequired(result);
                    IAsyncResult getCredentialResult = TransportSecurityHelpers.BeginGetSspiCredential(
                        parent.clientTokenProvider, timeoutHelper.RemainingTime(), onGetSspiCredential, this);

                    if (!getCredentialResult.CompletedSynchronously)
                    {
                        return(false);
                    }

                    return(HandleGetSspiCredentialComplete(getCredentialResult));
                }
コード例 #14
0
        public HttpsChannelListener(HttpsTransportBindingElement httpsBindingElement, BindingContext context)
            : base(httpsBindingElement, context)
        {
            this.requireClientCertificate        = httpsBindingElement.RequireClientCertificate;
            this.shouldValidateClientCertificate = ShouldValidateClientCertificate(this.requireClientCertificate, context);

            // Pick up the MapCertificateToWindowsAccount setting from the configured token authenticator.
            SecurityCredentialsManager credentialProvider =
                context.BindingParameters.Find <SecurityCredentialsManager>();

            if (credentialProvider == null)
            {
                credentialProvider = ServiceCredentials.CreateDefaultCredentials();
            }
            SecurityTokenManager tokenManager = credentialProvider.CreateSecurityTokenManager();

            this.certificateAuthenticator =
                TransportSecurityHelpers.GetCertificateTokenAuthenticator(tokenManager, context.Binding.Scheme,
                                                                          TransportSecurityHelpers.GetListenUri(context.ListenUriBaseAddress, context.ListenUriRelativeAddress));


            ServiceCredentials serviceCredentials = credentialProvider as ServiceCredentials;

            if (serviceCredentials != null &&
                serviceCredentials.ClientCertificate.Authentication.CertificateValidationMode == X509CertificateValidationMode.Custom)
            {
                useCustomClientCertificateVerification = true;
            }
            else
            {
                useCustomClientCertificateVerification = false;

                X509SecurityTokenAuthenticator authenticator = this.certificateAuthenticator as X509SecurityTokenAuthenticator;

                if (authenticator != null)
                {
                    this.certificateAuthenticator = new X509SecurityTokenAuthenticator(X509CertificateValidator.None,
                                                                                       authenticator.MapCertificateToWindowsAccount, this.ExtractGroupsForWindowsAccounts, false);
                }
            }

            if (this.RequireClientCertificate &&
                this.AuthenticationScheme.IsNotSet(AuthenticationSchemes.Anonymous))
            {
                throw DiagnosticUtility.ExceptionUtility.ThrowHelper(new InvalidOperationException(SR.GetString(
                                                                                                       SR.HttpAuthSchemeAndClientCert, this.AuthenticationScheme)), TraceEventType.Error);
            }

            this.channelBindingProvider = new ChannelBindingProviderHelper();
        }
コード例 #15
0
        static async Task <NetworkCredential> GetCredentialCoreAsync(AuthenticationSchemes authenticationScheme,
                                                                     SecurityTokenProviderContainer credentialProvider, OutWrapper <TokenImpersonationLevel> impersonationLevelWrapper,
                                                                     OutWrapper <AuthenticationLevel> authenticationLevelWrapper, CancellationToken cancellationToken)
        {
            impersonationLevelWrapper.Value  = TokenImpersonationLevel.None;
            authenticationLevelWrapper.Value = AuthenticationLevel.None;

            NetworkCredential result = null;

            switch (authenticationScheme)
            {
            case AuthenticationSchemes.Basic:
                result = await TransportSecurityHelpers.GetUserNameCredentialAsync(credentialProvider, cancellationToken);

                impersonationLevelWrapper.Value = TokenImpersonationLevel.Delegation;
                break;

            case AuthenticationSchemes.Digest:
                result = await TransportSecurityHelpers.GetSspiCredentialAsync(credentialProvider,
                                                                               impersonationLevelWrapper, authenticationLevelWrapper, cancellationToken);

                ValidateDigestCredential(result, impersonationLevelWrapper.Value);
                break;

            case AuthenticationSchemes.Negotiate:
                result = await TransportSecurityHelpers.GetSspiCredentialAsync(credentialProvider,
                                                                               impersonationLevelWrapper, authenticationLevelWrapper, cancellationToken);

                break;

            case AuthenticationSchemes.Ntlm:
                result = await TransportSecurityHelpers.GetSspiCredentialAsync(credentialProvider,
                                                                               impersonationLevelWrapper, authenticationLevelWrapper, cancellationToken);

                if (authenticationLevelWrapper.Value == AuthenticationLevel.MutualAuthRequired)
                {
                    throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(
                              new InvalidOperationException(SR.CredentialDisallowsNtlm));
                }
                break;

            default:
                // The setter for this property should prevent this.
                throw Fx.AssertAndThrow("GetCredential: Invalid authentication scheme");
            }

            return(result);
        }
コード例 #16
0
        private SecurityTokenProviderContainer CreateAndOpenTokenProvider(TimeSpan timeout, AuthenticationSchemes authenticationScheme,
                                                                          EndpointAddress target, Uri via, ChannelParameterCollection channelParameters)
        {
            SecurityTokenProvider tokenProvider = null;

            switch (authenticationScheme)
            {
            case AuthenticationSchemes.Anonymous:
                break;

            case AuthenticationSchemes.Basic:
                tokenProvider = TransportSecurityHelpers.GetUserNameTokenProvider(this.SecurityTokenManager, target, via, this.Scheme, authenticationScheme, channelParameters);
                break;

            case AuthenticationSchemes.Negotiate:
            case AuthenticationSchemes.Ntlm:
                // tokenProvider = TransportSecurityHelpers.GetSspiTokenProvider(this.SecurityTokenManager, target, via, this.Scheme, authenticationScheme, channelParameters);
                // break;
                throw ExceptionHelper.PlatformNotSupported("Negotiate/NTLM not supported yet");

            case AuthenticationSchemes.Digest:
                tokenProvider = TransportSecurityHelpers.GetDigestTokenProvider(this.SecurityTokenManager, target, via, this.Scheme, authenticationScheme, channelParameters);
                break;

            default:
                // The setter for this property should prevent this.
                throw Fx.AssertAndThrow("CreateAndOpenTokenProvider: Invalid authentication scheme");
            }
            SecurityTokenProviderContainer result;

            if (tokenProvider != null)
            {
                result = new SecurityTokenProviderContainer(tokenProvider);
                result.Open(timeout);
            }
            else
            {
                result = null;
            }
            return(result);
        }
コード例 #17
0
        public WindowsStreamSecurityUpgradeProvider(WindowsStreamSecurityBindingElement bindingElement,
                                                    BindingContext context, bool isClient)
            : base(context.Binding)
        {
            Contract.Assert(isClient, ".NET Core and .NET Native does not support server side");

            _extractGroupsForWindowsAccounts = TransportDefaults.ExtractGroupsForWindowsAccounts;
            _protectionLevel = bindingElement.ProtectionLevel;
            _scheme          = context.Binding.Scheme;
            _isClient        = isClient;
            _listenUri       = TransportSecurityHelpers.GetListenUri(context.ListenUriBaseAddress, context.ListenUriRelativeAddress);

            SecurityCredentialsManager credentialProvider = context.BindingParameters.Find <SecurityCredentialsManager>();

            if (credentialProvider == null)
            {
                credentialProvider = ClientCredentials.CreateDefaultCredentials();
            }

            _securityTokenManager = credentialProvider.CreateSecurityTokenManager();
        }
コード例 #18
0
            internal override async Task OpenAsync(TimeSpan timeout)
            {
                TimeoutHelper timeoutHelper = new TimeoutHelper(timeout);

                base.Open(timeoutHelper.RemainingTime());

                OutWrapper <TokenImpersonationLevel> impersonationLevelWrapper = new OutWrapper <TokenImpersonationLevel>();
                OutWrapper <bool> allowNtlmWrapper = new OutWrapper <bool>();

                SecurityUtils.OpenTokenProviderIfRequired(_clientTokenProvider, timeoutHelper.RemainingTime());
                _credential = await TransportSecurityHelpers.GetSspiCredentialAsync(
                    _clientTokenProvider,
                    impersonationLevelWrapper,
                    allowNtlmWrapper,
                    timeoutHelper.GetCancellationToken());

                _impersonationLevel = impersonationLevelWrapper.Value;
                _allowNtlm          = allowNtlmWrapper;

                return;
            }
コード例 #19
0
        // core Cred lookup code
        static NetworkCredential GetSspiCredential(SspiSecurityTokenProvider tokenProvider, TimeSpan timeout,
                                                   out bool extractGroupsForWindowsAccounts, out TokenImpersonationLevel impersonationLevel,
                                                   out bool allowNtlm)
        {
            NetworkCredential credential = null;

            extractGroupsForWindowsAccounts = TransportDefaults.ExtractGroupsForWindowsAccounts;
            impersonationLevel = TokenImpersonationLevel.Identification;
            allowNtlm          = ConnectionOrientedTransportDefaults.AllowNtlm;

            if (tokenProvider != null)
            {
                SspiSecurityToken token = TransportSecurityHelpers.GetToken <SspiSecurityToken>(tokenProvider, timeout);
                if (token != null)
                {
                    extractGroupsForWindowsAccounts = token.ExtractGroupsForWindowsAccounts;
                    impersonationLevel = token.ImpersonationLevel;
                    allowNtlm          = token.AllowNtlm;
                    if (token.NetworkCredential != null)
                    {
                        credential = token.NetworkCredential;
                        SecurityUtils.FixNetworkCredential(ref credential);
                    }
                }
            }

            // Initialize to the default value if no token provided. A partial trust app should not have access to the
            // default network credentials but should be able to provide credentials. The DefaultNetworkCredentials
            // getter will throw under partial trust.
            if (credential == null)
            {
                credential = CredentialCache.DefaultNetworkCredentials;
            }

            return(credential);
        }
 private bool HandleGetSspiCredentialComplete(IAsyncResult result)
 {
     this.parent.credential = TransportSecurityHelpers.EndGetSspiCredential(result, out this.parent.impersonationLevel, out this.parent.allowNtlm);
     return(true);
 }
 public WindowsStreamSecurityUpgradeInitiator(WindowsStreamSecurityUpgradeProvider parent, EndpointAddress remoteAddress, Uri via) : base("application/negotiate", remoteAddress, via)
 {
     this.parent = parent;
     this.clientTokenProvider = TransportSecurityHelpers.GetSspiTokenProvider(parent.securityTokenManager, remoteAddress, via, parent.Scheme, out this.identityVerifier);
 }