private SamlSecurityTokenAuthenticator CreateSamlTokenAuthenticator(RecipientServiceModelSecurityTokenRequirement recipientRequirement, out SecurityTokenResolver outOfBandTokenResolver) { SamlSecurityTokenAuthenticator authenticator; if (recipientRequirement == null) { throw System.ServiceModel.DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("recipientRequirement"); } Collection<SecurityToken> collection = new Collection<SecurityToken>(); if (this.parent.ServiceCertificate.Certificate != null) { collection.Add(new X509SecurityToken(this.parent.ServiceCertificate.Certificate)); } List<SecurityTokenAuthenticator> supportingAuthenticators = new List<SecurityTokenAuthenticator>(); if ((this.parent.IssuedTokenAuthentication.KnownCertificates != null) && (this.parent.IssuedTokenAuthentication.KnownCertificates.Count > 0)) { for (int i = 0; i < this.parent.IssuedTokenAuthentication.KnownCertificates.Count; i++) { collection.Add(new X509SecurityToken(this.parent.IssuedTokenAuthentication.KnownCertificates[i])); } } X509CertificateValidator certificateValidator = this.parent.IssuedTokenAuthentication.GetCertificateValidator(); supportingAuthenticators.Add(new X509SecurityTokenAuthenticator(certificateValidator)); if (this.parent.IssuedTokenAuthentication.AllowUntrustedRsaIssuers) { supportingAuthenticators.Add(new RsaSecurityTokenAuthenticator()); } outOfBandTokenResolver = (collection.Count > 0) ? SecurityTokenResolver.CreateDefaultSecurityTokenResolver(new ReadOnlyCollection<SecurityToken>(collection), false) : null; if ((recipientRequirement.SecurityBindingElement == null) || (recipientRequirement.SecurityBindingElement.LocalServiceSettings == null)) { authenticator = new SamlSecurityTokenAuthenticator(supportingAuthenticators); } else { authenticator = new SamlSecurityTokenAuthenticator(supportingAuthenticators, recipientRequirement.SecurityBindingElement.LocalServiceSettings.MaxClockSkew); } authenticator.AudienceUriMode = this.parent.IssuedTokenAuthentication.AudienceUriMode; IList<string> allowedAudienceUris = authenticator.AllowedAudienceUris; if (this.parent.IssuedTokenAuthentication.AllowedAudienceUris != null) { for (int j = 0; j < this.parent.IssuedTokenAuthentication.AllowedAudienceUris.Count; j++) { allowedAudienceUris.Add(this.parent.IssuedTokenAuthentication.AllowedAudienceUris[j]); } } if (recipientRequirement.ListenUri != null) { allowedAudienceUris.Add(recipientRequirement.ListenUri.AbsoluteUri); } return authenticator; }
private SecurityTokenProvider CreateLocalSecurityTokenProvider(RecipientServiceModelSecurityTokenRequirement recipientRequirement) { AuthenticationSchemes schemes; string tokenType = recipientRequirement.TokenType; SecurityTokenProvider provider = null; if (tokenType == SecurityTokenTypes.X509Certificate) { return this.CreateServerX509TokenProvider(); } if (!(tokenType == ServiceModelSecurityTokenTypes.SspiCredential)) { return provider; } if (recipientRequirement.TryGetProperty<AuthenticationSchemes>(ServiceModelSecurityTokenRequirement.HttpAuthenticationSchemeProperty, out schemes) && (schemes == AuthenticationSchemes.Basic)) { return new SspiSecurityTokenProvider(null, this.parent.UserNameAuthentication.IncludeWindowsGroups, false); } return new SspiSecurityTokenProvider(null, this.parent.WindowsAuthentication.IncludeWindowsGroups, this.parent.WindowsAuthentication.AllowAnonymousLogons); }
public void CreateProviderRsaDefault () { // actually is Rsa usable here?? SecurityTokenRequirement r = new RecipientServiceModelSecurityTokenRequirement (); r.TokenType = SecurityTokenTypes.Rsa; def_c.CreateSecurityTokenProvider (r); }
public void CreateProviderX509RecipientNoKeyUsage () { RecipientServiceModelSecurityTokenRequirement r = new RecipientServiceModelSecurityTokenRequirement (); r.TokenType = SecurityTokenTypes.X509Certificate; def_c.ClientCredentials.ClientCertificate.Certificate = cert; def_c.CreateSecurityTokenProvider (r); }
private SecurityTokenAuthenticator CreateTlsnegoSecurityTokenAuthenticator(RecipientServiceModelSecurityTokenRequirement recipientRequirement, bool requireClientCertificate, out SecurityTokenResolver sctResolver) { SecurityBindingElement securityBindingElement = recipientRequirement.SecurityBindingElement; if (securityBindingElement == null) { throw System.ServiceModel.DiagnosticUtility.ExceptionUtility.ThrowHelperArgument(System.ServiceModel.SR.GetString("TokenAuthenticatorRequiresSecurityBindingElement", new object[] { recipientRequirement })); } bool flag = !recipientRequirement.SupportSecurityContextCancellation; LocalServiceSecuritySettings localServiceSettings = securityBindingElement.LocalServiceSettings; sctResolver = new SecurityContextSecurityTokenResolver(localServiceSettings.MaxCachedCookies, true); TlsnegoTokenAuthenticator authenticator = new TlsnegoTokenAuthenticator { IsClientAnonymous = !requireClientCertificate }; if (requireClientCertificate) { authenticator.ClientTokenAuthenticator = this.CreateTlsnegoClientX509TokenAuthenticator(recipientRequirement); authenticator.MapCertificateToWindowsAccount = this.ServiceCredentials.ClientCertificate.Authentication.MapClientCertificateToWindowsAccount; } authenticator.EncryptStateInServiceToken = flag; authenticator.IssuedSecurityTokenParameters = recipientRequirement.GetProperty<SecurityTokenParameters>(ServiceModelSecurityTokenRequirement.IssuedSecurityTokenParametersProperty); authenticator.IssuedTokenCache = (ISecurityContextSecurityTokenCache) sctResolver; authenticator.IssuerBindingContext = recipientRequirement.GetProperty<BindingContext>(ServiceModelSecurityTokenRequirement.IssuerBindingContextProperty); authenticator.ListenUri = recipientRequirement.ListenUri; authenticator.SecurityAlgorithmSuite = recipientRequirement.SecurityAlgorithmSuite; authenticator.StandardsManager = System.ServiceModel.Security.SecurityUtils.CreateSecurityStandardsManager(recipientRequirement, this); authenticator.SecurityStateEncoder = this.parent.SecureConversationAuthentication.SecurityStateEncoder; authenticator.KnownTypes = this.parent.SecureConversationAuthentication.SecurityContextClaimTypes; authenticator.ServerTokenProvider = this.CreateTlsnegoServerX509TokenProvider(recipientRequirement); authenticator.MaximumCachedNegotiationState = localServiceSettings.MaxStatefulNegotiations; authenticator.NegotiationTimeout = localServiceSettings.NegotiationTimeout; authenticator.ServiceTokenLifetime = localServiceSettings.IssuedCookieLifetime; authenticator.MaximumConcurrentNegotiations = localServiceSettings.MaxStatefulNegotiations; if (securityBindingElement is TransportSecurityBindingElement) { authenticator.MaxMessageSize = System.ServiceModel.Security.SecurityUtils.GetMaxNegotiationBufferSize(authenticator.IssuerBindingContext); } authenticator.AuditLogLocation = recipientRequirement.AuditLogLocation; authenticator.SuppressAuditFailure = recipientRequirement.SuppressAuditFailure; authenticator.MessageAuthenticationAuditLevel = recipientRequirement.MessageAuthenticationAuditLevel; return authenticator; }
protected SecurityTokenAuthenticator CreateSecureConversationTokenAuthenticator(RecipientServiceModelSecurityTokenRequirement recipientRequirement, bool preserveBootstrapTokens, out SecurityTokenResolver sctResolver) { SecurityBindingElement securityBindingElement = recipientRequirement.SecurityBindingElement; if (securityBindingElement == null) { throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgument(SR.GetString(SR.TokenAuthenticatorRequiresSecurityBindingElement, recipientRequirement)); } bool isCookieMode = !recipientRequirement.SupportSecurityContextCancellation; LocalServiceSecuritySettings localServiceSettings = securityBindingElement.LocalServiceSettings; IMessageFilterTable<EndpointAddress> endpointFilterTable = recipientRequirement.GetPropertyOrDefault<IMessageFilterTable<EndpointAddress>>(ServiceModelSecurityTokenRequirement.EndpointFilterTableProperty, null); if (!isCookieMode) { sctResolver = new SecurityContextSecurityTokenResolver(Int32.MaxValue, false); // remember this authenticator for future reference SecuritySessionSecurityTokenAuthenticator authenticator = new SecuritySessionSecurityTokenAuthenticator(); authenticator.BootstrapSecurityBindingElement = SecurityUtils.GetIssuerSecurityBindingElement(recipientRequirement); authenticator.IssuedSecurityTokenParameters = recipientRequirement.GetProperty<SecurityTokenParameters>(ServiceModelSecurityTokenRequirement.IssuedSecurityTokenParametersProperty); authenticator.IssuedTokenCache = (ISecurityContextSecurityTokenCache)sctResolver; authenticator.IssuerBindingContext = recipientRequirement.GetProperty<BindingContext>(ServiceModelSecurityTokenRequirement.IssuerBindingContextProperty); authenticator.KeyEntropyMode = securityBindingElement.KeyEntropyMode; authenticator.ListenUri = recipientRequirement.ListenUri; authenticator.SecurityAlgorithmSuite = recipientRequirement.SecurityAlgorithmSuite; authenticator.SessionTokenLifetime = TimeSpan.MaxValue; authenticator.KeyRenewalInterval = securityBindingElement.LocalServiceSettings.SessionKeyRenewalInterval; authenticator.StandardsManager = SecurityUtils.CreateSecurityStandardsManager(recipientRequirement, this); authenticator.EndpointFilterTable = endpointFilterTable; authenticator.MaximumConcurrentNegotiations = localServiceSettings.MaxStatefulNegotiations; authenticator.NegotiationTimeout = localServiceSettings.NegotiationTimeout; authenticator.PreserveBootstrapTokens = preserveBootstrapTokens; return authenticator; } else { sctResolver = new SecurityContextSecurityTokenResolver(localServiceSettings.MaxCachedCookies, true, localServiceSettings.MaxClockSkew); AcceleratedTokenAuthenticator authenticator = new AcceleratedTokenAuthenticator(); authenticator.BootstrapSecurityBindingElement = SecurityUtils.GetIssuerSecurityBindingElement(recipientRequirement); authenticator.KeyEntropyMode = securityBindingElement.KeyEntropyMode; authenticator.EncryptStateInServiceToken = true; authenticator.IssuedSecurityTokenParameters = recipientRequirement.GetProperty<SecurityTokenParameters>(ServiceModelSecurityTokenRequirement.IssuedSecurityTokenParametersProperty); authenticator.IssuedTokenCache = (ISecurityContextSecurityTokenCache)sctResolver; authenticator.IssuerBindingContext = recipientRequirement.GetProperty<BindingContext>(ServiceModelSecurityTokenRequirement.IssuerBindingContextProperty); authenticator.ListenUri = recipientRequirement.ListenUri; authenticator.SecurityAlgorithmSuite = recipientRequirement.SecurityAlgorithmSuite; authenticator.StandardsManager = SecurityUtils.CreateSecurityStandardsManager(recipientRequirement, this); authenticator.SecurityStateEncoder = parent.SecureConversationAuthentication.SecurityStateEncoder; authenticator.KnownTypes = parent.SecureConversationAuthentication.SecurityContextClaimTypes; authenticator.PreserveBootstrapTokens = preserveBootstrapTokens; // local security quotas authenticator.MaximumCachedNegotiationState = localServiceSettings.MaxStatefulNegotiations; authenticator.NegotiationTimeout = localServiceSettings.NegotiationTimeout; authenticator.ServiceTokenLifetime = localServiceSettings.IssuedCookieLifetime; authenticator.MaximumConcurrentNegotiations = localServiceSettings.MaxStatefulNegotiations; // audit settings authenticator.AuditLogLocation = recipientRequirement.AuditLogLocation; authenticator.SuppressAuditFailure = recipientRequirement.SuppressAuditFailure; authenticator.MessageAuthenticationAuditLevel = recipientRequirement.MessageAuthenticationAuditLevel; authenticator.EndpointFilterTable = endpointFilterTable; return authenticator; } }
private SecurityTokenAuthenticator CreateSpnegoSecurityTokenAuthenticator(RecipientServiceModelSecurityTokenRequirement recipientRequirement, out SecurityTokenResolver sctResolver) { SecurityBindingElement securityBindingElement = recipientRequirement.SecurityBindingElement; if (securityBindingElement == null) { throw System.ServiceModel.DiagnosticUtility.ExceptionUtility.ThrowHelperArgument(System.ServiceModel.SR.GetString("TokenAuthenticatorRequiresSecurityBindingElement", new object[] { recipientRequirement })); } bool flag = !recipientRequirement.SupportSecurityContextCancellation; LocalServiceSecuritySettings localServiceSettings = securityBindingElement.LocalServiceSettings; sctResolver = new SecurityContextSecurityTokenResolver(localServiceSettings.MaxCachedCookies, true); ExtendedProtectionPolicy result = null; recipientRequirement.TryGetProperty<ExtendedProtectionPolicy>(ServiceModelSecurityTokenRequirement.ExtendedProtectionPolicy, out result); SpnegoTokenAuthenticator authenticator = new SpnegoTokenAuthenticator { ExtendedProtectionPolicy = result, AllowUnauthenticatedCallers = this.parent.WindowsAuthentication.AllowAnonymousLogons, ExtractGroupsForWindowsAccounts = this.parent.WindowsAuthentication.IncludeWindowsGroups, IsClientAnonymous = false, EncryptStateInServiceToken = flag, IssuedSecurityTokenParameters = recipientRequirement.GetProperty<SecurityTokenParameters>(ServiceModelSecurityTokenRequirement.IssuedSecurityTokenParametersProperty), IssuedTokenCache = (ISecurityContextSecurityTokenCache) sctResolver, IssuerBindingContext = recipientRequirement.GetProperty<BindingContext>(ServiceModelSecurityTokenRequirement.IssuerBindingContextProperty), ListenUri = recipientRequirement.ListenUri, SecurityAlgorithmSuite = recipientRequirement.SecurityAlgorithmSuite, StandardsManager = System.ServiceModel.Security.SecurityUtils.CreateSecurityStandardsManager(recipientRequirement, this), SecurityStateEncoder = this.parent.SecureConversationAuthentication.SecurityStateEncoder, KnownTypes = this.parent.SecureConversationAuthentication.SecurityContextClaimTypes }; if (securityBindingElement is TransportSecurityBindingElement) { authenticator.MaxMessageSize = System.ServiceModel.Security.SecurityUtils.GetMaxNegotiationBufferSize(authenticator.IssuerBindingContext); } authenticator.MaximumCachedNegotiationState = localServiceSettings.MaxStatefulNegotiations; authenticator.NegotiationTimeout = localServiceSettings.NegotiationTimeout; authenticator.ServiceTokenLifetime = localServiceSettings.IssuedCookieLifetime; authenticator.MaximumConcurrentNegotiations = localServiceSettings.MaxStatefulNegotiations; authenticator.AuditLogLocation = recipientRequirement.AuditLogLocation; authenticator.SuppressAuditFailure = recipientRequirement.SuppressAuditFailure; authenticator.MessageAuthenticationAuditLevel = recipientRequirement.MessageAuthenticationAuditLevel; return authenticator; }
public void CreateProviderAnonSsl () { RecipientServiceModelSecurityTokenRequirement r = new RecipientServiceModelSecurityTokenRequirement (); new MySslSecurityTokenParameters ().InitRequirement (r); Assert.IsFalse (r.Properties.ContainsKey (ReqType.ChannelParametersCollectionProperty), "#1"); Assert.IsFalse (r.Properties.ContainsKey (ReqType.EndpointFilterTableProperty), "#2"); Assert.IsFalse (r.Properties.ContainsKey (ReqType.HttpAuthenticationSchemeProperty), "#3"); Assert.IsFalse (r.Properties.ContainsKey (ReqType.IsOutOfBandTokenProperty), "#4"); Assert.IsFalse (r.Properties.ContainsKey (ReqType.IssuerAddressProperty), "#5"); Assert.IsFalse (r.Properties.ContainsKey (ReqType.MessageDirectionProperty), "#6"); Assert.IsFalse (r.Properties.ContainsKey (ReqType.MessageSecurityVersionProperty), "#7"); //Assert.IsTrue (r.Properties.ContainsKey (SecurityTokenRequirement.PeerAuthenticationMode), "#8"); Assert.IsFalse (r.Properties.ContainsKey (ReqType.SecurityAlgorithmSuiteProperty), "#9"); Assert.IsFalse (r.Properties.ContainsKey (ReqType.SecurityBindingElementProperty), "#10"); Assert.IsFalse (r.Properties.ContainsKey (ReqType.SupportingTokenAttachmentModeProperty), "#11"); Assert.AreEqual (null, r.TransportScheme, "#12"); r.TokenType = ServiceModelSecurityTokenTypes.AnonymousSslnego; r.ListenUri = new Uri ("http://localhost:8080"); r.SecurityBindingElement = new SymmetricSecurityBindingElement (); r.Properties [ReqType.IssuerBindingContextProperty] = new BindingContext (new CustomBinding (), new BindingParameterCollection ()); r.MessageSecurityVersion = MessageSecurityVersion.Default.SecurityTokenVersion; r.Properties [ReqType.SecurityAlgorithmSuiteProperty] = SecurityAlgorithmSuite.Default; r.TransportScheme = "https"; r.Properties [ReqType.ChannelParametersCollectionProperty] = new ChannelParameterCollection (); r.Properties [ReqType.EndpointFilterTableProperty] = null; r.Properties [ReqType.HttpAuthenticationSchemeProperty] = AuthenticationSchemes.Anonymous; r.Properties [ReqType.IsOutOfBandTokenProperty] = true; r.Properties [ReqType.IssuerAddressProperty] = new EndpointAddress ("http://localhost:9090"); // r.Properties [ReqType.MessageDirectionProperty] = MessageDirection.Input; r.Properties [ReqType.SecurityBindingElementProperty] = new SymmetricSecurityBindingElement (); r.Properties [ReqType.SupportingTokenAttachmentModeProperty] = SecurityTokenAttachmentMode.Signed; SecurityTokenProvider p = def_c.CreateSecurityTokenProvider (r); Assert.IsNotNull (p, "#1"); }
RecipientServiceModelSecurityTokenRequirement CreateAnonSslRequirement () { RecipientServiceModelSecurityTokenRequirement r = new RecipientServiceModelSecurityTokenRequirement (); MySslSecurityTokenParameters p = new MySslSecurityTokenParameters (); p.InitRequirement (r); r.SecurityBindingElement = new SymmetricSecurityBindingElement (new X509SecurityTokenParameters ()); r.Properties [ReqType.IssuedSecurityTokenParametersProperty] = p.Clone (); r.Properties [ReqType.IssuerBindingContextProperty] = new BindingContext (new CustomBinding (new HttpTransportBindingElement ()), new BindingParameterCollection ()); r.Properties [ReqType.MessageSecurityVersionProperty] = MessageSecurityVersion.Default.SecurityTokenVersion; return r; }
public void CreateProviderX509 () { SecurityTokenRequirement r = new RecipientServiceModelSecurityTokenRequirement (); r.TokenType = SecurityTokenTypes.X509Certificate; def_c.ServiceCredentials.ServiceCertificate.Certificate = new X509Certificate2 ("Test/Resources/test.pfx", "mono"); X509SecurityTokenProvider p = def_c.CreateSecurityTokenProvider (r) as X509SecurityTokenProvider; Assert.IsNotNull (p, "#1"); }
public void CreateProviderAnonSslError () { RecipientServiceModelSecurityTokenRequirement r = new RecipientServiceModelSecurityTokenRequirement (); r.TokenType = ServiceModelSecurityTokenTypes.AnonymousSslnego; r.ListenUri = new Uri ("http://localhost:8080"); r.SecurityBindingElement = new SymmetricSecurityBindingElement (); r.Properties [ReqType.IssuerBindingContextProperty] = new BindingContext (new CustomBinding (), new BindingParameterCollection ()); r.MessageSecurityVersion = MessageSecurityVersion.Default.SecurityTokenVersion; SecurityTokenProvider p = def_c.CreateSecurityTokenProvider (r); Assert.IsNotNull (p, "#1"); }
public void CreateProviderX509PublicOnlyKey () { SecurityTokenRequirement r = new RecipientServiceModelSecurityTokenRequirement (); r.TokenType = SecurityTokenTypes.X509Certificate; X509Certificate2 cert = new X509Certificate2 ("Test/Resources/test.cer"); def_c.ServiceCredentials.ServiceCertificate.Certificate = cert; def_c.CreateSecurityTokenProvider (r); }
public void CreateProviderX509WithoutCert () { SecurityTokenRequirement r = new RecipientServiceModelSecurityTokenRequirement (); r.TokenType = SecurityTokenTypes.X509Certificate; def_c.CreateSecurityTokenProvider (r); }
public void CreateAuthenticatorRsaDefault () { SecurityTokenRequirement r = new RecipientServiceModelSecurityTokenRequirement (); SecurityTokenResolver resolver; r.TokenType = SecurityTokenTypes.Rsa; SecurityTokenAuthenticator a = def_c.CreateSecurityTokenAuthenticator (r, out resolver); Assert.AreEqual (typeof (RsaSecurityTokenAuthenticator), a.GetType (), "#1"); Assert.IsNull (resolver, "#2"); }
SamlSecurityTokenAuthenticator CreateSamlTokenAuthenticator(RecipientServiceModelSecurityTokenRequirement recipientRequirement, out SecurityTokenResolver outOfBandTokenResolver) { if (recipientRequirement == null) throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("recipientRequirement"); Collection<SecurityToken> outOfBandTokens = new Collection<SecurityToken>(); if (parent.ServiceCertificate.Certificate != null) { outOfBandTokens.Add(new X509SecurityToken(parent.ServiceCertificate.Certificate)); } List<SecurityTokenAuthenticator> supportingAuthenticators = new List<SecurityTokenAuthenticator>(); if ((parent.IssuedTokenAuthentication.KnownCertificates != null) && (parent.IssuedTokenAuthentication.KnownCertificates.Count > 0)) { for (int i = 0; i < parent.IssuedTokenAuthentication.KnownCertificates.Count; ++i) { outOfBandTokens.Add(new X509SecurityToken(parent.IssuedTokenAuthentication.KnownCertificates[i])); } } X509CertificateValidator validator = parent.IssuedTokenAuthentication.GetCertificateValidator(); supportingAuthenticators.Add(new X509SecurityTokenAuthenticator(validator)); if (parent.IssuedTokenAuthentication.AllowUntrustedRsaIssuers) { supportingAuthenticators.Add(new RsaSecurityTokenAuthenticator()); } outOfBandTokenResolver = (outOfBandTokens.Count > 0) ? SecurityTokenResolver.CreateDefaultSecurityTokenResolver(new ReadOnlyCollection<SecurityToken>(outOfBandTokens), false) : null; SamlSecurityTokenAuthenticator ssta; if ((recipientRequirement.SecurityBindingElement == null) || (recipientRequirement.SecurityBindingElement.LocalServiceSettings == null)) { ssta = new SamlSecurityTokenAuthenticator(supportingAuthenticators); } else { ssta = new SamlSecurityTokenAuthenticator(supportingAuthenticators, recipientRequirement.SecurityBindingElement.LocalServiceSettings.MaxClockSkew); } // set audience uri restrictions ssta.AudienceUriMode = parent.IssuedTokenAuthentication.AudienceUriMode; IList<string> allowedAudienceUris = ssta.AllowedAudienceUris; if (parent.IssuedTokenAuthentication.AllowedAudienceUris != null) { for (int i = 0; i < parent.IssuedTokenAuthentication.AllowedAudienceUris.Count; i++) allowedAudienceUris.Add(parent.IssuedTokenAuthentication.AllowedAudienceUris[i]); } if (recipientRequirement.ListenUri != null) { allowedAudienceUris.Add(recipientRequirement.ListenUri.AbsoluteUri); } return ssta; }
RecipientServiceModelSecurityTokenRequirement CreateRecipientRequirement (string tokenType) { RecipientServiceModelSecurityTokenRequirement r = new RecipientServiceModelSecurityTokenRequirement (); r.TokenType = tokenType; r.SecurityBindingElement = new SymmetricSecurityBindingElement (); r.Properties [ReqType.IssuerBindingContextProperty] = new BindingContext (new CustomBinding (), new BindingParameterCollection ()); r.Properties [ReqType.IssuedSecurityTokenParametersProperty] = new IssuedSecurityTokenParameters (); r.MessageSecurityVersion = MessageSecurityVersion.Default.SecurityTokenVersion; return r; }
SecurityTokenProvider CreateLocalSecurityTokenProvider(RecipientServiceModelSecurityTokenRequirement recipientRequirement) { string tokenType = recipientRequirement.TokenType; SecurityTokenProvider result = null; if (tokenType == SecurityTokenTypes.X509Certificate) { result = CreateServerX509TokenProvider(); } else if (tokenType == ServiceModelSecurityTokenTypes.SspiCredential) { // if Transport Security, AuthenicationSchemes.Basic will look at parent.UserNameAuthentication settings. AuthenticationSchemes authenticationScheme; bool authenticationSchemeIdentified = recipientRequirement.TryGetProperty<AuthenticationSchemes>(ServiceModelSecurityTokenRequirement.HttpAuthenticationSchemeProperty, out authenticationScheme); if (authenticationSchemeIdentified && authenticationScheme.IsSet(AuthenticationSchemes.Basic) && authenticationScheme.IsNotSet(AuthenticationSchemes.Digest | AuthenticationSchemes.Ntlm | AuthenticationSchemes.Negotiate)) { // create security token provider even when basic and Anonymous are enabled. result = new SspiSecurityTokenProvider(null, parent.UserNameAuthentication.IncludeWindowsGroups, false); } else { if (authenticationSchemeIdentified && authenticationScheme.IsSet(AuthenticationSchemes.Basic) && parent.WindowsAuthentication.IncludeWindowsGroups != parent.UserNameAuthentication.IncludeWindowsGroups) { // Ensure there are no inconsistencies when Basic and (Digest and/or Ntlm and/or Negotiate) are both enabled throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new NotSupportedException(SR.GetString(SR.SecurityTokenProviderIncludeWindowsGroupsInconsistent, (AuthenticationSchemes)authenticationScheme - AuthenticationSchemes.Basic, parent.UserNameAuthentication.IncludeWindowsGroups, parent.WindowsAuthentication.IncludeWindowsGroups))); } result = new SspiSecurityTokenProvider(null, parent.WindowsAuthentication.IncludeWindowsGroups, parent.WindowsAuthentication.AllowAnonymousLogons); } } return result; }
public void CreateProviderSecureConv () { RecipientServiceModelSecurityTokenRequirement r = new RecipientServiceModelSecurityTokenRequirement (); r.TokenType = ServiceModelSecurityTokenTypes.SecureConversation; r.ListenUri = new Uri ("http://localhost:8080"); r.MessageSecurityVersion = MessageSecurityVersion.Default.SecurityTokenVersion; r.KeySize = 256; def_c.CreateSecurityTokenProvider (r); }
protected SecurityTokenAuthenticator CreateSecureConversationTokenAuthenticator(RecipientServiceModelSecurityTokenRequirement recipientRequirement, bool preserveBootstrapTokens, out SecurityTokenResolver sctResolver) { SecurityBindingElement securityBindingElement = recipientRequirement.SecurityBindingElement; if (securityBindingElement == null) { throw System.ServiceModel.DiagnosticUtility.ExceptionUtility.ThrowHelperArgument(System.ServiceModel.SR.GetString("TokenAuthenticatorRequiresSecurityBindingElement", new object[] { recipientRequirement })); } bool flag = !recipientRequirement.SupportSecurityContextCancellation; LocalServiceSecuritySettings localServiceSettings = securityBindingElement.LocalServiceSettings; IMessageFilterTable<EndpointAddress> propertyOrDefault = recipientRequirement.GetPropertyOrDefault<IMessageFilterTable<EndpointAddress>>(ServiceModelSecurityTokenRequirement.EndpointFilterTableProperty, null); if (!flag) { sctResolver = new SecurityContextSecurityTokenResolver(0x7fffffff, false); return new SecuritySessionSecurityTokenAuthenticator { BootstrapSecurityBindingElement = System.ServiceModel.Security.SecurityUtils.GetIssuerSecurityBindingElement(recipientRequirement), IssuedSecurityTokenParameters = recipientRequirement.GetProperty<SecurityTokenParameters>(ServiceModelSecurityTokenRequirement.IssuedSecurityTokenParametersProperty), IssuedTokenCache = (ISecurityContextSecurityTokenCache) sctResolver, IssuerBindingContext = recipientRequirement.GetProperty<BindingContext>(ServiceModelSecurityTokenRequirement.IssuerBindingContextProperty), KeyEntropyMode = securityBindingElement.KeyEntropyMode, ListenUri = recipientRequirement.ListenUri, SecurityAlgorithmSuite = recipientRequirement.SecurityAlgorithmSuite, SessionTokenLifetime = TimeSpan.MaxValue, KeyRenewalInterval = securityBindingElement.LocalServiceSettings.SessionKeyRenewalInterval, StandardsManager = System.ServiceModel.Security.SecurityUtils.CreateSecurityStandardsManager(recipientRequirement, this), EndpointFilterTable = propertyOrDefault, MaximumConcurrentNegotiations = localServiceSettings.MaxStatefulNegotiations, NegotiationTimeout = localServiceSettings.NegotiationTimeout, PreserveBootstrapTokens = preserveBootstrapTokens }; } sctResolver = new SecurityContextSecurityTokenResolver(localServiceSettings.MaxCachedCookies, true, localServiceSettings.MaxClockSkew); return new AcceleratedTokenAuthenticator { BootstrapSecurityBindingElement = System.ServiceModel.Security.SecurityUtils.GetIssuerSecurityBindingElement(recipientRequirement), KeyEntropyMode = securityBindingElement.KeyEntropyMode, EncryptStateInServiceToken = true, IssuedSecurityTokenParameters = recipientRequirement.GetProperty<SecurityTokenParameters>(ServiceModelSecurityTokenRequirement.IssuedSecurityTokenParametersProperty), IssuedTokenCache = (ISecurityContextSecurityTokenCache) sctResolver, IssuerBindingContext = recipientRequirement.GetProperty<BindingContext>(ServiceModelSecurityTokenRequirement.IssuerBindingContextProperty), ListenUri = recipientRequirement.ListenUri, SecurityAlgorithmSuite = recipientRequirement.SecurityAlgorithmSuite, StandardsManager = System.ServiceModel.Security.SecurityUtils.CreateSecurityStandardsManager(recipientRequirement, this), SecurityStateEncoder = this.parent.SecureConversationAuthentication.SecurityStateEncoder, KnownTypes = this.parent.SecureConversationAuthentication.SecurityContextClaimTypes, PreserveBootstrapTokens = preserveBootstrapTokens, MaximumCachedNegotiationState = localServiceSettings.MaxStatefulNegotiations, NegotiationTimeout = localServiceSettings.NegotiationTimeout, ServiceTokenLifetime = localServiceSettings.IssuedCookieLifetime, MaximumConcurrentNegotiations = localServiceSettings.MaxStatefulNegotiations, AuditLogLocation = recipientRequirement.AuditLogLocation, SuppressAuditFailure = recipientRequirement.SuppressAuditFailure, MessageAuthenticationAuditLevel = recipientRequirement.MessageAuthenticationAuditLevel, EndpointFilterTable = propertyOrDefault }; }
public void IsIssuedSecurityTokenRequirement () { RecipientServiceModelSecurityTokenRequirement r; MyManager mgr = new MyManager (); r = new RecipientServiceModelSecurityTokenRequirement (); MySslSecurityTokenParameters ssl = new MySslSecurityTokenParameters (); ssl.InitRequirement (r); Assert.IsFalse (mgr.IsIssued (r), "ssl"); r = new RecipientServiceModelSecurityTokenRequirement (); MySspiSecurityTokenParameters sspi = new MySspiSecurityTokenParameters (); sspi.InitRequirement (r); Assert.IsFalse (mgr.IsIssued (r), "sspi"); r = new RecipientServiceModelSecurityTokenRequirement (); MyIssuedSecurityTokenParameters issued = new MyIssuedSecurityTokenParameters (); issued.InitRequirement (r); Assert.IsTrue (mgr.IsIssued (r), "issued"); /* r = new RecipientServiceModelSecurityTokenRequirement (); MySecureConversationSecurityTokenParameters sc = new MySecureConversationSecurityTokenParameters ( new SymmetricSecurityBindingElement (new X509SecurityTokenParameters ()), false, new ChannelProtectionRequirements ()); r.Properties [ReqType.IssuerBindingContextProperty] = new BindingContext (new CustomBinding (), new BindingParameterCollection ()); r.Properties [ReqType.MessageSecurityVersionProperty] = MessageSecurityVersion.Default; r.Properties [ReqType.ChannelParametersCollectionProperty] = new ChannelParameterCollection (); r.Properties [ReqType.IssuedSecurityTokenParametersProperty] = sc.Clone (); r.Properties [ReqType.IssuerBindingProperty] = new CustomBinding (new HttpTransportBindingElement ()); r.Properties [ReqType.MessageDirectionProperty] = MessageDirection.Input; r.SecureConversationSecurityBindingElement = new SymmetricSecurityBindingElement ( new X509SecurityTokenParameters ()); r.SecurityAlgorithmSuite = SecurityAlgorithmSuite.Default; r.Properties [ReqType.SupportSecurityContextCancellationProperty] = true; r.ListenUri = new Uri ("http://localhost:8080"); r.KeySize = 256; sc.InitRequirement (r); Assert.IsFalse (mgr.IsIssued (r), "sc"); */ }
private SecurityTokenAuthenticator CreateTlsnegoClientX509TokenAuthenticator(RecipientServiceModelSecurityTokenRequirement recipientRequirement) { SecurityTokenResolver resolver; RecipientServiceModelSecurityTokenRequirement tokenRequirement = new RecipientServiceModelSecurityTokenRequirement { TokenType = SecurityTokenTypes.X509Certificate, KeyUsage = SecurityKeyUsage.Signature, ListenUri = recipientRequirement.ListenUri, KeyType = SecurityKeyType.AsymmetricKey, SecurityBindingElement = recipientRequirement.SecurityBindingElement }; return this.CreateSecurityTokenAuthenticator(tokenRequirement, out resolver); }
/// <summary> /// Helper method to setup the WrappedSecureConversttion /// </summary> SecurityTokenAuthenticator SetupSecureConversationWrapper( RecipientServiceModelSecurityTokenRequirement tokenRequirement, SessionSecurityTokenHandler tokenHandler, out SecurityTokenResolver outOfBandTokenResolver ) { // This code requires Orcas SP1 to compile. // WCF expects this securityTokenAuthenticator to support: // 1. IIssuanceSecurityTokenAuthenticator // 2. ICommunicationObject is needed for this to work right. // WCF opens a listener in this STA that handles the nego and uses an internal class for negotiating the // the bootstrap tokens. We want to handle ValidateToken to return our authorization policies and surface the bootstrap tokens. // when sp1 is installed, use this one. //SecurityTokenAuthenticator sta = base.CreateSecureConversationTokenAuthenticator( tokenRequirement as RecipientServiceModelSecurityTokenRequirement, _saveBootstrapTokensInSession, out outOfBandTokenResolver ); // use this code if SP1 is not installed SecurityTokenAuthenticator sta = base.CreateSecurityTokenAuthenticator( tokenRequirement, out outOfBandTokenResolver ); SessionSecurityTokenHandler sessionTokenHandler = tokenHandler; // // If there is no SCT handler here, create one. // if ( tokenHandler == null ) { sessionTokenHandler = new SessionSecurityTokenHandler( _cookieTransforms, SessionSecurityTokenHandler.DefaultTokenLifetime ); sessionTokenHandler.ContainingCollection = _securityTokenHandlerCollection; sessionTokenHandler.Configuration = _securityTokenHandlerCollection.Configuration; } if ( ServiceCredentials != null ) { sessionTokenHandler.Configuration.MaxClockSkew = ServiceCredentials.IdentityConfiguration.MaxClockSkew; } SctClaimsHandler claimsHandler = new SctClaimsHandler( _securityTokenHandlerCollection, GetNormalizedEndpointId( tokenRequirement ) ); WrappedSessionSecurityTokenAuthenticator wssta = new WrappedSessionSecurityTokenAuthenticator( sessionTokenHandler, sta, claimsHandler, _exceptionMapper ); WrappedTokenCache wrappedTokenCache = new WrappedTokenCache( _tokenCache, claimsHandler); SetWrappedTokenCache( wrappedTokenCache, sta, wssta, claimsHandler ); outOfBandTokenResolver = wrappedTokenCache; return wssta; }
private SecurityTokenProvider CreateTlsnegoServerX509TokenProvider(RecipientServiceModelSecurityTokenRequirement recipientRequirement) { RecipientServiceModelSecurityTokenRequirement tokenRequirement = new RecipientServiceModelSecurityTokenRequirement { TokenType = SecurityTokenTypes.X509Certificate, KeyUsage = SecurityKeyUsage.Exchange, ListenUri = recipientRequirement.ListenUri, KeyType = SecurityKeyType.AsymmetricKey, SecurityBindingElement = recipientRequirement.SecurityBindingElement }; return this.CreateSecurityTokenProvider(tokenRequirement); }
SecurityTokenAuthenticator CreateTlsnegoClientX509TokenAuthenticator(RecipientServiceModelSecurityTokenRequirement recipientRequirement) { RecipientServiceModelSecurityTokenRequirement clientX509Requirement = new RecipientServiceModelSecurityTokenRequirement(); clientX509Requirement.TokenType = SecurityTokenTypes.X509Certificate; clientX509Requirement.KeyUsage = SecurityKeyUsage.Signature; clientX509Requirement.ListenUri = recipientRequirement.ListenUri; clientX509Requirement.KeyType = SecurityKeyType.AsymmetricKey; clientX509Requirement.SecurityBindingElement = recipientRequirement.SecurityBindingElement; SecurityTokenResolver dummy; return this.CreateSecurityTokenAuthenticator(clientX509Requirement, out dummy); }
public virtual EndpointIdentity GetIdentityOfSelf(SecurityTokenRequirement tokenRequirement) { if (tokenRequirement == null) { throw System.ServiceModel.DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("tokenRequirement"); } if (tokenRequirement is RecipientServiceModelSecurityTokenRequirement) { string tokenType = tokenRequirement.TokenType; if (((tokenType == SecurityTokenTypes.X509Certificate) || (tokenType == ServiceModelSecurityTokenTypes.AnonymousSslnego)) || (tokenType == ServiceModelSecurityTokenTypes.MutualSslnego)) { if (this.parent.ServiceCertificate.Certificate != null) { return EndpointIdentity.CreateX509CertificateIdentity(this.parent.ServiceCertificate.Certificate); } } else { if ((tokenType == SecurityTokenTypes.Kerberos) || (tokenType == ServiceModelSecurityTokenTypes.Spnego)) { return System.ServiceModel.Security.SecurityUtils.CreateWindowsIdentity(); } if (tokenType == ServiceModelSecurityTokenTypes.SecureConversation) { SecurityBindingElement secureConversationSecurityBindingElement = ((RecipientServiceModelSecurityTokenRequirement) tokenRequirement).SecureConversationSecurityBindingElement; if (secureConversationSecurityBindingElement != null) { if ((secureConversationSecurityBindingElement == null) || (secureConversationSecurityBindingElement is TransportSecurityBindingElement)) { return null; } SecurityTokenParameters parameters = (secureConversationSecurityBindingElement is SymmetricSecurityBindingElement) ? ((SymmetricSecurityBindingElement) secureConversationSecurityBindingElement).ProtectionTokenParameters : ((AsymmetricSecurityBindingElement) secureConversationSecurityBindingElement).RecipientTokenParameters; SecurityTokenRequirement requirement = new RecipientServiceModelSecurityTokenRequirement(); parameters.InitializeSecurityTokenRequirement(requirement); return this.GetIdentityOfSelf(requirement); } } } } return null; }
SecurityTokenProvider CreateTlsnegoServerX509TokenProvider(RecipientServiceModelSecurityTokenRequirement recipientRequirement) { RecipientServiceModelSecurityTokenRequirement serverX509Requirement = new RecipientServiceModelSecurityTokenRequirement(); serverX509Requirement.TokenType = SecurityTokenTypes.X509Certificate; serverX509Requirement.KeyUsage = SecurityKeyUsage.Exchange; serverX509Requirement.ListenUri = recipientRequirement.ListenUri; serverX509Requirement.KeyType = SecurityKeyType.AsymmetricKey; serverX509Requirement.SecurityBindingElement = recipientRequirement.SecurityBindingElement; return this.CreateSecurityTokenProvider(serverX509Requirement); }
public override SecurityTokenRequirement CreateRequirement () { SecurityTokenRequirement requirement = new RecipientServiceModelSecurityTokenRequirement (); requirement.Properties [ReqType.ListenUriProperty] = listen_uri; return requirement; }
SecurityTokenAuthenticator CreateTlsnegoSecurityTokenAuthenticator(RecipientServiceModelSecurityTokenRequirement recipientRequirement, bool requireClientCertificate, out SecurityTokenResolver sctResolver) { SecurityBindingElement securityBindingElement = recipientRequirement.SecurityBindingElement; if (securityBindingElement == null) { throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgument(SR.GetString(SR.TokenAuthenticatorRequiresSecurityBindingElement, recipientRequirement)); } bool isCookieMode = !recipientRequirement.SupportSecurityContextCancellation; LocalServiceSecuritySettings localServiceSettings = securityBindingElement.LocalServiceSettings; sctResolver = new SecurityContextSecurityTokenResolver(localServiceSettings.MaxCachedCookies, true); TlsnegoTokenAuthenticator authenticator = new TlsnegoTokenAuthenticator(); authenticator.IsClientAnonymous = !requireClientCertificate; if (requireClientCertificate) { authenticator.ClientTokenAuthenticator = this.CreateTlsnegoClientX509TokenAuthenticator(recipientRequirement); authenticator.MapCertificateToWindowsAccount = this.ServiceCredentials.ClientCertificate.Authentication.MapClientCertificateToWindowsAccount; } authenticator.EncryptStateInServiceToken = isCookieMode; authenticator.IssuedSecurityTokenParameters = recipientRequirement.GetProperty<SecurityTokenParameters>(ServiceModelSecurityTokenRequirement.IssuedSecurityTokenParametersProperty); authenticator.IssuedTokenCache = (ISecurityContextSecurityTokenCache)sctResolver; authenticator.IssuerBindingContext = recipientRequirement.GetProperty<BindingContext>(ServiceModelSecurityTokenRequirement.IssuerBindingContextProperty); authenticator.ListenUri = recipientRequirement.ListenUri; authenticator.SecurityAlgorithmSuite = recipientRequirement.SecurityAlgorithmSuite; authenticator.StandardsManager = SecurityUtils.CreateSecurityStandardsManager(recipientRequirement, this); authenticator.SecurityStateEncoder = parent.SecureConversationAuthentication.SecurityStateEncoder; authenticator.KnownTypes = parent.SecureConversationAuthentication.SecurityContextClaimTypes; authenticator.ServerTokenProvider = CreateTlsnegoServerX509TokenProvider(recipientRequirement); // local security quotas authenticator.MaximumCachedNegotiationState = localServiceSettings.MaxStatefulNegotiations; authenticator.NegotiationTimeout = localServiceSettings.NegotiationTimeout; authenticator.ServiceTokenLifetime = localServiceSettings.IssuedCookieLifetime; authenticator.MaximumConcurrentNegotiations = localServiceSettings.MaxStatefulNegotiations; // if the TLSNEGO is being done in mixed-mode, the nego blobs are from an anonymous client and so there size bound needs to be enforced. if (securityBindingElement is TransportSecurityBindingElement) { authenticator.MaxMessageSize = SecurityUtils.GetMaxNegotiationBufferSize(authenticator.IssuerBindingContext); } // audit settings authenticator.AuditLogLocation = recipientRequirement.AuditLogLocation; authenticator.SuppressAuditFailure = recipientRequirement.SuppressAuditFailure; authenticator.MessageAuthenticationAuditLevel = recipientRequirement.MessageAuthenticationAuditLevel; return authenticator; }
public void CreateProviderX509Recipient () { RecipientServiceModelSecurityTokenRequirement r = new RecipientServiceModelSecurityTokenRequirement (); r.TokenType = SecurityTokenTypes.X509Certificate; r.KeyUsage = SecurityKeyUsage.Exchange; def_c.ClientCredentials.ClientCertificate.Certificate = cert; X509SecurityTokenProvider p = def_c.CreateSecurityTokenProvider (r) as X509SecurityTokenProvider; Assert.IsNotNull (p, "#1"); }
public void CreateAuthenticatorUserNameCustomWithoutValidator () { SecurityTokenRequirement r = new RecipientServiceModelSecurityTokenRequirement (); r.TokenType = SecurityTokenTypes.UserName; SecurityTokenResolver resolver; def_c.ServiceCredentials.UserNameAuthentication.UserNamePasswordValidationMode = UserNamePasswordValidationMode.Custom; def_c.CreateSecurityTokenAuthenticator (r, out resolver); }