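private SecurityTokenProvider CreateLocalSecurityTokenProvider(RecipientServiceModelSecurityTokenRequirement recipientRequirement)
{
    // Builds the provider for a token the service supplies on its own behalf:
    //   - X509Certificate  -> the service certificate provider;
    //   - SspiCredential   -> an SSPI provider whose group-extraction and
    //                         anonymous-logon policy depends on which HTTP
    //                         authentication scheme the transport requested.
    // Any other token type is not handled here and yields null.
    string tokenType = recipientRequirement.TokenType;

    if (tokenType == SecurityTokenTypes.X509Certificate)
    {
        return this.CreateServerX509TokenProvider();
    }

    if (tokenType != ServiceModelSecurityTokenTypes.SspiCredential)
    {
        return null;
    }

    AuthenticationSchemes schemes;
    bool schemeKnown = recipientRequirement.TryGetProperty<AuthenticationSchemes>(
        ServiceModelSecurityTokenRequirement.HttpAuthenticationSchemeProperty, out schemes);

    // AuthenticationSchemes is a [Flags] enum, so test the Basic bit instead of
    // comparing for equality: a transport configured with Basic | Anonymous must
    // still be treated as Basic and validated against UserNameAuthentication.
    // (The previous `schemes == Basic` check sent that case to the Windows
    // provider, which also carries AllowAnonymousLogons.)
    bool basicRequested = schemeKnown && (schemes & AuthenticationSchemes.Basic) != 0;
    bool windowsSchemeRequested = schemeKnown
        && (schemes & (AuthenticationSchemes.Digest | AuthenticationSchemes.Ntlm | AuthenticationSchemes.Negotiate)) != 0;

    if (basicRequested && !windowsSchemeRequested)
    {
        // Basic only (Anonymous may also be set): UserNameAuthentication governs
        // group extraction; anonymous logons are never allowed on this path.
        return new SspiSecurityTokenProvider(null, this.parent.UserNameAuthentication.IncludeWindowsGroups, false);
    }

    if (basicRequested && this.parent.WindowsAuthentication.IncludeWindowsGroups != this.parent.UserNameAuthentication.IncludeWindowsGroups)
    {
        // Basic is combined with Digest/NTLM/Negotiate, so a single provider must
        // serve both credential settings. Refuse to start when they disagree on
        // IncludeWindowsGroups rather than silently applying one of them.
        // NOTE(review): resource name mirrors the reference-source SR member;
        // confirm it exists in this build's resource table.
        throw System.ServiceModel.DiagnosticUtility.ExceptionUtility.ThrowHelperError(
            new NotSupportedException(System.ServiceModel.SR.GetString(
                "SecurityTokenProviderIncludeWindowsGroupsInconsistent",
                new object[]
                {
                    schemes & ~AuthenticationSchemes.Basic,
                    this.parent.UserNameAuthentication.IncludeWindowsGroups,
                    this.parent.WindowsAuthentication.IncludeWindowsGroups
                })));
    }

    // Digest/NTLM/Negotiate (or scheme unknown): WindowsAuthentication settings
    // apply, including whether anonymous logons are accepted.
    return new SspiSecurityTokenProvider(null, this.parent.WindowsAuthentication.IncludeWindowsGroups, this.parent.WindowsAuthentication.AllowAnonymousLogons);
}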
SecurityTokenProvider CreateLocalSecurityTokenProvider(RecipientServiceModelSecurityTokenRequirement recipientRequirement)
{
    // Creates the provider for a token the service itself supplies. X.509 maps to
    // the service certificate; SspiCredential maps to an SSPI provider whose
    // IncludeWindowsGroups / AllowAnonymousLogons policy is chosen from the HTTP
    // authentication scheme carried on the requirement. Other token types return null.
    string tokenType = recipientRequirement.TokenType;

    if (tokenType == SecurityTokenTypes.X509Certificate)
    {
        return CreateServerX509TokenProvider();
    }

    if (tokenType != ServiceModelSecurityTokenTypes.SspiCredential)
    {
        // Not a locally supplied token type; nothing to build here.
        return null;
    }

    AuthenticationSchemes httpScheme;
    bool schemeKnown = recipientRequirement.TryGetProperty<AuthenticationSchemes>(
        ServiceModelSecurityTokenRequirement.HttpAuthenticationSchemeProperty, out httpScheme);
    bool basicRequested = schemeKnown && httpScheme.IsSet(AuthenticationSchemes.Basic);

    // Transport security with Basic and no Windows scheme (Anonymous may also be
    // enabled): UserNameAuthentication governs group extraction, and anonymous
    // logons are never permitted on this provider.
    if (basicRequested && httpScheme.IsNotSet(AuthenticationSchemes.Digest | AuthenticationSchemes.Ntlm | AuthenticationSchemes.Negotiate))
    {
        return new SspiSecurityTokenProvider(null, parent.UserNameAuthentication.IncludeWindowsGroups, false);
    }

    // Basic together with Digest/NTLM/Negotiate: one provider serves both credential
    // settings, so they must agree on IncludeWindowsGroups; otherwise refuse to start.
    if (basicRequested && parent.WindowsAuthentication.IncludeWindowsGroups != parent.UserNameAuthentication.IncludeWindowsGroups)
    {
        AuthenticationSchemes windowsSchemes = httpScheme & ~AuthenticationSchemes.Basic;
        throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(
            new NotSupportedException(SR.GetString(
                SR.SecurityTokenProviderIncludeWindowsGroupsInconsistent,
                windowsSchemes,
                parent.UserNameAuthentication.IncludeWindowsGroups,
                parent.WindowsAuthentication.IncludeWindowsGroups)));
    }

    // Windows schemes, or no scheme information at all: WindowsAuthentication
    // settings apply, including whether anonymous logons are accepted.
    return new SspiSecurityTokenProvider(null, parent.WindowsAuthentication.IncludeWindowsGroups, parent.WindowsAuthentication.AllowAnonymousLogons);
}
private SecurityTokenAuthenticator CreateSpnegoSecurityTokenAuthenticator(RecipientServiceModelSecurityTokenRequirement recipientRequirement, out SecurityTokenResolver sctResolver)
{
    // Builds the server-side SPNEGO negotiation authenticator and the resolver
    // (also used as the issued-token cache) for the security context tokens it
    // hands out. Throws an argument exception when the requirement carries no
    // SecurityBindingElement, because local quotas are read from it.
    SecurityBindingElement bindingElement = recipientRequirement.SecurityBindingElement;
    if (bindingElement == null)
    {
        throw System.ServiceModel.DiagnosticUtility.ExceptionUtility.ThrowHelperArgument(
            System.ServiceModel.SR.GetString("TokenAuthenticatorRequiresSecurityBindingElement", new object[] { recipientRequirement }));
    }

    // No cancellation support means the context state cannot be held server-side
    // for later revocation, so it is encrypted into the issued token instead.
    bool encryptStateIntoToken = !recipientRequirement.SupportSecurityContextCancellation;
    LocalServiceSecuritySettings quotas = bindingElement.LocalServiceSettings;
    // NOTE(review): the second ctor argument is an unnamed bool here; its meaning
    // is not visible in this file — confirm against SecurityContextSecurityTokenResolver.
    sctResolver = new SecurityContextSecurityTokenResolver(quotas.MaxCachedCookies, true);

    // Channel-binding (extended protection) policy is optional on the requirement;
    // when absent, null is handed to the authenticator unchanged.
    ExtendedProtectionPolicy channelBindingPolicy = null;
    recipientRequirement.TryGetProperty<ExtendedProtectionPolicy>(ServiceModelSecurityTokenRequirement.ExtendedProtectionPolicy, out channelBindingPolicy);

    SpnegoTokenAuthenticator negotiator = new SpnegoTokenAuthenticator();
    negotiator.ExtendedProtectionPolicy = channelBindingPolicy;
    // Anonymous-caller acceptance and group extraction come straight from the
    // configured Windows credential settings.
    negotiator.AllowUnauthenticatedCallers = this.parent.WindowsAuthentication.AllowAnonymousLogons;
    negotiator.ExtractGroupsForWindowsAccounts = this.parent.WindowsAuthentication.IncludeWindowsGroups;
    negotiator.IsClientAnonymous = false;
    negotiator.EncryptStateInServiceToken = encryptStateIntoToken;
    negotiator.IssuedSecurityTokenParameters = recipientRequirement.GetProperty<SecurityTokenParameters>(ServiceModelSecurityTokenRequirement.IssuedSecurityTokenParametersProperty);
    negotiator.IssuedTokenCache = (ISecurityContextSecurityTokenCache)sctResolver;
    negotiator.IssuerBindingContext = recipientRequirement.GetProperty<BindingContext>(ServiceModelSecurityTokenRequirement.IssuerBindingContextProperty);
    negotiator.ListenUri = recipientRequirement.ListenUri;
    negotiator.SecurityAlgorithmSuite = recipientRequirement.SecurityAlgorithmSuite;
    negotiator.StandardsManager = System.ServiceModel.Security.SecurityUtils.CreateSecurityStandardsManager(recipientRequirement, this);
    negotiator.SecurityStateEncoder = this.parent.SecureConversationAuthentication.SecurityStateEncoder;
    negotiator.KnownTypes = this.parent.SecureConversationAuthentication.SecurityContextClaimTypes;

    // Over a transport-security binding the negotiation blobs arrive before the
    // caller is authenticated, so a size bound is enforced on them.
    if (bindingElement is TransportSecurityBindingElement)
    {
        negotiator.MaxMessageSize = System.ServiceModel.Security.SecurityUtils.GetMaxNegotiationBufferSize(negotiator.IssuerBindingContext);
    }

    // Local service quotas: cached and concurrent negotiations share one limit.
    negotiator.MaximumCachedNegotiationState = quotas.MaxStatefulNegotiations;
    negotiator.NegotiationTimeout = quotas.NegotiationTimeout;
    negotiator.ServiceTokenLifetime = quotas.IssuedCookieLifetime;
    negotiator.MaximumConcurrentNegotiations = quotas.MaxStatefulNegotiations;

    // Audit settings are taken as-is from the requirement.
    negotiator.AuditLogLocation = recipientRequirement.AuditLogLocation;
    negotiator.SuppressAuditFailure = recipientRequirement.SuppressAuditFailure;
    negotiator.MessageAuthenticationAuditLevel = recipientRequirement.MessageAuthenticationAuditLevel;

    return negotiator;
}
SecurityTokenAuthenticator CreateSpnegoSecurityTokenAuthenticator(RecipientServiceModelSecurityTokenRequirement recipientRequirement, out SecurityTokenResolver sctResolver)
{
    // Creates the SPNEGO authenticator the service uses to negotiate a security
    // context with callers, together with the resolver/cache for the contexts it
    // issues. The requirement must carry a SecurityBindingElement, since the
    // local service quotas are read from it.
    SecurityBindingElement bindingElement = recipientRequirement.SecurityBindingElement;
    if (bindingElement == null)
    {
        throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgument(
            SR.GetString(SR.TokenAuthenticatorRequiresSecurityBindingElement, recipientRequirement));
    }

    // Cookie mode: without cancellation support the context state travels
    // encrypted inside the issued token rather than being kept on the server.
    bool cookieMode = !recipientRequirement.SupportSecurityContextCancellation;
    LocalServiceSecuritySettings quotas = bindingElement.LocalServiceSettings;
    // NOTE(review): second ctor argument is an unnamed bool; its meaning is not
    // visible here — confirm against SecurityContextSecurityTokenResolver.
    sctResolver = new SecurityContextSecurityTokenResolver(quotas.MaxCachedCookies, true);

    // Extended protection (channel binding) policy is optional; null passes through
    // unchanged when the requirement does not carry one.
    ExtendedProtectionPolicy channelBindingPolicy = null;
    recipientRequirement.TryGetProperty<ExtendedProtectionPolicy>(ServiceModelSecurityTokenRequirement.ExtendedProtectionPolicy, out channelBindingPolicy);

    SpnegoTokenAuthenticator negotiator = new SpnegoTokenAuthenticator
    {
        ExtendedProtectionPolicy = channelBindingPolicy,
        // Anonymous-caller acceptance and group extraction follow the configured
        // Windows credential settings.
        AllowUnauthenticatedCallers = parent.WindowsAuthentication.AllowAnonymousLogons,
        ExtractGroupsForWindowsAccounts = parent.WindowsAuthentication.IncludeWindowsGroups,
        IsClientAnonymous = false,
        EncryptStateInServiceToken = cookieMode,
        IssuedSecurityTokenParameters = recipientRequirement.GetProperty<SecurityTokenParameters>(ServiceModelSecurityTokenRequirement.IssuedSecurityTokenParametersProperty),
        IssuedTokenCache = (ISecurityContextSecurityTokenCache)sctResolver,
        IssuerBindingContext = recipientRequirement.GetProperty<BindingContext>(ServiceModelSecurityTokenRequirement.IssuerBindingContextProperty),
        ListenUri = recipientRequirement.ListenUri,
        SecurityAlgorithmSuite = recipientRequirement.SecurityAlgorithmSuite,
        StandardsManager = SecurityUtils.CreateSecurityStandardsManager(recipientRequirement, this),
        SecurityStateEncoder = parent.SecureConversationAuthentication.SecurityStateEncoder,
        KnownTypes = parent.SecureConversationAuthentication.SecurityContextClaimTypes
    };

    // Mixed-mode SPNEGO (transport security binding): the negotiation blobs come
    // from a not-yet-authenticated client, so their size must be bounded.
    if (bindingElement is TransportSecurityBindingElement)
    {
        negotiator.MaxMessageSize = SecurityUtils.GetMaxNegotiationBufferSize(negotiator.IssuerBindingContext);
    }

    // Local security quotas; cached and concurrent negotiations share one limit.
    negotiator.MaximumCachedNegotiationState = quotas.MaxStatefulNegotiations;
    negotiator.NegotiationTimeout = quotas.NegotiationTimeout;
    negotiator.ServiceTokenLifetime = quotas.IssuedCookieLifetime;
    negotiator.MaximumConcurrentNegotiations = quotas.MaxStatefulNegotiations;

    // Audit settings are copied from the requirement as-is.
    negotiator.AuditLogLocation = recipientRequirement.AuditLogLocation;
    negotiator.SuppressAuditFailure = recipientRequirement.SuppressAuditFailure;
    negotiator.MessageAuthenticationAuditLevel = recipientRequirement.MessageAuthenticationAuditLevel;

    return negotiator;
}