protected virtual void OnVerifyIncomingMessageFailure(Message message, Exception exception) { SecurityTraceRecordHelper.TraceVerifyIncomingMessageFailure(this, message); if ((PerformanceCounters.PerformanceCountersEnabled && (null != this.factory.ListenUri)) && (((exception.GetType() == typeof(MessageSecurityException)) || exception.GetType().IsSubclassOf(typeof(MessageSecurityException))) || ((exception.GetType() == typeof(SecurityTokenException)) || exception.GetType().IsSubclassOf(typeof(SecurityTokenException))))) { PerformanceCounters.AuthenticationFailed(message, this.factory.ListenUri); } if (AuditLevel.Failure == (this.factory.MessageAuthenticationAuditLevel & AuditLevel.Failure)) { try { string identityNamesFromContext; SecurityMessageProperty security = message.Properties.Security; if ((security != null) && (security.ServiceSecurityContext != null)) { identityNamesFromContext = System.ServiceModel.Security.SecurityUtils.GetIdentityNamesFromContext(security.ServiceSecurityContext.AuthorizationContext); } else { identityNamesFromContext = System.ServiceModel.Security.SecurityUtils.AnonymousIdentity.Name; } SecurityAuditHelper.WriteMessageAuthenticationFailureEvent(this.factory.AuditLogLocation, this.factory.SuppressAuditFailure, message, message.Headers.To, message.Headers.Action, identityNamesFromContext, exception); } catch (Exception exception2) { if (Fx.IsFatal(exception2)) { throw; } DiagnosticUtility.ExceptionUtility.TraceHandledException(exception2, TraceEventType.Error); } } }
protected virtual void OnVerifyIncomingMessageFailure(Message message, Exception exception) { SecurityTraceRecordHelper.TraceVerifyIncomingMessageFailure(this, message); if (PerformanceCounters.PerformanceCountersEnabled && null != this.factory.ListenUri) //service side { if ((exception.GetType() == typeof(MessageSecurityException) || exception.GetType().IsSubclassOf(typeof(MessageSecurityException))) || (exception.GetType() == typeof(SecurityTokenException) || exception.GetType().IsSubclassOf(typeof(SecurityTokenException)))) { PerformanceCounters.AuthenticationFailed(message, this.factory.ListenUri); } } if (AuditLevel.Failure == (this.factory.MessageAuthenticationAuditLevel & AuditLevel.Failure)) { try { SecurityMessageProperty security = message.Properties.Security; string primaryIdentity; if (security != null && security.ServiceSecurityContext != null) { primaryIdentity = SecurityUtils.GetIdentityNamesFromContext(security.ServiceSecurityContext.AuthorizationContext); } else { primaryIdentity = SecurityUtils.AnonymousIdentity.Name; } SecurityAuditHelper.WriteMessageAuthenticationFailureEvent(this.factory.AuditLogLocation, this.factory.SuppressAuditFailure, message, message.Headers.To, message.Headers.Action, primaryIdentity, exception); } #pragma warning suppress 56500 catch (Exception auditException) { if (Fx.IsFatal(auditException)) { throw; } DiagnosticUtility.TraceHandledException(auditException, TraceEventType.Error); } } }
public void Authenticate(ref MessageRpc rpc) { SecurityMessageProperty orCreate = SecurityMessageProperty.GetOrCreate(rpc.Request); ReadOnlyCollection <IAuthorizationPolicy> authorizationPolicies = orCreate.ServiceSecurityContext.AuthorizationPolicies; try { authorizationPolicies = this.serviceAuthenticationManager.Authenticate(orCreate.ServiceSecurityContext.AuthorizationPolicies, rpc.Channel.ListenUri, ref rpc.Request); if (authorizationPolicies == null) { throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new InvalidOperationException(System.ServiceModel.SR.GetString("AuthenticationManagerShouldNotReturnNull"))); } } catch (Exception exception) { if (Fx.IsFatal(exception)) { throw; } if (PerformanceCounters.PerformanceCountersEnabled) { PerformanceCounters.AuthenticationFailed(rpc.Request, rpc.Channel.ListenUri); } if (AuditLevel.Failure == (this.messageAuthenticationAuditLevel & AuditLevel.Failure)) { try { string identityNamesFromContext; AuthorizationContext authorizationContext = orCreate.ServiceSecurityContext.AuthorizationContext; if (authorizationContext != null) { identityNamesFromContext = System.ServiceModel.Security.SecurityUtils.GetIdentityNamesFromContext(authorizationContext); } else { identityNamesFromContext = System.ServiceModel.Security.SecurityUtils.AnonymousIdentity.Name; } SecurityAuditHelper.WriteMessageAuthenticationFailureEvent(this.auditLogLocation, this.suppressAuditFailure, rpc.Request, rpc.Channel.ListenUri, rpc.Request.Headers.Action, identityNamesFromContext, exception); } catch (Exception exception2) { if (Fx.IsFatal(exception2)) { throw; } DiagnosticUtility.ExceptionUtility.TraceHandledException(exception2, TraceEventType.Error); } } throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(CreateFailedAuthenticationFaultException()); } rpc.Request.Properties.Security.ServiceSecurityContext.AuthorizationPolicies = authorizationPolicies; if (AuditLevel.Success == (this.messageAuthenticationAuditLevel & AuditLevel.Success)) { string name; AuthorizationContext authContext = orCreate.ServiceSecurityContext.AuthorizationContext; if (authContext != null) { name = System.ServiceModel.Security.SecurityUtils.GetIdentityNamesFromContext(authContext); } else { name = System.ServiceModel.Security.SecurityUtils.AnonymousIdentity.Name; } SecurityAuditHelper.WriteMessageAuthenticationSuccessEvent(this.auditLogLocation, this.suppressAuditFailure, rpc.Request, rpc.Channel.ListenUri, rpc.Request.Headers.Action, name); } }
Message ProcessRequestCore(Message request) { if (request == null) { throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("request"); } Uri to = null; RequestSecurityToken rst = null; RequestSecurityTokenResponse rstr = null; string context = null; bool disposeRequest = false; bool isNegotiationFailure = true; T negotiationState = null; try { // validate the message size if needed if (this.maxMessageSize < int.MaxValue) { string action = request.Headers.Action; try { using (MessageBuffer buffer = request.CreateBufferedCopy(this.maxMessageSize)) { request = buffer.CreateMessage(); disposeRequest = true; } } catch (QuotaExceededException e) { throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new SecurityNegotiationException(SR.GetString(SR.SecurityNegotiationMessageTooLarge, action, this.maxMessageSize), e)); } } try { to = request.Headers.To; ParseMessageBody(request, out context, out rst, out rstr); // check if there is existing state if (context != null) { negotiationState = this.stateCache.GetState(context); } else { negotiationState = null; } bool disposeState = false; BodyWriter replyBody; try { if (rst != null) { if (negotiationState != null) { throw DiagnosticUtility.ExceptionUtility.ThrowHelperWarning(new SecurityNegotiationException(SR.GetString(SR.NegotiationStateAlreadyPresent, context))); } replyBody = this.ProcessRequestSecurityToken(request, rst, out negotiationState); lock (negotiationState.ThisLock) { if (negotiationState.IsNegotiationCompleted) { // if session-sct add it to cache and add a redirect header if (!negotiationState.ServiceToken.IsCookieMode) { this.IssuedTokenCache.AddContext(negotiationState.ServiceToken); } this.OnTokenIssued(negotiationState.ServiceToken); SecurityTraceRecordHelper.TraceServiceSecurityNegotiationCompleted(request, this, negotiationState.ServiceToken); disposeState = true; } else { this.stateCache.AddState(context, negotiationState); disposeState = false; } AddNegotiationChannelForIdleTracking(); } } else { if (negotiationState == null) { throw DiagnosticUtility.ExceptionUtility.ThrowHelperWarning(new SecurityNegotiationException(SR.GetString(SR.CannotFindNegotiationState, context))); } lock (negotiationState.ThisLock) { replyBody = this.ProcessRequestSecurityTokenResponse(negotiationState, request, rstr); if (negotiationState.IsNegotiationCompleted) { // if session-sct add it to cache and add a redirect header if (!negotiationState.ServiceToken.IsCookieMode) { this.IssuedTokenCache.AddContext(negotiationState.ServiceToken); } this.OnTokenIssued(negotiationState.ServiceToken); SecurityTraceRecordHelper.TraceServiceSecurityNegotiationCompleted(request, this, negotiationState.ServiceToken); disposeState = true; } else { disposeState = false; } } } if (negotiationState.IsNegotiationCompleted && null != this.ListenUri) { if (AuditLevel.Success == (this.messageAuthenticationAuditLevel & AuditLevel.Success)) { string primaryIdentity = negotiationState.GetRemoteIdentityName(); SecurityAuditHelper.WriteSecurityNegotiationSuccessEvent(this.auditLogLocation, this.suppressAuditFailure, request, request.Headers.To, request.Headers.Action, primaryIdentity, this.GetType().Name); } } isNegotiationFailure = false; } catch (Exception exception) { if (Fx.IsFatal(exception)) { throw; } if (PerformanceCounters.PerformanceCountersEnabled && null != this.ListenUri) { PerformanceCounters.AuthenticationFailed(request, this.ListenUri); } if (AuditLevel.Failure == (this.messageAuthenticationAuditLevel & AuditLevel.Failure)) { try { string primaryIdentity = (negotiationState != null) ? negotiationState.GetRemoteIdentityName() : String.Empty; SecurityAuditHelper.WriteSecurityNegotiationFailureEvent(this.auditLogLocation, this.suppressAuditFailure, request, request.Headers.To, request.Headers.Action, primaryIdentity, this.GetType().Name, exception); } #pragma warning suppress 56500 catch (Exception auditException) { if (Fx.IsFatal(auditException)) { throw; } DiagnosticUtility.TraceHandledException(auditException, TraceEventType.Error); } } disposeState = true; throw; } finally { if (disposeState) { if (negotiationState != null) { if (context != null) { stateCache.RemoveState(context); } negotiationState.Dispose(); } } } return(CreateReply(request, (replyBody is RequestSecurityTokenResponseCollection) ? RequestSecurityTokenResponseFinalAction : RequestSecurityTokenResponseAction, replyBody)); } finally { if (disposeRequest) { request.Close(); } } } finally { if (isNegotiationFailure) { AddNegotiationChannelForIdleTracking(); } else if (negotiationState != null && negotiationState.IsNegotiationCompleted) { RemoveNegotiationChannelFromIdleTracking(); } } }
public void Authenticate(ref MessageRpc rpc) { SecurityMessageProperty security = SecurityMessageProperty.GetOrCreate(rpc.Request); ReadOnlyCollection <IAuthorizationPolicy> authPolicy = security.ServiceSecurityContext.AuthorizationPolicies; bool outputTiming = DS.AuthenticationIsEnabled(); Stopwatch sw = null; if (outputTiming) { sw = Stopwatch.StartNew(); } try { authPolicy = this.serviceAuthenticationManager.Authenticate(security.ServiceSecurityContext.AuthorizationPolicies, rpc.Channel.ListenUri, ref rpc.Request); if (authPolicy == null) { throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new InvalidOperationException(SR.GetString(SR.AuthenticationManagerShouldNotReturnNull))); } if (outputTiming) { DS.Authentication(this.serviceAuthenticationManager.GetType(), true, sw.Elapsed); } } catch (Exception ex) { if (Fx.IsFatal(ex)) { throw; } if (outputTiming) { DS.Authentication(this.serviceAuthenticationManager.GetType(), false, sw.Elapsed); } if (PerformanceCounters.PerformanceCountersEnabled) { PerformanceCounters.AuthenticationFailed(rpc.Request, rpc.Channel.ListenUri); } if (AuditLevel.Failure == (this.messageAuthenticationAuditLevel & AuditLevel.Failure)) { try { string primaryIdentity; AuthorizationContext authContext = security.ServiceSecurityContext.AuthorizationContext; if (authContext != null) { primaryIdentity = SecurityUtils.GetIdentityNamesFromContext(authContext); } else { primaryIdentity = SecurityUtils.AnonymousIdentity.Name; } SecurityAuditHelper.WriteMessageAuthenticationFailureEvent(this.auditLogLocation, this.suppressAuditFailure, rpc.Request, rpc.Channel.ListenUri, rpc.Request.Headers.Action, primaryIdentity, ex); } #pragma warning suppress 56500 catch (Exception auditException) { if (Fx.IsFatal(auditException)) { throw; } DiagnosticUtility.TraceHandledException(auditException, TraceEventType.Error); } } throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(CreateFailedAuthenticationFaultException()); } rpc.Request.Properties.Security.ServiceSecurityContext.AuthorizationPolicies = authPolicy; if (AuditLevel.Success == (this.messageAuthenticationAuditLevel & AuditLevel.Success)) { string primaryIdentity; AuthorizationContext authContext = security.ServiceSecurityContext.AuthorizationContext; if (authContext != null) { primaryIdentity = SecurityUtils.GetIdentityNamesFromContext(authContext); } else { primaryIdentity = SecurityUtils.AnonymousIdentity.Name; } SecurityAuditHelper.WriteMessageAuthenticationSuccessEvent(this.auditLogLocation, this.suppressAuditFailure, rpc.Request, rpc.Channel.ListenUri, rpc.Request.Headers.Action, primaryIdentity); } }
private Message ProcessRequestCore(Message request) { Message message; if (request == null) { throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("request"); } RequestSecurityToken requestSecurityToken = null; RequestSecurityTokenResponse requestSecurityTokenResponse = null; string context = null; bool flag = false; bool flag2 = true; T negotiationState = default(T); try { if (this.maxMessageSize < 0x7fffffff) { string action = request.Headers.Action; try { using (MessageBuffer buffer = request.CreateBufferedCopy(this.maxMessageSize)) { request = buffer.CreateMessage(); flag = true; } } catch (QuotaExceededException exception) { throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new SecurityNegotiationException(System.ServiceModel.SR.GetString("SecurityNegotiationMessageTooLarge", new object[] { action, this.maxMessageSize }), exception)); } } try { BodyWriter writer; Uri to = request.Headers.To; this.ParseMessageBody(request, out context, out requestSecurityToken, out requestSecurityTokenResponse); if (context != null) { negotiationState = this.stateCache.GetState(context); } else { negotiationState = default(T); } bool flag3 = false; try { if (requestSecurityToken != null) { if (negotiationState != null) { throw DiagnosticUtility.ExceptionUtility.ThrowHelperWarning(new SecurityNegotiationException(System.ServiceModel.SR.GetString("NegotiationStateAlreadyPresent", new object[] { context }))); } writer = this.ProcessRequestSecurityToken(request, requestSecurityToken, out negotiationState); lock (negotiationState.ThisLock) { if (negotiationState.IsNegotiationCompleted) { if (!negotiationState.ServiceToken.IsCookieMode) { this.IssuedTokenCache.AddContext(negotiationState.ServiceToken); } this.OnTokenIssued(negotiationState.ServiceToken); SecurityTraceRecordHelper.TraceServiceSecurityNegotiationCompleted <T>((NegotiationTokenAuthenticator <T>) this, negotiationState.ServiceToken); flag3 = true; } else { this.stateCache.AddState(context, negotiationState); flag3 = false; } this.AddNegotiationChannelForIdleTracking(); goto Label_0299; } } if (negotiationState == null) { throw DiagnosticUtility.ExceptionUtility.ThrowHelperWarning(new SecurityNegotiationException(System.ServiceModel.SR.GetString("CannotFindNegotiationState", new object[] { context }))); } lock (negotiationState.ThisLock) { writer = this.ProcessRequestSecurityTokenResponse(negotiationState, request, requestSecurityTokenResponse); if (negotiationState.IsNegotiationCompleted) { if (!negotiationState.ServiceToken.IsCookieMode) { this.IssuedTokenCache.AddContext(negotiationState.ServiceToken); } this.OnTokenIssued(negotiationState.ServiceToken); SecurityTraceRecordHelper.TraceServiceSecurityNegotiationCompleted <T>((NegotiationTokenAuthenticator <T>) this, negotiationState.ServiceToken); flag3 = true; } else { flag3 = false; } } Label_0299: if ((negotiationState.IsNegotiationCompleted && (null != this.ListenUri)) && (AuditLevel.Success == (this.messageAuthenticationAuditLevel & AuditLevel.Success))) { string remoteIdentityName = negotiationState.GetRemoteIdentityName(); SecurityAuditHelper.WriteSecurityNegotiationSuccessEvent(this.auditLogLocation, this.suppressAuditFailure, request, request.Headers.To, request.Headers.Action, remoteIdentityName, base.GetType().Name); } flag2 = false; } catch (Exception exception2) { if (Fx.IsFatal(exception2)) { throw; } if (PerformanceCounters.PerformanceCountersEnabled && (null != this.ListenUri)) { PerformanceCounters.AuthenticationFailed(request, this.ListenUri); } if (AuditLevel.Failure == (this.messageAuthenticationAuditLevel & AuditLevel.Failure)) { try { string clientIdentity = (negotiationState != null) ? negotiationState.GetRemoteIdentityName() : string.Empty; SecurityAuditHelper.WriteSecurityNegotiationFailureEvent(this.auditLogLocation, this.suppressAuditFailure, request, request.Headers.To, request.Headers.Action, clientIdentity, base.GetType().Name, exception2); } catch (Exception exception3) { if (Fx.IsFatal(exception3)) { throw; } DiagnosticUtility.ExceptionUtility.TraceHandledException(exception3, TraceEventType.Error); } } flag3 = true; throw; } finally { if (flag3 && (negotiationState != null)) { if (context != null) { this.stateCache.RemoveState(context); } negotiationState.Dispose(); } } return(NegotiationTokenAuthenticator <T> .CreateReply(request, (writer is RequestSecurityTokenResponseCollection)?this.RequestSecurityTokenResponseFinalAction : this.RequestSecurityTokenResponseAction, writer)); } finally { if (flag) { request.Close(); } } } finally { if (flag2) { this.AddNegotiationChannelForIdleTracking(); } else if ((negotiationState != null) && negotiationState.IsNegotiationCompleted) { this.RemoveNegotiationChannelFromIdleTracking(); } } return(message); }