public void UpdateContextCachingTime(SecurityContextSecurityToken token, DateTime expirationTime) { if (token.ValidTo > expirationTime.ToUniversalTime()) { base.TryReplaceItem(this.GetHashKey(token.ContextId, token.KeyGeneration), token, expirationTime); } }
public override void WriteTokenCore(XmlDictionaryWriter writer, SecurityToken token) { SecurityContextSecurityToken sct = token as SecurityContextSecurityToken; writer.WriteStartElement(this.parent.SerializerDictionary.Prefix.Value, this.parent.SerializerDictionary.SecurityContextToken, this.parent.SerializerDictionary.Namespace); if (sct.Id != null) { writer.WriteAttributeString(XD.UtilityDictionary.Prefix.Value, XD.UtilityDictionary.IdAttribute, XD.UtilityDictionary.Namespace, sct.Id); } writer.WriteStartElement(this.parent.SerializerDictionary.Prefix.Value, this.parent.SerializerDictionary.Identifier, this.parent.SerializerDictionary.Namespace); XmlHelper.WriteStringAsUniqueId(writer, sct.ContextId); writer.WriteEndElement(); this.WriteGeneration(writer, sct); if (sct.IsCookieMode) { if (sct.CookieBlob == null) { throw DiagnosticUtility.ExceptionUtility.ThrowHelperError((Exception) new MessageSecurityException(SR.GetString("NoCookieInSct"))); } #if FEATURE_CORECLR throw new NotImplementedException("XD.DotNetSecurityDictionary is not supported in .NET Core"); #else writer.WriteStartElement(XD.DotNetSecurityDictionary.Prefix.Value, this.parent.SerializerDictionary.Cookie, XD.DotNetSecurityDictionary.Namespace); writer.WriteBase64(sct.CookieBlob, 0, sct.CookieBlob.Length); writer.WriteEndElement(); #endif } writer.WriteEndElement(); }
protected override async ValueTask <Message> VerifyIncomingMessageCoreAsync(Message message, TimeSpan timeout) { string actor = string.Empty; // message.Version.Envelope.UltimateDestinationActor; ReceiveSecurityHeader securityHeader = Factory.StandardsManager.TryCreateReceiveSecurityHeader(message, actor, Factory.IncomingAlgorithmSuite, MessageDirection.Input); securityHeader.RequireMessageProtection = false; securityHeader.ReaderQuotas = Factory.SecurityBindingElement.ReaderQuotas; IList <SupportingTokenAuthenticatorSpecification> supportingAuthenticators = GetSupportingTokenAuthenticatorsAndSetExpectationFlags(Factory, message, securityHeader); ReadOnlyCollection <SecurityTokenResolver> mergedTokenResolvers = MergeOutOfBandResolvers(supportingAuthenticators, _sessionTokenResolverList); if (supportingAuthenticators != null && supportingAuthenticators.Count > 0) { supportingAuthenticators = new List <SupportingTokenAuthenticatorSpecification>(supportingAuthenticators); supportingAuthenticators.Insert(0, _sessionTokenAuthenticatorSpecificationList[0]); } else { supportingAuthenticators = _sessionTokenAuthenticatorSpecificationList; } securityHeader.ConfigureTransportBindingServerReceiveHeader(supportingAuthenticators); securityHeader.ConfigureOutOfBandTokenResolver(mergedTokenResolvers); securityHeader.ExpectEndorsingTokens = true; TimeoutHelper timeoutHelper = new TimeoutHelper(timeout); securityHeader.ReplayDetectionEnabled = Factory.DetectReplays; securityHeader.SetTimeParameters(Factory.NonceCache, Factory.ReplayWindow, Factory.MaxClockSkew); // do not enforce key derivation requirement for Cancel messages due to WSE interop securityHeader.EnforceDerivedKeyRequirement = (message.Headers.Action != Factory.StandardsManager.SecureConversationDriver.CloseAction.Value); await securityHeader.ProcessAsync(timeoutHelper.RemainingTime(), SecurityUtils.GetChannelBindingFromMessage(message), Factory.ExtendedProtectionPolicy); if (securityHeader.Timestamp == null) { throw DiagnosticUtility.ExceptionUtility.ThrowHelperWarning(new MessageSecurityException(SR.Format(SR.RequiredTimestampMissingInSecurityHeader))); } bool didSessionSctEndorse = false; if (securityHeader.EndorsingSupportingTokens != null) { for (int i = 0; i < securityHeader.EndorsingSupportingTokens.Count; ++i) { SecurityContextSecurityToken signingSct = (securityHeader.EndorsingSupportingTokens[i] as SecurityContextSecurityToken); if (signingSct != null && signingSct.ContextId == _sessionId) { didSessionSctEndorse = true; break; } } } if (!didSessionSctEndorse) { throw DiagnosticUtility.ExceptionUtility.ThrowHelperWarning(new MessageSecurityException(SR.Format(SR.NoSessionTokenPresentInMessage))); } Message processedMessage = securityHeader.ProcessedMessage; AttachRecipientSecurityProperty(processedMessage, securityHeader.BasicSupportingTokens, securityHeader.EndorsingSupportingTokens, securityHeader.SignedEndorsingSupportingTokens, securityHeader.SignedSupportingTokens, securityHeader.SecurityTokenAuthorizationPoliciesMapping); OnIncomingMessageVerified(processedMessage); return(processedMessage); }
internal ReadOnlyCollection <IAuthorizationPolicy> GetInitiatorTokenAuthorizationPolicies(bool includeTransportToken, SecurityContextSecurityToken supportingSessionTokenToExclude) { // fast path if (!this.HasIncomingSupportingTokens) { if (_transportToken != null && _initiatorToken == null && _protectionToken == null) { if (includeTransportToken && _transportToken.SecurityTokenPolicies != null) { return(_transportToken.SecurityTokenPolicies); } else { return(EmptyReadOnlyCollection <IAuthorizationPolicy> .Instance); } } else if (_transportToken == null && _initiatorToken != null && _protectionToken == null) { return(_initiatorToken.SecurityTokenPolicies ?? EmptyReadOnlyCollection <IAuthorizationPolicy> .Instance); } else if (_transportToken == null && _initiatorToken == null && _protectionToken != null) { return(_protectionToken.SecurityTokenPolicies ?? EmptyReadOnlyCollection <IAuthorizationPolicy> .Instance); } } Collection <IAuthorizationPolicy> policies = new Collection <IAuthorizationPolicy>(); if (includeTransportToken) { AddAuthorizationPolicies(_transportToken, policies); } AddAuthorizationPolicies(_initiatorToken, policies); AddAuthorizationPolicies(_protectionToken, policies); if (this.HasIncomingSupportingTokens) { for (int i = 0; i < _incomingSupportingTokens.Count; ++i) { if (supportingSessionTokenToExclude != null) { SecurityContextSecurityToken sct = _incomingSupportingTokens[i].SecurityToken as SecurityContextSecurityToken; if (sct != null && sct.ContextId == supportingSessionTokenToExclude.ContextId) { continue; } } SecurityTokenAttachmentMode attachmentMode = _incomingSupportingTokens[i].SecurityTokenAttachmentMode; // a safety net in case more attachment modes get added to the product without // reviewing this code. if (attachmentMode == SecurityTokenAttachmentMode.Endorsing || attachmentMode == SecurityTokenAttachmentMode.Signed || attachmentMode == SecurityTokenAttachmentMode.SignedEncrypted || attachmentMode == SecurityTokenAttachmentMode.SignedEndorsing) { AddAuthorizationPolicies(_incomingSupportingTokens[i], policies); } } } return(new ReadOnlyCollection <IAuthorizationPolicy>(policies)); }
protected override ArrayList OnQuotaReached(Hashtable cacheTable) { if (!this.replaceOldestEntries) { SecurityTraceRecordHelper.TraceSecurityContextTokenCacheFull(base.Capacity, 0); return(base.OnQuotaReached(cacheTable)); } List <SecurityContextSecurityToken> list = new List <SecurityContextSecurityToken>(cacheTable.Count); foreach (TimeBoundedCache.IExpirableItem item in cacheTable.Values) { SecurityContextSecurityToken token = (SecurityContextSecurityToken)base.ExtractItem(item); list.Add(token); } list.Sort(sctEffectiveTimeComparer); int capacity = (int)(base.Capacity * pruningFactor); capacity = (capacity <= 0) ? base.Capacity : capacity; ArrayList list2 = new ArrayList(capacity); for (int i = 0; i < capacity; i++) { list2.Add(this.GetHashKey(list[i].ContextId, list[i].KeyGeneration)); this.OnRemove(list[i]); } SecurityTraceRecordHelper.TraceSecurityContextTokenCacheFull(base.Capacity, capacity); return(list2); }
private bool TryAddContext(SecurityContextSecurityToken token, bool throwOnFailure) { if (token == null) { throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("token"); } if (!System.ServiceModel.Security.SecurityUtils.IsCurrentlyTimeEffective(token.ValidFrom, token.ValidTo, this.clockSkew)) { if (token.KeyGeneration == null) { throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgument(System.ServiceModel.SR.GetString("SecurityContextExpiredNoKeyGeneration", new object[] { token.ContextId })); } throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgument(System.ServiceModel.SR.GetString("SecurityContextExpired", new object[] { token.ContextId, token.KeyGeneration.ToString() })); } if (!System.ServiceModel.Security.SecurityUtils.IsCurrentlyTimeEffective(token.KeyEffectiveTime, token.KeyExpirationTime, this.clockSkew)) { if (token.KeyGeneration == null) { throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgument(System.ServiceModel.SR.GetString("SecurityContextKeyExpiredNoKeyGeneration", new object[] { token.ContextId })); } throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgument(System.ServiceModel.SR.GetString("SecurityContextKeyExpired", new object[] { token.ContextId, token.KeyGeneration.ToString() })); } object hashKey = this.GetHashKey(token.ContextId, token.KeyGeneration); bool flag = base.TryAddItem(hashKey, token.Clone(), false); if (flag || !throwOnFailure) { return(flag); } if (token.KeyGeneration == null) { throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new InvalidOperationException(System.ServiceModel.SR.GetString("ContextAlreadyRegisteredNoKeyGeneration", new object[] { token.ContextId }))); } throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new InvalidOperationException(System.ServiceModel.SR.GetString("ContextAlreadyRegistered", new object[] { token.ContextId, token.KeyGeneration.ToString() }))); }
public bool FaultInSupportingToken(Message message) { DebugTrace.TraceEnter(this, "FaultInSupportingToken"); bool flag = false; WsatRegistrationHeader header = this.ReadRegistrationHeader(message); if (((header == null) || (header.TransactionId == Guid.Empty)) || string.IsNullOrEmpty(header.TokenId)) { if (DebugTrace.Warning) { DebugTrace.Trace(TraceLevel.Warning, "Invalid or absent RegisterInfo in register message"); } } else { currentSct = this.DeriveToken(header.TransactionId, header.TokenId); flag = true; if (DebugTrace.Verbose) { DebugTrace.Trace(TraceLevel.Verbose, "Created SCT with id {0} for transaction {1}", header.TokenId, header.TransactionId); } } DebugTrace.TraceLeave(this, "FaultInSupportingToken"); return(flag); }
protected override ArrayList OnQuotaReached(Hashtable cacheTable) { if (!this.replaceOldestEntries) { SecurityTraceRecordHelper.TraceSecurityContextTokenCacheFull(this.Capacity, 0); return(base.OnQuotaReached(cacheTable)); } else { List <SecurityContextSecurityToken> tokens = new List <SecurityContextSecurityToken>(cacheTable.Count); foreach (IExpirableItem value in cacheTable.Values) { SecurityContextSecurityToken token = (SecurityContextSecurityToken)ExtractItem(value); tokens.Add(token); } tokens.Sort(sctEffectiveTimeComparer); int pruningAmount = (int)(((double)this.Capacity) * pruningFactor); pruningAmount = pruningAmount <= 0 ? this.Capacity : pruningAmount; ArrayList keys = new ArrayList(pruningAmount); for (int i = 0; i < pruningAmount; ++i) { keys.Add(GetHashKey(tokens[i].ContextId, tokens[i].KeyGeneration)); OnRemove(tokens[i]); } SecurityTraceRecordHelper.TraceSecurityContextTokenCacheFull(this.Capacity, pruningAmount); return(keys); } }
public override SecurityToken ReadTokenCore(XmlDictionaryReader reader, SecurityTokenResolver tokenResolver) { UniqueId generation = null; bool isCookieMode = false; Fx.Assert(reader.NodeType == XmlNodeType.Element, ""); // check if there is an id string id = reader.GetAttribute(XD.UtilityDictionary.IdAttribute, XD.UtilityDictionary.Namespace); SecurityContextSecurityToken sct = null; // There needs to be at least a contextId in here. reader.ReadFullStartElement(); reader.MoveToStartElement(Parent.SerializerDictionary.Identifier, Parent.SerializerDictionary.Namespace); UniqueId contextId = reader.ReadElementContentAsUniqueId(); if (CanReadGeneration(reader)) { generation = ReadGeneration(reader); } if (reader.IsStartElement(Parent.SerializerDictionary.Cookie, XD.DotNetSecurityDictionary.Namespace)) { isCookieMode = true; sct = TryResolveSecurityContextToken(contextId, generation, id, tokenResolver, out ISecurityContextSecurityTokenCache sctCache); if (sct == null) { byte[] encodedCookie = reader.ReadElementContentAsBase64(); if (encodedCookie != null) { sct = _cookieSerializer.CreateSecurityContextFromCookie(encodedCookie, contextId, generation, id, reader.Quotas); if (sctCache != null) { sctCache.AddContext(sct); } } } else { reader.Skip(); } } reader.ReadEndElement(); if (contextId == null) { throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new MessageSecurityException(SR.Format(SR.NoSecurityContextIdentifier))); } if (sct == null && !isCookieMode) { sct = TryResolveSecurityContextToken(contextId, generation, id, tokenResolver, out ISecurityContextSecurityTokenCache sctCache); } if (sct == null) { throw DiagnosticUtility.ExceptionUtility.ThrowHelperWarning(new Exception(SR.Format(SR.SecurityContextNotRegistered, contextId, generation))); } return(sct); }
protected override void WriteGeneration(XmlDictionaryWriter writer, SecurityContextSecurityToken sct) { if (sct.KeyGeneration != null) { writer.WriteStartElement(DXD.SecureConversationDec2005Dictionary.Prefix.Value, DXD.SecureConversationDec2005Dictionary.Instance, DXD.SecureConversationDec2005Dictionary.Namespace); XmlHelper.WriteStringAsUniqueId(writer, sct.KeyGeneration); writer.WriteEndElement(); } }
public override SecurityToken ReadTokenCore(XmlDictionaryReader reader, SecurityTokenResolver tokenResolver) { UniqueId generation = (UniqueId)null; string attribute = reader.GetAttribute(XD.UtilityDictionary.IdAttribute, XD.UtilityDictionary.Namespace); reader.ReadFullStartElement(); reader.MoveToStartElement(this.parent.SerializerDictionary.Identifier, this.parent.SerializerDictionary.Namespace); UniqueId contextId = reader.ReadElementContentAsUniqueId(); if (this.CanReadGeneration(reader)) { generation = this.ReadGeneration(reader); } #if FEATURE_CORECLR throw new NotImplementedException("DotNetSecurityDictionary not implemented in .NET Core"); #else bool flag = false; SecurityContextSecurityToken token = (SecurityContextSecurityToken)null; if (reader.IsStartElement(this.parent.SerializerDictionary.Cookie, DotNetSecurityDictionary.Namespace)) { flag = true; ISecurityContextSecurityTokenCache sctCache; token = this.TryResolveSecurityContextToken(contextId, generation, attribute, tokenResolver, out sctCache); if (token == null) { byte[] encodedCookie = reader.ReadElementContentAsBase64(); if (encodedCookie != null) { token = this.cookieSerializer.CreateSecurityContextFromCookie(encodedCookie, contextId, generation, attribute, reader.Quotas); if (sctCache != null) { sctCache.AddContext(token); } } } else { reader.Skip(); } } reader.ReadEndElement(); if (contextId == (UniqueId)null) { throw DiagnosticUtility.ExceptionUtility.ThrowHelperError((Exception) new MessageSecurityException(SR.GetString("NoSecurityContextIdentifier"))); } if (token == null && !flag) { ISecurityContextSecurityTokenCache sctCache; token = this.TryResolveSecurityContextToken(contextId, generation, attribute, tokenResolver, out sctCache); } if (token == null) { throw DiagnosticUtility.ExceptionUtility.ThrowHelperWarning((Exception) new SecurityContextTokenValidationException(SR.GetString("SecurityContextNotRegistered", (object)contextId, (object)generation))); } return((SecurityToken)token); #endif }
public void SetServiceToken(SecurityContextSecurityToken token) { if (token == null) { throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("token"); } this.serviceToken = token; this.isNegotiationCompleted = true; }
public SecurityContextSecurityToken GetContext(UniqueId contextId, UniqueId generation) { if (contextId == null) { throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull(nameof(contextId)); } object hashKey = GetHashKey(contextId, generation); SecurityContextSecurityToken sct = (SecurityContextSecurityToken)GetItem(hashKey); return sct != null ? (SecurityContextSecurityToken)sct.Clone() : null; }
/// <summary> /// The the purposes of this method are: /// 1. To enable layers above to get to the bootstrap tokens /// 2. To ensure an ClaimsPrincipal is inside the SCT authorization policies. This is needed so that /// a CustomPrincipal will be created and can be set. This is required as we set the principal permission mode to custom /// 3. To set the IAuthorizationPolicy collection on the SCT to be one of IDFx's Authpolicy. /// This allows SCT cookie and SCT cached to be treated the same, futher up the stack. /// /// This method is call AFTER the final SCT has been created and the bootstrap tokens are around. Itis not called during the SP/TLS nego bootstrap. /// </summary> /// <param name="sct"></param> internal void SetPrincipalBootstrapTokensAndBindIdfxAuthPolicy(SecurityContextSecurityToken sct) { if (sct == null) { throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("sct"); } List <IAuthorizationPolicy> iaps = new List <IAuthorizationPolicy>(); // // The SecurityContextToken is cached first before the OnTokenIssued is called. So in the Session SCT // case the AuthorizationPolicies will have already been updated. So check the sct.AuthorizationPolicies // policy to see if the first is a AuthorizationPolicy. // if ((sct.AuthorizationPolicies != null) && (sct.AuthorizationPolicies.Count > 0) && (ContainsEndpointAuthPolicy(sct.AuthorizationPolicies))) { // We have already seen this sct and have fixed up the AuthorizationPolicy // collection. Just return. return; } // // Nego SCT just has a cookie, there are no IAuthorizationPolicy. In this case, // we want to add the EndpointAuthorizationPolicy alone to the SCT. // if ((sct.AuthorizationPolicies != null) && (sct.AuthorizationPolicies.Count > 0)) { // // Create a principal with known policies. // AuthorizationPolicy sctAp = IdentityModelServiceAuthorizationManager.TransformAuthorizationPolicies(sct.AuthorizationPolicies, _securityTokenHandlerCollection, false); // Replace the WCF authorization policies with our IDFx policies. // The principal is needed later on to set the custom principal by WCF runtime. iaps.Add(sctAp); // // Convert the claim from WCF unconditional policy to an SctAuthorizationPolicy. The SctAuthorizationPolicy simply // captures the primary identity claim from the WCF unconditional policy which IdFX will eventually throw away. // If we don't capture that claim, then in a token renewal scenario WCF will fail due to identities being different // for the issuedToken and the renewedToken. // SysClaim claim = GetPrimaryIdentityClaim(SystemAuthorizationContext.CreateDefaultAuthorizationContext(sct.AuthorizationPolicies)); SctAuthorizationPolicy sctAuthPolicy = new SctAuthorizationPolicy(claim); iaps.Add(sctAuthPolicy); } iaps.Add(new EndpointAuthorizationPolicy(_endpointId)); sct.AuthorizationPolicies = iaps.AsReadOnly(); }
public override SecurityToken ReadTokenCore(XmlDictionaryReader reader, SecurityTokenResolver tokenResolver) { UniqueId contextId = null; byte[] encodedCookie = null; UniqueId generation = null; bool flag = false; string attribute = reader.GetAttribute(XD.UtilityDictionary.IdAttribute, XD.UtilityDictionary.Namespace); SecurityContextSecurityToken token = null; reader.ReadFullStartElement(); reader.MoveToStartElement(this.parent.SerializerDictionary.Identifier, this.parent.SerializerDictionary.Namespace); contextId = reader.ReadElementContentAsUniqueId(); if (this.CanReadGeneration(reader)) { generation = this.ReadGeneration(reader); } if (reader.IsStartElement(this.parent.SerializerDictionary.Cookie, XD.DotNetSecurityDictionary.Namespace)) { ISecurityContextSecurityTokenCache cache; flag = true; token = this.TryResolveSecurityContextToken(contextId, generation, attribute, tokenResolver, out cache); if (token == null) { encodedCookie = reader.ReadElementContentAsBase64(); if (encodedCookie != null) { token = this.cookieSerializer.CreateSecurityContextFromCookie(encodedCookie, contextId, generation, attribute, reader.Quotas); if (cache != null) { cache.AddContext(token); } } } else { reader.Skip(); } } reader.ReadEndElement(); if (contextId == null) { throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new MessageSecurityException(System.ServiceModel.SR.GetString("NoSecurityContextIdentifier"))); } if ((token == null) && !flag) { ISecurityContextSecurityTokenCache cache2; token = this.TryResolveSecurityContextToken(contextId, generation, attribute, tokenResolver, out cache2); } if (token == null) { throw DiagnosticUtility.ExceptionUtility.ThrowHelperWarning(new SecurityContextTokenValidationException(System.ServiceModel.SR.GetString("SecurityContextNotRegistered", new object[] { contextId, generation }))); } return(token); }
internal ReadOnlyCollection <IAuthorizationPolicy> GetInitiatorTokenAuthorizationPolicies(bool includeTransportToken, SecurityContextSecurityToken supportingSessionTokenToExclude) { if (!this.HasIncomingSupportingTokens) { if (((this.transportToken != null) && (this.initiatorToken == null)) && (this.protectionToken == null)) { if (includeTransportToken && (this.transportToken.SecurityTokenPolicies != null)) { return(this.transportToken.SecurityTokenPolicies); } return(EmptyReadOnlyCollection <IAuthorizationPolicy> .Instance); } if (((this.transportToken == null) && (this.initiatorToken != null)) && (this.protectionToken == null)) { return(this.initiatorToken.SecurityTokenPolicies ?? EmptyReadOnlyCollection <IAuthorizationPolicy> .Instance); } if (((this.transportToken == null) && (this.initiatorToken == null)) && (this.protectionToken != null)) { return(this.protectionToken.SecurityTokenPolicies ?? EmptyReadOnlyCollection <IAuthorizationPolicy> .Instance); } } Collection <IAuthorizationPolicy> policies = new Collection <IAuthorizationPolicy>(); if (includeTransportToken) { this.AddAuthorizationPolicies(this.transportToken, policies); } this.AddAuthorizationPolicies(this.initiatorToken, policies); this.AddAuthorizationPolicies(this.protectionToken, policies); if (this.HasIncomingSupportingTokens) { for (int i = 0; i < this.incomingSupportingTokens.Count; i++) { if (supportingSessionTokenToExclude != null) { SecurityContextSecurityToken securityToken = this.incomingSupportingTokens[i].SecurityToken as SecurityContextSecurityToken; if ((securityToken != null) && (securityToken.ContextId == supportingSessionTokenToExclude.ContextId)) { continue; } } switch (this.incomingSupportingTokens[i].SecurityTokenAttachmentMode) { case SecurityTokenAttachmentMode.Endorsing: case SecurityTokenAttachmentMode.Signed: case SecurityTokenAttachmentMode.SignedEncrypted: case SecurityTokenAttachmentMode.SignedEndorsing: this.AddAuthorizationPolicies(this.incomingSupportingTokens[i], policies); break; } } } return(new ReadOnlyCollection <IAuthorizationPolicy>(policies)); }
bool TryAddContext(SecurityContextSecurityToken token, bool throwOnFailure) { if (token == null) { throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("token"); } if (!SecurityUtils.IsCurrentlyTimeEffective(token.ValidFrom, token.ValidTo, this.clockSkew)) { if (token.KeyGeneration == null) { throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgument(SR.GetString(SR.SecurityContextExpiredNoKeyGeneration, token.ContextId)); } else { throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgument(SR.GetString(SR.SecurityContextExpired, token.ContextId, token.KeyGeneration.ToString())); } } if (!SecurityUtils.IsCurrentlyTimeEffective(token.KeyEffectiveTime, token.KeyExpirationTime, this.clockSkew)) { if (token.KeyGeneration == null) { throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgument(SR.GetString(SR.SecurityContextKeyExpiredNoKeyGeneration, token.ContextId)); } else { throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgument(SR.GetString(SR.SecurityContextKeyExpired, token.ContextId, token.KeyGeneration.ToString())); } } object hashKey = GetHashKey(token.ContextId, token.KeyGeneration); bool wasTokenAdded = base.TryAddItem(hashKey, (SecurityContextSecurityToken)token.Clone(), false); if (!wasTokenAdded) { if (throwOnFailure) { if (token.KeyGeneration == null) { throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new InvalidOperationException(SR.GetString(SR.ContextAlreadyRegisteredNoKeyGeneration, token.ContextId))); } else { throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new InvalidOperationException(SR.GetString(SR.ContextAlreadyRegistered, token.ContextId, token.KeyGeneration.ToString()))); } } } return(wasTokenAdded); }
/// <summary> /// Serializes the SecurityToken to the XmlWriter. /// </summary> /// <param name="writer">XmlWriter to write to.</param> /// <param name="token">The SecurityToken to serializer.</param> /// <exception cref="ArgumentNullException">The input parameter 'writer' or 'token' is null.</exception> protected override void WriteTokenCore(XmlWriter writer, SecurityToken token) { if (writer == null) { throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("writer"); } if (token == null) { throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("token"); } try { // // Wire the session handler for SCT // SecurityContextSecurityToken sct = token as SecurityContextSecurityToken; if (sct != null) { // // Bare SCT tokens are wrapped with a SessionSecurityToken. // The property SessionSecurityToken.IsSecurityContextSecurityTokenWrapper will be true. // token = SecurityContextSecurityTokenHelper.ConvertSctToSessionToken(sct, _scVersion); } SecurityTokenHandler securityTokenHandler = _securityTokenHandlers[token]; if ((securityTokenHandler != null) && (securityTokenHandler.CanWriteToken)) { securityTokenHandler.WriteToken(writer, token); return; } base.WriteTokenCore(writer, token); } catch (Exception ex) { if (!(MapExceptionsToSoapFaults && _exceptionMapper.HandleSecurityTokenProcessingException(ex))) { throw; } Fx.Assert(false, "ExceptionMapper did not handle an exception correctly."); // This should never happen. ExceptionMapper will handle the exception, in which case, // a fault exception is thrown or the original exception gets thrown. } }
public Collection <SecurityContextSecurityToken> GetAllContexts(UniqueId contextId) { ArrayList matchingKeys = this.GetMatchingKeys(contextId); Collection <SecurityContextSecurityToken> collection = new Collection <SecurityContextSecurityToken>(); for (int i = 0; i < matchingKeys.Count; i++) { SecurityContextSecurityToken item = base.GetItem(matchingKeys[i]) as SecurityContextSecurityToken; if (item != null) { collection.Add(item); } } return(collection); }
public SecurityContextSecurityToken GetContext(UniqueId contextId, UniqueId generation) { if (contextId == null) { throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("contextId"); } object hashKey = this.GetHashKey(contextId, generation); SecurityContextSecurityToken item = (SecurityContextSecurityToken)base.GetItem(hashKey); if (item == null) { return(null); } return(item.Clone()); }
public void CreateKeyIdentifierClauseSCT() { MyParameters tp = new MyParameters(); SecurityContextSecurityToken sct = new SecurityContextSecurityToken(new UniqueId(), new byte [32], DateTime.MinValue, DateTime.MaxValue); SecurityKeyIdentifierClause kic = tp.CallCreateKeyIdentifierClause(sct, SecurityTokenReferenceStyle.Internal); Assert.IsTrue(kic is LocalIdKeyIdentifierClause, "#1"); SecurityContextKeyIdentifierClause scic = tp.CallCreateKeyIdentifierClause(sct, SecurityTokenReferenceStyle.External) as SecurityContextKeyIdentifierClause; Assert.IsNotNull(scic, "#2"); Assert.IsNull(scic.Generation, "#3"); }
public void AddContext(SecurityContextSecurityToken token) { // // WCF will cache the token first before calling the WrappedSessionSecurityTokenHandler.OnTokenIssued. // We need to map the claims here so we will be caching the correct token with Geneva Claims substitued // in place of the WCF claims. // _claimsHandler.SetPrincipalBootstrapTokensAndBindIdfxAuthPolicy(token); SessionSecurityTokenCacheKey key = new SessionSecurityTokenCacheKey(_claimsHandler.EndpointId, token.ContextId, token.KeyGeneration); SessionSecurityToken sessionToken = SecurityContextSecurityTokenHelper.ConvertSctToSessionToken(token, SecureConversationVersion.Default); DateTime expiryTime = DateTimeUtil.Add(sessionToken.ValidTo, _claimsHandler.SecurityTokenHandlerCollection.Configuration.MaxClockSkew); _tokenCache.AddOrUpdate(key, sessionToken, expiryTime); }
private SecurityContextSecurityToken TryResolveSecurityContextToken(UniqueId contextId, UniqueId generation, string id, SecurityTokenResolver tokenResolver, out ISecurityContextSecurityTokenCache sctCache) { SecurityContextSecurityToken sourceToken = (SecurityContextSecurityToken)null; sctCache = (ISecurityContextSecurityTokenCache)null; if (tokenResolver is ISecurityContextSecurityTokenCache) { sctCache = (ISecurityContextSecurityTokenCache)tokenResolver; sourceToken = sctCache.GetContext(contextId, generation); } else { #if FEATURE_CORECLR throw new NotImplementedException("AggregateSecurityHeaderTokenResolver not supported in .NET Core"); #else if (tokenResolver is AggregateSecurityHeaderTokenResolver) { AggregateSecurityHeaderTokenResolver headerTokenResolver = tokenResolver as AggregateSecurityHeaderTokenResolver; for (int index = 0; index < headerTokenResolver.TokenResolvers.Count; ++index) { ISecurityContextSecurityTokenCache tokenResolver1 = headerTokenResolver.TokenResolvers[index] as ISecurityContextSecurityTokenCache; if (tokenResolver1 != null) { if (sctCache == null) { sctCache = tokenResolver1; } sourceToken = tokenResolver1.GetContext(contextId, generation); if (sourceToken != null) { break; } } } } #endif } if (sourceToken == null) { return((SecurityContextSecurityToken)null); } if (sourceToken.Id == id) { return(sourceToken); } return(new SecurityContextSecurityToken(sourceToken, id)); }
public Collection <SecurityContextSecurityToken> GetAllContexts(UniqueId contextId) { ArrayList matchingKeys = GetMatchingKeys(contextId); Collection <SecurityContextSecurityToken> matchingContexts = new Collection <SecurityContextSecurityToken>(); for (int i = 0; i < matchingKeys.Count; ++i) { SecurityContextSecurityToken token = base.GetItem(matchingKeys[i]) as SecurityContextSecurityToken; if (token != null) { matchingContexts.Add(token); } } return(matchingContexts); }
public SecurityContextSecurityToken GetContext(System.Xml.UniqueId contextId, System.Xml.UniqueId generation) { SessionSecurityToken token = null; SessionSecurityTokenCacheKey key = new SessionSecurityTokenCacheKey(_claimsHandler.EndpointId, contextId, generation); token = _tokenCache.Get(key); SecurityContextSecurityToken sctToken = null; if (token != null && token.IsSecurityContextSecurityTokenWrapper) { sctToken = SecurityContextSecurityTokenHelper.ConvertSessionTokenToSecurityContextSecurityToken(token); } return(sctToken); }