/// <summary>
/// Sends a command request to the service.
/// </summary>
/// <param name="clientID">Client ID of sender.</param>
/// <param name="principal">The principal used for role-based security.</param>
/// <param name="userInput">Request string.</param>
public void SendRequest(Guid clientID, IPrincipal principal, string userInput)
{
ClientRequest request = ClientRequest.Parse(userInput);
if (request is null)
{
return;
}
if (SecurityProviderUtility.IsResourceSecurable(request.Command) && !SecurityProviderUtility.IsResourceAccessible(request.Command, principal))
{
ServiceHelper.UpdateStatus(clientID, UpdateType.Alarm, $"Access to \"{request.Command}\" is denied.\r\n\r\n");
return;
}
ClientRequestHandler requestHandler = ServiceHelper.FindClientRequestHandler(request.Command);
if (requestHandler is null)
{
ServiceHelper.UpdateStatus(clientID, UpdateType.Alarm, $"Command \"{request.Command}\" is not supported.\r\n\r\n");
return;
}
ClientInfo clientInfo = new ClientInfo {
ClientID = clientID
};
clientInfo.SetClientUser(principal);
ClientRequestInfo requestInfo = new ClientRequestInfo(clientInfo, request);
requestHandler.HandlerMethod(requestInfo);
}
/// <summary>
/// Sends a command request to the service.
/// </summary>
/// <param name="clientID">Client ID of sender.</param>
/// <param name="userInput">Request string.</param>
public void SendRequest(Guid clientID, string userInput)
{
ClientRequest request = ClientRequest.Parse(userInput);
if ((object)request != null)
{
ClientRequestHandler requestHandler = ServiceHelper.FindClientRequestHandler(request.Command);
if (SecurityProviderUtility.IsResourceSecurable(request.Command) && !SecurityProviderUtility.IsResourceAccessible(request.Command, Thread.CurrentPrincipal))
{
ServiceHelper.UpdateStatus(clientID, UpdateType.Alarm, $"Access to \"{request.Command}\" is denied.\r\n\r\n");
return;
}
if ((object)requestHandler != null)
{
requestHandler.HandlerMethod(new ClientRequestInfo(new ClientInfo {
ClientID = clientID
}, request));
}
else
{
ServiceHelper.UpdateStatus(clientID, UpdateType.Alarm, $"Command \"{request.Command}\" is not supported.\r\n\r\n");
}
}
}
private void Application_PreRequestHandlerExecute(object sender, EventArgs e)
{
// Check if access to resource is to be secured.
string resource = GetResourceName();
if (!IsAccessSecured(resource))
{
return;
}
SecurityProviderCache.ValidateCurrentProvider();
if (!m_application.User.Identity.IsAuthenticated)
{
// Failed to authenticate user.
Redirect(HttpStatusCode.Unauthorized);
}
if (IsAccessRestricted() ||
!SecurityProviderUtility.IsResourceAccessible(resource))
{
// User does not have access to the resource.
Redirect(HttpStatusCode.Forbidden);
}
}
/// <summary>
/// Evaluates the <paramref name="evaluationContext"/> and initializes security.
/// </summary>
/// <param name="evaluationContext">An <see cref="EvaluationContext"/> object.</param>
/// <param name="state">Custom state of the <see cref="SecurityPolicy"/>.</param>
/// <returns></returns>
public virtual bool Evaluate(EvaluationContext evaluationContext, ref object state)
{
// In order for this to work properly security on the binding must be configured to use windows security.
// When this is done the caller's windows identity is available to us here and can be used to derive from
// it the security principal that can be used by WCF service code downstream for implementing security.
object property;
if (evaluationContext.Properties.TryGetValue("Identities", out property))
{
// Extract and assign the caller's windows identity to current thread if available.
IList <IIdentity> identities = property as List <IIdentity>;
if ((object)identities == null)
{
throw new SecurityException(string.Format("Null Identities in Evaluation Context for '{0}'", Thread.CurrentPrincipal.Identity));
}
foreach (IIdentity identity in identities)
{
if (identity is WindowsIdentity)
{
Thread.CurrentPrincipal = new WindowsPrincipal((WindowsIdentity)identity);
break;
}
}
}
string resource = GetResourceName();
if (SecurityProviderUtility.IsResourceSecurable(resource))
{
// Initialize the security principal from caller's windows identity if uninitialized.
if (SecurityProviderCache.CurrentProvider == null)
{
SecurityProviderCache.CurrentProvider = SecurityProviderUtility.CreateProvider(string.Empty);
}
// Setup the principal to be attached to the thread on which WCF service will execute.
evaluationContext.Properties["Principal"] = Thread.CurrentPrincipal;
// Verify that the current thread principal has been authenticated.
if (!Thread.CurrentPrincipal.Identity.IsAuthenticated)
{
throw new SecurityException(string.Format("Authentication failed for user '{0}'", Thread.CurrentPrincipal.Identity.Name));
}
// Perform a top-level permission check on the resource being accessed.
if (!SecurityProviderUtility.IsResourceAccessible(resource))
{
throw new SecurityException(string.Format("Access to '{0}' is denied", resource));
}
return(true);
}
// Setup the principal to be attached to the thread on which WCF service will execute.
evaluationContext.Properties["Principal"] = Thread.CurrentPrincipal;
return(true);
}
private bool IsResourceAccessible(string resource)
{
if (ResourceAccessiblity == ResourceAccessiblityMode.AlwaysIncluded)
{
return(SecurityPrincipal.IsInRole(IncludedRoles));
}
return(SecurityProviderUtility.IsResourceAccessible(resource, SecurityPrincipal));
}
private void SecureForm_Load(object sender, EventArgs e)
{
try
{
// Don't proceed if the form is opened in design mode
if (DesignMode)
{
return;
}
// Check if the resource is excluded from being secured
string resource = GetResourceName();
if (!SecurityProviderUtility.IsResourceSecurable(resource))
{
return;
}
// Set up security provider for passthrough authentication
ISecurityProvider securityProvider = SecurityProviderCache.CreateProvider(WindowsIdentity.GetCurrent().Name);
securityProvider.PassthroughPrincipal = new WindowsPrincipal(WindowsIdentity.GetCurrent());
securityProvider.Authenticate();
// Setup the security principal for role-based security
SecurityIdentity securityIdentity = new SecurityIdentity(securityProvider);
SecurityPrincipal = new SecurityPrincipal(securityIdentity);
// Verify that the current thread principal has been authenticated
if (!SecurityPrincipal.Identity.IsAuthenticated)
{
throw new SecurityException($"Authentication failed for user '{SecurityPrincipal.Identity.Name}'");
}
// Perform a top-level permission check on the resource being accessed
if (!SecurityProviderUtility.IsResourceAccessible(resource, SecurityPrincipal))
{
throw new SecurityException($"Access to '{resource}' is denied");
}
// Set up the current thread principal
// NOTE: Provided for backwards compatibility;
// recommended to use the SecurityPrincipal instead
Thread.CurrentPrincipal = SecurityPrincipal;
}
catch (Exception ex)
{
if (ExceptionHandler is null)
{
throw;
}
ExceptionHandler(ex);
}
}
private void SecureForm_Load(object sender, EventArgs e)
{
// Don't proceed if the form is opened in design mode.
if (DesignMode)
{
return;
}
// Check if the resource is excluded from being secured.
string resource = GetResourceName();
if (!SecurityProviderUtility.IsResourceSecurable(resource))
{
return;
}
// Setup thread principal to current windows principal.
if (!(Thread.CurrentPrincipal is WindowsPrincipal))
{
Thread.CurrentPrincipal = new WindowsPrincipal(WindowsIdentity.GetCurrent());
}
// Setup the security provider for role-based security.
if ((object)SecurityProviderCache.CurrentProvider == null)
{
SecurityProviderCache.CurrentProvider = SecurityProviderUtility.CreateProvider(string.Empty);
}
// Verify that the current thread principal has been authenticated.
if (!Thread.CurrentPrincipal.Identity.IsAuthenticated)
{
throw new SecurityException(string.Format("Authentication failed for user '{0}'", Thread.CurrentPrincipal.Identity.Name));
}
// Perform a top-level permission check on the resource being accessed.
if (!SecurityProviderUtility.IsResourceAccessible(resource))
{
throw new SecurityException(string.Format("Access to '{0}' is denied", resource));
}
}
private void Application_PreRequestHandlerExecute(object sender, EventArgs e)
{
// Check if access to resource is to be secured.
string resource = GetResourceName();
if (!IsAccessSecured(resource))
{
return;
}
SecurityPrincipal securityPrincipal = Thread.CurrentPrincipal as SecurityPrincipal;
if ((object)securityPrincipal == null)
{
ISecurityProvider securityProvider = SecurityProviderCache.CreateProvider(Thread.CurrentPrincipal.Identity.Name);
securityProvider.PassthroughPrincipal = Thread.CurrentPrincipal;
securityProvider.Authenticate();
SecurityIdentity securityIdentity = new SecurityIdentity(securityProvider);
securityPrincipal = new SecurityPrincipal(securityIdentity);
Thread.CurrentPrincipal = securityPrincipal;
}
if (!m_application.User.Identity.IsAuthenticated)
{
// Failed to authenticate user.
Redirect(HttpStatusCode.Unauthorized);
}
if (IsAccessRestricted() ||
!SecurityProviderUtility.IsResourceAccessible(resource, securityPrincipal))
{
// User does not have access to the resource.
Redirect(HttpStatusCode.Forbidden);
}
}