public SupportingTokenSpecification(SecurityToken token, ReadOnlyCollection<IAuthorizationPolicy> tokenPolicies, SecurityTokenAttachmentMode attachmentMode, SecurityTokenParameters tokenParameters)
: base(token, tokenPolicies)
{
SecurityTokenAttachmentModeHelper.Validate(attachmentMode);
_tokenAttachmentMode = attachmentMode;
_tokenParameters = tokenParameters;
}
internal static bool IsDefined(SecurityTokenAttachmentMode value)
{
return value == SecurityTokenAttachmentMode.Endorsing
|| value == SecurityTokenAttachmentMode.Signed
|| value == SecurityTokenAttachmentMode.SignedEncrypted
|| value == SecurityTokenAttachmentMode.SignedEndorsing;
}
internal static void Validate(SecurityTokenAttachmentMode value)
{
if (!IsDefined(value))
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new InvalidEnumArgumentException("value", (int)value, typeof(SecurityTokenAttachmentMode)));
}
}
public SupportingTokenProviderSpecification(SecurityTokenProvider tokenProvider, SecurityTokenAttachmentMode attachmentMode, SecurityTokenParameters tokenParameters)
{
SecurityTokenAttachmentModeHelper.Validate(attachmentMode);
TokenProvider = tokenProvider ?? throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull(nameof(tokenProvider));
SecurityTokenAttachmentMode = attachmentMode;
TokenParameters = tokenParameters ?? throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull(nameof(tokenParameters));
}
internal static void Categorize(SecurityTokenAttachmentMode value, out bool isBasic, out bool isSignedButNotBasic, out ReceiveSecurityHeaderBindingModes mode)
{
Validate(value);
switch (value)
{
case SecurityTokenAttachmentMode.Signed:
isBasic = false;
isSignedButNotBasic = true;
mode = ReceiveSecurityHeaderBindingModes.Signed;
return;
case SecurityTokenAttachmentMode.Endorsing:
isBasic = false;
isSignedButNotBasic = false;
mode = ReceiveSecurityHeaderBindingModes.Endorsing;
return;
case SecurityTokenAttachmentMode.SignedEndorsing:
isBasic = false;
isSignedButNotBasic = true;
mode = ReceiveSecurityHeaderBindingModes.SignedEndorsing;
return;
case SecurityTokenAttachmentMode.SignedEncrypted:
isBasic = true;
isSignedButNotBasic = false;
mode = ReceiveSecurityHeaderBindingModes.Basic;
return;
}
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new ArgumentOutOfRangeException("value"));
}
private void AddSignatureReference(SecurityToken token, int position, SecurityTokenAttachmentMode mode)
{
SecurityKeyIdentifierClause keyIdentifierClause = null;
bool strTransformEnabled = ShouldUseStrTransformForToken(token, position, mode, out keyIdentifierClause);
AddTokenSignatureReference(token, keyIdentifierClause, strTransformEnabled);
}
internal static void Categorize(SecurityTokenAttachmentMode value,
out bool isBasic, out bool isSignedButNotBasic, out ReceiveSecurityHeaderBindingModes mode)
{
SecurityTokenAttachmentModeHelper.Validate(value);
switch (value)
{
case SecurityTokenAttachmentMode.Endorsing:
isBasic = false;
isSignedButNotBasic = false;
mode = ReceiveSecurityHeaderBindingModes.Endorsing;
break;
case SecurityTokenAttachmentMode.Signed:
isBasic = false;
isSignedButNotBasic = true;
mode = ReceiveSecurityHeaderBindingModes.Signed;
break;
case SecurityTokenAttachmentMode.SignedEncrypted:
isBasic = true;
isSignedButNotBasic = false;
mode = ReceiveSecurityHeaderBindingModes.Basic;
break;
case SecurityTokenAttachmentMode.SignedEndorsing:
isBasic = false;
isSignedButNotBasic = true;
mode = ReceiveSecurityHeaderBindingModes.SignedEndorsing;
break;
default:
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new ArgumentOutOfRangeException("value"));
}
}
internal static bool IsDefined(SecurityTokenAttachmentMode value)
{
return(value == SecurityTokenAttachmentMode.Endorsing ||
value == SecurityTokenAttachmentMode.Signed ||
value == SecurityTokenAttachmentMode.SignedEncrypted ||
value == SecurityTokenAttachmentMode.SignedEndorsing);
}
internal ReadOnlyCollection <IAuthorizationPolicy> GetInitiatorTokenAuthorizationPolicies(bool includeTransportToken, SecurityContextSecurityToken supportingSessionTokenToExclude)
{
// fast path
if (!this.HasIncomingSupportingTokens)
{
if (_transportToken != null && _initiatorToken == null && _protectionToken == null)
{
if (includeTransportToken && _transportToken.SecurityTokenPolicies != null)
{
return(_transportToken.SecurityTokenPolicies);
}
else
{
return(EmptyReadOnlyCollection <IAuthorizationPolicy> .Instance);
}
}
else if (_transportToken == null && _initiatorToken != null && _protectionToken == null)
{
return(_initiatorToken.SecurityTokenPolicies ?? EmptyReadOnlyCollection <IAuthorizationPolicy> .Instance);
}
else if (_transportToken == null && _initiatorToken == null && _protectionToken != null)
{
return(_protectionToken.SecurityTokenPolicies ?? EmptyReadOnlyCollection <IAuthorizationPolicy> .Instance);
}
}
Collection <IAuthorizationPolicy> policies = new Collection <IAuthorizationPolicy>();
if (includeTransportToken)
{
AddAuthorizationPolicies(_transportToken, policies);
}
AddAuthorizationPolicies(_initiatorToken, policies);
AddAuthorizationPolicies(_protectionToken, policies);
if (this.HasIncomingSupportingTokens)
{
for (int i = 0; i < _incomingSupportingTokens.Count; ++i)
{
if (supportingSessionTokenToExclude != null)
{
SecurityContextSecurityToken sct = _incomingSupportingTokens[i].SecurityToken as SecurityContextSecurityToken;
if (sct != null && sct.ContextId == supportingSessionTokenToExclude.ContextId)
{
continue;
}
}
SecurityTokenAttachmentMode attachmentMode = _incomingSupportingTokens[i].SecurityTokenAttachmentMode;
// a safety net in case more attachment modes get added to the product without
// reviewing this code.
if (attachmentMode == SecurityTokenAttachmentMode.Endorsing ||
attachmentMode == SecurityTokenAttachmentMode.Signed ||
attachmentMode == SecurityTokenAttachmentMode.SignedEncrypted ||
attachmentMode == SecurityTokenAttachmentMode.SignedEndorsing)
{
AddAuthorizationPolicies(_incomingSupportingTokens[i], policies);
}
}
}
return(new ReadOnlyCollection <IAuthorizationPolicy>(policies));
}
public SupportingTokenSpecification(SecurityToken token, ReadOnlyCollection <IAuthorizationPolicy> tokenPolicies, SecurityTokenAttachmentMode attachmentMode, SecurityTokenParameters tokenParameters)
: base(token, tokenPolicies)
{
SecurityTokenAttachmentModeHelper.Validate(attachmentMode);
this.tokenAttachmentMode = attachmentMode;
this.tokenParameters = tokenParameters;
}
public SupportingTokenInfo(SecurityToken token,
SecurityTokenAttachmentMode mode,
bool isOptional)
{
Token = token;
Mode = mode;
IsOptional = isOptional;
}
internal static bool IsDefined(SecurityTokenAttachmentMode value)
{
if (((value != SecurityTokenAttachmentMode.Endorsing) && (value != SecurityTokenAttachmentMode.Signed)) && (value != SecurityTokenAttachmentMode.SignedEncrypted))
{
return(value == SecurityTokenAttachmentMode.SignedEndorsing);
}
return(true);
}
public SupportingTokenSpecification (
SecurityToken token,
ReadOnlyCollection<IAuthorizationPolicy> tokenPolicies,
SecurityTokenAttachmentMode attachmentMode)
: base (token, tokenPolicies)
{
mode = attachmentMode;
}
public SupportingTokenSpecification(
SecurityToken token,
ReadOnlyCollection <IAuthorizationPolicy> tokenPolicies,
SecurityTokenAttachmentMode attachmentMode)
: base(token, tokenPolicies)
{
mode = attachmentMode;
}
internal static void Validate(SecurityTokenAttachmentMode value)
{
if (!IsDefined(value))
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new InvalidEnumArgumentException("value", (int)value,
typeof(SecurityTokenAttachmentMode)));
}
}
internal SupportingTokenAuthenticatorSpecification(SecurityTokenAuthenticator tokenAuthenticator, SecurityTokenResolver securityTokenResolver, SecurityTokenAttachmentMode attachmentMode, SecurityTokenParameters tokenParameters, bool isTokenOptional)
{
SecurityTokenAttachmentModeHelper.Validate(attachmentMode);
TokenAuthenticator = tokenAuthenticator ?? throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull(nameof(tokenAuthenticator));
TokenResolver = securityTokenResolver;
SecurityTokenAttachmentMode = attachmentMode;
TokenParameters = tokenParameters ?? throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull(nameof(tokenParameters));
IsTokenOptional = isTokenOptional;
}
private void AddSignatureReference(SecurityToken[] tokens, SecurityTokenAttachmentMode mode)
{
if (tokens != null)
{
for (int i = 0; i < tokens.Length; ++i)
{
AddSignatureReference(tokens[i], i, mode);
}
}
}
public SupportingTokenProviderSpecification(SecurityTokenProvider tokenProvider, SecurityTokenAttachmentMode attachmentMode, SecurityTokenParameters tokenParameters)
{
if (tokenProvider == null)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("tokenProvider");
}
SecurityTokenAttachmentModeHelper.Validate(attachmentMode);
if (tokenParameters == null)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("tokenParameters");
}
_tokenProvider = tokenProvider;
_tokenAttachmentMode = attachmentMode;
_tokenParameters = tokenParameters;
}
public SupportingTokenProviderSpecification(SecurityTokenProvider tokenProvider, SecurityTokenAttachmentMode attachmentMode, SecurityTokenParameters tokenParameters)
{
if (tokenProvider == null)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("tokenProvider");
}
SecurityTokenAttachmentModeHelper.Validate(attachmentMode);
if (tokenParameters == null)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("tokenParameters");
}
_tokenProvider = tokenProvider;
_tokenAttachmentMode = attachmentMode;
_tokenParameters = tokenParameters;
}
internal SupportingTokenAuthenticatorSpecification(SecurityTokenAuthenticator tokenAuthenticator, SecurityTokenResolver securityTokenResolver, SecurityTokenAttachmentMode attachmentMode, SecurityTokenParameters tokenParameters, bool isTokenOptional)
{
if (tokenAuthenticator == null)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("tokenAuthenticator");
}
SecurityTokenAttachmentModeHelper.Validate(attachmentMode);
if (tokenParameters == null)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("tokenParameters");
}
this.tokenAuthenticator = tokenAuthenticator;
this.tokenResolver = securityTokenResolver;
this.tokenAttachmentMode = attachmentMode;
this.tokenParameters = tokenParameters;
this.isTokenOptional = isTokenOptional;
}
internal SupportingTokenAuthenticatorSpecification(SecurityTokenAuthenticator tokenAuthenticator, SecurityTokenResolver securityTokenResolver, SecurityTokenAttachmentMode attachmentMode, SecurityTokenParameters tokenParameters, bool isTokenOptional)
{
if (tokenAuthenticator == null)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("tokenAuthenticator");
}
SecurityTokenAttachmentModeHelper.Validate(attachmentMode);
if (tokenParameters == null)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("tokenParameters");
}
_tokenAuthenticator = tokenAuthenticator;
_tokenResolver = securityTokenResolver;
_tokenAttachmentMode = attachmentMode;
_tokenParameters = tokenParameters;
_isTokenOptional = isTokenOptional;
}
public SupportingTokenSpecification(System.IdentityModel.Tokens.SecurityToken token, System.Collections.ObjectModel.ReadOnlyCollection<System.IdentityModel.Policy.IAuthorizationPolicy> tokenPolicies, SecurityTokenAttachmentMode attachmentMode, System.ServiceModel.Security.Tokens.SecurityTokenParameters tokenParameters) : base (default(System.IdentityModel.Tokens.SecurityToken), default(System.Collections.ObjectModel.ReadOnlyCollection<System.IdentityModel.Policy.IAuthorizationPolicy>))
{
}
private void AddSupportingTokenSpecification(SecurityMessageProperty security, IList<SecurityToken> tokens, SecurityTokenAttachmentMode attachmentMode, IDictionary<SecurityToken, ReadOnlyCollection<IAuthorizationPolicy>> tokenPoliciesMapping)
{
if ((tokens != null) && (tokens.Count != 0))
{
for (int i = 0; i < tokens.Count; i++)
{
security.IncomingSupportingTokens.Add(new SupportingTokenSpecification(tokens[i], tokenPoliciesMapping[tokens[i]], attachmentMode));
}
}
}
void AddSupportingTokenSpecification(SecurityMessageProperty security, IList<SecurityToken> tokens, SecurityTokenAttachmentMode attachmentMode, IDictionary<SecurityToken, ReadOnlyCollection<IAuthorizationPolicy>> tokenPoliciesMapping)
{
if (tokens == null || tokens.Count == 0)
{
return;
}
for (int i = 0; i < tokens.Count; ++i)
{
security.IncomingSupportingTokens.Add(new SupportingTokenSpecification(tokens[i], tokenPoliciesMapping[tokens[i]], attachmentMode));
}
}
void ValidateTokensByParameters (IEnumerable<SecurityTokenParameters> plist, List<SupportingTokenInfo> tokens, bool optional, SecurityTokenAttachmentMode attachMode)
{
foreach (SecurityTokenParameters p in plist) {
SecurityTokenResolver r;
SecurityTokenAuthenticator a =
security.CreateTokenAuthenticator (p, out r);
SupportingTokenSpecification spec = ValidateTokensByParameters (a, r, tokens);
if (spec == null) {
if (optional)
continue;
else
throw new MessageSecurityException (String.Format ("No security token could be validated for authenticator '{0}' which is indicated by the '{1}' supporting token parameters", a, attachMode));
} else {
// For endorsing tokens, verify corresponding signatures.
switch (attachMode) {
case SecurityTokenAttachmentMode.Endorsing:
case SecurityTokenAttachmentMode.SignedEndorsing:
WSSignedXml esxml = GetSignatureForToken (spec.SecurityToken);
if (esxml == null)
throw new MessageSecurityException (String.Format ("The '{1}' token '{0}' is expected to endorse the primary signature but no corresponding signature is found.", spec.SecurityToken, attachMode));
bool confirmed;
SecurityAlgorithmSuite suite = security.Element.DefaultAlgorithmSuite;
foreach (SecurityTokenReferenceKeyInfo kic in esxml.KeyInfo) {
SecurityKey signKey = spec.SecurityToken.ResolveKeyIdentifierClause (kic.Clause);
SymmetricSecurityKey symkey = signKey as SymmetricSecurityKey;
if (symkey != null) {
confirmed = esxml.CheckSignature (symkey.GetKeyedHashAlgorithm (suite.DefaultSymmetricSignatureAlgorithm));
} else {
AsymmetricAlgorithm alg = ((AsymmetricSecurityKey) signKey).GetAsymmetricAlgorithm (suite.DefaultAsymmetricSignatureAlgorithm, false);
confirmed = esxml.CheckSignature (alg);
}
if (!confirmed)
throw new MessageSecurityException (String.Format ("Signature for '{1}' token '{0}' is invalid.", spec.SecurityToken, attachMode));
break;
}
sec_prop.ConfirmedSignatures.Insert (0, Convert.ToBase64String (esxml.SignatureValue));
break;
}
}
sec_prop.IncomingSupportingTokens.Add (spec);
}
}
public SupportingTokenSpecification(SecurityToken token, ReadOnlyCollection <IAuthorizationPolicy> tokenPolicies, SecurityTokenAttachmentMode attachmentMode)
: this(token, tokenPolicies, attachmentMode, null)
{
}
protected bool ShouldUseStrTransformForToken(SecurityToken securityToken, int position, SecurityTokenAttachmentMode mode, out SecurityKeyIdentifierClause keyIdentifierClause)
{
IssuedSecurityTokenParameters tokenParams = null;
keyIdentifierClause = null;
switch (mode)
{
case SecurityTokenAttachmentMode.SignedEndorsing:
tokenParams = this.signedEndorsingTokenParameters[position] as IssuedSecurityTokenParameters;
break;
case SecurityTokenAttachmentMode.Signed:
tokenParams = this.signedTokenParameters[position] as IssuedSecurityTokenParameters;
break;
case SecurityTokenAttachmentMode.SignedEncrypted:
tokenParams = this.basicSupportingTokenParameters[position] as IssuedSecurityTokenParameters;
break;
default:
return false;
}
if (tokenParams != null && tokenParams.UseStrTransform)
{
keyIdentifierClause = tokenParams.CreateKeyIdentifierClause(securityToken, GetTokenReferenceStyle(tokenParams));
if (keyIdentifierClause == null)
{
throw TraceUtility.ThrowHelperError(new MessageSecurityException(SR.GetString(SR.TokenManagerCannotCreateTokenReference)), this.Message);
}
return true;
}
return false;
}
void ValidateTokensByParameters(IEnumerable <SecurityTokenParameters> plist, List <SupportingTokenInfo> tokens, bool optional, SecurityTokenAttachmentMode attachMode)
{
foreach (SecurityTokenParameters p in plist)
{
SecurityTokenResolver r;
SecurityTokenAuthenticator a =
security.CreateTokenAuthenticator(p, out r);
SupportingTokenSpecification spec = ValidateTokensByParameters(a, r, tokens);
if (spec == null)
{
if (optional)
{
continue;
}
else
{
throw new MessageSecurityException(String.Format("No security token could be validated for authenticator '{0}' which is indicated by the '{1}' supporting token parameters", a, attachMode));
}
}
else
{
// For endorsing tokens, verify corresponding signatures.
switch (attachMode)
{
case SecurityTokenAttachmentMode.Endorsing:
case SecurityTokenAttachmentMode.SignedEndorsing:
WSSignedXml esxml = GetSignatureForToken(spec.SecurityToken);
if (esxml == null)
{
throw new MessageSecurityException(String.Format("The '{1}' token '{0}' is expected to endorse the primary signature but no corresponding signature is found.", spec.SecurityToken, attachMode));
}
bool confirmed;
SecurityAlgorithmSuite suite = security.Element.DefaultAlgorithmSuite;
foreach (SecurityTokenReferenceKeyInfo kic in esxml.KeyInfo)
{
SecurityKey signKey = spec.SecurityToken.ResolveKeyIdentifierClause(kic.Clause);
SymmetricSecurityKey symkey = signKey as SymmetricSecurityKey;
if (symkey != null)
{
confirmed = esxml.CheckSignature(symkey.GetKeyedHashAlgorithm(suite.DefaultSymmetricSignatureAlgorithm));
}
else
{
AsymmetricAlgorithm alg = ((AsymmetricSecurityKey)signKey).GetAsymmetricAlgorithm(suite.DefaultAsymmetricSignatureAlgorithm, false);
confirmed = esxml.CheckSignature(alg);
}
if (!confirmed)
{
throw new MessageSecurityException(String.Format("Signature for '{1}' token '{0}' is invalid.", spec.SecurityToken, attachMode));
}
break;
}
sec_prop.ConfirmedSignatures.Insert(0, Convert.ToBase64String(esxml.SignatureValue));
break;
}
}
sec_prop.IncomingSupportingTokens.Add(spec);
}
}
void AddSignatureReference(SecurityToken token, int position, SecurityTokenAttachmentMode mode)
{
SecurityKeyIdentifierClause keyIdentifierClause = null;
bool strTransformEnabled = this.ShouldUseStrTransformForToken(token, position, mode, out keyIdentifierClause);
AddTokenSignatureReference(token, keyIdentifierClause, strTransformEnabled);
}
public SupportingTokenAuthenticatorSpecification(SecurityTokenAuthenticator tokenAuthenticator, SecurityTokenResolver securityTokenResolver, SecurityTokenAttachmentMode attachmentMode, SecurityTokenParameters tokenParameters)
: this(tokenAuthenticator, securityTokenResolver, attachmentMode, tokenParameters, false)
{
}
protected bool ShouldUseStrTransformForToken(SecurityToken securityToken, int position, SecurityTokenAttachmentMode mode, out SecurityKeyIdentifierClause keyIdentifierClause)
{
keyIdentifierClause = null;
return(false);
}
public SupportingTokenSpecification(System.IdentityModel.Tokens.SecurityToken token, System.Collections.ObjectModel.ReadOnlyCollection <System.IdentityModel.Policy.IAuthorizationPolicy> tokenPolicies, SecurityTokenAttachmentMode attachmentMode, System.ServiceModel.Security.Tokens.SecurityTokenParameters tokenParameters) : base(default(System.IdentityModel.Tokens.SecurityToken), default(System.Collections.ObjectModel.ReadOnlyCollection <System.IdentityModel.Policy.IAuthorizationPolicy>))
{
}
protected bool ShouldUseStrTransformForToken(SecurityToken securityToken, int position, SecurityTokenAttachmentMode mode, out SecurityKeyIdentifierClause keyIdentifierClause)
{
keyIdentifierClause = null;
IssuedSecurityTokenParameters tokenParams;
switch (mode)
{
case SecurityTokenAttachmentMode.SignedEndorsing:
tokenParams = _signedEndorsingTokenParameters[position] as IssuedSecurityTokenParameters;
break;
case SecurityTokenAttachmentMode.Signed:
tokenParams = _signedTokenParameters[position] as IssuedSecurityTokenParameters;
break;
case SecurityTokenAttachmentMode.SignedEncrypted:
tokenParams = _basicSupportingTokenParameters[position] as IssuedSecurityTokenParameters;
break;
default:
return(false);
}
if (tokenParams != null && tokenParams.UseStrTransform)
{
keyIdentifierClause = tokenParams.CreateKeyIdentifierClause(securityToken, GetTokenReferenceStyle(tokenParams));
if (keyIdentifierClause == null)
{
throw TraceUtility.ThrowHelperError(new MessageSecurityException(SR.Format(SR.TokenManagerCannotCreateTokenReference)), Message);
}
return(true);
}
return(false);
}
private InitiatorServiceModelSecurityTokenRequirement CreateInitiatorSecurityTokenRequirement(SecurityTokenParameters parameters, SecurityTokenAttachmentMode attachmentMode)
{
InitiatorServiceModelSecurityTokenRequirement requirement = CreateInitiatorSecurityTokenRequirement();
parameters.InitializeSecurityTokenRequirement(requirement);
requirement.KeyUsage = SecurityKeyUsage.Signature;
requirement.Properties[ServiceModelSecurityTokenRequirement.MessageDirectionProperty] = MessageDirection.Output;
requirement.Properties[ServiceModelSecurityTokenRequirement.SupportingTokenAttachmentModeProperty] = attachmentMode;
return(requirement);
}
public SupportingTokenAuthenticatorSpecification(SecurityTokenAuthenticator tokenAuthenticator, SecurityTokenResolver securityTokenResolver, SecurityTokenAttachmentMode attachmentMode, SecurityTokenParameters tokenParameters)
: this(tokenAuthenticator, securityTokenResolver, attachmentMode, tokenParameters, false)
{
}
InitiatorServiceModelSecurityTokenRequirement CreateInitiatorSecurityTokenRequirement(SecurityTokenParameters parameters, SecurityTokenAttachmentMode attachmentMode)
{
InitiatorServiceModelSecurityTokenRequirement requirement = CreateInitiatorSecurityTokenRequirement();
parameters.InitializeSecurityTokenRequirement(requirement);
requirement.KeyUsage = SecurityKeyUsage.Signature;
requirement.Properties[ServiceModelSecurityTokenRequirement.MessageDirectionProperty] = MessageDirection.Output;
requirement.Properties[ServiceModelSecurityTokenRequirement.SupportingTokenAttachmentModeProperty] = attachmentMode;
return requirement;
}
public SupportingTokenSpecification(SecurityToken token, ReadOnlyCollection<IAuthorizationPolicy> tokenPolicies, SecurityTokenAttachmentMode attachmentMode)
: this(token, tokenPolicies, attachmentMode, null)
{ }
private void AddSupportingTokenSpecification(SecurityMessageProperty security, IList <SecurityToken> tokens, SecurityTokenAttachmentMode attachmentMode, IDictionary <SecurityToken, ReadOnlyCollection <IAuthorizationPolicy> > tokenPoliciesMapping)
{
if (tokens == null || tokens.Count == 0)
{
return;
}
for (int i = 0; i < tokens.Count; ++i)
{
security.IncomingSupportingTokens.Add(new SupportingTokenSpecification(tokens[i], tokenPoliciesMapping[tokens[i]], attachmentMode));
}
}
void AddSignatureReference(SecurityToken[] tokens, SecurityTokenAttachmentMode mode)
{
if (tokens != null)
{
for (int i = 0; i < tokens.Length; ++i)
{
AddSignatureReference(tokens[i], i, mode);
}
}
}
private RecipientServiceModelSecurityTokenRequirement CreateRecipientSecurityTokenRequirement(SecurityTokenParameters parameters, SecurityTokenAttachmentMode attachmentMode)
{
RecipientServiceModelSecurityTokenRequirement requirement = CreateRecipientSecurityTokenRequirement();
requirement.KeyUsage = SecurityKeyUsage.Signature;
requirement.Properties[ServiceModelSecurityTokenRequirement.MessageDirectionProperty] = MessageDirection.Input;
requirement.Properties[ServiceModelSecurityTokenRequirement.SupportingTokenAttachmentModeProperty] = attachmentMode;
requirement.Properties[ServiceModelSecurityTokenRequirement.ExtendedProtectionPolicy] = _extendedProtectionPolicy;
return(requirement);
}
// authenticate and map supporting tokens to proper SupportingTokenSpecification list.
void ProcessSupportingTokens(SignedXml sxml)
{
List <SupportingTokenInfo> tokens = new List <SupportingTokenInfo> ();
// First, categorize those tokens in the Security
// header:
// - Endorsing signing
// - Signed signed
// - SignedEncrypted signed encrypted
// - SignedEndorsing signing signed
foreach (object obj in wss_header.Contents)
{
SecurityToken token = obj as SecurityToken;
if (token == null)
{
continue;
}
bool signed = false, endorsing = false, encrypted = false;
// signed
foreach (Reference r in sxml.SignedInfo.References)
{
if (r.Uri.Substring(1) == token.Id)
{
signed = true;
break;
}
}
// FIXME: how to get 'encrypted' state?
// FIXME: endorsing
SecurityTokenAttachmentMode mode =
signed ? encrypted ? SecurityTokenAttachmentMode.SignedEncrypted :
endorsing ? SecurityTokenAttachmentMode.SignedEndorsing :
SecurityTokenAttachmentMode.Signed :
SecurityTokenAttachmentMode.Endorsing;
tokens.Add(new SupportingTokenInfo(token, mode, false));
}
// then,
// 1. validate every mandatory supporting token
// parameters (Endpoint-, Operation-). To do that,
// iterate all tokens in the header against every
// parameter in the mandatory list.
// 2. validate every token that is not validated.
// To do that, iterate all supporting token parameters
// and check if any of them can validate it.
SupportingTokenParameters supp;
string action = GetAction();
ValidateTokensByParameters(security.Element.EndpointSupportingTokenParameters, tokens, false);
if (security.Element.OperationSupportingTokenParameters.TryGetValue(action, out supp))
{
ValidateTokensByParameters(supp, tokens, false);
}
ValidateTokensByParameters(security.Element.OptionalEndpointSupportingTokenParameters, tokens, true);
if (security.Element.OptionalOperationSupportingTokenParameters.TryGetValue(action, out supp))
{
ValidateTokensByParameters(supp, tokens, true);
}
}
private void MergeSupportingTokenAuthenticators(TimeSpan timeout)
{
if (this.scopedSupportingTokenAuthenticatorSpecification.Count == 0)
{
this.mergedSupportingTokenAuthenticatorsMap = null;
}
else
{
TimeoutHelper helper = new TimeoutHelper(timeout);
this.expectSupportingTokens = true;
this.mergedSupportingTokenAuthenticatorsMap = new Dictionary <string, MergedSupportingTokenAuthenticatorSpecification>();
foreach (string str in this.scopedSupportingTokenAuthenticatorSpecification.Keys)
{
ICollection <SupportingTokenAuthenticatorSpecification> is2 = this.scopedSupportingTokenAuthenticatorSpecification[str];
if ((is2 != null) && (is2.Count != 0))
{
Collection <SupportingTokenAuthenticatorSpecification> supportingTokenAuthenticators = new Collection <SupportingTokenAuthenticatorSpecification>();
bool expectChannelSignedTokens = this.expectChannelSignedTokens;
bool expectChannelBasicTokens = this.expectChannelBasicTokens;
bool expectChannelEndorsingTokens = this.expectChannelEndorsingTokens;
foreach (SupportingTokenAuthenticatorSpecification specification in this.channelSupportingTokenAuthenticatorSpecification)
{
supportingTokenAuthenticators.Add(specification);
}
foreach (SupportingTokenAuthenticatorSpecification specification2 in is2)
{
System.ServiceModel.Security.SecurityUtils.OpenTokenAuthenticatorIfRequired(specification2.TokenAuthenticator, helper.RemainingTime());
supportingTokenAuthenticators.Add(specification2);
if (((specification2.SecurityTokenAttachmentMode == SecurityTokenAttachmentMode.Endorsing) || (specification2.SecurityTokenAttachmentMode == SecurityTokenAttachmentMode.SignedEndorsing)) && (specification2.TokenParameters.RequireDerivedKeys && !specification2.TokenParameters.HasAsymmetricKey))
{
this.expectKeyDerivation = true;
}
SecurityTokenAttachmentMode securityTokenAttachmentMode = specification2.SecurityTokenAttachmentMode;
switch (securityTokenAttachmentMode)
{
case SecurityTokenAttachmentMode.SignedEncrypted:
case SecurityTokenAttachmentMode.Signed:
case SecurityTokenAttachmentMode.SignedEndorsing:
expectChannelSignedTokens = true;
if (securityTokenAttachmentMode == SecurityTokenAttachmentMode.SignedEncrypted)
{
expectChannelBasicTokens = true;
}
break;
}
if ((securityTokenAttachmentMode == SecurityTokenAttachmentMode.Endorsing) || (securityTokenAttachmentMode == SecurityTokenAttachmentMode.SignedEndorsing))
{
expectChannelEndorsingTokens = true;
}
}
this.VerifyTypeUniqueness(supportingTokenAuthenticators);
MergedSupportingTokenAuthenticatorSpecification specification3 = new MergedSupportingTokenAuthenticatorSpecification {
SupportingTokenAuthenticators = supportingTokenAuthenticators,
ExpectBasicTokens = expectChannelBasicTokens,
ExpectEndorsingTokens = expectChannelEndorsingTokens,
ExpectSignedTokens = expectChannelSignedTokens
};
this.mergedSupportingTokenAuthenticatorsMap.Add(str, specification3);
}
}
}
}
private void MergeSupportingTokenAuthenticators(TimeSpan timeout)
{
if (_scopedSupportingTokenAuthenticatorSpecification.Count == 0)
{
_mergedSupportingTokenAuthenticatorsMap = null;
}
else
{
TimeoutHelper timeoutHelper = new TimeoutHelper(timeout);
_expectSupportingTokens = true;
_mergedSupportingTokenAuthenticatorsMap = new Dictionary <string, MergedSupportingTokenAuthenticatorSpecification>();
foreach (string action in _scopedSupportingTokenAuthenticatorSpecification.Keys)
{
ICollection <SupportingTokenAuthenticatorSpecification> scopedAuthenticators = _scopedSupportingTokenAuthenticatorSpecification[action];
if (scopedAuthenticators == null || scopedAuthenticators.Count == 0)
{
continue;
}
Collection <SupportingTokenAuthenticatorSpecification> mergedAuthenticators = new Collection <SupportingTokenAuthenticatorSpecification>();
bool expectSignedTokens = _expectChannelSignedTokens;
bool expectBasicTokens = _expectChannelBasicTokens;
bool expectEndorsingTokens = _expectChannelEndorsingTokens;
foreach (SupportingTokenAuthenticatorSpecification spec in _channelSupportingTokenAuthenticatorSpecification)
{
mergedAuthenticators.Add(spec);
}
foreach (SupportingTokenAuthenticatorSpecification spec in scopedAuthenticators)
{
SecurityUtils.OpenTokenAuthenticatorIfRequired(spec.TokenAuthenticator, timeoutHelper.RemainingTime());
mergedAuthenticators.Add(spec);
if (spec.SecurityTokenAttachmentMode == SecurityTokenAttachmentMode.Endorsing ||
spec.SecurityTokenAttachmentMode == SecurityTokenAttachmentMode.SignedEndorsing)
{
if (spec.TokenParameters.RequireDerivedKeys && !spec.TokenParameters.HasAsymmetricKey)
{
_expectKeyDerivation = true;
}
}
SecurityTokenAttachmentMode mode = spec.SecurityTokenAttachmentMode;
if (mode == SecurityTokenAttachmentMode.SignedEncrypted ||
mode == SecurityTokenAttachmentMode.Signed ||
mode == SecurityTokenAttachmentMode.SignedEndorsing)
{
expectSignedTokens = true;
if (mode == SecurityTokenAttachmentMode.SignedEncrypted)
{
expectBasicTokens = true;
}
}
if (mode == SecurityTokenAttachmentMode.Endorsing || mode == SecurityTokenAttachmentMode.SignedEndorsing)
{
expectEndorsingTokens = true;
}
}
VerifyTypeUniqueness(mergedAuthenticators);
MergedSupportingTokenAuthenticatorSpecification mergedSpec = new MergedSupportingTokenAuthenticatorSpecification();
mergedSpec.SupportingTokenAuthenticators = mergedAuthenticators;
mergedSpec.ExpectBasicTokens = expectBasicTokens;
mergedSpec.ExpectEndorsingTokens = expectEndorsingTokens;
mergedSpec.ExpectSignedTokens = expectSignedTokens;
_mergedSupportingTokenAuthenticatorsMap.Add(action, mergedSpec);
}
}
}
public virtual void OnOpen(TimeSpan timeout)
{
if (this.SecurityBindingElement == null)
{
this.OnPropertySettingsError("SecurityBindingElement", true);
}
if (this.SecurityTokenManager == null)
{
this.OnPropertySettingsError("SecurityTokenManager", true);
}
this.messageSecurityVersion = this.standardsManager.MessageSecurityVersion;
TimeoutHelper helper = new TimeoutHelper(timeout);
this.expectOutgoingMessages = this.ActAsInitiator || this.SupportsRequestReply;
this.expectIncomingMessages = !this.ActAsInitiator || this.SupportsRequestReply;
if (!this.actAsInitiator)
{
this.AddSupportingTokenAuthenticators(this.securityBindingElement.EndpointSupportingTokenParameters, false, (IList <SupportingTokenAuthenticatorSpecification>) this.channelSupportingTokenAuthenticatorSpecification);
this.AddSupportingTokenAuthenticators(this.securityBindingElement.OptionalEndpointSupportingTokenParameters, true, (IList <SupportingTokenAuthenticatorSpecification>) this.channelSupportingTokenAuthenticatorSpecification);
foreach (string str in this.securityBindingElement.OperationSupportingTokenParameters.Keys)
{
Collection <SupportingTokenAuthenticatorSpecification> authenticatorSpecList = new Collection <SupportingTokenAuthenticatorSpecification>();
this.AddSupportingTokenAuthenticators(this.securityBindingElement.OperationSupportingTokenParameters[str], false, authenticatorSpecList);
this.scopedSupportingTokenAuthenticatorSpecification.Add(str, authenticatorSpecList);
}
foreach (string str2 in this.securityBindingElement.OptionalOperationSupportingTokenParameters.Keys)
{
Collection <SupportingTokenAuthenticatorSpecification> collection2;
ICollection <SupportingTokenAuthenticatorSpecification> is2;
if (this.scopedSupportingTokenAuthenticatorSpecification.TryGetValue(str2, out is2))
{
collection2 = (Collection <SupportingTokenAuthenticatorSpecification>)is2;
}
else
{
collection2 = new Collection <SupportingTokenAuthenticatorSpecification>();
this.scopedSupportingTokenAuthenticatorSpecification.Add(str2, collection2);
}
this.AddSupportingTokenAuthenticators(this.securityBindingElement.OptionalOperationSupportingTokenParameters[str2], true, collection2);
}
if (!this.channelSupportingTokenAuthenticatorSpecification.IsReadOnly)
{
if (this.channelSupportingTokenAuthenticatorSpecification.Count == 0)
{
this.channelSupportingTokenAuthenticatorSpecification = EmptyTokenAuthenticators;
}
else
{
this.expectSupportingTokens = true;
foreach (SupportingTokenAuthenticatorSpecification specification in this.channelSupportingTokenAuthenticatorSpecification)
{
System.ServiceModel.Security.SecurityUtils.OpenTokenAuthenticatorIfRequired(specification.TokenAuthenticator, helper.RemainingTime());
if (((specification.SecurityTokenAttachmentMode == SecurityTokenAttachmentMode.Endorsing) || (specification.SecurityTokenAttachmentMode == SecurityTokenAttachmentMode.SignedEndorsing)) && (specification.TokenParameters.RequireDerivedKeys && !specification.TokenParameters.HasAsymmetricKey))
{
this.expectKeyDerivation = true;
}
SecurityTokenAttachmentMode securityTokenAttachmentMode = specification.SecurityTokenAttachmentMode;
switch (securityTokenAttachmentMode)
{
case SecurityTokenAttachmentMode.SignedEncrypted:
case SecurityTokenAttachmentMode.Signed:
case SecurityTokenAttachmentMode.SignedEndorsing:
this.expectChannelSignedTokens = true;
if (securityTokenAttachmentMode == SecurityTokenAttachmentMode.SignedEncrypted)
{
this.expectChannelBasicTokens = true;
}
break;
}
if ((securityTokenAttachmentMode == SecurityTokenAttachmentMode.Endorsing) || (securityTokenAttachmentMode == SecurityTokenAttachmentMode.SignedEndorsing))
{
this.expectChannelEndorsingTokens = true;
}
}
this.channelSupportingTokenAuthenticatorSpecification = new ReadOnlyCollection <SupportingTokenAuthenticatorSpecification>((Collection <SupportingTokenAuthenticatorSpecification>) this.channelSupportingTokenAuthenticatorSpecification);
}
}
this.VerifyTypeUniqueness(this.channelSupportingTokenAuthenticatorSpecification);
this.MergeSupportingTokenAuthenticators(helper.RemainingTime());
}
if (this.DetectReplays)
{
if (!this.SupportsReplayDetection)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgument("DetectReplays", System.ServiceModel.SR.GetString("SecurityProtocolCannotDoReplayDetection", new object[] { this }));
}
if ((this.MaxClockSkew == TimeSpan.MaxValue) || (this.ReplayWindow == TimeSpan.MaxValue))
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new InvalidOperationException(System.ServiceModel.SR.GetString("NoncesCachedInfinitely")));
}
this.nonceCache = new System.ServiceModel.Security.NonceCache((this.ReplayWindow + this.MaxClockSkew) + this.MaxClockSkew, this.MaxCachedNonces);
}
this.derivedKeyTokenAuthenticator = new NonValidatingSecurityTokenAuthenticator <DerivedKeySecurityToken>();
}
public virtual void OnOpen(TimeSpan timeout)
{
if (this.SecurityBindingElement == null)
{
this.OnPropertySettingsError("SecurityBindingElement", true);
}
if (this.SecurityTokenManager == null)
{
this.OnPropertySettingsError("SecurityTokenManager", true);
}
_messageSecurityVersion = _standardsManager.MessageSecurityVersion;
TimeoutHelper timeoutHelper = new TimeoutHelper(timeout);
_expectOutgoingMessages = this.ActAsInitiator || this.SupportsRequestReply;
_expectIncomingMessages = !this.ActAsInitiator || this.SupportsRequestReply;
if (!_actAsInitiator)
{
AddSupportingTokenAuthenticators(_securityBindingElement.EndpointSupportingTokenParameters, false, (IList <SupportingTokenAuthenticatorSpecification>)_channelSupportingTokenAuthenticatorSpecification);
// validate the token authenticator types and create a merged map if needed.
if (!_channelSupportingTokenAuthenticatorSpecification.IsReadOnly)
{
if (_channelSupportingTokenAuthenticatorSpecification.Count == 0)
{
_channelSupportingTokenAuthenticatorSpecification = EmptyTokenAuthenticators;
}
else
{
_expectSupportingTokens = true;
foreach (SupportingTokenAuthenticatorSpecification tokenAuthenticatorSpec in _channelSupportingTokenAuthenticatorSpecification)
{
SecurityUtils.OpenTokenAuthenticatorIfRequired(tokenAuthenticatorSpec.TokenAuthenticator, timeoutHelper.RemainingTime());
if (tokenAuthenticatorSpec.SecurityTokenAttachmentMode == SecurityTokenAttachmentMode.Endorsing ||
tokenAuthenticatorSpec.SecurityTokenAttachmentMode == SecurityTokenAttachmentMode.SignedEndorsing)
{
if (tokenAuthenticatorSpec.TokenParameters.RequireDerivedKeys && !tokenAuthenticatorSpec.TokenParameters.HasAsymmetricKey)
{
_expectKeyDerivation = true;
}
}
SecurityTokenAttachmentMode mode = tokenAuthenticatorSpec.SecurityTokenAttachmentMode;
if (mode == SecurityTokenAttachmentMode.SignedEncrypted ||
mode == SecurityTokenAttachmentMode.Signed ||
mode == SecurityTokenAttachmentMode.SignedEndorsing)
{
_expectChannelSignedTokens = true;
if (mode == SecurityTokenAttachmentMode.SignedEncrypted)
{
_expectChannelBasicTokens = true;
}
}
if (mode == SecurityTokenAttachmentMode.Endorsing || mode == SecurityTokenAttachmentMode.SignedEndorsing)
{
_expectChannelEndorsingTokens = true;
}
}
_channelSupportingTokenAuthenticatorSpecification =
new ReadOnlyCollection <SupportingTokenAuthenticatorSpecification>((Collection <SupportingTokenAuthenticatorSpecification>)_channelSupportingTokenAuthenticatorSpecification);
}
}
VerifyTypeUniqueness(_channelSupportingTokenAuthenticatorSpecification);
MergeSupportingTokenAuthenticators(timeoutHelper.RemainingTime());
}
if (this.DetectReplays)
{
if (!this.SupportsReplayDetection)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgument("DetectReplays", SR.Format(SR.SecurityProtocolCannotDoReplayDetection, this));
}
if (this.MaxClockSkew == TimeSpan.MaxValue || this.ReplayWindow == TimeSpan.MaxValue)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new InvalidOperationException(SR.NoncesCachedInfinitely));
}
// If DetectReplays is true and nonceCache is null then use the default InMemoryNonceCache.
if (_nonceCache == null)
{
// The nonce needs to be cached for replayWindow + 2*clockSkew to eliminate replays
_nonceCache = new InMemoryNonceCache(this.ReplayWindow + this.MaxClockSkew + this.MaxClockSkew, this.MaxCachedNonces);
}
}
_derivedKeyTokenAuthenticator = new NonValidatingSecurityTokenAuthenticator <DerivedKeySecurityToken>();
}
public virtual Task OnOpenAsync(TimeSpan timeout)
{
if (this.SecurityBindingElement == null)
{
this.OnPropertySettingsError("SecurityBindingElement", true);
}
if (this.SecurityTokenManager == null)
{
this.OnPropertySettingsError("SecurityTokenManager", true);
}
this.messageSecurityVersion = this.standardsManager.MessageSecurityVersion;
TimeoutHelper timeoutHelper = new TimeoutHelper(timeout);
this.expectOutgoingMessages = this.ActAsInitiator || this.SupportsRequestReply;
this.expectIncomingMessages = !this.ActAsInitiator || this.SupportsRequestReply;
if (!this.actAsInitiator)
{
AddSupportingTokenAuthenticators(this.securityBindingElement.EndpointSupportingTokenParameters, false, (IList <SupportingTokenAuthenticatorSpecification>) this.channelSupportingTokenAuthenticatorSpecification);
AddSupportingTokenAuthenticators(this.securityBindingElement.OptionalEndpointSupportingTokenParameters, true, (IList <SupportingTokenAuthenticatorSpecification>) this.channelSupportingTokenAuthenticatorSpecification);
foreach (string action in this.securityBindingElement.OperationSupportingTokenParameters.Keys)
{
Collection <SupportingTokenAuthenticatorSpecification> authenticatorSpecList = new Collection <SupportingTokenAuthenticatorSpecification>();
AddSupportingTokenAuthenticators(this.securityBindingElement.OperationSupportingTokenParameters[action], false, authenticatorSpecList);
this.scopedSupportingTokenAuthenticatorSpecification.Add(action, authenticatorSpecList);
}
foreach (string action in this.securityBindingElement.OptionalOperationSupportingTokenParameters.Keys)
{
Collection <SupportingTokenAuthenticatorSpecification> authenticatorSpecList;
ICollection <SupportingTokenAuthenticatorSpecification> existingList;
if (this.scopedSupportingTokenAuthenticatorSpecification.TryGetValue(action, out existingList))
{
authenticatorSpecList = ((Collection <SupportingTokenAuthenticatorSpecification>)existingList);
}
else
{
authenticatorSpecList = new Collection <SupportingTokenAuthenticatorSpecification>();
this.scopedSupportingTokenAuthenticatorSpecification.Add(action, authenticatorSpecList);
}
this.AddSupportingTokenAuthenticators(this.securityBindingElement.OptionalOperationSupportingTokenParameters[action], true, authenticatorSpecList);
}
// validate the token authenticator types and create a merged map if needed.
if (!this.channelSupportingTokenAuthenticatorSpecification.IsReadOnly)
{
if (this.channelSupportingTokenAuthenticatorSpecification.Count == 0)
{
this.channelSupportingTokenAuthenticatorSpecification = EmptyTokenAuthenticators;
}
else
{
this.expectSupportingTokens = true;
foreach (SupportingTokenAuthenticatorSpecification tokenAuthenticatorSpec in this.channelSupportingTokenAuthenticatorSpecification)
{
SecurityUtils.OpenTokenAuthenticatorIfRequiredAsync(tokenAuthenticatorSpec.TokenAuthenticator, timeoutHelper.GetCancellationToken());
if (tokenAuthenticatorSpec.SecurityTokenAttachmentMode == SecurityTokenAttachmentMode.Endorsing ||
tokenAuthenticatorSpec.SecurityTokenAttachmentMode == SecurityTokenAttachmentMode.SignedEndorsing)
{
if (tokenAuthenticatorSpec.TokenParameters.RequireDerivedKeys && !tokenAuthenticatorSpec.TokenParameters.HasAsymmetricKey)
{
expectKeyDerivation = true;
}
}
SecurityTokenAttachmentMode mode = tokenAuthenticatorSpec.SecurityTokenAttachmentMode;
if (mode == SecurityTokenAttachmentMode.SignedEncrypted ||
mode == SecurityTokenAttachmentMode.Signed ||
mode == SecurityTokenAttachmentMode.SignedEndorsing)
{
this.expectChannelSignedTokens = true;
if (mode == SecurityTokenAttachmentMode.SignedEncrypted)
{
this.expectChannelBasicTokens = true;
}
}
if (mode == SecurityTokenAttachmentMode.Endorsing || mode == SecurityTokenAttachmentMode.SignedEndorsing)
{
this.expectChannelEndorsingTokens = true;
}
}
this.channelSupportingTokenAuthenticatorSpecification =
new ReadOnlyCollection <SupportingTokenAuthenticatorSpecification>((Collection <SupportingTokenAuthenticatorSpecification>) this.channelSupportingTokenAuthenticatorSpecification);
}
}
VerifyTypeUniqueness(this.channelSupportingTokenAuthenticatorSpecification);
MergeSupportingTokenAuthenticators(timeoutHelper.RemainingTime());
}
if (this.DetectReplays)
{
if (!this.SupportsReplayDetection)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgument("DetectReplays", SR.Format(SR.SecurityProtocolCannotDoReplayDetection, this));
}
if (this.MaxClockSkew == TimeSpan.MaxValue || this.ReplayWindow == TimeSpan.MaxValue)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new InvalidOperationException(SR.NoncesCachedInfinitely));
}
// If DetectReplays is true and nonceCache is null then use the default InMemoryNonceCache.
if (this.nonceCache == null)
{
//TODO below (InMemoryNonceCache) is coming along with WindowsAuth, so uncomment
// The nonce needs to be cached for replayWindow + 2*clockSkew to eliminate replays
// this.nonceCache = new InMemoryNonceCache(this.ReplayWindow + this.MaxClockSkew + this.MaxClockSkew, this.MaxCachedNonces);
}
}
//this.derivedKeyTokenAuthenticator = new NonValidatingSecurityTokenAuthenticator<DerivedKeySecurityToken>();
return(Task.CompletedTask);
}
