public void Validation () { RSA rsa = (RSA) new X509Certificate2 ("Test/Resources/test.cer").PublicKey.Key; Authenticator a = new Authenticator (); PolicyCollection pl = a.ValidateToken (new RsaSecurityToken (rsa)); Assert.AreEqual (1, pl.Count, "#1"); IAuthorizationPolicy p = pl [0]; Assert.AreEqual (ClaimSet.System, p.Issuer, "#2"); TestEvaluationContext ec = new TestEvaluationContext (); object o = null; Assert.IsTrue (p.Evaluate (ec, ref o), "#3"); // mhm, should this really be converted to UTC? Assert.AreEqual (DateTime.MaxValue.AddDays (-1), ec.ExpirationTime, "#4"); Assert.AreEqual (0, ec.Properties.Count, "#5"); Assert.AreEqual (1, ec.ClaimSets.Count, "#6"); Assert.IsTrue (p.Evaluate (ec, ref o), "#7"); Assert.AreEqual (2, ec.ClaimSets.Count, "#8"); }
public void Validation() { RSA rsa = (RSA) new X509Certificate2("Test/Resources/test.cer").PublicKey.Key; Authenticator a = new Authenticator(); PolicyCollection pl = a.ValidateToken(new RsaSecurityToken(rsa)); Assert.AreEqual(1, pl.Count, "#1"); IAuthorizationPolicy p = pl [0]; Assert.AreEqual(ClaimSet.System, p.Issuer, "#2"); TestEvaluationContext ec = new TestEvaluationContext(); object o = null; Assert.IsTrue(p.Evaluate(ec, ref o), "#3"); // mhm, should this really be converted to UTC? Assert.AreEqual(DateTime.MaxValue.AddDays(-1), ec.ExpirationTime, "#4"); Assert.AreEqual(0, ec.Properties.Count, "#5"); Assert.AreEqual(1, ec.ClaimSets.Count, "#6"); Assert.IsTrue(p.Evaluate(ec, ref o), "#7"); Assert.AreEqual(2, ec.ClaimSets.Count, "#8"); }
public override SecurityTokenAuthenticator CreateSecurityTokenAuthenticator(SecurityTokenRequirement tokenRequirement, out SecurityTokenResolver outOfBandTokenResolver) { if (tokenRequirement == null) { throw System.ServiceModel.DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("tokenRequirement"); } string tokenType = tokenRequirement.TokenType; outOfBandTokenResolver = null; SecurityTokenAuthenticator authenticator = null; if (((tokenRequirement is InitiatorServiceModelSecurityTokenRequirement) && (tokenType == SecurityTokenTypes.X509Certificate)) && (tokenRequirement.KeyUsage == SecurityKeyUsage.Exchange)) { return new X509SecurityTokenAuthenticator(X509CertificateValidator.None, false); } RecipientServiceModelSecurityTokenRequirement recipientRequirement = tokenRequirement as RecipientServiceModelSecurityTokenRequirement; if (recipientRequirement == null) { throw System.ServiceModel.DiagnosticUtility.ExceptionUtility.ThrowHelperError(new NotSupportedException(System.ServiceModel.SR.GetString("SecurityTokenManagerCannotCreateAuthenticatorForRequirement", new object[] { tokenRequirement }))); } if (tokenType == SecurityTokenTypes.X509Certificate) { authenticator = this.CreateClientX509TokenAuthenticator(); } else if (tokenType == SecurityTokenTypes.Kerberos) { authenticator = new KerberosSecurityTokenAuthenticatorWrapper(new KerberosSecurityTokenAuthenticator(this.parent.WindowsAuthentication.IncludeWindowsGroups)); } else if (tokenType == SecurityTokenTypes.UserName) { if (this.parent.UserNameAuthentication.UserNamePasswordValidationMode == UserNamePasswordValidationMode.Windows) { if (this.parent.UserNameAuthentication.CacheLogonTokens) { authenticator = new WindowsUserNameCachingSecurityTokenAuthenticator(this.parent.UserNameAuthentication.IncludeWindowsGroups, this.parent.UserNameAuthentication.MaxCachedLogonTokens, this.parent.UserNameAuthentication.CachedLogonTokenLifetime); } else { authenticator = new WindowsUserNameSecurityTokenAuthenticator(this.parent.UserNameAuthentication.IncludeWindowsGroups); } } else { authenticator = new CustomUserNameSecurityTokenAuthenticator(this.parent.UserNameAuthentication.GetUserNamePasswordValidator()); } } else if (tokenType == SecurityTokenTypes.Rsa) { authenticator = new RsaSecurityTokenAuthenticator(); } else if (tokenType == ServiceModelSecurityTokenTypes.AnonymousSslnego) { authenticator = this.CreateTlsnegoSecurityTokenAuthenticator(recipientRequirement, false, out outOfBandTokenResolver); } else if (tokenType == ServiceModelSecurityTokenTypes.MutualSslnego) { authenticator = this.CreateTlsnegoSecurityTokenAuthenticator(recipientRequirement, true, out outOfBandTokenResolver); } else if (tokenType == ServiceModelSecurityTokenTypes.Spnego) { authenticator = this.CreateSpnegoSecurityTokenAuthenticator(recipientRequirement, out outOfBandTokenResolver); } else if (tokenType == ServiceModelSecurityTokenTypes.SecureConversation) { authenticator = this.CreateSecureConversationTokenAuthenticator(recipientRequirement, false, out outOfBandTokenResolver); } else if (((tokenType == SecurityTokenTypes.Saml) || (tokenType == "http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1")) || ((tokenType == "urn:oasis:names:tc:SAML:1.0:assertion") || ((tokenType == null) && this.IsIssuedSecurityTokenRequirement(recipientRequirement)))) { authenticator = this.CreateSamlTokenAuthenticator(recipientRequirement, out outOfBandTokenResolver); } if (authenticator == null) { throw System.ServiceModel.DiagnosticUtility.ExceptionUtility.ThrowHelperError(new NotSupportedException(System.ServiceModel.SR.GetString("SecurityTokenManagerCannotCreateAuthenticatorForRequirement", new object[] { tokenRequirement }))); } return authenticator; }
public override SecurityTokenAuthenticator CreateSecurityTokenAuthenticator(SecurityTokenRequirement tokenRequirement, out SecurityTokenResolver outOfBandTokenResolver) { if (tokenRequirement == null) { throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("tokenRequirement"); } string tokenType = tokenRequirement.TokenType; outOfBandTokenResolver = null; SecurityTokenAuthenticator result = null; if (tokenRequirement is InitiatorServiceModelSecurityTokenRequirement) { // this is the uncorrelated duplex case in which the server is asking for // an authenticator to validate its provisioned client certificate if (tokenType == SecurityTokenTypes.X509Certificate && tokenRequirement.KeyUsage == SecurityKeyUsage.Exchange) { return new X509SecurityTokenAuthenticator(X509CertificateValidator.None, false); } } RecipientServiceModelSecurityTokenRequirement recipientRequirement = tokenRequirement as RecipientServiceModelSecurityTokenRequirement; if (recipientRequirement == null) { throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new NotSupportedException(SR.GetString(SR.SecurityTokenManagerCannotCreateAuthenticatorForRequirement, tokenRequirement))); } if (tokenType == SecurityTokenTypes.X509Certificate) { result = CreateClientX509TokenAuthenticator(); } else if (tokenType == SecurityTokenTypes.Kerberos) { result = new KerberosSecurityTokenAuthenticatorWrapper( new KerberosSecurityTokenAuthenticator(parent.WindowsAuthentication.IncludeWindowsGroups)); } else if (tokenType == SecurityTokenTypes.UserName) { if (parent.UserNameAuthentication.UserNamePasswordValidationMode == UserNamePasswordValidationMode.Windows) { if (parent.UserNameAuthentication.CacheLogonTokens) { result = new WindowsUserNameCachingSecurityTokenAuthenticator(parent.UserNameAuthentication.IncludeWindowsGroups, parent.UserNameAuthentication.MaxCachedLogonTokens, parent.UserNameAuthentication.CachedLogonTokenLifetime); } else { result = new WindowsUserNameSecurityTokenAuthenticator(parent.UserNameAuthentication.IncludeWindowsGroups); } } else { result = new CustomUserNameSecurityTokenAuthenticator(parent.UserNameAuthentication.GetUserNamePasswordValidator()); } } else if (tokenType == SecurityTokenTypes.Rsa) { result = new RsaSecurityTokenAuthenticator(); } else if (tokenType == ServiceModelSecurityTokenTypes.AnonymousSslnego) { result = CreateTlsnegoSecurityTokenAuthenticator(recipientRequirement, false, out outOfBandTokenResolver); } else if (tokenType == ServiceModelSecurityTokenTypes.MutualSslnego) { result = CreateTlsnegoSecurityTokenAuthenticator(recipientRequirement, true, out outOfBandTokenResolver); } else if (tokenType == ServiceModelSecurityTokenTypes.Spnego) { result = CreateSpnegoSecurityTokenAuthenticator(recipientRequirement, out outOfBandTokenResolver); } else if (tokenType == ServiceModelSecurityTokenTypes.SecureConversation) { result = CreateSecureConversationTokenAuthenticator(recipientRequirement, false, out outOfBandTokenResolver); } else if ((tokenType == SecurityTokenTypes.Saml) || (tokenType == SecurityXXX2005Strings.SamlTokenType) || (tokenType == SecurityJan2004Strings.SamlUri) || (tokenType == null && IsIssuedSecurityTokenRequirement(recipientRequirement))) { result = CreateSamlTokenAuthenticator(recipientRequirement, out outOfBandTokenResolver); } if (result == null) throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new NotSupportedException(SR.GetString(SR.SecurityTokenManagerCannotCreateAuthenticatorForRequirement, tokenRequirement))); return result; }
public override SecurityTokenAuthenticator CreateSecurityTokenAuthenticator(SecurityTokenRequirement tokenRequirement, out SecurityTokenResolver outOfBandTokenResolver) { if (tokenRequirement == null) { throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("tokenRequirement"); } outOfBandTokenResolver = null; SecurityTokenAuthenticator result = null; InitiatorServiceModelSecurityTokenRequirement initiatorRequirement = tokenRequirement as InitiatorServiceModelSecurityTokenRequirement; if (initiatorRequirement != null) { string tokenType = initiatorRequirement.TokenType; if (IsIssuedSecurityTokenRequirement(initiatorRequirement)) { return new GenericXmlSecurityTokenAuthenticator(); } else if (tokenType == SecurityTokenTypes.X509Certificate) { if (initiatorRequirement.IsOutOfBandToken) { // when the client side soap security asks for a token authenticator, its for doing // identity checks on the out of band server certificate result = new X509SecurityTokenAuthenticator(X509CertificateValidator.None); } else if (initiatorRequirement.PreferSslCertificateAuthenticator) { result = CreateServerSslX509TokenAuthenticator(); } else { result = CreateServerX509TokenAuthenticator(); } } else if (tokenType == SecurityTokenTypes.Rsa) { result = new RsaSecurityTokenAuthenticator(); } else if (tokenType == SecurityTokenTypes.Kerberos) { result = new KerberosRequestorSecurityTokenAuthenticator(); } else if (tokenType == ServiceModelSecurityTokenTypes.SecureConversation || tokenType == ServiceModelSecurityTokenTypes.MutualSslnego || tokenType == ServiceModelSecurityTokenTypes.AnonymousSslnego || tokenType == ServiceModelSecurityTokenTypes.Spnego) { result = new GenericXmlSecurityTokenAuthenticator(); } } else if ((tokenRequirement is RecipientServiceModelSecurityTokenRequirement) && tokenRequirement.TokenType == SecurityTokenTypes.X509Certificate) { // uncorrelated duplex case result = CreateServerX509TokenAuthenticator(); } if (result == null) { throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new NotSupportedException(SR.GetString(SR.SecurityTokenManagerCannotCreateAuthenticatorForRequirement, tokenRequirement))); } return result; }
public override SecurityTokenAuthenticator CreateSecurityTokenAuthenticator(SecurityTokenRequirement tokenRequirement, out SecurityTokenResolver outOfBandTokenResolver) { if (tokenRequirement == null) { throw System.ServiceModel.DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("tokenRequirement"); } outOfBandTokenResolver = null; SecurityTokenAuthenticator authenticator = null; InitiatorServiceModelSecurityTokenRequirement requirement = tokenRequirement as InitiatorServiceModelSecurityTokenRequirement; if (requirement != null) { string tokenType = requirement.TokenType; if (this.IsIssuedSecurityTokenRequirement(requirement)) { return new GenericXmlSecurityTokenAuthenticator(); } if (tokenType == SecurityTokenTypes.X509Certificate) { if (requirement.IsOutOfBandToken) { authenticator = new X509SecurityTokenAuthenticator(X509CertificateValidator.None); } else { authenticator = this.CreateServerX509TokenAuthenticator(); } } else if (tokenType == SecurityTokenTypes.Rsa) { authenticator = new RsaSecurityTokenAuthenticator(); } else if (tokenType == SecurityTokenTypes.Kerberos) { authenticator = new KerberosRequestorSecurityTokenAuthenticator(); } else if (((tokenType == ServiceModelSecurityTokenTypes.SecureConversation) || (tokenType == ServiceModelSecurityTokenTypes.MutualSslnego)) || ((tokenType == ServiceModelSecurityTokenTypes.AnonymousSslnego) || (tokenType == ServiceModelSecurityTokenTypes.Spnego))) { authenticator = new GenericXmlSecurityTokenAuthenticator(); } } else if ((tokenRequirement is RecipientServiceModelSecurityTokenRequirement) && (tokenRequirement.TokenType == SecurityTokenTypes.X509Certificate)) { authenticator = this.CreateServerX509TokenAuthenticator(); } if (authenticator == null) { throw System.ServiceModel.DiagnosticUtility.ExceptionUtility.ThrowHelperError(new NotSupportedException(System.ServiceModel.SR.GetString("SecurityTokenManagerCannotCreateAuthenticatorForRequirement", new object[] { tokenRequirement }))); } return authenticator; }