SecurityTokenAuthenticator CreateTlsnegoSecurityTokenAuthenticator(RecipientServiceModelSecurityTokenRequirement recipientRequirement, bool requireClientCertificate, out SecurityTokenResolver sctResolver) { SecurityBindingElement securityBindingElement = recipientRequirement.SecurityBindingElement; if (securityBindingElement == null) { throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgument(SR.GetString(SR.TokenAuthenticatorRequiresSecurityBindingElement, recipientRequirement)); } bool isCookieMode = !recipientRequirement.SupportSecurityContextCancellation; LocalServiceSecuritySettings localServiceSettings = securityBindingElement.LocalServiceSettings; sctResolver = new SecurityContextSecurityTokenResolver(localServiceSettings.MaxCachedCookies, true); TlsnegoTokenAuthenticator authenticator = new TlsnegoTokenAuthenticator(); authenticator.IsClientAnonymous = !requireClientCertificate; if (requireClientCertificate) { authenticator.ClientTokenAuthenticator = this.CreateTlsnegoClientX509TokenAuthenticator(recipientRequirement); authenticator.MapCertificateToWindowsAccount = this.ServiceCredentials.ClientCertificate.Authentication.MapClientCertificateToWindowsAccount; } authenticator.EncryptStateInServiceToken = isCookieMode; authenticator.IssuedSecurityTokenParameters = recipientRequirement.GetProperty <SecurityTokenParameters>(ServiceModelSecurityTokenRequirement.IssuedSecurityTokenParametersProperty); authenticator.IssuedTokenCache = (ISecurityContextSecurityTokenCache)sctResolver; authenticator.IssuerBindingContext = recipientRequirement.GetProperty <BindingContext>(ServiceModelSecurityTokenRequirement.IssuerBindingContextProperty); authenticator.ListenUri = recipientRequirement.ListenUri; authenticator.SecurityAlgorithmSuite = recipientRequirement.SecurityAlgorithmSuite; authenticator.StandardsManager = SecurityUtils.CreateSecurityStandardsManager(recipientRequirement, this); authenticator.SecurityStateEncoder = parent.SecureConversationAuthentication.SecurityStateEncoder; authenticator.KnownTypes = parent.SecureConversationAuthentication.SecurityContextClaimTypes; authenticator.ServerTokenProvider = CreateTlsnegoServerX509TokenProvider(recipientRequirement); // local security quotas authenticator.MaximumCachedNegotiationState = localServiceSettings.MaxStatefulNegotiations; authenticator.NegotiationTimeout = localServiceSettings.NegotiationTimeout; authenticator.ServiceTokenLifetime = localServiceSettings.IssuedCookieLifetime; authenticator.MaximumConcurrentNegotiations = localServiceSettings.MaxStatefulNegotiations; // if the TLSNEGO is being done in mixed-mode, the nego blobs are from an anonymous client and so there size bound needs to be enforced. if (securityBindingElement is TransportSecurityBindingElement) { authenticator.MaxMessageSize = SecurityUtils.GetMaxNegotiationBufferSize(authenticator.IssuerBindingContext); } // audit settings authenticator.AuditLogLocation = recipientRequirement.AuditLogLocation; authenticator.SuppressAuditFailure = recipientRequirement.SuppressAuditFailure; authenticator.MessageAuthenticationAuditLevel = recipientRequirement.MessageAuthenticationAuditLevel; return(authenticator); }
private SecurityTokenAuthenticator CreateTlsnegoSecurityTokenAuthenticator(RecipientServiceModelSecurityTokenRequirement recipientRequirement, bool requireClientCertificate, out SecurityTokenResolver sctResolver) { SecurityBindingElement securityBindingElement = recipientRequirement.SecurityBindingElement; if (securityBindingElement == null) { throw System.ServiceModel.DiagnosticUtility.ExceptionUtility.ThrowHelperArgument(System.ServiceModel.SR.GetString("TokenAuthenticatorRequiresSecurityBindingElement", new object[] { recipientRequirement })); } bool flag = !recipientRequirement.SupportSecurityContextCancellation; LocalServiceSecuritySettings localServiceSettings = securityBindingElement.LocalServiceSettings; sctResolver = new SecurityContextSecurityTokenResolver(localServiceSettings.MaxCachedCookies, true); TlsnegoTokenAuthenticator authenticator = new TlsnegoTokenAuthenticator { IsClientAnonymous = !requireClientCertificate }; if (requireClientCertificate) { authenticator.ClientTokenAuthenticator = this.CreateTlsnegoClientX509TokenAuthenticator(recipientRequirement); authenticator.MapCertificateToWindowsAccount = this.ServiceCredentials.ClientCertificate.Authentication.MapClientCertificateToWindowsAccount; } authenticator.EncryptStateInServiceToken = flag; authenticator.IssuedSecurityTokenParameters = recipientRequirement.GetProperty <SecurityTokenParameters>(ServiceModelSecurityTokenRequirement.IssuedSecurityTokenParametersProperty); authenticator.IssuedTokenCache = (ISecurityContextSecurityTokenCache)sctResolver; authenticator.IssuerBindingContext = recipientRequirement.GetProperty <BindingContext>(ServiceModelSecurityTokenRequirement.IssuerBindingContextProperty); authenticator.ListenUri = recipientRequirement.ListenUri; authenticator.SecurityAlgorithmSuite = recipientRequirement.SecurityAlgorithmSuite; authenticator.StandardsManager = System.ServiceModel.Security.SecurityUtils.CreateSecurityStandardsManager(recipientRequirement, this); authenticator.SecurityStateEncoder = this.parent.SecureConversationAuthentication.SecurityStateEncoder; authenticator.KnownTypes = this.parent.SecureConversationAuthentication.SecurityContextClaimTypes; authenticator.ServerTokenProvider = this.CreateTlsnegoServerX509TokenProvider(recipientRequirement); authenticator.MaximumCachedNegotiationState = localServiceSettings.MaxStatefulNegotiations; authenticator.NegotiationTimeout = localServiceSettings.NegotiationTimeout; authenticator.ServiceTokenLifetime = localServiceSettings.IssuedCookieLifetime; authenticator.MaximumConcurrentNegotiations = localServiceSettings.MaxStatefulNegotiations; if (securityBindingElement is TransportSecurityBindingElement) { authenticator.MaxMessageSize = System.ServiceModel.Security.SecurityUtils.GetMaxNegotiationBufferSize(authenticator.IssuerBindingContext); } authenticator.AuditLogLocation = recipientRequirement.AuditLogLocation; authenticator.SuppressAuditFailure = recipientRequirement.SuppressAuditFailure; authenticator.MessageAuthenticationAuditLevel = recipientRequirement.MessageAuthenticationAuditLevel; return(authenticator); }
private SecurityTokenAuthenticator CreateTlsnegoSecurityTokenAuthenticator(RecipientServiceModelSecurityTokenRequirement recipientRequirement, bool requireClientCertificate, out SecurityTokenResolver sctResolver) { SecurityBindingElement securityBindingElement = recipientRequirement.SecurityBindingElement; if (securityBindingElement == null) { throw System.ServiceModel.DiagnosticUtility.ExceptionUtility.ThrowHelperArgument(System.ServiceModel.SR.GetString("TokenAuthenticatorRequiresSecurityBindingElement", new object[] { recipientRequirement })); } bool flag = !recipientRequirement.SupportSecurityContextCancellation; LocalServiceSecuritySettings localServiceSettings = securityBindingElement.LocalServiceSettings; sctResolver = new SecurityContextSecurityTokenResolver(localServiceSettings.MaxCachedCookies, true); TlsnegoTokenAuthenticator authenticator = new TlsnegoTokenAuthenticator { IsClientAnonymous = !requireClientCertificate }; if (requireClientCertificate) { authenticator.ClientTokenAuthenticator = this.CreateTlsnegoClientX509TokenAuthenticator(recipientRequirement); authenticator.MapCertificateToWindowsAccount = this.ServiceCredentials.ClientCertificate.Authentication.MapClientCertificateToWindowsAccount; } authenticator.EncryptStateInServiceToken = flag; authenticator.IssuedSecurityTokenParameters = recipientRequirement.GetProperty<SecurityTokenParameters>(ServiceModelSecurityTokenRequirement.IssuedSecurityTokenParametersProperty); authenticator.IssuedTokenCache = (ISecurityContextSecurityTokenCache) sctResolver; authenticator.IssuerBindingContext = recipientRequirement.GetProperty<BindingContext>(ServiceModelSecurityTokenRequirement.IssuerBindingContextProperty); authenticator.ListenUri = recipientRequirement.ListenUri; authenticator.SecurityAlgorithmSuite = recipientRequirement.SecurityAlgorithmSuite; authenticator.StandardsManager = System.ServiceModel.Security.SecurityUtils.CreateSecurityStandardsManager(recipientRequirement, this); authenticator.SecurityStateEncoder = this.parent.SecureConversationAuthentication.SecurityStateEncoder; authenticator.KnownTypes = this.parent.SecureConversationAuthentication.SecurityContextClaimTypes; authenticator.ServerTokenProvider = this.CreateTlsnegoServerX509TokenProvider(recipientRequirement); authenticator.MaximumCachedNegotiationState = localServiceSettings.MaxStatefulNegotiations; authenticator.NegotiationTimeout = localServiceSettings.NegotiationTimeout; authenticator.ServiceTokenLifetime = localServiceSettings.IssuedCookieLifetime; authenticator.MaximumConcurrentNegotiations = localServiceSettings.MaxStatefulNegotiations; if (securityBindingElement is TransportSecurityBindingElement) { authenticator.MaxMessageSize = System.ServiceModel.Security.SecurityUtils.GetMaxNegotiationBufferSize(authenticator.IssuerBindingContext); } authenticator.AuditLogLocation = recipientRequirement.AuditLogLocation; authenticator.SuppressAuditFailure = recipientRequirement.SuppressAuditFailure; authenticator.MessageAuthenticationAuditLevel = recipientRequirement.MessageAuthenticationAuditLevel; return authenticator; }
SecurityTokenAuthenticator CreateTlsnegoSecurityTokenAuthenticator(RecipientServiceModelSecurityTokenRequirement recipientRequirement, bool requireClientCertificate, out SecurityTokenResolver sctResolver) { SecurityBindingElement securityBindingElement = recipientRequirement.SecurityBindingElement; if (securityBindingElement == null) { throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgument(SR.GetString(SR.TokenAuthenticatorRequiresSecurityBindingElement, recipientRequirement)); } bool isCookieMode = !recipientRequirement.SupportSecurityContextCancellation; LocalServiceSecuritySettings localServiceSettings = securityBindingElement.LocalServiceSettings; sctResolver = new SecurityContextSecurityTokenResolver(localServiceSettings.MaxCachedCookies, true); TlsnegoTokenAuthenticator authenticator = new TlsnegoTokenAuthenticator(); authenticator.IsClientAnonymous = !requireClientCertificate; if (requireClientCertificate) { authenticator.ClientTokenAuthenticator = this.CreateTlsnegoClientX509TokenAuthenticator(recipientRequirement); authenticator.MapCertificateToWindowsAccount = this.ServiceCredentials.ClientCertificate.Authentication.MapClientCertificateToWindowsAccount; } authenticator.EncryptStateInServiceToken = isCookieMode; authenticator.IssuedSecurityTokenParameters = recipientRequirement.GetProperty<SecurityTokenParameters>(ServiceModelSecurityTokenRequirement.IssuedSecurityTokenParametersProperty); authenticator.IssuedTokenCache = (ISecurityContextSecurityTokenCache)sctResolver; authenticator.IssuerBindingContext = recipientRequirement.GetProperty<BindingContext>(ServiceModelSecurityTokenRequirement.IssuerBindingContextProperty); authenticator.ListenUri = recipientRequirement.ListenUri; authenticator.SecurityAlgorithmSuite = recipientRequirement.SecurityAlgorithmSuite; authenticator.StandardsManager = SecurityUtils.CreateSecurityStandardsManager(recipientRequirement, this); authenticator.SecurityStateEncoder = parent.SecureConversationAuthentication.SecurityStateEncoder; authenticator.KnownTypes = parent.SecureConversationAuthentication.SecurityContextClaimTypes; authenticator.ServerTokenProvider = CreateTlsnegoServerX509TokenProvider(recipientRequirement); // local security quotas authenticator.MaximumCachedNegotiationState = localServiceSettings.MaxStatefulNegotiations; authenticator.NegotiationTimeout = localServiceSettings.NegotiationTimeout; authenticator.ServiceTokenLifetime = localServiceSettings.IssuedCookieLifetime; authenticator.MaximumConcurrentNegotiations = localServiceSettings.MaxStatefulNegotiations; // if the TLSNEGO is being done in mixed-mode, the nego blobs are from an anonymous client and so there size bound needs to be enforced. if (securityBindingElement is TransportSecurityBindingElement) { authenticator.MaxMessageSize = SecurityUtils.GetMaxNegotiationBufferSize(authenticator.IssuerBindingContext); } // audit settings authenticator.AuditLogLocation = recipientRequirement.AuditLogLocation; authenticator.SuppressAuditFailure = recipientRequirement.SuppressAuditFailure; authenticator.MessageAuthenticationAuditLevel = recipientRequirement.MessageAuthenticationAuditLevel; return authenticator; }