public HttpsChannelListener(HttpsTransportBindingElement httpsBindingElement, BindingContext context) : base(httpsBindingElement, context)
        {
            this.requireClientCertificate = httpsBindingElement.RequireClientCertificate;
            SecurityCredentialsManager manager = context.BindingParameters.Find <SecurityCredentialsManager>();

            if (manager == null)
            {
                manager = ServiceCredentials.CreateDefaultCredentials();
            }
            SecurityTokenManager tokenManager = manager.CreateSecurityTokenManager();

            this.certificateAuthenticator = TransportSecurityHelpers.GetCertificateTokenAuthenticator(tokenManager, context.Binding.Scheme, TransportSecurityHelpers.GetListenUri(context.ListenUriBaseAddress, context.ListenUriRelativeAddress));
            ServiceCredentials credentials = manager as ServiceCredentials;

            if ((credentials != null) && (credentials.ClientCertificate.Authentication.CertificateValidationMode == X509CertificateValidationMode.Custom))
            {
                this.useCustomClientCertificateVerification = true;
            }
            else
            {
                this.useCustomClientCertificateVerification = false;
                X509SecurityTokenAuthenticator certificateAuthenticator = this.certificateAuthenticator as X509SecurityTokenAuthenticator;
                if (certificateAuthenticator != null)
                {
                    this.certificateAuthenticator = new X509SecurityTokenAuthenticator(X509CertificateValidator.None, certificateAuthenticator.MapCertificateToWindowsAccount, base.ExtractGroupsForWindowsAccounts, false);
                }
            }
            if (this.RequireClientCertificate && (base.AuthenticationScheme != AuthenticationSchemes.Anonymous))
            {
                throw DiagnosticUtility.ExceptionUtility.ThrowHelper(new InvalidOperationException(System.ServiceModel.SR.GetString("HttpAuthSchemeAndClientCert", new object[] { base.AuthenticationScheme })), TraceEventType.Error);
            }
            this.channelBindingProvider = new ChannelBindingProviderHelper();
        }
        public override SecurityTokenAuthenticator CreateSecurityTokenAuthenticator(SecurityTokenRequirement tokenRequirement, out SecurityTokenResolver outOfBandTokenResolver)
        {
            if (tokenRequirement == null)
            {
                throw System.ServiceModel.DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("tokenRequirement");
            }
            outOfBandTokenResolver = null;
            SecurityTokenAuthenticator authenticator = null;
            InitiatorServiceModelSecurityTokenRequirement requirement = tokenRequirement as InitiatorServiceModelSecurityTokenRequirement;

            if (requirement != null)
            {
                string tokenType = requirement.TokenType;
                if (this.IsIssuedSecurityTokenRequirement(requirement))
                {
                    return(new GenericXmlSecurityTokenAuthenticator());
                }
                if (tokenType == SecurityTokenTypes.X509Certificate)
                {
                    if (requirement.IsOutOfBandToken)
                    {
                        authenticator = new X509SecurityTokenAuthenticator(X509CertificateValidator.None);
                    }
                    else
                    {
                        authenticator = this.CreateServerX509TokenAuthenticator();
                    }
                }
                else if (tokenType == SecurityTokenTypes.Rsa)
                {
                    authenticator = new RsaSecurityTokenAuthenticator();
                }
                else if (tokenType == SecurityTokenTypes.Kerberos)
                {
                    authenticator = new KerberosRequestorSecurityTokenAuthenticator();
                }
                else if (((tokenType == ServiceModelSecurityTokenTypes.SecureConversation) || (tokenType == ServiceModelSecurityTokenTypes.MutualSslnego)) || ((tokenType == ServiceModelSecurityTokenTypes.AnonymousSslnego) || (tokenType == ServiceModelSecurityTokenTypes.Spnego)))
                {
                    authenticator = new GenericXmlSecurityTokenAuthenticator();
                }
            }
            else if ((tokenRequirement is RecipientServiceModelSecurityTokenRequirement) && (tokenRequirement.TokenType == SecurityTokenTypes.X509Certificate))
            {
                authenticator = this.CreateServerX509TokenAuthenticator();
            }
            if (authenticator == null)
            {
                throw System.ServiceModel.DiagnosticUtility.ExceptionUtility.ThrowHelperError(new NotSupportedException(System.ServiceModel.SR.GetString("SecurityTokenManagerCannotCreateAuthenticatorForRequirement", new object[] { tokenRequirement })));
            }
            return(authenticator);
        }
        public HttpsChannelListener(HttpsTransportBindingElement httpsBindingElement, BindingContext context)
            : base(httpsBindingElement, context)
        {
            this.requireClientCertificate        = httpsBindingElement.RequireClientCertificate;
            this.shouldValidateClientCertificate = ShouldValidateClientCertificate(this.requireClientCertificate, context);

            // Pick up the MapCertificateToWindowsAccount setting from the configured token authenticator.
            SecurityCredentialsManager credentialProvider =
                context.BindingParameters.Find <SecurityCredentialsManager>();

            if (credentialProvider == null)
            {
                credentialProvider = ServiceCredentials.CreateDefaultCredentials();
            }
            SecurityTokenManager tokenManager = credentialProvider.CreateSecurityTokenManager();

            this.certificateAuthenticator =
                TransportSecurityHelpers.GetCertificateTokenAuthenticator(tokenManager, context.Binding.Scheme,
                                                                          TransportSecurityHelpers.GetListenUri(context.ListenUriBaseAddress, context.ListenUriRelativeAddress));


            ServiceCredentials serviceCredentials = credentialProvider as ServiceCredentials;

            if (serviceCredentials != null &&
                serviceCredentials.ClientCertificate.Authentication.CertificateValidationMode == X509CertificateValidationMode.Custom)
            {
                useCustomClientCertificateVerification = true;
            }
            else
            {
                useCustomClientCertificateVerification = false;

                X509SecurityTokenAuthenticator authenticator = this.certificateAuthenticator as X509SecurityTokenAuthenticator;

                if (authenticator != null)
                {
                    this.certificateAuthenticator = new X509SecurityTokenAuthenticator(X509CertificateValidator.None,
                                                                                       authenticator.MapCertificateToWindowsAccount, this.ExtractGroupsForWindowsAccounts, false);
                }
            }

            if (this.RequireClientCertificate &&
                this.AuthenticationScheme.IsNotSet(AuthenticationSchemes.Anonymous))
            {
                throw DiagnosticUtility.ExceptionUtility.ThrowHelper(new InvalidOperationException(SR.GetString(
                                                                                                       SR.HttpAuthSchemeAndClientCert, this.AuthenticationScheme)), TraceEventType.Error);
            }

            this.channelBindingProvider = new ChannelBindingProviderHelper();
        }
Exemplo n.º 4
0
        void CreateSecurityProtocolFactory()
        {
            SecurityProtocolFactory       incomingProtocolFactory;
            SecurityProtocolFactory       outgoingProtocolFactory;
            ChannelProtectionRequirements protectionRequirements;

            lock (ThisLock)
            {
                if (null != securityProtocolFactory)
                {
                    return;
                }

                TimeoutHelper timeoutHelper = new TimeoutHelper(ServiceDefaults.SendTimeout);
                if (!enableSigning)
                {
                    outgoingProtocolFactory = new PeerDoNothingSecurityProtocolFactory();
                    incomingProtocolFactory = new PeerDoNothingSecurityProtocolFactory();
                }
                else
                {
                    X509Certificate2 cert = credManager.Certificate;
                    if (cert != null)
                    {
                        SecurityBindingElement securityBindingElement = SecurityBindingElement.CreateCertificateSignatureBindingElement();
                        securityBindingElement.ReaderQuotas = this.readerQuotas;
                        BindingParameterCollection bpc = new BindingParameterCollection();
                        if (protection == null)
                        {
                            protectionRequirements = new ChannelProtectionRequirements();
                        }
                        else
                        {
                            protectionRequirements = new ChannelProtectionRequirements(protection);
                        }
                        ApplySigningRequirements(protectionRequirements.IncomingSignatureParts);
                        ApplySigningRequirements(protectionRequirements.OutgoingSignatureParts);

                        bpc.Add(protectionRequirements);
                        bpc.Add(this.auditBehavior);
                        bpc.Add(credManager);
                        BindingContext context = new BindingContext(new CustomBinding(securityBindingElement), bpc);
                        outgoingProtocolFactory = securityBindingElement.CreateSecurityProtocolFactory <IOutputChannel>(context, credManager, false, null);
                    }
                    else
                    {
                        outgoingProtocolFactory = new PeerDoNothingSecurityProtocolFactory();
                    }
                    SecurityTokenResolver          resolver;
                    X509SecurityTokenAuthenticator auth = tokenManager.CreateSecurityTokenAuthenticator(PeerSecurityCredentialsManager.PeerClientSecurityTokenManager.CreateRequirement(SecurityTokenTypes.X509Certificate, true), out resolver) as X509SecurityTokenAuthenticator;
                    if (auth != null)
                    {
                        SecurityBindingElement securityBindingElement = SecurityBindingElement.CreateCertificateSignatureBindingElement();
                        securityBindingElement.ReaderQuotas = this.readerQuotas;
                        BindingParameterCollection bpc = new BindingParameterCollection();
                        if (protection == null)
                        {
                            protectionRequirements = new ChannelProtectionRequirements();
                        }
                        else
                        {
                            protectionRequirements = new ChannelProtectionRequirements(protection);
                        }
                        ApplySigningRequirements(protectionRequirements.IncomingSignatureParts);
                        ApplySigningRequirements(protectionRequirements.OutgoingSignatureParts);

                        bpc.Add(protectionRequirements);
                        bpc.Add(this.auditBehavior);
                        bpc.Add(credManager);
                        BindingContext context = new BindingContext(new CustomBinding(securityBindingElement), bpc);
                        incomingProtocolFactory = securityBindingElement.CreateSecurityProtocolFactory <IOutputChannel>(context, credManager, true, null);
                    }
                    else
                    {
                        incomingProtocolFactory = new PeerDoNothingSecurityProtocolFactory();
                    }
                }
                DuplexSecurityProtocolFactory tempFactory = new DuplexSecurityProtocolFactory(outgoingProtocolFactory, incomingProtocolFactory);
                tempFactory.Open(true, timeoutHelper.RemainingTime());
                securityProtocolFactory = tempFactory;
            }
        }
Exemplo n.º 5
0
        public override SecurityTokenAuthenticator CreateSecurityTokenAuthenticator(SecurityTokenRequirement tokenRequirement, out SecurityTokenResolver outOfBandTokenResolver)
        {
            if (tokenRequirement == null)
            {
                throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull(nameof(tokenRequirement));
            }

            outOfBandTokenResolver = null;
            SecurityTokenAuthenticator result = null;

            InitiatorServiceModelSecurityTokenRequirement initiatorRequirement = tokenRequirement as InitiatorServiceModelSecurityTokenRequirement;

            if (initiatorRequirement != null)
            {
                string tokenType = initiatorRequirement.TokenType;
                if (IsIssuedSecurityTokenRequirement(initiatorRequirement))
                {
                    throw ExceptionHelper.PlatformNotSupported("CreateSecurityTokenAuthenticator : GenericXmlSecurityTokenAuthenticator");
                }
                else if (tokenType == SecurityTokenTypes.X509Certificate)
                {
                    if (initiatorRequirement.IsOutOfBandToken)
                    {
                        // when the client side soap security asks for a token authenticator, its for doing
                        // identity checks on the out of band server certificate
                        result = new X509SecurityTokenAuthenticator(X509CertificateValidator.None);
                    }
                    else if (initiatorRequirement.PreferSslCertificateAuthenticator)
                    {
                        result = CreateServerSslX509TokenAuthenticator();
                    }
                    else
                    {
                        result = CreateServerX509TokenAuthenticator();
                    }
                }
                else if (tokenType == SecurityTokenTypes.Rsa)
                {
                    throw ExceptionHelper.PlatformNotSupported("CreateSecurityTokenAuthenticator : SecurityTokenTypes.Rsa");
                }
                else if (tokenType == SecurityTokenTypes.Kerberos)
                {
                    throw ExceptionHelper.PlatformNotSupported("CreateSecurityTokenAuthenticator : SecurityTokenTypes.Kerberos");
                }
                else if (tokenType == ServiceModelSecurityTokenTypes.SecureConversation ||
                         tokenType == ServiceModelSecurityTokenTypes.MutualSslnego ||
                         tokenType == ServiceModelSecurityTokenTypes.AnonymousSslnego ||
                         tokenType == ServiceModelSecurityTokenTypes.Spnego)
                {
                    throw ExceptionHelper.PlatformNotSupported("CreateSecurityTokenAuthenticator : GenericXmlSecurityTokenAuthenticator");
                }
            }
            else if ((tokenRequirement is RecipientServiceModelSecurityTokenRequirement) && tokenRequirement.TokenType == SecurityTokenTypes.X509Certificate)
            {
                // uncorrelated duplex case
                result = CreateServerX509TokenAuthenticator();
            }

            if (result == null)
            {
                throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new NotSupportedException(SR.Format(SR.SecurityTokenManagerCannotCreateAuthenticatorForRequirement, tokenRequirement)));
            }

            return(result);
        }
Exemplo n.º 6
0
 internal static WindowsIdentity KerberosCertificateLogon(X509Certificate2 certificate)
 {
     return(X509SecurityTokenAuthenticator.KerberosCertificateLogon(certificate));
 }