private SamlSecurityTokenAuthenticator CreateSamlTokenAuthenticator(RecipientServiceModelSecurityTokenRequirement recipientRequirement, out SecurityTokenResolver outOfBandTokenResolver)
{
SamlSecurityTokenAuthenticator authenticator;
if (recipientRequirement == null)
{
throw System.ServiceModel.DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("recipientRequirement");
}
Collection<SecurityToken> collection = new Collection<SecurityToken>();
if (this.parent.ServiceCertificate.Certificate != null)
{
collection.Add(new X509SecurityToken(this.parent.ServiceCertificate.Certificate));
}
List<SecurityTokenAuthenticator> supportingAuthenticators = new List<SecurityTokenAuthenticator>();
if ((this.parent.IssuedTokenAuthentication.KnownCertificates != null) && (this.parent.IssuedTokenAuthentication.KnownCertificates.Count > 0))
{
for (int i = 0; i < this.parent.IssuedTokenAuthentication.KnownCertificates.Count; i++)
{
collection.Add(new X509SecurityToken(this.parent.IssuedTokenAuthentication.KnownCertificates[i]));
}
}
X509CertificateValidator certificateValidator = this.parent.IssuedTokenAuthentication.GetCertificateValidator();
supportingAuthenticators.Add(new X509SecurityTokenAuthenticator(certificateValidator));
if (this.parent.IssuedTokenAuthentication.AllowUntrustedRsaIssuers)
{
supportingAuthenticators.Add(new RsaSecurityTokenAuthenticator());
}
outOfBandTokenResolver = (collection.Count > 0) ? SecurityTokenResolver.CreateDefaultSecurityTokenResolver(new ReadOnlyCollection<SecurityToken>(collection), false) : null;
if ((recipientRequirement.SecurityBindingElement == null) || (recipientRequirement.SecurityBindingElement.LocalServiceSettings == null))
{
authenticator = new SamlSecurityTokenAuthenticator(supportingAuthenticators);
}
else
{
authenticator = new SamlSecurityTokenAuthenticator(supportingAuthenticators, recipientRequirement.SecurityBindingElement.LocalServiceSettings.MaxClockSkew);
}
authenticator.AudienceUriMode = this.parent.IssuedTokenAuthentication.AudienceUriMode;
IList<string> allowedAudienceUris = authenticator.AllowedAudienceUris;
if (this.parent.IssuedTokenAuthentication.AllowedAudienceUris != null)
{
for (int j = 0; j < this.parent.IssuedTokenAuthentication.AllowedAudienceUris.Count; j++)
{
allowedAudienceUris.Add(this.parent.IssuedTokenAuthentication.AllowedAudienceUris[j]);
}
}
if (recipientRequirement.ListenUri != null)
{
allowedAudienceUris.Add(recipientRequirement.ListenUri.AbsoluteUri);
}
return authenticator;
}
private SecurityTokenProvider CreateLocalSecurityTokenProvider(RecipientServiceModelSecurityTokenRequirement recipientRequirement)
{
AuthenticationSchemes schemes;
string tokenType = recipientRequirement.TokenType;
SecurityTokenProvider provider = null;
if (tokenType == SecurityTokenTypes.X509Certificate)
{
return this.CreateServerX509TokenProvider();
}
if (!(tokenType == ServiceModelSecurityTokenTypes.SspiCredential))
{
return provider;
}
if (recipientRequirement.TryGetProperty<AuthenticationSchemes>(ServiceModelSecurityTokenRequirement.HttpAuthenticationSchemeProperty, out schemes) && (schemes == AuthenticationSchemes.Basic))
{
return new SspiSecurityTokenProvider(null, this.parent.UserNameAuthentication.IncludeWindowsGroups, false);
}
return new SspiSecurityTokenProvider(null, this.parent.WindowsAuthentication.IncludeWindowsGroups, this.parent.WindowsAuthentication.AllowAnonymousLogons);
}
public void CreateProviderRsaDefault ()
{
// actually is Rsa usable here??
SecurityTokenRequirement r =
new RecipientServiceModelSecurityTokenRequirement ();
r.TokenType = SecurityTokenTypes.Rsa;
def_c.CreateSecurityTokenProvider (r);
}
public void CreateProviderX509RecipientNoKeyUsage ()
{
RecipientServiceModelSecurityTokenRequirement r =
new RecipientServiceModelSecurityTokenRequirement ();
r.TokenType = SecurityTokenTypes.X509Certificate;
def_c.ClientCredentials.ClientCertificate.Certificate = cert;
def_c.CreateSecurityTokenProvider (r);
}
private SecurityTokenAuthenticator CreateTlsnegoSecurityTokenAuthenticator(RecipientServiceModelSecurityTokenRequirement recipientRequirement, bool requireClientCertificate, out SecurityTokenResolver sctResolver)
{
SecurityBindingElement securityBindingElement = recipientRequirement.SecurityBindingElement;
if (securityBindingElement == null)
{
throw System.ServiceModel.DiagnosticUtility.ExceptionUtility.ThrowHelperArgument(System.ServiceModel.SR.GetString("TokenAuthenticatorRequiresSecurityBindingElement", new object[] { recipientRequirement }));
}
bool flag = !recipientRequirement.SupportSecurityContextCancellation;
LocalServiceSecuritySettings localServiceSettings = securityBindingElement.LocalServiceSettings;
sctResolver = new SecurityContextSecurityTokenResolver(localServiceSettings.MaxCachedCookies, true);
TlsnegoTokenAuthenticator authenticator = new TlsnegoTokenAuthenticator {
IsClientAnonymous = !requireClientCertificate
};
if (requireClientCertificate)
{
authenticator.ClientTokenAuthenticator = this.CreateTlsnegoClientX509TokenAuthenticator(recipientRequirement);
authenticator.MapCertificateToWindowsAccount = this.ServiceCredentials.ClientCertificate.Authentication.MapClientCertificateToWindowsAccount;
}
authenticator.EncryptStateInServiceToken = flag;
authenticator.IssuedSecurityTokenParameters = recipientRequirement.GetProperty<SecurityTokenParameters>(ServiceModelSecurityTokenRequirement.IssuedSecurityTokenParametersProperty);
authenticator.IssuedTokenCache = (ISecurityContextSecurityTokenCache) sctResolver;
authenticator.IssuerBindingContext = recipientRequirement.GetProperty<BindingContext>(ServiceModelSecurityTokenRequirement.IssuerBindingContextProperty);
authenticator.ListenUri = recipientRequirement.ListenUri;
authenticator.SecurityAlgorithmSuite = recipientRequirement.SecurityAlgorithmSuite;
authenticator.StandardsManager = System.ServiceModel.Security.SecurityUtils.CreateSecurityStandardsManager(recipientRequirement, this);
authenticator.SecurityStateEncoder = this.parent.SecureConversationAuthentication.SecurityStateEncoder;
authenticator.KnownTypes = this.parent.SecureConversationAuthentication.SecurityContextClaimTypes;
authenticator.ServerTokenProvider = this.CreateTlsnegoServerX509TokenProvider(recipientRequirement);
authenticator.MaximumCachedNegotiationState = localServiceSettings.MaxStatefulNegotiations;
authenticator.NegotiationTimeout = localServiceSettings.NegotiationTimeout;
authenticator.ServiceTokenLifetime = localServiceSettings.IssuedCookieLifetime;
authenticator.MaximumConcurrentNegotiations = localServiceSettings.MaxStatefulNegotiations;
if (securityBindingElement is TransportSecurityBindingElement)
{
authenticator.MaxMessageSize = System.ServiceModel.Security.SecurityUtils.GetMaxNegotiationBufferSize(authenticator.IssuerBindingContext);
}
authenticator.AuditLogLocation = recipientRequirement.AuditLogLocation;
authenticator.SuppressAuditFailure = recipientRequirement.SuppressAuditFailure;
authenticator.MessageAuthenticationAuditLevel = recipientRequirement.MessageAuthenticationAuditLevel;
return authenticator;
}
protected SecurityTokenAuthenticator CreateSecureConversationTokenAuthenticator(RecipientServiceModelSecurityTokenRequirement recipientRequirement, bool preserveBootstrapTokens, out SecurityTokenResolver sctResolver)
{
SecurityBindingElement securityBindingElement = recipientRequirement.SecurityBindingElement;
if (securityBindingElement == null)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgument(SR.GetString(SR.TokenAuthenticatorRequiresSecurityBindingElement, recipientRequirement));
}
bool isCookieMode = !recipientRequirement.SupportSecurityContextCancellation;
LocalServiceSecuritySettings localServiceSettings = securityBindingElement.LocalServiceSettings;
IMessageFilterTable<EndpointAddress> endpointFilterTable = recipientRequirement.GetPropertyOrDefault<IMessageFilterTable<EndpointAddress>>(ServiceModelSecurityTokenRequirement.EndpointFilterTableProperty, null);
if (!isCookieMode)
{
sctResolver = new SecurityContextSecurityTokenResolver(Int32.MaxValue, false);
// remember this authenticator for future reference
SecuritySessionSecurityTokenAuthenticator authenticator = new SecuritySessionSecurityTokenAuthenticator();
authenticator.BootstrapSecurityBindingElement = SecurityUtils.GetIssuerSecurityBindingElement(recipientRequirement);
authenticator.IssuedSecurityTokenParameters = recipientRequirement.GetProperty<SecurityTokenParameters>(ServiceModelSecurityTokenRequirement.IssuedSecurityTokenParametersProperty);
authenticator.IssuedTokenCache = (ISecurityContextSecurityTokenCache)sctResolver;
authenticator.IssuerBindingContext = recipientRequirement.GetProperty<BindingContext>(ServiceModelSecurityTokenRequirement.IssuerBindingContextProperty);
authenticator.KeyEntropyMode = securityBindingElement.KeyEntropyMode;
authenticator.ListenUri = recipientRequirement.ListenUri;
authenticator.SecurityAlgorithmSuite = recipientRequirement.SecurityAlgorithmSuite;
authenticator.SessionTokenLifetime = TimeSpan.MaxValue;
authenticator.KeyRenewalInterval = securityBindingElement.LocalServiceSettings.SessionKeyRenewalInterval;
authenticator.StandardsManager = SecurityUtils.CreateSecurityStandardsManager(recipientRequirement, this);
authenticator.EndpointFilterTable = endpointFilterTable;
authenticator.MaximumConcurrentNegotiations = localServiceSettings.MaxStatefulNegotiations;
authenticator.NegotiationTimeout = localServiceSettings.NegotiationTimeout;
authenticator.PreserveBootstrapTokens = preserveBootstrapTokens;
return authenticator;
}
else
{
sctResolver = new SecurityContextSecurityTokenResolver(localServiceSettings.MaxCachedCookies, true, localServiceSettings.MaxClockSkew);
AcceleratedTokenAuthenticator authenticator = new AcceleratedTokenAuthenticator();
authenticator.BootstrapSecurityBindingElement = SecurityUtils.GetIssuerSecurityBindingElement(recipientRequirement);
authenticator.KeyEntropyMode = securityBindingElement.KeyEntropyMode;
authenticator.EncryptStateInServiceToken = true;
authenticator.IssuedSecurityTokenParameters = recipientRequirement.GetProperty<SecurityTokenParameters>(ServiceModelSecurityTokenRequirement.IssuedSecurityTokenParametersProperty);
authenticator.IssuedTokenCache = (ISecurityContextSecurityTokenCache)sctResolver;
authenticator.IssuerBindingContext = recipientRequirement.GetProperty<BindingContext>(ServiceModelSecurityTokenRequirement.IssuerBindingContextProperty);
authenticator.ListenUri = recipientRequirement.ListenUri;
authenticator.SecurityAlgorithmSuite = recipientRequirement.SecurityAlgorithmSuite;
authenticator.StandardsManager = SecurityUtils.CreateSecurityStandardsManager(recipientRequirement, this);
authenticator.SecurityStateEncoder = parent.SecureConversationAuthentication.SecurityStateEncoder;
authenticator.KnownTypes = parent.SecureConversationAuthentication.SecurityContextClaimTypes;
authenticator.PreserveBootstrapTokens = preserveBootstrapTokens;
// local security quotas
authenticator.MaximumCachedNegotiationState = localServiceSettings.MaxStatefulNegotiations;
authenticator.NegotiationTimeout = localServiceSettings.NegotiationTimeout;
authenticator.ServiceTokenLifetime = localServiceSettings.IssuedCookieLifetime;
authenticator.MaximumConcurrentNegotiations = localServiceSettings.MaxStatefulNegotiations;
// audit settings
authenticator.AuditLogLocation = recipientRequirement.AuditLogLocation;
authenticator.SuppressAuditFailure = recipientRequirement.SuppressAuditFailure;
authenticator.MessageAuthenticationAuditLevel = recipientRequirement.MessageAuthenticationAuditLevel;
authenticator.EndpointFilterTable = endpointFilterTable;
return authenticator;
}
}
private SecurityTokenAuthenticator CreateSpnegoSecurityTokenAuthenticator(RecipientServiceModelSecurityTokenRequirement recipientRequirement, out SecurityTokenResolver sctResolver)
{
SecurityBindingElement securityBindingElement = recipientRequirement.SecurityBindingElement;
if (securityBindingElement == null)
{
throw System.ServiceModel.DiagnosticUtility.ExceptionUtility.ThrowHelperArgument(System.ServiceModel.SR.GetString("TokenAuthenticatorRequiresSecurityBindingElement", new object[] { recipientRequirement }));
}
bool flag = !recipientRequirement.SupportSecurityContextCancellation;
LocalServiceSecuritySettings localServiceSettings = securityBindingElement.LocalServiceSettings;
sctResolver = new SecurityContextSecurityTokenResolver(localServiceSettings.MaxCachedCookies, true);
ExtendedProtectionPolicy result = null;
recipientRequirement.TryGetProperty<ExtendedProtectionPolicy>(ServiceModelSecurityTokenRequirement.ExtendedProtectionPolicy, out result);
SpnegoTokenAuthenticator authenticator = new SpnegoTokenAuthenticator {
ExtendedProtectionPolicy = result,
AllowUnauthenticatedCallers = this.parent.WindowsAuthentication.AllowAnonymousLogons,
ExtractGroupsForWindowsAccounts = this.parent.WindowsAuthentication.IncludeWindowsGroups,
IsClientAnonymous = false,
EncryptStateInServiceToken = flag,
IssuedSecurityTokenParameters = recipientRequirement.GetProperty<SecurityTokenParameters>(ServiceModelSecurityTokenRequirement.IssuedSecurityTokenParametersProperty),
IssuedTokenCache = (ISecurityContextSecurityTokenCache) sctResolver,
IssuerBindingContext = recipientRequirement.GetProperty<BindingContext>(ServiceModelSecurityTokenRequirement.IssuerBindingContextProperty),
ListenUri = recipientRequirement.ListenUri,
SecurityAlgorithmSuite = recipientRequirement.SecurityAlgorithmSuite,
StandardsManager = System.ServiceModel.Security.SecurityUtils.CreateSecurityStandardsManager(recipientRequirement, this),
SecurityStateEncoder = this.parent.SecureConversationAuthentication.SecurityStateEncoder,
KnownTypes = this.parent.SecureConversationAuthentication.SecurityContextClaimTypes
};
if (securityBindingElement is TransportSecurityBindingElement)
{
authenticator.MaxMessageSize = System.ServiceModel.Security.SecurityUtils.GetMaxNegotiationBufferSize(authenticator.IssuerBindingContext);
}
authenticator.MaximumCachedNegotiationState = localServiceSettings.MaxStatefulNegotiations;
authenticator.NegotiationTimeout = localServiceSettings.NegotiationTimeout;
authenticator.ServiceTokenLifetime = localServiceSettings.IssuedCookieLifetime;
authenticator.MaximumConcurrentNegotiations = localServiceSettings.MaxStatefulNegotiations;
authenticator.AuditLogLocation = recipientRequirement.AuditLogLocation;
authenticator.SuppressAuditFailure = recipientRequirement.SuppressAuditFailure;
authenticator.MessageAuthenticationAuditLevel = recipientRequirement.MessageAuthenticationAuditLevel;
return authenticator;
}
public void CreateProviderAnonSsl ()
{
RecipientServiceModelSecurityTokenRequirement r =
new RecipientServiceModelSecurityTokenRequirement ();
new MySslSecurityTokenParameters ().InitRequirement (r);
Assert.IsFalse (r.Properties.ContainsKey (ReqType.ChannelParametersCollectionProperty), "#1");
Assert.IsFalse (r.Properties.ContainsKey (ReqType.EndpointFilterTableProperty), "#2");
Assert.IsFalse (r.Properties.ContainsKey (ReqType.HttpAuthenticationSchemeProperty), "#3");
Assert.IsFalse (r.Properties.ContainsKey (ReqType.IsOutOfBandTokenProperty), "#4");
Assert.IsFalse (r.Properties.ContainsKey (ReqType.IssuerAddressProperty), "#5");
Assert.IsFalse (r.Properties.ContainsKey (ReqType.MessageDirectionProperty), "#6");
Assert.IsFalse (r.Properties.ContainsKey (ReqType.MessageSecurityVersionProperty), "#7");
//Assert.IsTrue (r.Properties.ContainsKey (SecurityTokenRequirement.PeerAuthenticationMode), "#8");
Assert.IsFalse (r.Properties.ContainsKey (ReqType.SecurityAlgorithmSuiteProperty), "#9");
Assert.IsFalse (r.Properties.ContainsKey (ReqType.SecurityBindingElementProperty), "#10");
Assert.IsFalse (r.Properties.ContainsKey (ReqType.SupportingTokenAttachmentModeProperty), "#11");
Assert.AreEqual (null, r.TransportScheme, "#12");
r.TokenType = ServiceModelSecurityTokenTypes.AnonymousSslnego;
r.ListenUri = new Uri ("http://localhost:8080");
r.SecurityBindingElement = new SymmetricSecurityBindingElement ();
r.Properties [ReqType.IssuerBindingContextProperty] =
new BindingContext (new CustomBinding (), new BindingParameterCollection ());
r.MessageSecurityVersion =
MessageSecurityVersion.Default.SecurityTokenVersion;
r.Properties [ReqType.SecurityAlgorithmSuiteProperty] =
SecurityAlgorithmSuite.Default;
r.TransportScheme = "https";
r.Properties [ReqType.ChannelParametersCollectionProperty] = new ChannelParameterCollection ();
r.Properties [ReqType.EndpointFilterTableProperty] = null;
r.Properties [ReqType.HttpAuthenticationSchemeProperty] = AuthenticationSchemes.Anonymous;
r.Properties [ReqType.IsOutOfBandTokenProperty] = true;
r.Properties [ReqType.IssuerAddressProperty] = new EndpointAddress ("http://localhost:9090");
// r.Properties [ReqType.MessageDirectionProperty] = MessageDirection.Input;
r.Properties [ReqType.SecurityBindingElementProperty] = new SymmetricSecurityBindingElement ();
r.Properties [ReqType.SupportingTokenAttachmentModeProperty] = SecurityTokenAttachmentMode.Signed;
SecurityTokenProvider p =
def_c.CreateSecurityTokenProvider (r);
Assert.IsNotNull (p, "#1");
}
RecipientServiceModelSecurityTokenRequirement CreateAnonSslRequirement ()
{
RecipientServiceModelSecurityTokenRequirement r =
new RecipientServiceModelSecurityTokenRequirement ();
MySslSecurityTokenParameters p = new MySslSecurityTokenParameters ();
p.InitRequirement (r);
r.SecurityBindingElement = new SymmetricSecurityBindingElement (new X509SecurityTokenParameters ());
r.Properties [ReqType.IssuedSecurityTokenParametersProperty] = p.Clone ();
r.Properties [ReqType.IssuerBindingContextProperty] =
new BindingContext (new CustomBinding (new HttpTransportBindingElement ()), new BindingParameterCollection ());
r.Properties [ReqType.MessageSecurityVersionProperty] =
MessageSecurityVersion.Default.SecurityTokenVersion;
return r;
}
public void CreateProviderX509 ()
{
SecurityTokenRequirement r =
new RecipientServiceModelSecurityTokenRequirement ();
r.TokenType = SecurityTokenTypes.X509Certificate;
def_c.ServiceCredentials.ServiceCertificate.Certificate =
new X509Certificate2 ("Test/Resources/test.pfx", "mono");
X509SecurityTokenProvider p =
def_c.CreateSecurityTokenProvider (r)
as X509SecurityTokenProvider;
Assert.IsNotNull (p, "#1");
}
public void CreateProviderAnonSslError ()
{
RecipientServiceModelSecurityTokenRequirement r =
new RecipientServiceModelSecurityTokenRequirement ();
r.TokenType = ServiceModelSecurityTokenTypes.AnonymousSslnego;
r.ListenUri = new Uri ("http://localhost:8080");
r.SecurityBindingElement = new SymmetricSecurityBindingElement ();
r.Properties [ReqType.IssuerBindingContextProperty] =
new BindingContext (new CustomBinding (), new BindingParameterCollection ());
r.MessageSecurityVersion =
MessageSecurityVersion.Default.SecurityTokenVersion;
SecurityTokenProvider p =
def_c.CreateSecurityTokenProvider (r);
Assert.IsNotNull (p, "#1");
}
public void CreateProviderX509PublicOnlyKey ()
{
SecurityTokenRequirement r =
new RecipientServiceModelSecurityTokenRequirement ();
r.TokenType = SecurityTokenTypes.X509Certificate;
X509Certificate2 cert = new X509Certificate2 ("Test/Resources/test.cer");
def_c.ServiceCredentials.ServiceCertificate.Certificate = cert;
def_c.CreateSecurityTokenProvider (r);
}
public void CreateProviderX509WithoutCert ()
{
SecurityTokenRequirement r =
new RecipientServiceModelSecurityTokenRequirement ();
r.TokenType = SecurityTokenTypes.X509Certificate;
def_c.CreateSecurityTokenProvider (r);
}
public void CreateAuthenticatorRsaDefault ()
{
SecurityTokenRequirement r =
new RecipientServiceModelSecurityTokenRequirement ();
SecurityTokenResolver resolver;
r.TokenType = SecurityTokenTypes.Rsa;
SecurityTokenAuthenticator a = def_c.CreateSecurityTokenAuthenticator (r, out resolver);
Assert.AreEqual (typeof (RsaSecurityTokenAuthenticator), a.GetType (), "#1");
Assert.IsNull (resolver, "#2");
}
SamlSecurityTokenAuthenticator CreateSamlTokenAuthenticator(RecipientServiceModelSecurityTokenRequirement recipientRequirement, out SecurityTokenResolver outOfBandTokenResolver)
{
if (recipientRequirement == null)
throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("recipientRequirement");
Collection<SecurityToken> outOfBandTokens = new Collection<SecurityToken>();
if (parent.ServiceCertificate.Certificate != null)
{
outOfBandTokens.Add(new X509SecurityToken(parent.ServiceCertificate.Certificate));
}
List<SecurityTokenAuthenticator> supportingAuthenticators = new List<SecurityTokenAuthenticator>();
if ((parent.IssuedTokenAuthentication.KnownCertificates != null) && (parent.IssuedTokenAuthentication.KnownCertificates.Count > 0))
{
for (int i = 0; i < parent.IssuedTokenAuthentication.KnownCertificates.Count; ++i)
{
outOfBandTokens.Add(new X509SecurityToken(parent.IssuedTokenAuthentication.KnownCertificates[i]));
}
}
X509CertificateValidator validator = parent.IssuedTokenAuthentication.GetCertificateValidator();
supportingAuthenticators.Add(new X509SecurityTokenAuthenticator(validator));
if (parent.IssuedTokenAuthentication.AllowUntrustedRsaIssuers)
{
supportingAuthenticators.Add(new RsaSecurityTokenAuthenticator());
}
outOfBandTokenResolver = (outOfBandTokens.Count > 0) ? SecurityTokenResolver.CreateDefaultSecurityTokenResolver(new ReadOnlyCollection<SecurityToken>(outOfBandTokens), false) : null;
SamlSecurityTokenAuthenticator ssta;
if ((recipientRequirement.SecurityBindingElement == null) || (recipientRequirement.SecurityBindingElement.LocalServiceSettings == null))
{
ssta = new SamlSecurityTokenAuthenticator(supportingAuthenticators);
}
else
{
ssta = new SamlSecurityTokenAuthenticator(supportingAuthenticators, recipientRequirement.SecurityBindingElement.LocalServiceSettings.MaxClockSkew);
}
// set audience uri restrictions
ssta.AudienceUriMode = parent.IssuedTokenAuthentication.AudienceUriMode;
IList<string> allowedAudienceUris = ssta.AllowedAudienceUris;
if (parent.IssuedTokenAuthentication.AllowedAudienceUris != null)
{
for (int i = 0; i < parent.IssuedTokenAuthentication.AllowedAudienceUris.Count; i++)
allowedAudienceUris.Add(parent.IssuedTokenAuthentication.AllowedAudienceUris[i]);
}
if (recipientRequirement.ListenUri != null)
{
allowedAudienceUris.Add(recipientRequirement.ListenUri.AbsoluteUri);
}
return ssta;
}
RecipientServiceModelSecurityTokenRequirement CreateRecipientRequirement (string tokenType)
{
RecipientServiceModelSecurityTokenRequirement r =
new RecipientServiceModelSecurityTokenRequirement ();
r.TokenType = tokenType;
r.SecurityBindingElement = new SymmetricSecurityBindingElement ();
r.Properties [ReqType.IssuerBindingContextProperty] =
new BindingContext (new CustomBinding (), new BindingParameterCollection ());
r.Properties [ReqType.IssuedSecurityTokenParametersProperty] = new IssuedSecurityTokenParameters ();
r.MessageSecurityVersion =
MessageSecurityVersion.Default.SecurityTokenVersion;
return r;
}
SecurityTokenProvider CreateLocalSecurityTokenProvider(RecipientServiceModelSecurityTokenRequirement recipientRequirement)
{
string tokenType = recipientRequirement.TokenType;
SecurityTokenProvider result = null;
if (tokenType == SecurityTokenTypes.X509Certificate)
{
result = CreateServerX509TokenProvider();
}
else if (tokenType == ServiceModelSecurityTokenTypes.SspiCredential)
{
// if Transport Security, AuthenicationSchemes.Basic will look at parent.UserNameAuthentication settings.
AuthenticationSchemes authenticationScheme;
bool authenticationSchemeIdentified = recipientRequirement.TryGetProperty<AuthenticationSchemes>(ServiceModelSecurityTokenRequirement.HttpAuthenticationSchemeProperty, out authenticationScheme);
if (authenticationSchemeIdentified &&
authenticationScheme.IsSet(AuthenticationSchemes.Basic) &&
authenticationScheme.IsNotSet(AuthenticationSchemes.Digest | AuthenticationSchemes.Ntlm | AuthenticationSchemes.Negotiate))
{
// create security token provider even when basic and Anonymous are enabled.
result = new SspiSecurityTokenProvider(null, parent.UserNameAuthentication.IncludeWindowsGroups, false);
}
else
{
if (authenticationSchemeIdentified &&
authenticationScheme.IsSet(AuthenticationSchemes.Basic) &&
parent.WindowsAuthentication.IncludeWindowsGroups != parent.UserNameAuthentication.IncludeWindowsGroups)
{
// Ensure there are no inconsistencies when Basic and (Digest and/or Ntlm and/or Negotiate) are both enabled
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new NotSupportedException(SR.GetString(SR.SecurityTokenProviderIncludeWindowsGroupsInconsistent,
(AuthenticationSchemes)authenticationScheme - AuthenticationSchemes.Basic,
parent.UserNameAuthentication.IncludeWindowsGroups,
parent.WindowsAuthentication.IncludeWindowsGroups)));
}
result = new SspiSecurityTokenProvider(null, parent.WindowsAuthentication.IncludeWindowsGroups, parent.WindowsAuthentication.AllowAnonymousLogons);
}
}
return result;
}
public void CreateProviderSecureConv ()
{
RecipientServiceModelSecurityTokenRequirement r =
new RecipientServiceModelSecurityTokenRequirement ();
r.TokenType = ServiceModelSecurityTokenTypes.SecureConversation;
r.ListenUri = new Uri ("http://localhost:8080");
r.MessageSecurityVersion = MessageSecurityVersion.Default.SecurityTokenVersion;
r.KeySize = 256;
def_c.CreateSecurityTokenProvider (r);
}
protected SecurityTokenAuthenticator CreateSecureConversationTokenAuthenticator(RecipientServiceModelSecurityTokenRequirement recipientRequirement, bool preserveBootstrapTokens, out SecurityTokenResolver sctResolver)
{
SecurityBindingElement securityBindingElement = recipientRequirement.SecurityBindingElement;
if (securityBindingElement == null)
{
throw System.ServiceModel.DiagnosticUtility.ExceptionUtility.ThrowHelperArgument(System.ServiceModel.SR.GetString("TokenAuthenticatorRequiresSecurityBindingElement", new object[] { recipientRequirement }));
}
bool flag = !recipientRequirement.SupportSecurityContextCancellation;
LocalServiceSecuritySettings localServiceSettings = securityBindingElement.LocalServiceSettings;
IMessageFilterTable<EndpointAddress> propertyOrDefault = recipientRequirement.GetPropertyOrDefault<IMessageFilterTable<EndpointAddress>>(ServiceModelSecurityTokenRequirement.EndpointFilterTableProperty, null);
if (!flag)
{
sctResolver = new SecurityContextSecurityTokenResolver(0x7fffffff, false);
return new SecuritySessionSecurityTokenAuthenticator { BootstrapSecurityBindingElement = System.ServiceModel.Security.SecurityUtils.GetIssuerSecurityBindingElement(recipientRequirement), IssuedSecurityTokenParameters = recipientRequirement.GetProperty<SecurityTokenParameters>(ServiceModelSecurityTokenRequirement.IssuedSecurityTokenParametersProperty), IssuedTokenCache = (ISecurityContextSecurityTokenCache) sctResolver, IssuerBindingContext = recipientRequirement.GetProperty<BindingContext>(ServiceModelSecurityTokenRequirement.IssuerBindingContextProperty), KeyEntropyMode = securityBindingElement.KeyEntropyMode, ListenUri = recipientRequirement.ListenUri, SecurityAlgorithmSuite = recipientRequirement.SecurityAlgorithmSuite, SessionTokenLifetime = TimeSpan.MaxValue, KeyRenewalInterval = securityBindingElement.LocalServiceSettings.SessionKeyRenewalInterval, StandardsManager = System.ServiceModel.Security.SecurityUtils.CreateSecurityStandardsManager(recipientRequirement, this), EndpointFilterTable = propertyOrDefault, MaximumConcurrentNegotiations = localServiceSettings.MaxStatefulNegotiations, NegotiationTimeout = localServiceSettings.NegotiationTimeout, PreserveBootstrapTokens = preserveBootstrapTokens };
}
sctResolver = new SecurityContextSecurityTokenResolver(localServiceSettings.MaxCachedCookies, true, localServiceSettings.MaxClockSkew);
return new AcceleratedTokenAuthenticator {
BootstrapSecurityBindingElement = System.ServiceModel.Security.SecurityUtils.GetIssuerSecurityBindingElement(recipientRequirement), KeyEntropyMode = securityBindingElement.KeyEntropyMode, EncryptStateInServiceToken = true, IssuedSecurityTokenParameters = recipientRequirement.GetProperty<SecurityTokenParameters>(ServiceModelSecurityTokenRequirement.IssuedSecurityTokenParametersProperty), IssuedTokenCache = (ISecurityContextSecurityTokenCache) sctResolver, IssuerBindingContext = recipientRequirement.GetProperty<BindingContext>(ServiceModelSecurityTokenRequirement.IssuerBindingContextProperty), ListenUri = recipientRequirement.ListenUri, SecurityAlgorithmSuite = recipientRequirement.SecurityAlgorithmSuite, StandardsManager = System.ServiceModel.Security.SecurityUtils.CreateSecurityStandardsManager(recipientRequirement, this), SecurityStateEncoder = this.parent.SecureConversationAuthentication.SecurityStateEncoder, KnownTypes = this.parent.SecureConversationAuthentication.SecurityContextClaimTypes, PreserveBootstrapTokens = preserveBootstrapTokens, MaximumCachedNegotiationState = localServiceSettings.MaxStatefulNegotiations, NegotiationTimeout = localServiceSettings.NegotiationTimeout, ServiceTokenLifetime = localServiceSettings.IssuedCookieLifetime, MaximumConcurrentNegotiations = localServiceSettings.MaxStatefulNegotiations,
AuditLogLocation = recipientRequirement.AuditLogLocation, SuppressAuditFailure = recipientRequirement.SuppressAuditFailure, MessageAuthenticationAuditLevel = recipientRequirement.MessageAuthenticationAuditLevel, EndpointFilterTable = propertyOrDefault
};
}
public void IsIssuedSecurityTokenRequirement ()
{
RecipientServiceModelSecurityTokenRequirement r;
MyManager mgr = new MyManager ();
r = new RecipientServiceModelSecurityTokenRequirement ();
MySslSecurityTokenParameters ssl =
new MySslSecurityTokenParameters ();
ssl.InitRequirement (r);
Assert.IsFalse (mgr.IsIssued (r), "ssl");
r = new RecipientServiceModelSecurityTokenRequirement ();
MySspiSecurityTokenParameters sspi =
new MySspiSecurityTokenParameters ();
sspi.InitRequirement (r);
Assert.IsFalse (mgr.IsIssued (r), "sspi");
r = new RecipientServiceModelSecurityTokenRequirement ();
MyIssuedSecurityTokenParameters issued =
new MyIssuedSecurityTokenParameters ();
issued.InitRequirement (r);
Assert.IsTrue (mgr.IsIssued (r), "issued");
/*
r = new RecipientServiceModelSecurityTokenRequirement ();
MySecureConversationSecurityTokenParameters sc =
new MySecureConversationSecurityTokenParameters (
new SymmetricSecurityBindingElement (new X509SecurityTokenParameters ()),
false,
new ChannelProtectionRequirements ());
r.Properties [ReqType.IssuerBindingContextProperty] =
new BindingContext (new CustomBinding (), new BindingParameterCollection ());
r.Properties [ReqType.MessageSecurityVersionProperty] =
MessageSecurityVersion.Default;
r.Properties [ReqType.ChannelParametersCollectionProperty] =
new ChannelParameterCollection ();
r.Properties [ReqType.IssuedSecurityTokenParametersProperty] = sc.Clone ();
r.Properties [ReqType.IssuerBindingProperty] =
new CustomBinding (new HttpTransportBindingElement ());
r.Properties [ReqType.MessageDirectionProperty] =
MessageDirection.Input;
r.SecureConversationSecurityBindingElement =
new SymmetricSecurityBindingElement (
new X509SecurityTokenParameters ());
r.SecurityAlgorithmSuite = SecurityAlgorithmSuite.Default;
r.Properties [ReqType.SupportSecurityContextCancellationProperty] = true;
r.ListenUri = new Uri ("http://localhost:8080");
r.KeySize = 256;
sc.InitRequirement (r);
Assert.IsFalse (mgr.IsIssued (r), "sc");
*/
}
private SecurityTokenAuthenticator CreateTlsnegoClientX509TokenAuthenticator(RecipientServiceModelSecurityTokenRequirement recipientRequirement)
{
SecurityTokenResolver resolver;
RecipientServiceModelSecurityTokenRequirement tokenRequirement = new RecipientServiceModelSecurityTokenRequirement {
TokenType = SecurityTokenTypes.X509Certificate,
KeyUsage = SecurityKeyUsage.Signature,
ListenUri = recipientRequirement.ListenUri,
KeyType = SecurityKeyType.AsymmetricKey,
SecurityBindingElement = recipientRequirement.SecurityBindingElement
};
return this.CreateSecurityTokenAuthenticator(tokenRequirement, out resolver);
}
/// <summary>
/// Helper method to setup the WrappedSecureConversttion
/// </summary>
SecurityTokenAuthenticator SetupSecureConversationWrapper( RecipientServiceModelSecurityTokenRequirement tokenRequirement, SessionSecurityTokenHandler tokenHandler, out SecurityTokenResolver outOfBandTokenResolver )
{
// This code requires Orcas SP1 to compile.
// WCF expects this securityTokenAuthenticator to support:
// 1. IIssuanceSecurityTokenAuthenticator
// 2. ICommunicationObject is needed for this to work right.
// WCF opens a listener in this STA that handles the nego and uses an internal class for negotiating the
// the bootstrap tokens. We want to handle ValidateToken to return our authorization policies and surface the bootstrap tokens.
// when sp1 is installed, use this one.
//SecurityTokenAuthenticator sta = base.CreateSecureConversationTokenAuthenticator( tokenRequirement as RecipientServiceModelSecurityTokenRequirement, _saveBootstrapTokensInSession, out outOfBandTokenResolver );
// use this code if SP1 is not installed
SecurityTokenAuthenticator sta = base.CreateSecurityTokenAuthenticator( tokenRequirement, out outOfBandTokenResolver );
SessionSecurityTokenHandler sessionTokenHandler = tokenHandler;
//
// If there is no SCT handler here, create one.
//
if ( tokenHandler == null )
{
sessionTokenHandler = new SessionSecurityTokenHandler( _cookieTransforms, SessionSecurityTokenHandler.DefaultTokenLifetime );
sessionTokenHandler.ContainingCollection = _securityTokenHandlerCollection;
sessionTokenHandler.Configuration = _securityTokenHandlerCollection.Configuration;
}
if ( ServiceCredentials != null )
{
sessionTokenHandler.Configuration.MaxClockSkew = ServiceCredentials.IdentityConfiguration.MaxClockSkew;
}
SctClaimsHandler claimsHandler = new SctClaimsHandler(
_securityTokenHandlerCollection,
GetNormalizedEndpointId( tokenRequirement ) );
WrappedSessionSecurityTokenAuthenticator wssta = new WrappedSessionSecurityTokenAuthenticator( sessionTokenHandler, sta,
claimsHandler, _exceptionMapper );
WrappedTokenCache wrappedTokenCache = new WrappedTokenCache( _tokenCache, claimsHandler);
SetWrappedTokenCache( wrappedTokenCache, sta, wssta, claimsHandler );
outOfBandTokenResolver = wrappedTokenCache;
return wssta;
}
private SecurityTokenProvider CreateTlsnegoServerX509TokenProvider(RecipientServiceModelSecurityTokenRequirement recipientRequirement)
{
RecipientServiceModelSecurityTokenRequirement tokenRequirement = new RecipientServiceModelSecurityTokenRequirement {
TokenType = SecurityTokenTypes.X509Certificate,
KeyUsage = SecurityKeyUsage.Exchange,
ListenUri = recipientRequirement.ListenUri,
KeyType = SecurityKeyType.AsymmetricKey,
SecurityBindingElement = recipientRequirement.SecurityBindingElement
};
return this.CreateSecurityTokenProvider(tokenRequirement);
}
SecurityTokenAuthenticator CreateTlsnegoClientX509TokenAuthenticator(RecipientServiceModelSecurityTokenRequirement recipientRequirement)
{
RecipientServiceModelSecurityTokenRequirement clientX509Requirement = new RecipientServiceModelSecurityTokenRequirement();
clientX509Requirement.TokenType = SecurityTokenTypes.X509Certificate;
clientX509Requirement.KeyUsage = SecurityKeyUsage.Signature;
clientX509Requirement.ListenUri = recipientRequirement.ListenUri;
clientX509Requirement.KeyType = SecurityKeyType.AsymmetricKey;
clientX509Requirement.SecurityBindingElement = recipientRequirement.SecurityBindingElement;
SecurityTokenResolver dummy;
return this.CreateSecurityTokenAuthenticator(clientX509Requirement, out dummy);
}
public virtual EndpointIdentity GetIdentityOfSelf(SecurityTokenRequirement tokenRequirement)
{
if (tokenRequirement == null)
{
throw System.ServiceModel.DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("tokenRequirement");
}
if (tokenRequirement is RecipientServiceModelSecurityTokenRequirement)
{
string tokenType = tokenRequirement.TokenType;
if (((tokenType == SecurityTokenTypes.X509Certificate) || (tokenType == ServiceModelSecurityTokenTypes.AnonymousSslnego)) || (tokenType == ServiceModelSecurityTokenTypes.MutualSslnego))
{
if (this.parent.ServiceCertificate.Certificate != null)
{
return EndpointIdentity.CreateX509CertificateIdentity(this.parent.ServiceCertificate.Certificate);
}
}
else
{
if ((tokenType == SecurityTokenTypes.Kerberos) || (tokenType == ServiceModelSecurityTokenTypes.Spnego))
{
return System.ServiceModel.Security.SecurityUtils.CreateWindowsIdentity();
}
if (tokenType == ServiceModelSecurityTokenTypes.SecureConversation)
{
SecurityBindingElement secureConversationSecurityBindingElement = ((RecipientServiceModelSecurityTokenRequirement) tokenRequirement).SecureConversationSecurityBindingElement;
if (secureConversationSecurityBindingElement != null)
{
if ((secureConversationSecurityBindingElement == null) || (secureConversationSecurityBindingElement is TransportSecurityBindingElement))
{
return null;
}
SecurityTokenParameters parameters = (secureConversationSecurityBindingElement is SymmetricSecurityBindingElement) ? ((SymmetricSecurityBindingElement) secureConversationSecurityBindingElement).ProtectionTokenParameters : ((AsymmetricSecurityBindingElement) secureConversationSecurityBindingElement).RecipientTokenParameters;
SecurityTokenRequirement requirement = new RecipientServiceModelSecurityTokenRequirement();
parameters.InitializeSecurityTokenRequirement(requirement);
return this.GetIdentityOfSelf(requirement);
}
}
}
}
return null;
}
SecurityTokenProvider CreateTlsnegoServerX509TokenProvider(RecipientServiceModelSecurityTokenRequirement recipientRequirement)
{
RecipientServiceModelSecurityTokenRequirement serverX509Requirement = new RecipientServiceModelSecurityTokenRequirement();
serverX509Requirement.TokenType = SecurityTokenTypes.X509Certificate;
serverX509Requirement.KeyUsage = SecurityKeyUsage.Exchange;
serverX509Requirement.ListenUri = recipientRequirement.ListenUri;
serverX509Requirement.KeyType = SecurityKeyType.AsymmetricKey;
serverX509Requirement.SecurityBindingElement = recipientRequirement.SecurityBindingElement;
return this.CreateSecurityTokenProvider(serverX509Requirement);
}
public override SecurityTokenRequirement CreateRequirement ()
{
SecurityTokenRequirement requirement =
new RecipientServiceModelSecurityTokenRequirement ();
requirement.Properties [ReqType.ListenUriProperty] = listen_uri;
return requirement;
}
SecurityTokenAuthenticator CreateTlsnegoSecurityTokenAuthenticator(RecipientServiceModelSecurityTokenRequirement recipientRequirement, bool requireClientCertificate, out SecurityTokenResolver sctResolver)
{
SecurityBindingElement securityBindingElement = recipientRequirement.SecurityBindingElement;
if (securityBindingElement == null)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgument(SR.GetString(SR.TokenAuthenticatorRequiresSecurityBindingElement, recipientRequirement));
}
bool isCookieMode = !recipientRequirement.SupportSecurityContextCancellation;
LocalServiceSecuritySettings localServiceSettings = securityBindingElement.LocalServiceSettings;
sctResolver = new SecurityContextSecurityTokenResolver(localServiceSettings.MaxCachedCookies, true);
TlsnegoTokenAuthenticator authenticator = new TlsnegoTokenAuthenticator();
authenticator.IsClientAnonymous = !requireClientCertificate;
if (requireClientCertificate)
{
authenticator.ClientTokenAuthenticator = this.CreateTlsnegoClientX509TokenAuthenticator(recipientRequirement);
authenticator.MapCertificateToWindowsAccount = this.ServiceCredentials.ClientCertificate.Authentication.MapClientCertificateToWindowsAccount;
}
authenticator.EncryptStateInServiceToken = isCookieMode;
authenticator.IssuedSecurityTokenParameters = recipientRequirement.GetProperty<SecurityTokenParameters>(ServiceModelSecurityTokenRequirement.IssuedSecurityTokenParametersProperty);
authenticator.IssuedTokenCache = (ISecurityContextSecurityTokenCache)sctResolver;
authenticator.IssuerBindingContext = recipientRequirement.GetProperty<BindingContext>(ServiceModelSecurityTokenRequirement.IssuerBindingContextProperty);
authenticator.ListenUri = recipientRequirement.ListenUri;
authenticator.SecurityAlgorithmSuite = recipientRequirement.SecurityAlgorithmSuite;
authenticator.StandardsManager = SecurityUtils.CreateSecurityStandardsManager(recipientRequirement, this);
authenticator.SecurityStateEncoder = parent.SecureConversationAuthentication.SecurityStateEncoder;
authenticator.KnownTypes = parent.SecureConversationAuthentication.SecurityContextClaimTypes;
authenticator.ServerTokenProvider = CreateTlsnegoServerX509TokenProvider(recipientRequirement);
// local security quotas
authenticator.MaximumCachedNegotiationState = localServiceSettings.MaxStatefulNegotiations;
authenticator.NegotiationTimeout = localServiceSettings.NegotiationTimeout;
authenticator.ServiceTokenLifetime = localServiceSettings.IssuedCookieLifetime;
authenticator.MaximumConcurrentNegotiations = localServiceSettings.MaxStatefulNegotiations;
// if the TLSNEGO is being done in mixed-mode, the nego blobs are from an anonymous client and so there size bound needs to be enforced.
if (securityBindingElement is TransportSecurityBindingElement)
{
authenticator.MaxMessageSize = SecurityUtils.GetMaxNegotiationBufferSize(authenticator.IssuerBindingContext);
}
// audit settings
authenticator.AuditLogLocation = recipientRequirement.AuditLogLocation;
authenticator.SuppressAuditFailure = recipientRequirement.SuppressAuditFailure;
authenticator.MessageAuthenticationAuditLevel = recipientRequirement.MessageAuthenticationAuditLevel;
return authenticator;
}
public void CreateProviderX509Recipient ()
{
RecipientServiceModelSecurityTokenRequirement r =
new RecipientServiceModelSecurityTokenRequirement ();
r.TokenType = SecurityTokenTypes.X509Certificate;
r.KeyUsage = SecurityKeyUsage.Exchange;
def_c.ClientCredentials.ClientCertificate.Certificate = cert;
X509SecurityTokenProvider p =
def_c.CreateSecurityTokenProvider (r)
as X509SecurityTokenProvider;
Assert.IsNotNull (p, "#1");
}
public void CreateAuthenticatorUserNameCustomWithoutValidator ()
{
SecurityTokenRequirement r =
new RecipientServiceModelSecurityTokenRequirement ();
r.TokenType = SecurityTokenTypes.UserName;
SecurityTokenResolver resolver;
def_c.ServiceCredentials.UserNameAuthentication.UserNamePasswordValidationMode = UserNamePasswordValidationMode.Custom;
def_c.CreateSecurityTokenAuthenticator (r, out resolver);
}
