public Decision Decide(EsriWebIdentity esriIdentity) { Evidence evidence = new Evidence(); Dictionary <string, string[]> dict = new Dictionary <string, string[]>(); foreach (string key in esriIdentity.Keys) { dict.Add(key, esriIdentity[key]); } // TODO implement chain of evidence reporting for decision // NOTE this implementation still correctly evaluates the decision bool isAuthorized = this.AccessControl != null && this.AccessControl.Evaluate(new ReadOnlyDictionary <string, string[]>(dict)); return(new Decision(isAuthorized, evidence)); }
protected override EsriWebIdentity GetIdentityImpl(HttpApplication context) { EsriWebIdentity identity = null; try { string dn = context.Request.ClientCertificate.Subject; if (string.IsNullOrEmpty(dn)) { throw new Exception("client certificate subject was null or empty"); } log.DebugFormat("distinguished name: '{0}'", dn); string[] tokens = dn.Split(new char[] { ',', '/' }); string cn = (from token in tokens where token.TrimStart().ToUpper().StartsWith("CN") select token.Split('=').LastOrDefault()).FirstOrDefault(); log.DebugFormat("common name parsed: '{0}'", cn); if (string.IsNullOrEmpty(cn)) { throw new Exception("could not parse common name from distinguished name"); } cn = cn.Replace(' ', '_'); Dictionary <string, string[]> attributes = new Dictionary <string, string[]>(); //attributes.Add("AWESOME", new string[] { "VERY" }); identity = new EsriWebIdentity(cn, attributes, this.GetType().FullName); } catch (Exception ex) { log.Error(ex); } return(identity); }
void Module_AuthenticateRequest(object sender, EventArgs e) { HttpApplication context = (HttpApplication)sender; HttpRequest req = context.Request; if (config == null) { throw new HttpException(500, "configuration not available"); } if (identityProvider == null) { throw new HttpException(500, "identity provider not available"); } // refuse to service insecure requests if specified if (config.RequireHTTPS && !req.IsSecureConnection) { LogEvent(req, "?", 403); throw new HttpException(403, "must use HTTPS"); } // check the whitelist before checking the identity provider if (whitelist.IndexOf(req.UserHostAddress) > -1) { LogEvent(req, "WHITELIST", 200); log.InfoFormat("Whitelisted IP {0} allowed", req.UserHostAddress); return; } // get the identity from the provider IIdentity identity; try { identity = identityProvider.GetIdentity(context); if (identity == null) { LogEvent(req, "?", 403); throw new HttpException(403, "no identity found"); } } catch (Exception ex) { log.Error("error while obtaining identity", ex); LogEvent(req, "?", 403); throw new HttpException(403, "unable to authorize with service provider"); } // set a header with the client certificate's DN, if specified try { if (!string.IsNullOrEmpty(config.ClientDNHeader)) { req.Headers.Set(config.ClientDNHeader, req.ClientCertificate.Subject); } } catch (Exception) { log.Warn("could not set client DN header"); } // perform the authorization check EsriWebIdentity esriIdentity = (EsriWebIdentity)identity; Decision authorizationDecision = decisionPoint.Decide(esriIdentity); if (authorizationDecision == null || !authorizationDecision.IsAuthorized) { LogEvent(req, identity.Name, 403); throw new HttpException(403, "unauthorized"); } req.Headers.Set("X-Auth-Evidence", authorizationDecision.Evidence.ToString()); // set the identity for the user if specified if (config.SetPrincipal) { HttpContext.Current.User = new GenericPrincipal(identity, null); } }