public void CreateIssuedTokenForSslBindingElement1() { IssuedSecurityTokenParameters tp = new IssuedSecurityTokenParameters(); SymmetricSecurityBindingElement be = SecurityBindingElement.CreateIssuedTokenForSslBindingElement(tp); SecurityAssert.AssertSymmetricSecurityBindingElement( SecurityAlgorithmSuite.Default, true, // IncludeTimestamp SecurityKeyEntropyMode.CombinedEntropy, MessageProtectionOrder.SignBeforeEncryptAndEncryptSignature, MessageSecurityVersion.Default, true, // RequireSignatureConfirmation SecurityHeaderLayout.Strict, // EndpointSupportingTokenParameters: endorsing, signed, signedEncrypted, signedEndorsing (by count) 1, 0, 0, 0, // ProtectionTokenParameters true, SecurityTokenInclusionMode.AlwaysToRecipient, SecurityTokenReferenceStyle.Internal, true, // LocalClientSettings true, 60, true, be, ""); Assert.AreEqual(tp, be.EndpointSupportingTokenParameters.Endorsing [0], "EndpointParams.Endorsing[0]"); // FIXME: test ProtectionTokenParameters }
public static Binding CreateIssuedTokenForSslNegotiatedBinding() { BindingElementCollection bec = new BindingElementCollection(); bec.Add(SecurityBindingElement. CreateIssuedTokenForSslBindingElement( new IssuedSecurityTokenParameters())); bec.Add(new TextMessageEncodingBindingElement()); bec.Add(new HttpTransportBindingElement()); return(new CustomBinding(bec)); }
private void CreateBinding() { //<snippet8> CustomBinding binding = new CustomBinding(); // The following binding exposes a DNS identity. binding.Elements.Add(SecurityBindingElement. CreateSecureConversationBindingElement( SecurityBindingElement. CreateIssuedTokenForSslBindingElement( new IssuedSecurityTokenParameters()))); // The following element requires a UPN or SPN identity. binding.Elements.Add(new WindowsStreamSecurityBindingElement()); binding.Elements.Add(new TcpTransportBindingElement()); //</snippet8> }
internal SecurityBindingElement CreateSecurityBindingElement(bool isSecureTransportMode, bool isReliableSession, MessageSecurityVersion version) { if (isReliableSession && !this.IsSecureConversationEnabled()) { throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new InvalidOperationException(SR.GetString(SR.SecureConversationRequiredByReliableSession))); } SecurityBindingElement result; SecurityBindingElement oneShotSecurity; bool isKerberosSelected = false; bool emitBspAttributes = true; if (isSecureTransportMode) { switch (this.clientCredentialType) { case MessageCredentialType.None: throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new InvalidOperationException(SR.GetString(SR.ClientCredentialTypeMustBeSpecifiedForMixedMode))); case MessageCredentialType.UserName: oneShotSecurity = SecurityBindingElement.CreateUserNameOverTransportBindingElement(); break; case MessageCredentialType.Certificate: oneShotSecurity = SecurityBindingElement.CreateCertificateOverTransportBindingElement(); break; case MessageCredentialType.Windows: oneShotSecurity = SecurityBindingElement.CreateSspiNegotiationOverTransportBindingElement(true); break; case MessageCredentialType.IssuedToken: oneShotSecurity = SecurityBindingElement.CreateIssuedTokenOverTransportBindingElement(IssuedSecurityTokenParameters.CreateInfoCardParameters(new SecurityStandardsManager(new WSSecurityTokenSerializer(emitBspAttributes)), this.algorithmSuite)); break; default: Fx.Assert("unknown ClientCredentialType"); throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new NotSupportedException()); } if (this.IsSecureConversationEnabled()) { result = SecurityBindingElement.CreateSecureConversationBindingElement(oneShotSecurity, true); } else { result = oneShotSecurity; } } else { if (negotiateServiceCredential) { switch (this.clientCredentialType) { case MessageCredentialType.None: oneShotSecurity = SecurityBindingElement.CreateSslNegotiationBindingElement(false, true); break; case MessageCredentialType.UserName: oneShotSecurity = SecurityBindingElement.CreateUserNameForSslBindingElement(true); break; case MessageCredentialType.Certificate: oneShotSecurity = SecurityBindingElement.CreateSslNegotiationBindingElement(true, true); break; case MessageCredentialType.Windows: oneShotSecurity = SecurityBindingElement.CreateSspiNegotiationBindingElement(true); break; case MessageCredentialType.IssuedToken: oneShotSecurity = SecurityBindingElement.CreateIssuedTokenForSslBindingElement(IssuedSecurityTokenParameters.CreateInfoCardParameters(new SecurityStandardsManager(new WSSecurityTokenSerializer(emitBspAttributes)), this.algorithmSuite), true); break; default: Fx.Assert("unknown ClientCredentialType"); throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new NotSupportedException()); } } else { switch (this.clientCredentialType) { case MessageCredentialType.None: oneShotSecurity = SecurityBindingElement.CreateAnonymousForCertificateBindingElement(); break; case MessageCredentialType.UserName: oneShotSecurity = SecurityBindingElement.CreateUserNameForCertificateBindingElement(); break; case MessageCredentialType.Certificate: oneShotSecurity = SecurityBindingElement.CreateMutualCertificateBindingElement(); break; case MessageCredentialType.Windows: oneShotSecurity = SecurityBindingElement.CreateKerberosBindingElement(); isKerberosSelected = true; break; case MessageCredentialType.IssuedToken: oneShotSecurity = SecurityBindingElement.CreateIssuedTokenForCertificateBindingElement(IssuedSecurityTokenParameters.CreateInfoCardParameters(new SecurityStandardsManager(new WSSecurityTokenSerializer(emitBspAttributes)), this.algorithmSuite)); break; default: Fx.Assert("unknown ClientCredentialType"); throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new NotSupportedException()); } } if (this.IsSecureConversationEnabled()) { result = SecurityBindingElement.CreateSecureConversationBindingElement(oneShotSecurity, true); } else { result = oneShotSecurity; } } // set the algorithm suite and issued token params if required if (wasAlgorithmSuiteSet || (!isKerberosSelected)) { result.DefaultAlgorithmSuite = oneShotSecurity.DefaultAlgorithmSuite = this.AlgorithmSuite; } else if (isKerberosSelected) { result.DefaultAlgorithmSuite = oneShotSecurity.DefaultAlgorithmSuite = SecurityAlgorithmSuite.KerberosDefault; } result.IncludeTimestamp = true; oneShotSecurity.MessageSecurityVersion = version; result.MessageSecurityVersion = version; if (!isReliableSession) { result.LocalServiceSettings.ReconnectTransportOnFailure = false; result.LocalClientSettings.ReconnectTransportOnFailure = false; } else { result.LocalServiceSettings.ReconnectTransportOnFailure = true; result.LocalClientSettings.ReconnectTransportOnFailure = true; } if (this.IsSecureConversationEnabled()) { // issue the transition SCT for a short duration only oneShotSecurity.LocalServiceSettings.IssuedCookieLifetime = SpnegoTokenAuthenticator.defaultServerIssuedTransitionTokenLifetime; } return(result); }
internal SecurityBindingElement CreateSecurityBindingElement(bool isSecureTransportMode, bool isReliableSession, MessageSecurityVersion version) { SecurityBindingElement element; SecurityBindingElement element3; if ((this.IssuedKeyType == SecurityKeyType.BearerKey) && (version.TrustVersion == TrustVersion.WSTrustFeb2005)) { throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new InvalidOperationException(System.ServiceModel.SR.GetString("BearerKeyIncompatibleWithWSFederationHttpBinding"))); } if (isReliableSession && !this.EstablishSecurityContext) { throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new InvalidOperationException(System.ServiceModel.SR.GetString("SecureConversationRequiredByReliableSession"))); } bool emitBspRequiredAttributes = true; IssuedSecurityTokenParameters issuedTokenParameters = new IssuedSecurityTokenParameters(this.IssuedTokenType, this.IssuerAddress, this.IssuerBinding) { IssuerMetadataAddress = this.issuerMetadataAddress, KeyType = this.IssuedKeyType }; if (this.IssuedKeyType == SecurityKeyType.SymmetricKey) { issuedTokenParameters.KeySize = this.AlgorithmSuite.DefaultSymmetricKeyLength; } else { issuedTokenParameters.KeySize = 0; } foreach (ClaimTypeRequirement requirement in this.claimTypeRequirements) { issuedTokenParameters.ClaimTypeRequirements.Add(requirement); } foreach (XmlElement element2 in this.TokenRequestParameters) { issuedTokenParameters.AdditionalRequestParameters.Add(element2); } WSSecurityTokenSerializer tokenSerializer = new WSSecurityTokenSerializer(version.SecurityVersion, version.TrustVersion, version.SecureConversationVersion, emitBspRequiredAttributes, null, null, null); SecurityStandardsManager standardsManager = new SecurityStandardsManager(version, tokenSerializer); issuedTokenParameters.AddAlgorithmParameters(this.AlgorithmSuite, standardsManager, this.issuedKeyType); if (isSecureTransportMode) { element3 = SecurityBindingElement.CreateIssuedTokenOverTransportBindingElement(issuedTokenParameters); } else if (this.negotiateServiceCredential) { element3 = SecurityBindingElement.CreateIssuedTokenForSslBindingElement(issuedTokenParameters, version.SecurityPolicyVersion != SecurityPolicyVersion.WSSecurityPolicy11); } else { element3 = SecurityBindingElement.CreateIssuedTokenForCertificateBindingElement(issuedTokenParameters); } element3.MessageSecurityVersion = version; element3.DefaultAlgorithmSuite = this.AlgorithmSuite; if (this.EstablishSecurityContext) { element = SecurityBindingElement.CreateSecureConversationBindingElement(element3, true); } else { element = element3; } element.MessageSecurityVersion = version; element.DefaultAlgorithmSuite = this.AlgorithmSuite; element.IncludeTimestamp = true; if (!isReliableSession) { element.LocalServiceSettings.ReconnectTransportOnFailure = false; element.LocalClientSettings.ReconnectTransportOnFailure = false; } else { element.LocalServiceSettings.ReconnectTransportOnFailure = true; element.LocalClientSettings.ReconnectTransportOnFailure = true; } if (this.establishSecurityContext) { element3.LocalServiceSettings.IssuedCookieLifetime = NegotiationTokenAuthenticator <SspiNegotiationTokenAuthenticatorState> .defaultServerIssuedTransitionTokenLifetime; } return(element); }
internal SecurityBindingElement CreateSecurityBindingElement(bool isSecureTransportMode, bool isReliableSession, MessageSecurityVersion version) { SecurityBindingElement element; SecurityBindingElement element2; if (isReliableSession && !this.IsSecureConversationEnabled()) { throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new InvalidOperationException(System.ServiceModel.SR.GetString("SecureConversationRequiredByReliableSession"))); } bool flag = false; bool emitBspRequiredAttributes = true; if (!isSecureTransportMode) { if (this.negotiateServiceCredential) { switch (this.clientCredentialType) { case MessageCredentialType.None: element2 = SecurityBindingElement.CreateSslNegotiationBindingElement(false, true); goto Label_01DA; case MessageCredentialType.Windows: element2 = SecurityBindingElement.CreateSspiNegotiationBindingElement(true); goto Label_01DA; case MessageCredentialType.UserName: element2 = SecurityBindingElement.CreateUserNameForSslBindingElement(true); goto Label_01DA; case MessageCredentialType.Certificate: element2 = SecurityBindingElement.CreateSslNegotiationBindingElement(true, true); goto Label_01DA; case MessageCredentialType.IssuedToken: element2 = SecurityBindingElement.CreateIssuedTokenForSslBindingElement(IssuedSecurityTokenParameters.CreateInfoCardParameters(new SecurityStandardsManager(new WSSecurityTokenSerializer(emitBspRequiredAttributes)), this.algorithmSuite), true); goto Label_01DA; } throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new NotSupportedException()); } switch (this.clientCredentialType) { case MessageCredentialType.None: element2 = SecurityBindingElement.CreateAnonymousForCertificateBindingElement(); goto Label_01DA; case MessageCredentialType.Windows: element2 = SecurityBindingElement.CreateKerberosBindingElement(); flag = true; goto Label_01DA; case MessageCredentialType.UserName: element2 = SecurityBindingElement.CreateUserNameForCertificateBindingElement(); goto Label_01DA; case MessageCredentialType.Certificate: element2 = SecurityBindingElement.CreateMutualCertificateBindingElement(); goto Label_01DA; case MessageCredentialType.IssuedToken: element2 = SecurityBindingElement.CreateIssuedTokenForCertificateBindingElement(IssuedSecurityTokenParameters.CreateInfoCardParameters(new SecurityStandardsManager(new WSSecurityTokenSerializer(emitBspRequiredAttributes)), this.algorithmSuite)); goto Label_01DA; } throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new NotSupportedException()); } switch (this.clientCredentialType) { case MessageCredentialType.None: throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new InvalidOperationException(System.ServiceModel.SR.GetString("ClientCredentialTypeMustBeSpecifiedForMixedMode"))); case MessageCredentialType.Windows: element2 = SecurityBindingElement.CreateSspiNegotiationOverTransportBindingElement(true); break; case MessageCredentialType.UserName: element2 = SecurityBindingElement.CreateUserNameOverTransportBindingElement(); break; case MessageCredentialType.Certificate: element2 = SecurityBindingElement.CreateCertificateOverTransportBindingElement(); break; case MessageCredentialType.IssuedToken: element2 = SecurityBindingElement.CreateIssuedTokenOverTransportBindingElement(IssuedSecurityTokenParameters.CreateInfoCardParameters(new SecurityStandardsManager(new WSSecurityTokenSerializer(emitBspRequiredAttributes)), this.algorithmSuite)); break; default: throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new NotSupportedException()); } if (this.IsSecureConversationEnabled()) { element = SecurityBindingElement.CreateSecureConversationBindingElement(element2, true); } else { element = element2; } goto Label_01EE; Label_01DA: if (this.IsSecureConversationEnabled()) { element = SecurityBindingElement.CreateSecureConversationBindingElement(element2, true); } else { element = element2; } Label_01EE: if (this.wasAlgorithmSuiteSet || !flag) { element.DefaultAlgorithmSuite = element2.DefaultAlgorithmSuite = this.AlgorithmSuite; } else if (flag) { element.DefaultAlgorithmSuite = element2.DefaultAlgorithmSuite = SecurityAlgorithmSuite.KerberosDefault; } element.IncludeTimestamp = true; element2.MessageSecurityVersion = version; element.MessageSecurityVersion = version; if (!isReliableSession) { element.LocalServiceSettings.ReconnectTransportOnFailure = false; element.LocalClientSettings.ReconnectTransportOnFailure = false; } else { element.LocalServiceSettings.ReconnectTransportOnFailure = true; element.LocalClientSettings.ReconnectTransportOnFailure = true; } if (this.IsSecureConversationEnabled()) { element2.LocalServiceSettings.IssuedCookieLifetime = NegotiationTokenAuthenticator <SspiNegotiationTokenAuthenticatorState> .defaultServerIssuedTransitionTokenLifetime; } return(element); }
protected internal virtual BindingElement CreateBindingElement(bool createTemplateOnly) { SecurityBindingElement result; switch (this.AuthenticationMode) { case AuthenticationMode.AnonymousForCertificate: result = SecurityBindingElement.CreateAnonymousForCertificateBindingElement(); break; case AuthenticationMode.AnonymousForSslNegotiated: result = SecurityBindingElement.CreateSslNegotiationBindingElement(false, this.RequireSecurityContextCancellation); break; case AuthenticationMode.CertificateOverTransport: result = SecurityBindingElement.CreateCertificateOverTransportBindingElement(this.MessageSecurityVersion); break; case AuthenticationMode.IssuedToken: result = SecurityBindingElement.CreateIssuedTokenBindingElement(this.IssuedTokenParameters.Create(createTemplateOnly, this.templateKeyType)); break; case AuthenticationMode.IssuedTokenForCertificate: result = SecurityBindingElement.CreateIssuedTokenForCertificateBindingElement(this.IssuedTokenParameters.Create(createTemplateOnly, this.templateKeyType)); break; case AuthenticationMode.IssuedTokenForSslNegotiated: result = SecurityBindingElement.CreateIssuedTokenForSslBindingElement(this.IssuedTokenParameters.Create(createTemplateOnly, this.templateKeyType), this.RequireSecurityContextCancellation); break; case AuthenticationMode.IssuedTokenOverTransport: result = SecurityBindingElement.CreateIssuedTokenOverTransportBindingElement(this.IssuedTokenParameters.Create(createTemplateOnly, this.templateKeyType)); break; case AuthenticationMode.Kerberos: result = SecurityBindingElement.CreateKerberosBindingElement(); break; case AuthenticationMode.KerberosOverTransport: result = SecurityBindingElement.CreateKerberosOverTransportBindingElement(); break; case AuthenticationMode.MutualCertificateDuplex: result = SecurityBindingElement.CreateMutualCertificateDuplexBindingElement(this.MessageSecurityVersion); break; case AuthenticationMode.MutualCertificate: result = SecurityBindingElement.CreateMutualCertificateBindingElement(this.MessageSecurityVersion); break; case AuthenticationMode.MutualSslNegotiated: result = SecurityBindingElement.CreateSslNegotiationBindingElement(true, this.RequireSecurityContextCancellation); break; case AuthenticationMode.SspiNegotiated: result = SecurityBindingElement.CreateSspiNegotiationBindingElement(this.RequireSecurityContextCancellation); break; case AuthenticationMode.UserNameForCertificate: result = SecurityBindingElement.CreateUserNameForCertificateBindingElement(); break; case AuthenticationMode.UserNameForSslNegotiated: result = SecurityBindingElement.CreateUserNameForSslBindingElement(this.RequireSecurityContextCancellation); break; case AuthenticationMode.UserNameOverTransport: result = SecurityBindingElement.CreateUserNameOverTransportBindingElement(); break; case AuthenticationMode.SspiNegotiatedOverTransport: result = SecurityBindingElement.CreateSspiNegotiationOverTransportBindingElement(this.RequireSecurityContextCancellation); break; default: throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new InvalidEnumArgumentException("AuthenticationMode", (int)this.AuthenticationMode, typeof(AuthenticationMode))); } this.ApplyConfiguration(result); return(result); }
internal SecurityBindingElement CreateSecurityBindingElement(bool isSecureTransportMode, bool isReliableSession, MessageSecurityVersion version) { SecurityBindingElement securityBindingElement; SecurityBindingElement securityBindingElement1; if (isReliableSession && !this.IsSecureConversationEnabled()) { throw Microsoft.ServiceBus.Diagnostics.DiagnosticUtility.ExceptionUtility.ThrowHelperError(new InvalidOperationException(Microsoft.ServiceBus.SR.GetString(Resources.SecureConversationRequiredByReliableSession, new object[0]))); } bool flag = false; bool flag1 = true; if (!isSecureTransportMode) { if (!this.negotiateServiceCredential) { switch (this.clientCredentialType) { case MessageCredentialType.None: { securityBindingElement1 = SecurityBindingElement.CreateAnonymousForCertificateBindingElement(); goto Label0; } case MessageCredentialType.Windows: { securityBindingElement1 = SecurityBindingElement.CreateKerberosBindingElement(); flag = true; goto Label0; } case MessageCredentialType.UserName: { securityBindingElement1 = SecurityBindingElement.CreateUserNameForCertificateBindingElement(); goto Label0; } case MessageCredentialType.Certificate: { securityBindingElement1 = SecurityBindingElement.CreateMutualCertificateBindingElement(); goto Label0; } case MessageCredentialType.IssuedToken: { securityBindingElement1 = SecurityBindingElement.CreateIssuedTokenForCertificateBindingElement(this.CreateInfoCardParameters(flag1)); goto Label0; } } Microsoft.ServiceBus.Diagnostics.DiagnosticUtility.DebugAssert("unknown ClientCredentialType"); throw Microsoft.ServiceBus.Diagnostics.DiagnosticUtility.ExceptionUtility.ThrowHelperError(new NotSupportedException()); } else { switch (this.clientCredentialType) { case MessageCredentialType.None: { securityBindingElement1 = SecurityBindingElement.CreateSslNegotiationBindingElement(false, true); goto Label0; } case MessageCredentialType.Windows: { securityBindingElement1 = SecurityBindingElement.CreateSspiNegotiationBindingElement(true); goto Label0; } case MessageCredentialType.UserName: { securityBindingElement1 = SecurityBindingElement.CreateUserNameForSslBindingElement(true); goto Label0; } case MessageCredentialType.Certificate: { securityBindingElement1 = SecurityBindingElement.CreateSslNegotiationBindingElement(true, true); goto Label0; } case MessageCredentialType.IssuedToken: { securityBindingElement1 = SecurityBindingElement.CreateIssuedTokenForSslBindingElement(this.CreateInfoCardParameters(flag1), true); goto Label0; } } Microsoft.ServiceBus.Diagnostics.DiagnosticUtility.DebugAssert("unknown ClientCredentialType"); throw Microsoft.ServiceBus.Diagnostics.DiagnosticUtility.ExceptionUtility.ThrowHelperError(new NotSupportedException()); } Label0: securityBindingElement = (!this.IsSecureConversationEnabled() ? securityBindingElement1 : SecurityBindingElement.CreateSecureConversationBindingElement(securityBindingElement1, true)); } else { switch (this.clientCredentialType) { case MessageCredentialType.None: { throw Microsoft.ServiceBus.Diagnostics.DiagnosticUtility.ExceptionUtility.ThrowHelperError(new InvalidOperationException(Microsoft.ServiceBus.SR.GetString(Resources.ClientCredentialTypeMustBeSpecifiedForMixedMode, new object[0]))); } case MessageCredentialType.Windows: { securityBindingElement1 = SecurityBindingElement.CreateSspiNegotiationOverTransportBindingElement(true); break; } case MessageCredentialType.UserName: { securityBindingElement1 = SecurityBindingElement.CreateUserNameOverTransportBindingElement(); break; } case MessageCredentialType.Certificate: { securityBindingElement1 = SecurityBindingElement.CreateCertificateOverTransportBindingElement(); break; } case MessageCredentialType.IssuedToken: { securityBindingElement1 = SecurityBindingElement.CreateIssuedTokenOverTransportBindingElement(this.CreateInfoCardParameters(flag1)); break; } default: { Microsoft.ServiceBus.Diagnostics.DiagnosticUtility.DebugAssert("unknown ClientCredentialType"); throw Microsoft.ServiceBus.Diagnostics.DiagnosticUtility.ExceptionUtility.ThrowHelperError(new NotSupportedException()); } } securityBindingElement = (!this.IsSecureConversationEnabled() ? securityBindingElement1 : SecurityBindingElement.CreateSecureConversationBindingElement(securityBindingElement1, true)); } if (this.wasAlgorithmSuiteSet || !flag) { SecurityAlgorithmSuite algorithmSuite = this.AlgorithmSuite; SecurityAlgorithmSuite securityAlgorithmSuite = algorithmSuite; securityBindingElement1.DefaultAlgorithmSuite = algorithmSuite; securityBindingElement.DefaultAlgorithmSuite = securityAlgorithmSuite; } else if (flag) { SecurityAlgorithmSuite basic128 = SecurityAlgorithmSuite.Basic128; SecurityAlgorithmSuite securityAlgorithmSuite1 = basic128; securityBindingElement1.DefaultAlgorithmSuite = basic128; securityBindingElement.DefaultAlgorithmSuite = securityAlgorithmSuite1; } securityBindingElement.IncludeTimestamp = true; securityBindingElement1.MessageSecurityVersion = version; securityBindingElement.MessageSecurityVersion = version; if (isReliableSession) { securityBindingElement.LocalServiceSettings.ReconnectTransportOnFailure = true; securityBindingElement.LocalClientSettings.ReconnectTransportOnFailure = true; } else { securityBindingElement.LocalServiceSettings.ReconnectTransportOnFailure = false; securityBindingElement.LocalClientSettings.ReconnectTransportOnFailure = false; } if (this.IsSecureConversationEnabled()) { securityBindingElement1.LocalServiceSettings.IssuedCookieLifetime = TimeSpan.FromMinutes(15); } return(securityBindingElement); }
internal SecurityBindingElement CreateSecurityBindingElement(bool isSecureTransportMode, bool isReliableSession, BindingElement transportBindingElement) { SecurityBindingElement result; SecurityBindingElement oneShotSecurity; if (isSecureTransportMode) { switch (this.clientCredentialType) { case MessageCredentialType.None: throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new InvalidOperationException(SR.GetString(SR.ClientCredentialTypeMustBeSpecifiedForMixedMode))); case MessageCredentialType.UserName: oneShotSecurity = SecurityBindingElement.CreateUserNameOverTransportBindingElement(); break; case MessageCredentialType.Certificate: oneShotSecurity = SecurityBindingElement.CreateCertificateOverTransportBindingElement(); break; case MessageCredentialType.Windows: oneShotSecurity = SecurityBindingElement.CreateSspiNegotiationOverTransportBindingElement(true); break; case MessageCredentialType.IssuedToken: oneShotSecurity = SecurityBindingElement.CreateIssuedTokenOverTransportBindingElement(IssuedSecurityTokenParameters.CreateInfoCardParameters(new SecurityStandardsManager(), this.algorithmSuite)); break; default: Fx.Assert("unknown ClientCredentialType"); throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new NotSupportedException()); } result = SecurityBindingElement.CreateSecureConversationBindingElement(oneShotSecurity); } else { switch (this.clientCredentialType) { case MessageCredentialType.None: oneShotSecurity = SecurityBindingElement.CreateSslNegotiationBindingElement(false, true); break; case MessageCredentialType.UserName: // require cancellation so that impersonation is possible oneShotSecurity = SecurityBindingElement.CreateUserNameForSslBindingElement(true); break; case MessageCredentialType.Certificate: oneShotSecurity = SecurityBindingElement.CreateSslNegotiationBindingElement(true, true); break; case MessageCredentialType.Windows: // require cancellation so that impersonation is possible oneShotSecurity = SecurityBindingElement.CreateSspiNegotiationBindingElement(true); break; case MessageCredentialType.IssuedToken: oneShotSecurity = SecurityBindingElement.CreateIssuedTokenForSslBindingElement(IssuedSecurityTokenParameters.CreateInfoCardParameters(new SecurityStandardsManager(), this.algorithmSuite), true); break; default: Fx.Assert("unknown ClientCredentialType"); throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new NotSupportedException()); } result = SecurityBindingElement.CreateSecureConversationBindingElement(oneShotSecurity, true); } // set the algorithm suite and issued token params if required result.DefaultAlgorithmSuite = oneShotSecurity.DefaultAlgorithmSuite = this.AlgorithmSuite; result.IncludeTimestamp = true; if (!isReliableSession) { result.LocalServiceSettings.ReconnectTransportOnFailure = false; result.LocalClientSettings.ReconnectTransportOnFailure = false; } else { result.LocalServiceSettings.ReconnectTransportOnFailure = true; result.LocalClientSettings.ReconnectTransportOnFailure = true; } // since a session is always bootstrapped, configure the transition sct to live for a short time only oneShotSecurity.LocalServiceSettings.IssuedCookieLifetime = SpnegoTokenAuthenticator.defaultServerIssuedTransitionTokenLifetime; result.MessageSecurityVersion = MessageSecurityVersion.WSSecurity11WSTrustFebruary2005WSSecureConversationFebruary2005WSSecurityPolicy11; oneShotSecurity.MessageSecurityVersion = MessageSecurityVersion.WSSecurity11WSTrustFebruary2005WSSecureConversationFebruary2005WSSecurityPolicy11; return(result); }
internal SecurityBindingElement CreateSecurityBindingElement(bool isSecureTransportMode, bool isReliableSession, MessageSecurityVersion version) { if ((this.IssuedKeyType == SecurityKeyType.BearerKey) && (version.TrustVersion == TrustVersion.WSTrustFeb2005)) { throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new InvalidOperationException(SR.GetString(SR.BearerKeyIncompatibleWithWSFederationHttpBinding))); } if (isReliableSession && !this.EstablishSecurityContext) { throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new InvalidOperationException(SR.GetString(SR.SecureConversationRequiredByReliableSession))); } SecurityBindingElement result; bool emitBspAttributes = true; IssuedSecurityTokenParameters issuedParameters = new IssuedSecurityTokenParameters(this.IssuedTokenType, this.IssuerAddress, this.IssuerBinding); issuedParameters.IssuerMetadataAddress = this.issuerMetadataAddress; issuedParameters.KeyType = this.IssuedKeyType; if (this.IssuedKeyType == SecurityKeyType.SymmetricKey) { issuedParameters.KeySize = this.AlgorithmSuite.DefaultSymmetricKeyLength; } else { issuedParameters.KeySize = 0; } foreach (ClaimTypeRequirement c in this.claimTypeRequirements) { issuedParameters.ClaimTypeRequirements.Add(c); } foreach (XmlElement p in this.TokenRequestParameters) { issuedParameters.AdditionalRequestParameters.Add(p); } WSSecurityTokenSerializer versionSpecificSerializer = new WSSecurityTokenSerializer(version.SecurityVersion, version.TrustVersion, version.SecureConversationVersion, emitBspAttributes, null, null, null); SecurityStandardsManager versionSpecificStandardsManager = new SecurityStandardsManager(version, versionSpecificSerializer); issuedParameters.AddAlgorithmParameters(this.AlgorithmSuite, versionSpecificStandardsManager, this.issuedKeyType); SecurityBindingElement issuedTokenSecurity; if (isSecureTransportMode) { issuedTokenSecurity = SecurityBindingElement.CreateIssuedTokenOverTransportBindingElement(issuedParameters); } else { if (negotiateServiceCredential) { // We should have passed 'true' as RequireCancelation to be consistent with other standard bindings. // However, to limit the change for Orcas, we scope down to just newer version of WSSecurityPolicy. issuedTokenSecurity = SecurityBindingElement.CreateIssuedTokenForSslBindingElement(issuedParameters, version.SecurityPolicyVersion != SecurityPolicyVersion.WSSecurityPolicy11); } else { issuedTokenSecurity = SecurityBindingElement.CreateIssuedTokenForCertificateBindingElement(issuedParameters); } } issuedTokenSecurity.MessageSecurityVersion = version; issuedTokenSecurity.DefaultAlgorithmSuite = this.AlgorithmSuite; if (this.EstablishSecurityContext) { result = SecurityBindingElement.CreateSecureConversationBindingElement(issuedTokenSecurity, true); } else { result = issuedTokenSecurity; } result.MessageSecurityVersion = version; result.DefaultAlgorithmSuite = this.AlgorithmSuite; result.IncludeTimestamp = true; if (!isReliableSession) { result.LocalServiceSettings.ReconnectTransportOnFailure = false; result.LocalClientSettings.ReconnectTransportOnFailure = false; } else { result.LocalServiceSettings.ReconnectTransportOnFailure = true; result.LocalClientSettings.ReconnectTransportOnFailure = true; } if (this.establishSecurityContext) { // issue the transition SCT for a short duration only issuedTokenSecurity.LocalServiceSettings.IssuedCookieLifetime = SpnegoTokenAuthenticator.defaultServerIssuedTransitionTokenLifetime; } return(result); }
/// <summary> /// Creates a custom binding based on an example generated from svcutil.exe /// </summary> /// <param name="exeConfigPath"></param> /// <returns></returns> /// <remarks> /// https://msdn.microsoft.com/en-us/library/ms731690(v=vs.110).aspx /// </remarks> public static List <CustomBinding> GetCustomBindings(string exeConfigPath) { if (string.IsNullOrWhiteSpace(exeConfigPath)) { return(null); } var svcSection = Read.Config.ExeConfig.GetServiceModelSection(exeConfigPath); var configs = new List <CustomBinding>(); foreach (var section in svcSection.Bindings.CustomBinding.ConfiguredBindings.Cast <CustomBindingElement>()) { var binding = new CustomBinding { Name = section.Name, }; var cfgSecurity = section[0] as SecurityElement; if (cfgSecurity == null) { configs.Add(binding); continue; } var mode = cfgSecurity.AuthenticationMode; var msgSecurityVersion = cfgSecurity.MessageSecurityVersion; var issuedTokenParameter = new IssuedSecurityTokenParameters(); if (cfgSecurity.IssuedTokenParameters.AdditionalRequestParameters != null) { foreach (var arp in cfgSecurity.IssuedTokenParameters.AdditionalRequestParameters.Cast <XmlElementElement>()) { issuedTokenParameter.AdditionalRequestParameters.Add(arp.XmlElement); } } if (cfgSecurity.IssuedTokenParameters.Issuer?.Address != null) { var address = cfgSecurity.IssuedTokenParameters.Issuer.Address; var idElem = cfgSecurity.IssuedTokenParameters.Issuer.Identity; issuedTokenParameter.IssuerAddress = GetEnpointAddressWithIdentity(address, idElem); } if (cfgSecurity.IssuedTokenParameters.Issuer?.Binding != null) { issuedTokenParameter.IssuerBinding = GetBindingByName(cfgSecurity.IssuedTokenParameters.Issuer.Binding); } if (cfgSecurity.IssuedTokenParameters.IssuerMetadata?.Address != null) { var address = cfgSecurity.IssuedTokenParameters.IssuerMetadata.Address; var idElem = cfgSecurity.IssuedTokenParameters.IssuerMetadata.Identity; issuedTokenParameter.IssuerMetadataAddress = GetEnpointAddressWithIdentity(address, idElem); } SecurityBindingElement securityElemnt; switch (mode) { case AuthenticationMode.IssuedTokenOverTransport: securityElemnt = SecurityBindingElement.CreateIssuedTokenOverTransportBindingElement(issuedTokenParameter); break; case AuthenticationMode.AnonymousForCertificate: securityElemnt = SecurityBindingElement.CreateAnonymousForCertificateBindingElement(); break; case AuthenticationMode.AnonymousForSslNegotiated: securityElemnt = SecurityBindingElement.CreateSslNegotiationBindingElement(false); break; case AuthenticationMode.CertificateOverTransport: securityElemnt = SecurityBindingElement.CreateCertificateOverTransportBindingElement(msgSecurityVersion); break; case AuthenticationMode.IssuedToken: securityElemnt = SecurityBindingElement.CreateIssuedTokenBindingElement(issuedTokenParameter); break; case AuthenticationMode.IssuedTokenForCertificate: securityElemnt = SecurityBindingElement.CreateIssuedTokenForCertificateBindingElement(issuedTokenParameter); break; case AuthenticationMode.IssuedTokenForSslNegotiated: securityElemnt = SecurityBindingElement.CreateIssuedTokenForSslBindingElement(issuedTokenParameter); break; case AuthenticationMode.Kerberos: securityElemnt = SecurityBindingElement.CreateKerberosBindingElement(); break; case AuthenticationMode.KerberosOverTransport: securityElemnt = SecurityBindingElement.CreateKerberosOverTransportBindingElement(); break; case AuthenticationMode.MutualCertificate: securityElemnt = SecurityBindingElement.CreateMutualCertificateBindingElement(msgSecurityVersion); break; case AuthenticationMode.MutualCertificateDuplex: securityElemnt = SecurityBindingElement.CreateMutualCertificateDuplexBindingElement(msgSecurityVersion); break; case AuthenticationMode.MutualSslNegotiated: securityElemnt = SecurityBindingElement.CreateSslNegotiationBindingElement(false); break; case AuthenticationMode.SspiNegotiated: securityElemnt = SecurityBindingElement.CreateSspiNegotiationBindingElement(); break; case AuthenticationMode.SspiNegotiatedOverTransport: securityElemnt = SecurityBindingElement.CreateSspiNegotiationOverTransportBindingElement(); break; case AuthenticationMode.UserNameForCertificate: securityElemnt = SecurityBindingElement.CreateUserNameForCertificateBindingElement(); break; case AuthenticationMode.UserNameForSslNegotiated: securityElemnt = SecurityBindingElement.CreateUserNameForSslBindingElement(); break; case AuthenticationMode.UserNameOverTransport: securityElemnt = SecurityBindingElement.CreateUserNameOverTransportBindingElement(); break; default: throw new NotImplementedException(); } securityElemnt.AllowInsecureTransport = cfgSecurity.AllowInsecureTransport; securityElemnt.DefaultAlgorithmSuite = cfgSecurity.DefaultAlgorithmSuite; securityElemnt.EnableUnsecuredResponse = cfgSecurity.EnableUnsecuredResponse; securityElemnt.IncludeTimestamp = cfgSecurity.IncludeTimestamp; securityElemnt.MessageSecurityVersion = cfgSecurity.MessageSecurityVersion; securityElemnt.KeyEntropyMode = cfgSecurity.KeyEntropyMode; securityElemnt.ProtectTokens = cfgSecurity.ProtectTokens; securityElemnt.SecurityHeaderLayout = cfgSecurity.SecurityHeaderLayout; securityElemnt.SetKeyDerivation(cfgSecurity.RequireDerivedKeys); binding.Elements.Add(securityElemnt); configs.Add(binding); } return(configs); }
internal SecurityBindingElement CreateSecurityBindingElement(bool isSecureTransportMode, bool isReliableSession, BindingElement transportBindingElement) { SecurityBindingElement element2; if (!isSecureTransportMode) { switch (this.clientCredentialType) { case MessageCredentialType.None: element2 = SecurityBindingElement.CreateSslNegotiationBindingElement(false, true); goto Label_00FF; case MessageCredentialType.Windows: element2 = SecurityBindingElement.CreateSspiNegotiationBindingElement(true); goto Label_00FF; case MessageCredentialType.UserName: element2 = SecurityBindingElement.CreateUserNameForSslBindingElement(true); goto Label_00FF; case MessageCredentialType.Certificate: element2 = SecurityBindingElement.CreateSslNegotiationBindingElement(true, true); goto Label_00FF; case MessageCredentialType.IssuedToken: element2 = SecurityBindingElement.CreateIssuedTokenForSslBindingElement(IssuedSecurityTokenParameters.CreateInfoCardParameters(new SecurityStandardsManager(), this.algorithmSuite), true); goto Label_00FF; } throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new NotSupportedException()); } switch (this.clientCredentialType) { case MessageCredentialType.None: throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new InvalidOperationException(System.ServiceModel.SR.GetString("ClientCredentialTypeMustBeSpecifiedForMixedMode"))); case MessageCredentialType.Windows: element2 = SecurityBindingElement.CreateSspiNegotiationOverTransportBindingElement(true); break; case MessageCredentialType.UserName: element2 = SecurityBindingElement.CreateUserNameOverTransportBindingElement(); break; case MessageCredentialType.Certificate: element2 = SecurityBindingElement.CreateCertificateOverTransportBindingElement(); break; case MessageCredentialType.IssuedToken: element2 = SecurityBindingElement.CreateIssuedTokenOverTransportBindingElement(IssuedSecurityTokenParameters.CreateInfoCardParameters(new SecurityStandardsManager(), this.algorithmSuite)); break; default: throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new NotSupportedException()); } SecurityBindingElement element = SecurityBindingElement.CreateSecureConversationBindingElement(element2); goto Label_0107; Label_00FF: element = SecurityBindingElement.CreateSecureConversationBindingElement(element2, true); Label_0107: element.DefaultAlgorithmSuite = element2.DefaultAlgorithmSuite = this.AlgorithmSuite; element.IncludeTimestamp = true; if (!isReliableSession) { element.LocalServiceSettings.ReconnectTransportOnFailure = false; element.LocalClientSettings.ReconnectTransportOnFailure = false; } else { element.LocalServiceSettings.ReconnectTransportOnFailure = true; element.LocalClientSettings.ReconnectTransportOnFailure = true; } element2.LocalServiceSettings.IssuedCookieLifetime = NegotiationTokenAuthenticator <SspiNegotiationTokenAuthenticatorState> .defaultServerIssuedTransitionTokenLifetime; element.MessageSecurityVersion = MessageSecurityVersion.WSSecurity11WSTrustFebruary2005WSSecureConversationFebruary2005WSSecurityPolicy11; element2.MessageSecurityVersion = MessageSecurityVersion.WSSecurity11WSTrustFebruary2005WSSecureConversationFebruary2005WSSecurityPolicy11; return(element); }
internal SecurityBindingElement CreateSecurityBindingElement(bool isSecureTransportMode, bool isReliableSession) { SecurityBindingElement wSSecurity11WSTrustFebruary2005WSSecureConversationFebruary2005WSSecurityPolicy11; SecurityBindingElement securityBindingElement; if (!isSecureTransportMode) { switch (this.clientCredentialType) { case MessageCredentialType.None: { securityBindingElement = SecurityBindingElement.CreateSslNegotiationBindingElement(false, true); break; } case MessageCredentialType.Windows: { securityBindingElement = SecurityBindingElement.CreateSspiNegotiationBindingElement(true); break; } case MessageCredentialType.UserName: { securityBindingElement = SecurityBindingElement.CreateUserNameForSslBindingElement(true); break; } case MessageCredentialType.Certificate: { securityBindingElement = SecurityBindingElement.CreateSslNegotiationBindingElement(true, true); break; } case MessageCredentialType.IssuedToken: { object[] objArray = new object[] { SecurityUtil.CreateSecurityStandardsManager(new object[0]), this.algorithmSuite }; securityBindingElement = SecurityBindingElement.CreateIssuedTokenForSslBindingElement(SecurityUtil.IssuedSecurityTokenParameters.CreateInfoCardParameters(objArray), true); break; } default: { Microsoft.ServiceBus.Diagnostics.DiagnosticUtility.DebugAssert("unknown ClientCredentialType"); throw Microsoft.ServiceBus.Diagnostics.DiagnosticUtility.ExceptionUtility.ThrowHelperError(new NotSupportedException()); } } wSSecurity11WSTrustFebruary2005WSSecureConversationFebruary2005WSSecurityPolicy11 = SecurityBindingElement.CreateSecureConversationBindingElement(securityBindingElement, true); } else { switch (this.clientCredentialType) { case MessageCredentialType.None: { throw Microsoft.ServiceBus.Diagnostics.DiagnosticUtility.ExceptionUtility.ThrowHelperError(new InvalidOperationException(Microsoft.ServiceBus.SR.GetString(Resources.ClientCredentialTypeMustBeSpecifiedForMixedMode, new object[0]))); } case MessageCredentialType.Windows: { securityBindingElement = SecurityBindingElement.CreateSspiNegotiationOverTransportBindingElement(true); break; } case MessageCredentialType.UserName: { securityBindingElement = SecurityBindingElement.CreateUserNameOverTransportBindingElement(); break; } case MessageCredentialType.Certificate: { securityBindingElement = SecurityBindingElement.CreateCertificateOverTransportBindingElement(); break; } case MessageCredentialType.IssuedToken: { object[] objArray1 = new object[] { SecurityUtil.CreateSecurityStandardsManager(new object[0]), this.algorithmSuite }; securityBindingElement = SecurityBindingElement.CreateIssuedTokenOverTransportBindingElement(SecurityUtil.IssuedSecurityTokenParameters.CreateInfoCardParameters(objArray1)); break; } default: { Microsoft.ServiceBus.Diagnostics.DiagnosticUtility.DebugAssert("unknown ClientCredentialType"); throw Microsoft.ServiceBus.Diagnostics.DiagnosticUtility.ExceptionUtility.ThrowHelperError(new NotSupportedException()); } } wSSecurity11WSTrustFebruary2005WSSecureConversationFebruary2005WSSecurityPolicy11 = SecurityBindingElement.CreateSecureConversationBindingElement(securityBindingElement); } SecurityAlgorithmSuite algorithmSuite = this.AlgorithmSuite; SecurityAlgorithmSuite securityAlgorithmSuite = algorithmSuite; securityBindingElement.DefaultAlgorithmSuite = algorithmSuite; wSSecurity11WSTrustFebruary2005WSSecureConversationFebruary2005WSSecurityPolicy11.DefaultAlgorithmSuite = securityAlgorithmSuite; wSSecurity11WSTrustFebruary2005WSSecureConversationFebruary2005WSSecurityPolicy11.IncludeTimestamp = true; if (isReliableSession) { wSSecurity11WSTrustFebruary2005WSSecureConversationFebruary2005WSSecurityPolicy11.LocalServiceSettings.ReconnectTransportOnFailure = true; wSSecurity11WSTrustFebruary2005WSSecureConversationFebruary2005WSSecurityPolicy11.LocalClientSettings.ReconnectTransportOnFailure = true; } else { wSSecurity11WSTrustFebruary2005WSSecureConversationFebruary2005WSSecurityPolicy11.LocalServiceSettings.ReconnectTransportOnFailure = false; wSSecurity11WSTrustFebruary2005WSSecureConversationFebruary2005WSSecurityPolicy11.LocalClientSettings.ReconnectTransportOnFailure = false; } securityBindingElement.LocalServiceSettings.IssuedCookieLifetime = TimeSpan.FromMinutes(15); wSSecurity11WSTrustFebruary2005WSSecureConversationFebruary2005WSSecurityPolicy11.MessageSecurityVersion = MessageSecurityVersion.WSSecurity11WSTrustFebruary2005WSSecureConversationFebruary2005WSSecurityPolicy11; securityBindingElement.MessageSecurityVersion = MessageSecurityVersion.WSSecurity11WSTrustFebruary2005WSSecureConversationFebruary2005WSSecurityPolicy11; return(wSSecurity11WSTrustFebruary2005WSSecureConversationFebruary2005WSSecurityPolicy11); }