private SecurityToken ReadToken(XmlReader reader, SecurityTokenResolver tokenResolver, IList <SecurityTokenAuthenticator> allowedTokenAuthenticators, out SecurityTokenAuthenticator usedTokenAuthenticator)
{
SecurityToken token = StandardsManager.SecurityTokenSerializer.ReadToken(reader, tokenResolver);
if (token is DerivedKeySecurityTokenStub)
{
if (DerivedTokenAuthenticator == null)
{
// No Authenticator registered for DerivedKeySecurityToken
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new MessageSecurityException(
SR.Format(SR.UnableToFindTokenAuthenticator, typeof(DerivedKeySecurityToken))));
}
// This is just the stub. Nothing to Validate. Set the usedTokenAuthenticator to
// DerivedKeySecurityTokenAuthenticator.
usedTokenAuthenticator = DerivedTokenAuthenticator;
return(token);
}
for (int i = 0; i < allowedTokenAuthenticators.Count; ++i)
{
SecurityTokenAuthenticator tokenAuthenticator = allowedTokenAuthenticators[i];
if (tokenAuthenticator.CanValidateToken(token))
{
ReadOnlyCollection <IAuthorizationPolicy> authorizationPolicies;
authorizationPolicies = tokenAuthenticator.ValidateToken(token);
SecurityTokenAuthorizationPoliciesMapping.Add(token, authorizationPolicies);
usedTokenAuthenticator = tokenAuthenticator;
return(token);
}
}
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new MessageSecurityException(
SR.Format(SR.UnableToFindTokenAuthenticator, token.GetType())));
}
public override void OnOpen(TimeSpan timeout)
{
TimeoutHelper helper = new TimeoutHelper(timeout);
base.OnOpen(helper.RemainingTime());
if (base.ActAsInitiator)
{
if (base.ApplyIntegrity)
{
if (this.CryptoTokenParameters == null)
{
base.OnPropertySettingsError("CryptoTokenParameters", true);
}
if (this.CryptoTokenParameters.RequireDerivedKeys)
{
base.ExpectKeyDerivation = true;
}
}
}
else
{
if (this.CryptoTokenParameters == null)
{
base.OnPropertySettingsError("CryptoTokenParameters", true);
}
if (this.CryptoTokenParameters.RequireDerivedKeys)
{
base.ExpectKeyDerivation = true;
}
SecurityTokenResolver outOfBandTokenResolver = null;
if (base.RequireIntegrity)
{
RecipientServiceModelSecurityTokenRequirement requirement = base.CreateRecipientSecurityTokenRequirement();
this.CryptoTokenParameters.InitializeSecurityTokenRequirement(requirement);
requirement.KeyUsage = SecurityKeyUsage.Signature;
requirement.Properties[ServiceModelSecurityTokenRequirement.MessageDirectionProperty] = MessageDirection.Input;
this.recipientCryptoTokenAuthenticator = base.SecurityTokenManager.CreateSecurityTokenAuthenticator(requirement, out outOfBandTokenResolver);
base.Open("RecipientCryptoTokenAuthenticator", true, this.recipientCryptoTokenAuthenticator, helper.RemainingTime());
}
if (outOfBandTokenResolver != null)
{
Collection <SecurityTokenResolver> list = new Collection <SecurityTokenResolver> {
outOfBandTokenResolver
};
this.recipientOutOfBandTokenResolverList = new ReadOnlyCollection <SecurityTokenResolver>(list);
}
else
{
this.recipientOutOfBandTokenResolverList = EmptyReadOnlyCollection <SecurityTokenResolver> .Instance;
}
}
if (this.RequiresAsymmetricTokenProviderForForwardDirection || this.RequiresAsymmetricTokenProviderForReturnDirection)
{
if (this.AsymmetricTokenParameters == null)
{
base.OnPropertySettingsError("AsymmetricTokenParameters", this.RequiresAsymmetricTokenProviderForForwardDirection);
}
else if (this.AsymmetricTokenParameters.RequireDerivedKeys)
{
base.ExpectKeyDerivation = true;
}
if (!base.ActAsInitiator)
{
RecipientServiceModelSecurityTokenRequirement requirement2 = base.CreateRecipientSecurityTokenRequirement();
this.AsymmetricTokenParameters.InitializeSecurityTokenRequirement(requirement2);
requirement2.KeyUsage = this.RequiresAsymmetricTokenProviderForForwardDirection ? SecurityKeyUsage.Exchange : SecurityKeyUsage.Signature;
requirement2.Properties[ServiceModelSecurityTokenRequirement.MessageDirectionProperty] = this.RequiresAsymmetricTokenProviderForForwardDirection ? MessageDirection.Input : MessageDirection.Output;
this.recipientAsymmetricTokenProvider = base.SecurityTokenManager.CreateSecurityTokenProvider(requirement2);
base.Open("RecipientAsymmetricTokenProvider", this.RequiresAsymmetricTokenProviderForForwardDirection, this.recipientAsymmetricTokenProvider, helper.RemainingTime());
}
}
if ((base.ActAsInitiator && this.AllowSerializedSigningTokenOnReply) && (base.IdentityVerifier == null))
{
base.OnPropertySettingsError("IdentityVerifier", false);
}
}
private void ReadToken(XmlDictionaryReader reader, int position, byte[] decryptedBuffer,
SecurityToken encryptionToken, string idInEncryptedForm, TimeSpan timeout)
{
Fx.Assert((position == AppendPosition) == (decryptedBuffer == null), "inconsistent position, decryptedBuffer parameters");
Fx.Assert((position == AppendPosition) == (encryptionToken == null), "inconsistent position, encryptionToken parameters");
string localName = reader.LocalName;
string namespaceUri = reader.NamespaceURI;
string valueType = reader.GetAttribute(XD.SecurityJan2004Dictionary.ValueType, null);
SecurityTokenAuthenticator usedTokenAuthenticator;
SecurityToken token = ReadToken(reader, CombinedUniversalTokenResolver, _allowedAuthenticators, out usedTokenAuthenticator);
if (token == null)
{
throw TraceUtility.ThrowHelperError(new MessageSecurityException(SR.Format(SR.TokenManagerCouldNotReadToken, localName, namespaceUri, valueType)), Message);
}
DerivedKeySecurityToken derivedKeyToken = token as DerivedKeySecurityToken;
if (derivedKeyToken != null)
{
EnsureDerivedKeyLimitNotReached();
derivedKeyToken.InitializeDerivedKey(MaxDerivedKeyLength);
}
if (usedTokenAuthenticator == _primaryTokenAuthenticator)
{
_allowedAuthenticators.Remove(usedTokenAuthenticator);
}
ReceiveSecurityHeaderBindingModes mode;
TokenTracker supportingTokenTracker = null;
if (usedTokenAuthenticator == _primaryTokenAuthenticator)
{
// this is the primary token. Add to resolver as such
_universalTokenResolver.Add(token, SecurityTokenReferenceStyle.Internal, _primaryTokenParameters);
_primaryTokenResolver.Add(token, SecurityTokenReferenceStyle.Internal, _primaryTokenParameters);
if (_pendingSupportingTokenAuthenticator != null)
{
_allowedAuthenticators.Add(_pendingSupportingTokenAuthenticator);
_pendingSupportingTokenAuthenticator = null;
}
_primaryTokenTracker.RecordToken(token);
mode = ReceiveSecurityHeaderBindingModes.Primary;
}
else if (usedTokenAuthenticator == DerivedTokenAuthenticator)
{
if (token is DerivedKeySecurityTokenStub)
{
if (Layout == SecurityHeaderLayout.Strict)
{
DerivedKeySecurityTokenStub tmpToken = (DerivedKeySecurityTokenStub)token;
throw TraceUtility.ThrowHelperError(new MessageSecurityException(
SR.Format(SR.UnableToResolveKeyInfoClauseInDerivedKeyToken, tmpToken.TokenToDeriveIdentifier)), Message);
}
}
else
{
AddDerivedKeyTokenToResolvers(token);
}
mode = ReceiveSecurityHeaderBindingModes.Unknown;
}
else
{
SupportingTokenAuthenticatorSpecification supportingTokenSpec;
supportingTokenTracker = GetSupportingTokenTracker(usedTokenAuthenticator, out supportingTokenSpec);
if (supportingTokenTracker == null)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperWarning(new MessageSecurityException(SR.Format(SR.UnknownTokenAuthenticatorUsedInTokenProcessing, usedTokenAuthenticator)));
}
if (supportingTokenTracker.Token != null)
{
supportingTokenTracker = new TokenTracker(supportingTokenSpec);
_supportingTokenTrackers.Add(supportingTokenTracker);
}
supportingTokenTracker.RecordToken(token);
if (encryptionToken != null)
{
supportingTokenTracker.IsEncrypted = true;
}
bool isBasic;
bool isSignedButNotBasic;
SecurityTokenAttachmentModeHelper.Categorize(supportingTokenSpec.SecurityTokenAttachmentMode, out isBasic, out isSignedButNotBasic, out mode);
if (isBasic)
{
if (!ExpectBasicTokens)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperWarning(new MessageSecurityException(SR.BasicTokenNotExpected));
}
// only basic tokens have to be part of the reference list. Encrypted Saml tokens dont for example
if (RequireMessageProtection && encryptionToken != null)
{
throw ExceptionHelper.PlatformNotSupported();
}
}
if (isSignedButNotBasic && !ExpectSignedTokens)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperWarning(new MessageSecurityException(SR.SignedSupportingTokenNotExpected));
}
_universalTokenResolver.Add(token, SecurityTokenReferenceStyle.Internal, supportingTokenSpec.TokenParameters);
}
if (position == AppendPosition)
{
ElementManager.AppendToken(token, mode, supportingTokenTracker);
}
else
{
ElementManager.SetTokenAfterDecryption(position, token, mode, decryptedBuffer, supportingTokenTracker);
}
}
internal static void OpenTokenAuthenticatorIfRequired(SecurityTokenAuthenticator tokenAuthenticator, TimeSpan timeout)
{
OpenCommunicationObject(tokenAuthenticator as ICommunicationObject, timeout);
}
internal static void CloseTokenAuthenticatorIfRequired(SecurityTokenAuthenticator tokenAuthenticator, bool aborted, TimeSpan timeout)
{
CloseCommunicationObject(tokenAuthenticator, aborted, timeout);
}
public void Release()
{
ReleaseCore();
authenticator = null;
}
private SslStreamSecurityUpgradeProvider(IDefaultCommunicationTimeouts timeouts, SecurityTokenProvider serverTokenProvider, bool requireClientCertificate, SecurityTokenAuthenticator clientCertificateAuthenticator, string scheme, IdentityVerifier identityVerifier, SslProtocols sslProtocols)
: base(timeouts)
{
_serverTokenProvider = serverTokenProvider;
_requireClientCertificate = requireClientCertificate;
_clientCertificateAuthenticator = clientCertificateAuthenticator;
_identityVerifier = identityVerifier;
_scheme = scheme;
_sslProtocols = sslProtocols;
}
/// <summary>
/// Overriden from the base class. Creates the requested Token Authenticator.
/// Looks up the list of Token Handlers registered with the token Manager
/// based on the TokenType Uri in the SecurityTokenRequirement. If none is found,
/// then the call is delegated to the inner Token Manager.
/// </summary>
/// <param name="tokenRequirement">Security Token Requirement for which the Authenticator should be created.</param>
/// <param name="outOfBandTokenResolver">Token resolver that resolves any out-of-band tokens.</param>
/// <returns>Instance of Security Token Authenticator.</returns>
/// <exception cref="ArgumentNullException">'tokenRequirement' parameter is null.</exception>
/// <exception cref="NotSupportedException">No Authenticator is registered for the given token type.</exception>
public override SecurityTokenAuthenticator CreateSecurityTokenAuthenticator(SecurityTokenRequirement tokenRequirement, out SecurityTokenResolver outOfBandTokenResolver)
{
if (tokenRequirement == null)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("tokenRequirement");
}
outOfBandTokenResolver = null;
// Check for a registered authenticator
SecurityTokenAuthenticator securityTokenAuthenticator = null;
string tokenType = tokenRequirement.TokenType;
//
// When the TokenRequirement.TokenType is null, we treat this as a SAML issued token case. It may be SAML 1.1 or SAML 2.0.
//
if (String.IsNullOrEmpty(tokenType))
{
return(CreateSamlSecurityTokenAuthenticator(tokenRequirement, out outOfBandTokenResolver));
}
//
// When the TokenType is set, build a token authenticator for the specified token type.
//
SecurityTokenHandler securityTokenHandler = _securityTokenHandlerCollection[tokenType];
if ((securityTokenHandler != null) && (securityTokenHandler.CanValidateToken))
{
outOfBandTokenResolver = GetDefaultOutOfBandTokenResolver();
if (StringComparer.Ordinal.Equals(tokenType, SecurityTokenTypes.UserName))
{
UserNameSecurityTokenHandler upSecurityTokenHandler = securityTokenHandler as UserNameSecurityTokenHandler;
if (upSecurityTokenHandler == null)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(
new InvalidOperationException(SR.GetString(SR.ID4072, securityTokenHandler.GetType(), tokenType, typeof(UserNameSecurityTokenHandler))));
}
securityTokenAuthenticator = new WrappedUserNameSecurityTokenAuthenticator(upSecurityTokenHandler, _exceptionMapper);
}
else if (StringComparer.Ordinal.Equals(tokenType, SecurityTokenTypes.Kerberos))
{
securityTokenAuthenticator = CreateInnerSecurityTokenAuthenticator(tokenRequirement, out outOfBandTokenResolver);
}
else if (StringComparer.Ordinal.Equals(tokenType, SecurityTokenTypes.Rsa))
{
RsaSecurityTokenHandler rsaSecurityTokenHandler = securityTokenHandler as RsaSecurityTokenHandler;
if (rsaSecurityTokenHandler == null)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(
new InvalidOperationException(SR.GetString(SR.ID4072, securityTokenHandler.GetType(), tokenType, typeof(RsaSecurityTokenHandler))));
}
securityTokenAuthenticator = new WrappedRsaSecurityTokenAuthenticator(rsaSecurityTokenHandler, _exceptionMapper);
}
else if (StringComparer.Ordinal.Equals(tokenType, SecurityTokenTypes.X509Certificate))
{
X509SecurityTokenHandler x509SecurityTokenHandler = securityTokenHandler as X509SecurityTokenHandler;
if (x509SecurityTokenHandler == null)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(
new InvalidOperationException(SR.GetString(SR.ID4072, securityTokenHandler.GetType(), tokenType, typeof(X509SecurityTokenHandler))));
}
securityTokenAuthenticator = new WrappedX509SecurityTokenAuthenticator(x509SecurityTokenHandler, _exceptionMapper);
}
else if (StringComparer.Ordinal.Equals(tokenType, SecurityTokenTypes.SamlTokenProfile11) ||
StringComparer.Ordinal.Equals(tokenType, SecurityTokenTypes.OasisWssSamlTokenProfile11))
{
SamlSecurityTokenHandler saml11SecurityTokenHandler = securityTokenHandler as SamlSecurityTokenHandler;
if (saml11SecurityTokenHandler == null)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(
new InvalidOperationException(SR.GetString(SR.ID4072, securityTokenHandler.GetType(), tokenType, typeof(SamlSecurityTokenHandler))));
}
if (saml11SecurityTokenHandler.Configuration == null)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperInvalidOperation(SR.GetString(SR.ID4274));
}
securityTokenAuthenticator = new WrappedSaml11SecurityTokenAuthenticator(saml11SecurityTokenHandler, _exceptionMapper);
// The out-of-band token resolver will be used by WCF to decrypt any encrypted SAML tokens.
outOfBandTokenResolver = saml11SecurityTokenHandler.Configuration.ServiceTokenResolver;
}
else if (StringComparer.Ordinal.Equals(tokenType, SecurityTokenTypes.Saml2TokenProfile11) ||
StringComparer.Ordinal.Equals(tokenType, SecurityTokenTypes.OasisWssSaml2TokenProfile11))
{
Saml2SecurityTokenHandler saml2SecurityTokenHandler = securityTokenHandler as Saml2SecurityTokenHandler;
if (saml2SecurityTokenHandler == null)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(
new InvalidOperationException(SR.GetString(SR.ID4072, securityTokenHandler.GetType(), tokenType, typeof(Saml2SecurityTokenHandler))));
}
if (saml2SecurityTokenHandler.Configuration == null)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperInvalidOperation(SR.GetString(SR.ID4274));
}
securityTokenAuthenticator = new WrappedSaml2SecurityTokenAuthenticator(saml2SecurityTokenHandler, _exceptionMapper);
// The out-of-band token resolver will be used by WCF to decrypt any encrypted SAML tokens.
outOfBandTokenResolver = saml2SecurityTokenHandler.Configuration.ServiceTokenResolver;
}
else if (StringComparer.Ordinal.Equals(tokenType, ServiceModelSecurityTokenTypes.SecureConversation))
{
RecipientServiceModelSecurityTokenRequirement tr = tokenRequirement as RecipientServiceModelSecurityTokenRequirement;
if (tr == null)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperInvalidOperation(SR.GetString(SR.ID4240, tokenRequirement.GetType().ToString()));
}
securityTokenAuthenticator = SetupSecureConversationWrapper(tr, securityTokenHandler as SessionSecurityTokenHandler, out outOfBandTokenResolver);
}
else
{
securityTokenAuthenticator = new SecurityTokenAuthenticatorAdapter(securityTokenHandler, _exceptionMapper);
}
}
else
{
if (tokenType == ServiceModelSecurityTokenTypes.SecureConversation ||
tokenType == ServiceModelSecurityTokenTypes.MutualSslnego ||
tokenType == ServiceModelSecurityTokenTypes.AnonymousSslnego ||
tokenType == ServiceModelSecurityTokenTypes.SecurityContext ||
tokenType == ServiceModelSecurityTokenTypes.Spnego)
{
RecipientServiceModelSecurityTokenRequirement tr = tokenRequirement as RecipientServiceModelSecurityTokenRequirement;
if (tr == null)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperInvalidOperation(SR.GetString(SR.ID4240, tokenRequirement.GetType().ToString()));
}
securityTokenAuthenticator = SetupSecureConversationWrapper(tr, null, out outOfBandTokenResolver);
}
else
{
securityTokenAuthenticator = CreateInnerSecurityTokenAuthenticator(tokenRequirement, out outOfBandTokenResolver);
}
}
return(securityTokenAuthenticator);
}
/// <summary>
/// This method creates a SAML security token authenticator when token type is null.
/// It wraps the SAML 1.1 and the SAML 2.0 token handlers that are configured.
/// If no token handler was found, then the inner token manager is created.
/// </summary>
SecurityTokenAuthenticator CreateSamlSecurityTokenAuthenticator(SecurityTokenRequirement tokenRequirement, out SecurityTokenResolver outOfBandTokenResolver)
{
outOfBandTokenResolver = null;
SecurityTokenAuthenticator securityTokenAuthenticator = null;
SamlSecurityTokenHandler saml11SecurityTokenHandler = _securityTokenHandlerCollection[SecurityTokenTypes.SamlTokenProfile11] as SamlSecurityTokenHandler;
Saml2SecurityTokenHandler saml2SecurityTokenHandler = _securityTokenHandlerCollection[SecurityTokenTypes.Saml2TokenProfile11] as Saml2SecurityTokenHandler;
if (saml11SecurityTokenHandler != null && saml11SecurityTokenHandler.Configuration == null)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperInvalidOperation(SR.GetString(SR.ID4274));
}
if (saml2SecurityTokenHandler != null && saml2SecurityTokenHandler.Configuration == null)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperInvalidOperation(SR.GetString(SR.ID4274));
}
if (saml11SecurityTokenHandler != null && saml2SecurityTokenHandler != null)
{
//
// Both SAML 1.1 and SAML 2.0 token handlers have been configured.
//
WrappedSaml11SecurityTokenAuthenticator wrappedSaml11SecurityTokenAuthenticator = new WrappedSaml11SecurityTokenAuthenticator(saml11SecurityTokenHandler, _exceptionMapper);
WrappedSaml2SecurityTokenAuthenticator wrappedSaml2SecurityTokenAuthenticator = new WrappedSaml2SecurityTokenAuthenticator(saml2SecurityTokenHandler, _exceptionMapper);
securityTokenAuthenticator = new WrappedSamlSecurityTokenAuthenticator(wrappedSaml11SecurityTokenAuthenticator, wrappedSaml2SecurityTokenAuthenticator);
// The out-of-band token resolver will be used by WCF to decrypt any encrypted SAML tokens.
List <SecurityTokenResolver> resolvers = new List <SecurityTokenResolver>();
resolvers.Add(saml11SecurityTokenHandler.Configuration.ServiceTokenResolver);
resolvers.Add(saml2SecurityTokenHandler.Configuration.ServiceTokenResolver);
outOfBandTokenResolver = new AggregateTokenResolver(resolvers);
}
else if (saml11SecurityTokenHandler == null && saml2SecurityTokenHandler != null)
{
//
// SAML 1.1 token handler is not present but SAML 2.0 is. Set the token type to SAML 2.0
//
securityTokenAuthenticator = new WrappedSaml2SecurityTokenAuthenticator(saml2SecurityTokenHandler, _exceptionMapper);
// The out-of-band token resolver will be used by WCF to decrypt any encrypted SAML tokens.
outOfBandTokenResolver = saml2SecurityTokenHandler.Configuration.ServiceTokenResolver;
}
else if (saml11SecurityTokenHandler != null && saml2SecurityTokenHandler == null)
{
//
// SAML 1.1 token handler is present but SAML 2.0 is not. Set the token type to SAML 1.1
//
securityTokenAuthenticator = new WrappedSaml11SecurityTokenAuthenticator(saml11SecurityTokenHandler, _exceptionMapper);
// The out-of-band token resolver will be used by WCF to decrypt any encrypted SAML tokens.
outOfBandTokenResolver = saml11SecurityTokenHandler.Configuration.ServiceTokenResolver;
}
else
{
securityTokenAuthenticator = CreateInnerSecurityTokenAuthenticator(tokenRequirement, out outOfBandTokenResolver);
}
return(securityTokenAuthenticator);
}
internal static Task CloseTokenAuthenticatorIfRequiredAsync(SecurityTokenAuthenticator tokenAuthenticator, CancellationToken token)
{
return(CloseTokenAuthenticatorIfRequiredAsync(tokenAuthenticator, false, token));
}
internal static Task CloseTokenAuthenticatorIfRequiredAsync(SecurityTokenAuthenticator tokenAuthenticator, bool aborted, CancellationToken token)
{
return(CloseCommunicationObjectAsync(tokenAuthenticator, aborted, token));
}
internal static Task OpenTokenAuthenticatorIfRequiredAsync(SecurityTokenAuthenticator tokenAuthenticator, CancellationToken token)
{
return(OpenCommunicationObjectAsync(tokenAuthenticator as ICommunicationObject, token));
}
internal static void AbortTokenAuthenticatorIfRequired(SecurityTokenAuthenticator tokenAuthenticator)
{
CloseCommunicationObjectAsync(tokenAuthenticator, true, CancellationToken.None).GetAwaiter().GetResult();
}
public override SecurityTokenAuthenticator CreateSecurityTokenAuthenticator(SecurityTokenRequirement tokenRequirement, out SecurityTokenResolver outOfBandTokenResolver)
{
if (tokenRequirement == null)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("tokenRequirement");
}
string tokenType = tokenRequirement.TokenType;
outOfBandTokenResolver = null;
SecurityTokenAuthenticator result = null;
if (tokenRequirement is InitiatorServiceModelSecurityTokenRequirement)
{
// this is the uncorrelated duplex case in which the server is asking for
// an authenticator to validate its provisioned client certificate
if (tokenType == SecurityTokenTypes.X509Certificate && tokenRequirement.KeyUsage == SecurityKeyUsage.Exchange)
{
return(new X509SecurityTokenAuthenticator(X509CertificateValidator.None, false));
}
}
RecipientServiceModelSecurityTokenRequirement recipientRequirement = tokenRequirement as RecipientServiceModelSecurityTokenRequirement;
if (recipientRequirement == null)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new NotSupportedException(SR.GetString(SR.SecurityTokenManagerCannotCreateAuthenticatorForRequirement, tokenRequirement)));
}
if (tokenType == SecurityTokenTypes.X509Certificate)
{
result = CreateClientX509TokenAuthenticator();
}
else if (tokenType == SecurityTokenTypes.Kerberos)
{
result = new KerberosSecurityTokenAuthenticatorWrapper(
new KerberosSecurityTokenAuthenticator(parent.WindowsAuthentication.IncludeWindowsGroups));
}
else if (tokenType == SecurityTokenTypes.UserName)
{
if (parent.UserNameAuthentication.UserNamePasswordValidationMode == UserNamePasswordValidationMode.Windows)
{
if (parent.UserNameAuthentication.CacheLogonTokens)
{
result = new WindowsUserNameCachingSecurityTokenAuthenticator(parent.UserNameAuthentication.IncludeWindowsGroups,
parent.UserNameAuthentication.MaxCachedLogonTokens, parent.UserNameAuthentication.CachedLogonTokenLifetime);
}
else
{
result = new WindowsUserNameSecurityTokenAuthenticator(parent.UserNameAuthentication.IncludeWindowsGroups);
}
}
else
{
result = new CustomUserNameSecurityTokenAuthenticator(parent.UserNameAuthentication.GetUserNamePasswordValidator());
}
}
else if (tokenType == SecurityTokenTypes.Rsa)
{
result = new RsaSecurityTokenAuthenticator();
}
else if (tokenType == ServiceModelSecurityTokenTypes.AnonymousSslnego)
{
result = CreateTlsnegoSecurityTokenAuthenticator(recipientRequirement, false, out outOfBandTokenResolver);
}
else if (tokenType == ServiceModelSecurityTokenTypes.MutualSslnego)
{
result = CreateTlsnegoSecurityTokenAuthenticator(recipientRequirement, true, out outOfBandTokenResolver);
}
else if (tokenType == ServiceModelSecurityTokenTypes.Spnego)
{
result = CreateSpnegoSecurityTokenAuthenticator(recipientRequirement, out outOfBandTokenResolver);
}
else if (tokenType == ServiceModelSecurityTokenTypes.SecureConversation)
{
result = CreateSecureConversationTokenAuthenticator(recipientRequirement, false, out outOfBandTokenResolver);
}
else if ((tokenType == SecurityTokenTypes.Saml) ||
(tokenType == SecurityXXX2005Strings.SamlTokenType) ||
(tokenType == SecurityJan2004Strings.SamlUri) ||
(tokenType == null && IsIssuedSecurityTokenRequirement(recipientRequirement)))
{
result = CreateSamlTokenAuthenticator(recipientRequirement, out outOfBandTokenResolver);
}
if (result == null)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new NotSupportedException(SR.GetString(SR.SecurityTokenManagerCannotCreateAuthenticatorForRequirement, tokenRequirement)));
}
return(result);
}
public override SecurityTokenAuthenticator CreateSecurityTokenAuthenticator(SecurityTokenRequirement tokenRequirement, out SecurityTokenResolver outOfBandTokenResolver)
{
if (tokenRequirement == null)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("tokenRequirement");
}
outOfBandTokenResolver = null;
SecurityTokenAuthenticator result = null;
InitiatorServiceModelSecurityTokenRequirement initiatorRequirement = tokenRequirement as InitiatorServiceModelSecurityTokenRequirement;
if (initiatorRequirement != null)
{
string tokenType = initiatorRequirement.TokenType;
if (IsIssuedSecurityTokenRequirement(initiatorRequirement))
{
throw ExceptionHelper.PlatformNotSupported("CreateSecurityTokenAuthenticator : GenericXmlSecurityTokenAuthenticator");
}
else if (tokenType == SecurityTokenTypes.X509Certificate)
{
if (initiatorRequirement.IsOutOfBandToken)
{
// when the client side soap security asks for a token authenticator, its for doing
// identity checks on the out of band server certificate
result = new X509SecurityTokenAuthenticator(X509CertificateValidator.None);
}
else if (initiatorRequirement.PreferSslCertificateAuthenticator)
{
result = CreateServerSslX509TokenAuthenticator();
}
else
{
result = CreateServerX509TokenAuthenticator();
}
}
else if (tokenType == SecurityTokenTypes.Rsa)
{
throw ExceptionHelper.PlatformNotSupported("CreateSecurityTokenAuthenticator : SecurityTokenTypes.Rsa");
}
else if (tokenType == SecurityTokenTypes.Kerberos)
{
throw ExceptionHelper.PlatformNotSupported("CreateSecurityTokenAuthenticator : SecurityTokenTypes.Kerberos");
}
else if (tokenType == ServiceModelSecurityTokenTypes.SecureConversation ||
tokenType == ServiceModelSecurityTokenTypes.MutualSslnego ||
tokenType == ServiceModelSecurityTokenTypes.AnonymousSslnego ||
tokenType == ServiceModelSecurityTokenTypes.Spnego)
{
throw ExceptionHelper.PlatformNotSupported("CreateSecurityTokenAuthenticator : GenericXmlSecurityTokenAuthenticator");
}
}
else if ((tokenRequirement is RecipientServiceModelSecurityTokenRequirement) && tokenRequirement.TokenType == SecurityTokenTypes.X509Certificate)
{
// uncorrelated duplex case
result = CreateServerX509TokenAuthenticator();
}
if (result == null)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new NotSupportedException(SR.Format(SR.SecurityTokenManagerCannotCreateAuthenticatorForRequirement, tokenRequirement)));
}
return(result);
}
protected override SecurityProtocolCorrelationState VerifyIncomingMessageCore(ref Message message, string actor, TimeSpan timeout, SecurityProtocolCorrelationState[] correlationStates)
{
IList <SupportingTokenAuthenticatorSpecification> list;
AsymmetricSecurityProtocolFactory factory = this.Factory;
TimeoutHelper helper = new TimeoutHelper(timeout);
ReceiveSecurityHeader securityHeader = base.ConfigureReceiveSecurityHeader(message, string.Empty, correlationStates, out list);
SecurityToken requiredSigningToken = null;
if (factory.ActAsInitiator)
{
SecurityTokenAuthenticator initiatorAsymmetricTokenAuthenticator;
SecurityToken token = null;
SecurityToken primaryToken = null;
if (factory.RequireIntegrity)
{
primaryToken = SecurityProtocol.GetToken(this.initiatorAsymmetricTokenProvider, null, helper.RemainingTime());
requiredSigningToken = primaryToken;
}
if (factory.RequireConfidentiality)
{
token = base.GetCorrelationToken(correlationStates);
if (!System.ServiceModel.Security.SecurityUtils.HasSymmetricSecurityKey(token))
{
securityHeader.WrappedKeySecurityTokenAuthenticator = this.Factory.WrappedKeySecurityTokenAuthenticator;
}
}
if (factory.AllowSerializedSigningTokenOnReply)
{
initiatorAsymmetricTokenAuthenticator = this.initiatorAsymmetricTokenAuthenticator;
requiredSigningToken = null;
}
else
{
initiatorAsymmetricTokenAuthenticator = null;
}
securityHeader.ConfigureAsymmetricBindingClientReceiveHeader(primaryToken, factory.AsymmetricTokenParameters, token, factory.CryptoTokenParameters, initiatorAsymmetricTokenAuthenticator);
}
else
{
SecurityToken token4;
if ((this.Factory.RecipientAsymmetricTokenProvider != null) && this.Factory.RequireConfidentiality)
{
token4 = SecurityProtocol.GetToken(factory.RecipientAsymmetricTokenProvider, null, helper.RemainingTime());
}
else
{
token4 = null;
}
securityHeader.ConfigureAsymmetricBindingServerReceiveHeader(this.Factory.RecipientCryptoTokenAuthenticator, this.Factory.CryptoTokenParameters, token4, this.Factory.AsymmetricTokenParameters, list);
securityHeader.WrappedKeySecurityTokenAuthenticator = this.Factory.WrappedKeySecurityTokenAuthenticator;
securityHeader.ConfigureOutOfBandTokenResolver(base.MergeOutOfBandResolvers(list, this.Factory.RecipientOutOfBandTokenResolverList));
}
base.ProcessSecurityHeader(securityHeader, ref message, requiredSigningToken, helper.RemainingTime(), correlationStates);
SecurityToken signatureToken = securityHeader.SignatureToken;
SecurityToken encryptionToken = securityHeader.EncryptionToken;
if (factory.RequireIntegrity)
{
if (factory.ActAsInitiator)
{
ReadOnlyCollection <IAuthorizationPolicy> recipientTokenPolicies = this.initiatorAsymmetricTokenAuthenticator.ValidateToken(signatureToken);
MessageSecurityProtocol.EnsureNonWrappedToken(signatureToken, message);
this.DoIdentityCheckAndAttachInitiatorSecurityProperty(message, encryptionToken, signatureToken, recipientTokenPolicies);
}
else
{
MessageSecurityProtocol.EnsureNonWrappedToken(signatureToken, message);
this.AttachRecipientSecurityProperty(message, signatureToken, encryptionToken, securityHeader.BasicSupportingTokens, securityHeader.EndorsingSupportingTokens, securityHeader.SignedEndorsingSupportingTokens, securityHeader.SignedSupportingTokens, securityHeader.SecurityTokenAuthorizationPoliciesMapping);
}
}
return(base.GetCorrelationState(signatureToken, securityHeader));
}
protected void PrepareAuthenticator()
{
authenticator = CreateTokenAuthenticator(RecipientParameters, out auth_token_resolver);
}
private SslStreamSecurityUpgradeProvider(IDefaultCommunicationTimeouts timeouts, SecurityTokenProvider serverTokenProvider, bool requireClientCertificate, SecurityTokenAuthenticator clientCertificateAuthenticator, string scheme, IdentityVerifier identityVerifier, SslProtocols sslProtocols)
: base(timeouts)
{
_serverTokenProvider = serverTokenProvider;
RequireClientCertificate = requireClientCertificate;
_clientCertificateAuthenticator = clientCertificateAuthenticator;
IdentityVerifier = identityVerifier;
Scheme = scheme;
SslProtocols = sslProtocols;
ClientSecurityTokenManager = null; // Used for client but there's public api which need this and the compiler complains it's never assigned
}
void ValidateTokensByParameters(IEnumerable <SecurityTokenParameters> plist, List <SupportingTokenInfo> tokens, bool optional, SecurityTokenAttachmentMode attachMode)
{
foreach (SecurityTokenParameters p in plist)
{
SecurityTokenResolver r;
SecurityTokenAuthenticator a =
security.CreateTokenAuthenticator(p, out r);
SupportingTokenSpecification spec = ValidateTokensByParameters(a, r, tokens);
if (spec == null)
{
if (optional)
{
continue;
}
else
{
throw new MessageSecurityException(String.Format("No security token could be validated for authenticator '{0}' which is indicated by the '{1}' supporting token parameters", a, attachMode));
}
}
else
{
// For endorsing tokens, verify corresponding signatures.
switch (attachMode)
{
case SecurityTokenAttachmentMode.Endorsing:
case SecurityTokenAttachmentMode.SignedEndorsing:
WSSignedXml esxml = GetSignatureForToken(spec.SecurityToken);
if (esxml == null)
{
throw new MessageSecurityException(String.Format("The '{1}' token '{0}' is expected to endorse the primary signature but no corresponding signature is found.", spec.SecurityToken, attachMode));
}
bool confirmed;
SecurityAlgorithmSuite suite = security.Element.DefaultAlgorithmSuite;
foreach (SecurityTokenReferenceKeyInfo kic in esxml.KeyInfo)
{
SecurityKey signKey = spec.SecurityToken.ResolveKeyIdentifierClause(kic.Clause);
SymmetricSecurityKey symkey = signKey as SymmetricSecurityKey;
if (symkey != null)
{
confirmed = esxml.CheckSignature(symkey.GetKeyedHashAlgorithm(suite.DefaultSymmetricSignatureAlgorithm));
}
else
{
AsymmetricAlgorithm alg = ((AsymmetricSecurityKey)signKey).GetAsymmetricAlgorithm(suite.DefaultAsymmetricSignatureAlgorithm, false);
confirmed = esxml.CheckSignature(alg);
}
if (!confirmed)
{
throw new MessageSecurityException(String.Format("Signature for '{1}' token '{0}' is invalid.", spec.SecurityToken, attachMode));
}
break;
}
sec_prop.ConfirmedSignatures.Insert(0, Convert.ToBase64String(esxml.SignatureValue));
break;
}
}
sec_prop.IncomingSupportingTokens.Add(spec);
}
}
public SecureOutgoingMessageAsyncResult(Message m, AsymmetricSecurityProtocol binding,
SecurityTokenProvider primaryProvider, SecurityTokenProvider secondaryProvider, bool doIdentityChecks, SecurityTokenAuthenticator identityCheckAuthenticator,
SecurityProtocolCorrelationState correlationState, TimeSpan timeout, AsyncCallback callback, object state)
: base(m, binding, primaryProvider, secondaryProvider, doIdentityChecks, identityCheckAuthenticator, correlationState, timeout, callback, state)
{
Start();
}
public SupportingTokenAuthenticatorSpecification(SecurityTokenAuthenticator tokenAuthenticator, SecurityTokenResolver securityTokenResolver, SecurityTokenAttachmentMode attachmentMode, SecurityTokenParameters tokenParameters)
: this(tokenAuthenticator, securityTokenResolver, attachmentMode, tokenParameters, false)
{
}
public override void OnOpen(TimeSpan timeout)
{
TimeoutHelper timeoutHelper = new TimeoutHelper(timeout);
base.OnOpen(timeoutHelper.RemainingTime());
if (this.tokenParameters == null)
{
OnPropertySettingsError("SecurityTokenParameters", true);
}
if (!this.ActAsInitiator)
{
SecurityTokenRequirement recipientTokenRequirement = CreateRecipientTokenRequirement();
SecurityTokenResolver resolver = null;
if (this.SecurityTokenParameters.HasAsymmetricKey)
{
this.recipientAsymmetricTokenProvider = this.SecurityTokenManager.CreateSecurityTokenProvider(recipientTokenRequirement);
}
else
{
this.recipientSymmetricTokenAuthenticator = this.SecurityTokenManager.CreateSecurityTokenAuthenticator(recipientTokenRequirement, out resolver);
}
if (this.RecipientSymmetricTokenAuthenticator != null && this.RecipientAsymmetricTokenProvider != null)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new ArgumentException(SR.GetString(SR.OnlyOneOfEncryptedKeyOrSymmetricBindingCanBeSelected)));
}
if (resolver != null)
{
Collection <SecurityTokenResolver> tmp = new Collection <SecurityTokenResolver>();
tmp.Add(resolver);
this.recipientOutOfBandTokenResolverList = new ReadOnlyCollection <SecurityTokenResolver>(tmp);
}
else
{
this.recipientOutOfBandTokenResolverList = EmptyReadOnlyCollection <SecurityTokenResolver> .Instance;
}
if (this.RecipientAsymmetricTokenProvider != null)
{
Open("RecipientAsymmetricTokenProvider", true, this.RecipientAsymmetricTokenProvider, timeoutHelper.RemainingTime());
}
else
{
Open("RecipientSymmetricTokenAuthenticator", true, this.RecipientSymmetricTokenAuthenticator, timeoutHelper.RemainingTime());
}
}
if (this.tokenParameters.RequireDerivedKeys)
{
this.ExpectKeyDerivation = true;
}
if (this.tokenParameters.HasAsymmetricKey)
{
this.protectionTokenParameters = new WrappedKeySecurityTokenParameters();
this.protectionTokenParameters.RequireDerivedKeys = this.SecurityTokenParameters.RequireDerivedKeys;
}
else
{
this.protectionTokenParameters = this.tokenParameters;
}
}
internal static void CloseTokenAuthenticatorIfRequired(SecurityTokenAuthenticator tokenAuthenticator, TimeSpan timeout)
{
CloseTokenAuthenticatorIfRequired(tokenAuthenticator, false, timeout);
}
public void Process(TimeSpan timeout, ChannelBinding channelBinding, ExtendedProtectionPolicy extendedProtectionPolicy)
{
Fx.Assert(ReaderQuotas != null, "Reader quotas must be set before processing");
MessageProtectionOrder actualProtectionOrder = _protectionOrder;
bool wasProtectionOrderDowngraded = false;
if (_protectionOrder == MessageProtectionOrder.SignBeforeEncryptAndEncryptSignature)
{
throw ExceptionHelper.PlatformNotSupported(); // No support for message encryption
}
_channelBinding = channelBinding;
_extendedProtectionPolicy = extendedProtectionPolicy;
_orderTracker.SetRequiredProtectionOrder(actualProtectionOrder);
SetProcessingStarted();
_timeoutHelper = new TimeoutHelper(timeout);
Message = SecurityVerifiedMessage = new SecurityVerifiedMessage(Message, this);
XmlDictionaryReader reader = CreateSecurityHeaderReader();
reader.MoveToStartElement();
if (reader.IsEmptyElement)
{
throw TraceUtility.ThrowHelperError(new MessageSecurityException(SR.SecurityHeaderIsEmpty), Message);
}
if (RequireMessageProtection)
{
_securityElementAttributes = XmlAttributeHolder.ReadAttributes(reader);
}
else
{
_securityElementAttributes = XmlAttributeHolder.emptyArray;
}
reader.ReadStartElement();
if (_primaryTokenParameters != null)
{
_primaryTokenTracker = new TokenTracker(null, _outOfBandPrimaryToken, _allowFirstTokenMismatch);
}
// universalTokenResolver is used for resolving tokens
_universalTokenResolver = new SecurityHeaderTokenResolver(this);
// primary token resolver is used for resolving primary signature and decryption
_primaryTokenResolver = new SecurityHeaderTokenResolver(this);
if (_outOfBandPrimaryToken != null)
{
_universalTokenResolver.Add(_outOfBandPrimaryToken, SecurityTokenReferenceStyle.External, _primaryTokenParameters);
_primaryTokenResolver.Add(_outOfBandPrimaryToken, SecurityTokenReferenceStyle.External, _primaryTokenParameters);
}
else if (_outOfBandPrimaryTokenCollection != null)
{
for (int i = 0; i < _outOfBandPrimaryTokenCollection.Count; ++i)
{
_universalTokenResolver.Add(_outOfBandPrimaryTokenCollection[i], SecurityTokenReferenceStyle.External, _primaryTokenParameters);
_primaryTokenResolver.Add(_outOfBandPrimaryTokenCollection[i], SecurityTokenReferenceStyle.External, _primaryTokenParameters);
}
}
if (_wrappingToken != null)
{
_universalTokenResolver.ExpectedWrapper = _wrappingToken;
_universalTokenResolver.ExpectedWrapperTokenParameters = _wrappingTokenParameters;
_primaryTokenResolver.ExpectedWrapper = _wrappingToken;
_primaryTokenResolver.ExpectedWrapperTokenParameters = _wrappingTokenParameters;
}
if (_outOfBandTokenResolver == null)
{
CombinedUniversalTokenResolver = _universalTokenResolver;
_combinedPrimaryTokenResolver = _primaryTokenResolver;
}
else
{
CombinedUniversalTokenResolver = new AggregateSecurityHeaderTokenResolver(_universalTokenResolver, _outOfBandTokenResolver);
_combinedPrimaryTokenResolver = new AggregateSecurityHeaderTokenResolver(_primaryTokenResolver, _outOfBandTokenResolver);
}
_allowedAuthenticators = new List <SecurityTokenAuthenticator>();
if (_primaryTokenAuthenticator != null)
{
_allowedAuthenticators.Add(_primaryTokenAuthenticator);
}
if (DerivedTokenAuthenticator != null)
{
_allowedAuthenticators.Add(DerivedTokenAuthenticator);
}
_pendingSupportingTokenAuthenticator = null;
int numSupportingTokensRequiringDerivation = 0;
if (_supportingTokenAuthenticators != null && _supportingTokenAuthenticators.Count > 0)
{
_supportingTokenTrackers = new List <TokenTracker>(_supportingTokenAuthenticators.Count);
for (int i = 0; i < _supportingTokenAuthenticators.Count; ++i)
{
SupportingTokenAuthenticatorSpecification spec = _supportingTokenAuthenticators[i];
switch (spec.SecurityTokenAttachmentMode)
{
case SecurityTokenAttachmentMode.Endorsing:
_hasEndorsingOrSignedEndorsingSupportingTokens = true;
break;
case SecurityTokenAttachmentMode.Signed:
break;
case SecurityTokenAttachmentMode.SignedEndorsing:
_hasEndorsingOrSignedEndorsingSupportingTokens = true;
break;
case SecurityTokenAttachmentMode.SignedEncrypted:
break;
}
if ((_primaryTokenAuthenticator != null) && (_primaryTokenAuthenticator.GetType().Equals(spec.TokenAuthenticator.GetType())))
{
_pendingSupportingTokenAuthenticator = spec.TokenAuthenticator;
}
else
{
_allowedAuthenticators.Add(spec.TokenAuthenticator);
}
if (spec.TokenParameters.RequireDerivedKeys && !spec.TokenParameters.HasAsymmetricKey &&
(spec.SecurityTokenAttachmentMode == SecurityTokenAttachmentMode.Endorsing || spec.SecurityTokenAttachmentMode == SecurityTokenAttachmentMode.SignedEndorsing))
{
++numSupportingTokensRequiringDerivation;
}
_supportingTokenTrackers.Add(new TokenTracker(spec));
}
}
if (DerivedTokenAuthenticator != null)
{
// we expect key derivation. Compute quotas for derived keys
int maxKeyDerivationLengthInBits = AlgorithmSuite.DefaultEncryptionKeyDerivationLength >= AlgorithmSuite.DefaultSignatureKeyDerivationLength ?
AlgorithmSuite.DefaultEncryptionKeyDerivationLength : AlgorithmSuite.DefaultSignatureKeyDerivationLength;
MaxDerivedKeyLength = maxKeyDerivationLengthInBits / 8;
// the upper bound of derived keys is (1 for primary signature + 1 for encryption + supporting token signatures requiring derivation)*2
// the multiplication by 2 is to take care of interop scenarios that may arise that require more derived keys than the lower bound.
_maxDerivedKeys = (1 + 1 + numSupportingTokensRequiringDerivation) * 2;
}
SecurityHeaderElementInferenceEngine engine = SecurityHeaderElementInferenceEngine.GetInferenceEngine(Layout);
engine.ExecuteProcessingPasses(this, reader);
if (RequireMessageProtection)
{
throw ExceptionHelper.PlatformNotSupported();
}
EnsureDecryptionComplete();
_signatureTracker.SetDerivationSourceIfRequired();
_encryptionTracker.SetDerivationSourceIfRequired();
if (EncryptionToken != null)
{
throw ExceptionHelper.PlatformNotSupported();
}
// ensure that the primary signature was signed with derived keys if required
if (EnforceDerivedKeyRequirement)
{
if (SignatureToken != null)
{
if (_primaryTokenParameters != null)
{
if (_primaryTokenParameters.RequireDerivedKeys && !_primaryTokenParameters.HasAsymmetricKey && !_primaryTokenTracker.IsDerivedFrom)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperWarning(new MessageSecurityException(SR.Format(SR.PrimarySignatureWasNotSignedByDerivedKey, _primaryTokenParameters)));
}
}
else if (_wrappingTokenParameters != null && _wrappingTokenParameters.RequireDerivedKeys)
{
if (!_signatureTracker.IsDerivedToken)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperWarning(new MessageSecurityException(SR.Format(SR.PrimarySignatureWasNotSignedByDerivedWrappedKey, _wrappingTokenParameters)));
}
}
}
// verify that the encryption is using key derivation
if (EncryptionToken != null)
{
throw ExceptionHelper.PlatformNotSupported();
}
}
if (wasProtectionOrderDowngraded && (BasicSupportingTokens != null) && (BasicSupportingTokens.Count > 0))
{
throw ExceptionHelper.PlatformNotSupported();
}
// verify all supporting token parameters have their requirements met
if (_supportingTokenTrackers != null && _supportingTokenTrackers.Count > 0)
{
throw ExceptionHelper.PlatformNotSupported();
}
if (_replayDetectionEnabled)
{
throw ExceptionHelper.PlatformNotSupported();
}
if (ExpectSignatureConfirmation)
{
throw ExceptionHelper.PlatformNotSupported();
}
MarkHeaderAsUnderstood();
}
internal static void AbortTokenAuthenticatorIfRequired(SecurityTokenAuthenticator tokenAuthenticator)
{
CloseCommunicationObject(tokenAuthenticator, true, TimeSpan.Zero);
}
public override SecurityTokenAuthenticator CreateSecurityTokenAuthenticator(SecurityTokenRequirement tokenRequirement, out SecurityTokenResolver outOfBandTokenResolver)
{
if (tokenRequirement == null)
{
throw System.ServiceModel.DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("tokenRequirement");
}
string tokenType = tokenRequirement.TokenType;
outOfBandTokenResolver = null;
SecurityTokenAuthenticator authenticator = null;
if (((tokenRequirement is InitiatorServiceModelSecurityTokenRequirement) && (tokenType == SecurityTokenTypes.X509Certificate)) && (tokenRequirement.KeyUsage == SecurityKeyUsage.Exchange))
{
return(new X509SecurityTokenAuthenticator(X509CertificateValidator.None, false));
}
RecipientServiceModelSecurityTokenRequirement recipientRequirement = tokenRequirement as RecipientServiceModelSecurityTokenRequirement;
if (recipientRequirement == null)
{
throw System.ServiceModel.DiagnosticUtility.ExceptionUtility.ThrowHelperError(new NotSupportedException(System.ServiceModel.SR.GetString("SecurityTokenManagerCannotCreateAuthenticatorForRequirement", new object[] { tokenRequirement })));
}
if (tokenType == SecurityTokenTypes.X509Certificate)
{
authenticator = this.CreateClientX509TokenAuthenticator();
}
else if (tokenType == SecurityTokenTypes.Kerberos)
{
authenticator = new KerberosSecurityTokenAuthenticatorWrapper(new KerberosSecurityTokenAuthenticator(this.parent.WindowsAuthentication.IncludeWindowsGroups));
}
else if (tokenType == SecurityTokenTypes.UserName)
{
if (this.parent.UserNameAuthentication.UserNamePasswordValidationMode == UserNamePasswordValidationMode.Windows)
{
if (this.parent.UserNameAuthentication.CacheLogonTokens)
{
authenticator = new WindowsUserNameCachingSecurityTokenAuthenticator(this.parent.UserNameAuthentication.IncludeWindowsGroups, this.parent.UserNameAuthentication.MaxCachedLogonTokens, this.parent.UserNameAuthentication.CachedLogonTokenLifetime);
}
else
{
authenticator = new WindowsUserNameSecurityTokenAuthenticator(this.parent.UserNameAuthentication.IncludeWindowsGroups);
}
}
else
{
authenticator = new CustomUserNameSecurityTokenAuthenticator(this.parent.UserNameAuthentication.GetUserNamePasswordValidator());
}
}
else if (tokenType == SecurityTokenTypes.Rsa)
{
authenticator = new RsaSecurityTokenAuthenticator();
}
else if (tokenType == ServiceModelSecurityTokenTypes.AnonymousSslnego)
{
authenticator = this.CreateTlsnegoSecurityTokenAuthenticator(recipientRequirement, false, out outOfBandTokenResolver);
}
else if (tokenType == ServiceModelSecurityTokenTypes.MutualSslnego)
{
authenticator = this.CreateTlsnegoSecurityTokenAuthenticator(recipientRequirement, true, out outOfBandTokenResolver);
}
else if (tokenType == ServiceModelSecurityTokenTypes.Spnego)
{
authenticator = this.CreateSpnegoSecurityTokenAuthenticator(recipientRequirement, out outOfBandTokenResolver);
}
else if (tokenType == ServiceModelSecurityTokenTypes.SecureConversation)
{
authenticator = this.CreateSecureConversationTokenAuthenticator(recipientRequirement, false, out outOfBandTokenResolver);
}
else if (((tokenType == SecurityTokenTypes.Saml) || (tokenType == "http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1")) || ((tokenType == "urn:oasis:names:tc:SAML:1.0:assertion") || ((tokenType == null) && this.IsIssuedSecurityTokenRequirement(recipientRequirement))))
{
authenticator = this.CreateSamlTokenAuthenticator(recipientRequirement, out outOfBandTokenResolver);
}
if (authenticator == null)
{
throw System.ServiceModel.DiagnosticUtility.ExceptionUtility.ThrowHelperError(new NotSupportedException(System.ServiceModel.SR.GetString("SecurityTokenManagerCannotCreateAuthenticatorForRequirement", new object[] { tokenRequirement })));
}
return(authenticator);
}
