private SecurityToken ReadToken(XmlReader reader, SecurityTokenResolver tokenResolver, IList <SecurityTokenAuthenticator> allowedTokenAuthenticators, out SecurityTokenAuthenticator usedTokenAuthenticator) { SecurityToken token = StandardsManager.SecurityTokenSerializer.ReadToken(reader, tokenResolver); if (token is DerivedKeySecurityTokenStub) { if (DerivedTokenAuthenticator == null) { // No Authenticator registered for DerivedKeySecurityToken throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new MessageSecurityException( SR.Format(SR.UnableToFindTokenAuthenticator, typeof(DerivedKeySecurityToken)))); } // This is just the stub. Nothing to Validate. Set the usedTokenAuthenticator to // DerivedKeySecurityTokenAuthenticator. usedTokenAuthenticator = DerivedTokenAuthenticator; return(token); } for (int i = 0; i < allowedTokenAuthenticators.Count; ++i) { SecurityTokenAuthenticator tokenAuthenticator = allowedTokenAuthenticators[i]; if (tokenAuthenticator.CanValidateToken(token)) { ReadOnlyCollection <IAuthorizationPolicy> authorizationPolicies; authorizationPolicies = tokenAuthenticator.ValidateToken(token); SecurityTokenAuthorizationPoliciesMapping.Add(token, authorizationPolicies); usedTokenAuthenticator = tokenAuthenticator; return(token); } } throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new MessageSecurityException( SR.Format(SR.UnableToFindTokenAuthenticator, token.GetType()))); }
public override void OnOpen(TimeSpan timeout) { TimeoutHelper helper = new TimeoutHelper(timeout); base.OnOpen(helper.RemainingTime()); if (base.ActAsInitiator) { if (base.ApplyIntegrity) { if (this.CryptoTokenParameters == null) { base.OnPropertySettingsError("CryptoTokenParameters", true); } if (this.CryptoTokenParameters.RequireDerivedKeys) { base.ExpectKeyDerivation = true; } } } else { if (this.CryptoTokenParameters == null) { base.OnPropertySettingsError("CryptoTokenParameters", true); } if (this.CryptoTokenParameters.RequireDerivedKeys) { base.ExpectKeyDerivation = true; } SecurityTokenResolver outOfBandTokenResolver = null; if (base.RequireIntegrity) { RecipientServiceModelSecurityTokenRequirement requirement = base.CreateRecipientSecurityTokenRequirement(); this.CryptoTokenParameters.InitializeSecurityTokenRequirement(requirement); requirement.KeyUsage = SecurityKeyUsage.Signature; requirement.Properties[ServiceModelSecurityTokenRequirement.MessageDirectionProperty] = MessageDirection.Input; this.recipientCryptoTokenAuthenticator = base.SecurityTokenManager.CreateSecurityTokenAuthenticator(requirement, out outOfBandTokenResolver); base.Open("RecipientCryptoTokenAuthenticator", true, this.recipientCryptoTokenAuthenticator, helper.RemainingTime()); } if (outOfBandTokenResolver != null) { Collection <SecurityTokenResolver> list = new Collection <SecurityTokenResolver> { outOfBandTokenResolver }; this.recipientOutOfBandTokenResolverList = new ReadOnlyCollection <SecurityTokenResolver>(list); } else { this.recipientOutOfBandTokenResolverList = EmptyReadOnlyCollection <SecurityTokenResolver> .Instance; } } if (this.RequiresAsymmetricTokenProviderForForwardDirection || this.RequiresAsymmetricTokenProviderForReturnDirection) { if (this.AsymmetricTokenParameters == null) { base.OnPropertySettingsError("AsymmetricTokenParameters", this.RequiresAsymmetricTokenProviderForForwardDirection); } else if (this.AsymmetricTokenParameters.RequireDerivedKeys) { base.ExpectKeyDerivation = true; } if (!base.ActAsInitiator) { RecipientServiceModelSecurityTokenRequirement requirement2 = base.CreateRecipientSecurityTokenRequirement(); this.AsymmetricTokenParameters.InitializeSecurityTokenRequirement(requirement2); requirement2.KeyUsage = this.RequiresAsymmetricTokenProviderForForwardDirection ? SecurityKeyUsage.Exchange : SecurityKeyUsage.Signature; requirement2.Properties[ServiceModelSecurityTokenRequirement.MessageDirectionProperty] = this.RequiresAsymmetricTokenProviderForForwardDirection ? MessageDirection.Input : MessageDirection.Output; this.recipientAsymmetricTokenProvider = base.SecurityTokenManager.CreateSecurityTokenProvider(requirement2); base.Open("RecipientAsymmetricTokenProvider", this.RequiresAsymmetricTokenProviderForForwardDirection, this.recipientAsymmetricTokenProvider, helper.RemainingTime()); } } if ((base.ActAsInitiator && this.AllowSerializedSigningTokenOnReply) && (base.IdentityVerifier == null)) { base.OnPropertySettingsError("IdentityVerifier", false); } }
private void ReadToken(XmlDictionaryReader reader, int position, byte[] decryptedBuffer, SecurityToken encryptionToken, string idInEncryptedForm, TimeSpan timeout) { Fx.Assert((position == AppendPosition) == (decryptedBuffer == null), "inconsistent position, decryptedBuffer parameters"); Fx.Assert((position == AppendPosition) == (encryptionToken == null), "inconsistent position, encryptionToken parameters"); string localName = reader.LocalName; string namespaceUri = reader.NamespaceURI; string valueType = reader.GetAttribute(XD.SecurityJan2004Dictionary.ValueType, null); SecurityTokenAuthenticator usedTokenAuthenticator; SecurityToken token = ReadToken(reader, CombinedUniversalTokenResolver, _allowedAuthenticators, out usedTokenAuthenticator); if (token == null) { throw TraceUtility.ThrowHelperError(new MessageSecurityException(SR.Format(SR.TokenManagerCouldNotReadToken, localName, namespaceUri, valueType)), Message); } DerivedKeySecurityToken derivedKeyToken = token as DerivedKeySecurityToken; if (derivedKeyToken != null) { EnsureDerivedKeyLimitNotReached(); derivedKeyToken.InitializeDerivedKey(MaxDerivedKeyLength); } if (usedTokenAuthenticator == _primaryTokenAuthenticator) { _allowedAuthenticators.Remove(usedTokenAuthenticator); } ReceiveSecurityHeaderBindingModes mode; TokenTracker supportingTokenTracker = null; if (usedTokenAuthenticator == _primaryTokenAuthenticator) { // this is the primary token. Add to resolver as such _universalTokenResolver.Add(token, SecurityTokenReferenceStyle.Internal, _primaryTokenParameters); _primaryTokenResolver.Add(token, SecurityTokenReferenceStyle.Internal, _primaryTokenParameters); if (_pendingSupportingTokenAuthenticator != null) { _allowedAuthenticators.Add(_pendingSupportingTokenAuthenticator); _pendingSupportingTokenAuthenticator = null; } _primaryTokenTracker.RecordToken(token); mode = ReceiveSecurityHeaderBindingModes.Primary; } else if (usedTokenAuthenticator == DerivedTokenAuthenticator) { if (token is DerivedKeySecurityTokenStub) { if (Layout == SecurityHeaderLayout.Strict) { DerivedKeySecurityTokenStub tmpToken = (DerivedKeySecurityTokenStub)token; throw TraceUtility.ThrowHelperError(new MessageSecurityException( SR.Format(SR.UnableToResolveKeyInfoClauseInDerivedKeyToken, tmpToken.TokenToDeriveIdentifier)), Message); } } else { AddDerivedKeyTokenToResolvers(token); } mode = ReceiveSecurityHeaderBindingModes.Unknown; } else { SupportingTokenAuthenticatorSpecification supportingTokenSpec; supportingTokenTracker = GetSupportingTokenTracker(usedTokenAuthenticator, out supportingTokenSpec); if (supportingTokenTracker == null) { throw DiagnosticUtility.ExceptionUtility.ThrowHelperWarning(new MessageSecurityException(SR.Format(SR.UnknownTokenAuthenticatorUsedInTokenProcessing, usedTokenAuthenticator))); } if (supportingTokenTracker.Token != null) { supportingTokenTracker = new TokenTracker(supportingTokenSpec); _supportingTokenTrackers.Add(supportingTokenTracker); } supportingTokenTracker.RecordToken(token); if (encryptionToken != null) { supportingTokenTracker.IsEncrypted = true; } bool isBasic; bool isSignedButNotBasic; SecurityTokenAttachmentModeHelper.Categorize(supportingTokenSpec.SecurityTokenAttachmentMode, out isBasic, out isSignedButNotBasic, out mode); if (isBasic) { if (!ExpectBasicTokens) { throw DiagnosticUtility.ExceptionUtility.ThrowHelperWarning(new MessageSecurityException(SR.BasicTokenNotExpected)); } // only basic tokens have to be part of the reference list. Encrypted Saml tokens dont for example if (RequireMessageProtection && encryptionToken != null) { throw ExceptionHelper.PlatformNotSupported(); } } if (isSignedButNotBasic && !ExpectSignedTokens) { throw DiagnosticUtility.ExceptionUtility.ThrowHelperWarning(new MessageSecurityException(SR.SignedSupportingTokenNotExpected)); } _universalTokenResolver.Add(token, SecurityTokenReferenceStyle.Internal, supportingTokenSpec.TokenParameters); } if (position == AppendPosition) { ElementManager.AppendToken(token, mode, supportingTokenTracker); } else { ElementManager.SetTokenAfterDecryption(position, token, mode, decryptedBuffer, supportingTokenTracker); } }
internal static void OpenTokenAuthenticatorIfRequired(SecurityTokenAuthenticator tokenAuthenticator, TimeSpan timeout) { OpenCommunicationObject(tokenAuthenticator as ICommunicationObject, timeout); }
internal static void CloseTokenAuthenticatorIfRequired(SecurityTokenAuthenticator tokenAuthenticator, bool aborted, TimeSpan timeout) { CloseCommunicationObject(tokenAuthenticator, aborted, timeout); }
public void Release() { ReleaseCore(); authenticator = null; }
private SslStreamSecurityUpgradeProvider(IDefaultCommunicationTimeouts timeouts, SecurityTokenProvider serverTokenProvider, bool requireClientCertificate, SecurityTokenAuthenticator clientCertificateAuthenticator, string scheme, IdentityVerifier identityVerifier, SslProtocols sslProtocols) : base(timeouts) { _serverTokenProvider = serverTokenProvider; _requireClientCertificate = requireClientCertificate; _clientCertificateAuthenticator = clientCertificateAuthenticator; _identityVerifier = identityVerifier; _scheme = scheme; _sslProtocols = sslProtocols; }
/// <summary> /// Overriden from the base class. Creates the requested Token Authenticator. /// Looks up the list of Token Handlers registered with the token Manager /// based on the TokenType Uri in the SecurityTokenRequirement. If none is found, /// then the call is delegated to the inner Token Manager. /// </summary> /// <param name="tokenRequirement">Security Token Requirement for which the Authenticator should be created.</param> /// <param name="outOfBandTokenResolver">Token resolver that resolves any out-of-band tokens.</param> /// <returns>Instance of Security Token Authenticator.</returns> /// <exception cref="ArgumentNullException">'tokenRequirement' parameter is null.</exception> /// <exception cref="NotSupportedException">No Authenticator is registered for the given token type.</exception> public override SecurityTokenAuthenticator CreateSecurityTokenAuthenticator(SecurityTokenRequirement tokenRequirement, out SecurityTokenResolver outOfBandTokenResolver) { if (tokenRequirement == null) { throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("tokenRequirement"); } outOfBandTokenResolver = null; // Check for a registered authenticator SecurityTokenAuthenticator securityTokenAuthenticator = null; string tokenType = tokenRequirement.TokenType; // // When the TokenRequirement.TokenType is null, we treat this as a SAML issued token case. It may be SAML 1.1 or SAML 2.0. // if (String.IsNullOrEmpty(tokenType)) { return(CreateSamlSecurityTokenAuthenticator(tokenRequirement, out outOfBandTokenResolver)); } // // When the TokenType is set, build a token authenticator for the specified token type. // SecurityTokenHandler securityTokenHandler = _securityTokenHandlerCollection[tokenType]; if ((securityTokenHandler != null) && (securityTokenHandler.CanValidateToken)) { outOfBandTokenResolver = GetDefaultOutOfBandTokenResolver(); if (StringComparer.Ordinal.Equals(tokenType, SecurityTokenTypes.UserName)) { UserNameSecurityTokenHandler upSecurityTokenHandler = securityTokenHandler as UserNameSecurityTokenHandler; if (upSecurityTokenHandler == null) { throw DiagnosticUtility.ExceptionUtility.ThrowHelperError( new InvalidOperationException(SR.GetString(SR.ID4072, securityTokenHandler.GetType(), tokenType, typeof(UserNameSecurityTokenHandler)))); } securityTokenAuthenticator = new WrappedUserNameSecurityTokenAuthenticator(upSecurityTokenHandler, _exceptionMapper); } else if (StringComparer.Ordinal.Equals(tokenType, SecurityTokenTypes.Kerberos)) { securityTokenAuthenticator = CreateInnerSecurityTokenAuthenticator(tokenRequirement, out outOfBandTokenResolver); } else if (StringComparer.Ordinal.Equals(tokenType, SecurityTokenTypes.Rsa)) { RsaSecurityTokenHandler rsaSecurityTokenHandler = securityTokenHandler as RsaSecurityTokenHandler; if (rsaSecurityTokenHandler == null) { throw DiagnosticUtility.ExceptionUtility.ThrowHelperError( new InvalidOperationException(SR.GetString(SR.ID4072, securityTokenHandler.GetType(), tokenType, typeof(RsaSecurityTokenHandler)))); } securityTokenAuthenticator = new WrappedRsaSecurityTokenAuthenticator(rsaSecurityTokenHandler, _exceptionMapper); } else if (StringComparer.Ordinal.Equals(tokenType, SecurityTokenTypes.X509Certificate)) { X509SecurityTokenHandler x509SecurityTokenHandler = securityTokenHandler as X509SecurityTokenHandler; if (x509SecurityTokenHandler == null) { throw DiagnosticUtility.ExceptionUtility.ThrowHelperError( new InvalidOperationException(SR.GetString(SR.ID4072, securityTokenHandler.GetType(), tokenType, typeof(X509SecurityTokenHandler)))); } securityTokenAuthenticator = new WrappedX509SecurityTokenAuthenticator(x509SecurityTokenHandler, _exceptionMapper); } else if (StringComparer.Ordinal.Equals(tokenType, SecurityTokenTypes.SamlTokenProfile11) || StringComparer.Ordinal.Equals(tokenType, SecurityTokenTypes.OasisWssSamlTokenProfile11)) { SamlSecurityTokenHandler saml11SecurityTokenHandler = securityTokenHandler as SamlSecurityTokenHandler; if (saml11SecurityTokenHandler == null) { throw DiagnosticUtility.ExceptionUtility.ThrowHelperError( new InvalidOperationException(SR.GetString(SR.ID4072, securityTokenHandler.GetType(), tokenType, typeof(SamlSecurityTokenHandler)))); } if (saml11SecurityTokenHandler.Configuration == null) { throw DiagnosticUtility.ExceptionUtility.ThrowHelperInvalidOperation(SR.GetString(SR.ID4274)); } securityTokenAuthenticator = new WrappedSaml11SecurityTokenAuthenticator(saml11SecurityTokenHandler, _exceptionMapper); // The out-of-band token resolver will be used by WCF to decrypt any encrypted SAML tokens. outOfBandTokenResolver = saml11SecurityTokenHandler.Configuration.ServiceTokenResolver; } else if (StringComparer.Ordinal.Equals(tokenType, SecurityTokenTypes.Saml2TokenProfile11) || StringComparer.Ordinal.Equals(tokenType, SecurityTokenTypes.OasisWssSaml2TokenProfile11)) { Saml2SecurityTokenHandler saml2SecurityTokenHandler = securityTokenHandler as Saml2SecurityTokenHandler; if (saml2SecurityTokenHandler == null) { throw DiagnosticUtility.ExceptionUtility.ThrowHelperError( new InvalidOperationException(SR.GetString(SR.ID4072, securityTokenHandler.GetType(), tokenType, typeof(Saml2SecurityTokenHandler)))); } if (saml2SecurityTokenHandler.Configuration == null) { throw DiagnosticUtility.ExceptionUtility.ThrowHelperInvalidOperation(SR.GetString(SR.ID4274)); } securityTokenAuthenticator = new WrappedSaml2SecurityTokenAuthenticator(saml2SecurityTokenHandler, _exceptionMapper); // The out-of-band token resolver will be used by WCF to decrypt any encrypted SAML tokens. outOfBandTokenResolver = saml2SecurityTokenHandler.Configuration.ServiceTokenResolver; } else if (StringComparer.Ordinal.Equals(tokenType, ServiceModelSecurityTokenTypes.SecureConversation)) { RecipientServiceModelSecurityTokenRequirement tr = tokenRequirement as RecipientServiceModelSecurityTokenRequirement; if (tr == null) { throw DiagnosticUtility.ExceptionUtility.ThrowHelperInvalidOperation(SR.GetString(SR.ID4240, tokenRequirement.GetType().ToString())); } securityTokenAuthenticator = SetupSecureConversationWrapper(tr, securityTokenHandler as SessionSecurityTokenHandler, out outOfBandTokenResolver); } else { securityTokenAuthenticator = new SecurityTokenAuthenticatorAdapter(securityTokenHandler, _exceptionMapper); } } else { if (tokenType == ServiceModelSecurityTokenTypes.SecureConversation || tokenType == ServiceModelSecurityTokenTypes.MutualSslnego || tokenType == ServiceModelSecurityTokenTypes.AnonymousSslnego || tokenType == ServiceModelSecurityTokenTypes.SecurityContext || tokenType == ServiceModelSecurityTokenTypes.Spnego) { RecipientServiceModelSecurityTokenRequirement tr = tokenRequirement as RecipientServiceModelSecurityTokenRequirement; if (tr == null) { throw DiagnosticUtility.ExceptionUtility.ThrowHelperInvalidOperation(SR.GetString(SR.ID4240, tokenRequirement.GetType().ToString())); } securityTokenAuthenticator = SetupSecureConversationWrapper(tr, null, out outOfBandTokenResolver); } else { securityTokenAuthenticator = CreateInnerSecurityTokenAuthenticator(tokenRequirement, out outOfBandTokenResolver); } } return(securityTokenAuthenticator); }
/// <summary> /// This method creates a SAML security token authenticator when token type is null. /// It wraps the SAML 1.1 and the SAML 2.0 token handlers that are configured. /// If no token handler was found, then the inner token manager is created. /// </summary> SecurityTokenAuthenticator CreateSamlSecurityTokenAuthenticator(SecurityTokenRequirement tokenRequirement, out SecurityTokenResolver outOfBandTokenResolver) { outOfBandTokenResolver = null; SecurityTokenAuthenticator securityTokenAuthenticator = null; SamlSecurityTokenHandler saml11SecurityTokenHandler = _securityTokenHandlerCollection[SecurityTokenTypes.SamlTokenProfile11] as SamlSecurityTokenHandler; Saml2SecurityTokenHandler saml2SecurityTokenHandler = _securityTokenHandlerCollection[SecurityTokenTypes.Saml2TokenProfile11] as Saml2SecurityTokenHandler; if (saml11SecurityTokenHandler != null && saml11SecurityTokenHandler.Configuration == null) { throw DiagnosticUtility.ExceptionUtility.ThrowHelperInvalidOperation(SR.GetString(SR.ID4274)); } if (saml2SecurityTokenHandler != null && saml2SecurityTokenHandler.Configuration == null) { throw DiagnosticUtility.ExceptionUtility.ThrowHelperInvalidOperation(SR.GetString(SR.ID4274)); } if (saml11SecurityTokenHandler != null && saml2SecurityTokenHandler != null) { // // Both SAML 1.1 and SAML 2.0 token handlers have been configured. // WrappedSaml11SecurityTokenAuthenticator wrappedSaml11SecurityTokenAuthenticator = new WrappedSaml11SecurityTokenAuthenticator(saml11SecurityTokenHandler, _exceptionMapper); WrappedSaml2SecurityTokenAuthenticator wrappedSaml2SecurityTokenAuthenticator = new WrappedSaml2SecurityTokenAuthenticator(saml2SecurityTokenHandler, _exceptionMapper); securityTokenAuthenticator = new WrappedSamlSecurityTokenAuthenticator(wrappedSaml11SecurityTokenAuthenticator, wrappedSaml2SecurityTokenAuthenticator); // The out-of-band token resolver will be used by WCF to decrypt any encrypted SAML tokens. List <SecurityTokenResolver> resolvers = new List <SecurityTokenResolver>(); resolvers.Add(saml11SecurityTokenHandler.Configuration.ServiceTokenResolver); resolvers.Add(saml2SecurityTokenHandler.Configuration.ServiceTokenResolver); outOfBandTokenResolver = new AggregateTokenResolver(resolvers); } else if (saml11SecurityTokenHandler == null && saml2SecurityTokenHandler != null) { // // SAML 1.1 token handler is not present but SAML 2.0 is. Set the token type to SAML 2.0 // securityTokenAuthenticator = new WrappedSaml2SecurityTokenAuthenticator(saml2SecurityTokenHandler, _exceptionMapper); // The out-of-band token resolver will be used by WCF to decrypt any encrypted SAML tokens. outOfBandTokenResolver = saml2SecurityTokenHandler.Configuration.ServiceTokenResolver; } else if (saml11SecurityTokenHandler != null && saml2SecurityTokenHandler == null) { // // SAML 1.1 token handler is present but SAML 2.0 is not. Set the token type to SAML 1.1 // securityTokenAuthenticator = new WrappedSaml11SecurityTokenAuthenticator(saml11SecurityTokenHandler, _exceptionMapper); // The out-of-band token resolver will be used by WCF to decrypt any encrypted SAML tokens. outOfBandTokenResolver = saml11SecurityTokenHandler.Configuration.ServiceTokenResolver; } else { securityTokenAuthenticator = CreateInnerSecurityTokenAuthenticator(tokenRequirement, out outOfBandTokenResolver); } return(securityTokenAuthenticator); }
internal static Task CloseTokenAuthenticatorIfRequiredAsync(SecurityTokenAuthenticator tokenAuthenticator, CancellationToken token) { return(CloseTokenAuthenticatorIfRequiredAsync(tokenAuthenticator, false, token)); }
internal static Task CloseTokenAuthenticatorIfRequiredAsync(SecurityTokenAuthenticator tokenAuthenticator, bool aborted, CancellationToken token) { return(CloseCommunicationObjectAsync(tokenAuthenticator, aborted, token)); }
internal static Task OpenTokenAuthenticatorIfRequiredAsync(SecurityTokenAuthenticator tokenAuthenticator, CancellationToken token) { return(OpenCommunicationObjectAsync(tokenAuthenticator as ICommunicationObject, token)); }
internal static void AbortTokenAuthenticatorIfRequired(SecurityTokenAuthenticator tokenAuthenticator) { CloseCommunicationObjectAsync(tokenAuthenticator, true, CancellationToken.None).GetAwaiter().GetResult(); }
public override SecurityTokenAuthenticator CreateSecurityTokenAuthenticator(SecurityTokenRequirement tokenRequirement, out SecurityTokenResolver outOfBandTokenResolver) { if (tokenRequirement == null) { throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("tokenRequirement"); } string tokenType = tokenRequirement.TokenType; outOfBandTokenResolver = null; SecurityTokenAuthenticator result = null; if (tokenRequirement is InitiatorServiceModelSecurityTokenRequirement) { // this is the uncorrelated duplex case in which the server is asking for // an authenticator to validate its provisioned client certificate if (tokenType == SecurityTokenTypes.X509Certificate && tokenRequirement.KeyUsage == SecurityKeyUsage.Exchange) { return(new X509SecurityTokenAuthenticator(X509CertificateValidator.None, false)); } } RecipientServiceModelSecurityTokenRequirement recipientRequirement = tokenRequirement as RecipientServiceModelSecurityTokenRequirement; if (recipientRequirement == null) { throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new NotSupportedException(SR.GetString(SR.SecurityTokenManagerCannotCreateAuthenticatorForRequirement, tokenRequirement))); } if (tokenType == SecurityTokenTypes.X509Certificate) { result = CreateClientX509TokenAuthenticator(); } else if (tokenType == SecurityTokenTypes.Kerberos) { result = new KerberosSecurityTokenAuthenticatorWrapper( new KerberosSecurityTokenAuthenticator(parent.WindowsAuthentication.IncludeWindowsGroups)); } else if (tokenType == SecurityTokenTypes.UserName) { if (parent.UserNameAuthentication.UserNamePasswordValidationMode == UserNamePasswordValidationMode.Windows) { if (parent.UserNameAuthentication.CacheLogonTokens) { result = new WindowsUserNameCachingSecurityTokenAuthenticator(parent.UserNameAuthentication.IncludeWindowsGroups, parent.UserNameAuthentication.MaxCachedLogonTokens, parent.UserNameAuthentication.CachedLogonTokenLifetime); } else { result = new WindowsUserNameSecurityTokenAuthenticator(parent.UserNameAuthentication.IncludeWindowsGroups); } } else { result = new CustomUserNameSecurityTokenAuthenticator(parent.UserNameAuthentication.GetUserNamePasswordValidator()); } } else if (tokenType == SecurityTokenTypes.Rsa) { result = new RsaSecurityTokenAuthenticator(); } else if (tokenType == ServiceModelSecurityTokenTypes.AnonymousSslnego) { result = CreateTlsnegoSecurityTokenAuthenticator(recipientRequirement, false, out outOfBandTokenResolver); } else if (tokenType == ServiceModelSecurityTokenTypes.MutualSslnego) { result = CreateTlsnegoSecurityTokenAuthenticator(recipientRequirement, true, out outOfBandTokenResolver); } else if (tokenType == ServiceModelSecurityTokenTypes.Spnego) { result = CreateSpnegoSecurityTokenAuthenticator(recipientRequirement, out outOfBandTokenResolver); } else if (tokenType == ServiceModelSecurityTokenTypes.SecureConversation) { result = CreateSecureConversationTokenAuthenticator(recipientRequirement, false, out outOfBandTokenResolver); } else if ((tokenType == SecurityTokenTypes.Saml) || (tokenType == SecurityXXX2005Strings.SamlTokenType) || (tokenType == SecurityJan2004Strings.SamlUri) || (tokenType == null && IsIssuedSecurityTokenRequirement(recipientRequirement))) { result = CreateSamlTokenAuthenticator(recipientRequirement, out outOfBandTokenResolver); } if (result == null) { throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new NotSupportedException(SR.GetString(SR.SecurityTokenManagerCannotCreateAuthenticatorForRequirement, tokenRequirement))); } return(result); }
public override SecurityTokenAuthenticator CreateSecurityTokenAuthenticator(SecurityTokenRequirement tokenRequirement, out SecurityTokenResolver outOfBandTokenResolver) { if (tokenRequirement == null) { throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("tokenRequirement"); } outOfBandTokenResolver = null; SecurityTokenAuthenticator result = null; InitiatorServiceModelSecurityTokenRequirement initiatorRequirement = tokenRequirement as InitiatorServiceModelSecurityTokenRequirement; if (initiatorRequirement != null) { string tokenType = initiatorRequirement.TokenType; if (IsIssuedSecurityTokenRequirement(initiatorRequirement)) { throw ExceptionHelper.PlatformNotSupported("CreateSecurityTokenAuthenticator : GenericXmlSecurityTokenAuthenticator"); } else if (tokenType == SecurityTokenTypes.X509Certificate) { if (initiatorRequirement.IsOutOfBandToken) { // when the client side soap security asks for a token authenticator, its for doing // identity checks on the out of band server certificate result = new X509SecurityTokenAuthenticator(X509CertificateValidator.None); } else if (initiatorRequirement.PreferSslCertificateAuthenticator) { result = CreateServerSslX509TokenAuthenticator(); } else { result = CreateServerX509TokenAuthenticator(); } } else if (tokenType == SecurityTokenTypes.Rsa) { throw ExceptionHelper.PlatformNotSupported("CreateSecurityTokenAuthenticator : SecurityTokenTypes.Rsa"); } else if (tokenType == SecurityTokenTypes.Kerberos) { throw ExceptionHelper.PlatformNotSupported("CreateSecurityTokenAuthenticator : SecurityTokenTypes.Kerberos"); } else if (tokenType == ServiceModelSecurityTokenTypes.SecureConversation || tokenType == ServiceModelSecurityTokenTypes.MutualSslnego || tokenType == ServiceModelSecurityTokenTypes.AnonymousSslnego || tokenType == ServiceModelSecurityTokenTypes.Spnego) { throw ExceptionHelper.PlatformNotSupported("CreateSecurityTokenAuthenticator : GenericXmlSecurityTokenAuthenticator"); } } else if ((tokenRequirement is RecipientServiceModelSecurityTokenRequirement) && tokenRequirement.TokenType == SecurityTokenTypes.X509Certificate) { // uncorrelated duplex case result = CreateServerX509TokenAuthenticator(); } if (result == null) { throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new NotSupportedException(SR.Format(SR.SecurityTokenManagerCannotCreateAuthenticatorForRequirement, tokenRequirement))); } return(result); }
protected override SecurityProtocolCorrelationState VerifyIncomingMessageCore(ref Message message, string actor, TimeSpan timeout, SecurityProtocolCorrelationState[] correlationStates) { IList <SupportingTokenAuthenticatorSpecification> list; AsymmetricSecurityProtocolFactory factory = this.Factory; TimeoutHelper helper = new TimeoutHelper(timeout); ReceiveSecurityHeader securityHeader = base.ConfigureReceiveSecurityHeader(message, string.Empty, correlationStates, out list); SecurityToken requiredSigningToken = null; if (factory.ActAsInitiator) { SecurityTokenAuthenticator initiatorAsymmetricTokenAuthenticator; SecurityToken token = null; SecurityToken primaryToken = null; if (factory.RequireIntegrity) { primaryToken = SecurityProtocol.GetToken(this.initiatorAsymmetricTokenProvider, null, helper.RemainingTime()); requiredSigningToken = primaryToken; } if (factory.RequireConfidentiality) { token = base.GetCorrelationToken(correlationStates); if (!System.ServiceModel.Security.SecurityUtils.HasSymmetricSecurityKey(token)) { securityHeader.WrappedKeySecurityTokenAuthenticator = this.Factory.WrappedKeySecurityTokenAuthenticator; } } if (factory.AllowSerializedSigningTokenOnReply) { initiatorAsymmetricTokenAuthenticator = this.initiatorAsymmetricTokenAuthenticator; requiredSigningToken = null; } else { initiatorAsymmetricTokenAuthenticator = null; } securityHeader.ConfigureAsymmetricBindingClientReceiveHeader(primaryToken, factory.AsymmetricTokenParameters, token, factory.CryptoTokenParameters, initiatorAsymmetricTokenAuthenticator); } else { SecurityToken token4; if ((this.Factory.RecipientAsymmetricTokenProvider != null) && this.Factory.RequireConfidentiality) { token4 = SecurityProtocol.GetToken(factory.RecipientAsymmetricTokenProvider, null, helper.RemainingTime()); } else { token4 = null; } securityHeader.ConfigureAsymmetricBindingServerReceiveHeader(this.Factory.RecipientCryptoTokenAuthenticator, this.Factory.CryptoTokenParameters, token4, this.Factory.AsymmetricTokenParameters, list); securityHeader.WrappedKeySecurityTokenAuthenticator = this.Factory.WrappedKeySecurityTokenAuthenticator; securityHeader.ConfigureOutOfBandTokenResolver(base.MergeOutOfBandResolvers(list, this.Factory.RecipientOutOfBandTokenResolverList)); } base.ProcessSecurityHeader(securityHeader, ref message, requiredSigningToken, helper.RemainingTime(), correlationStates); SecurityToken signatureToken = securityHeader.SignatureToken; SecurityToken encryptionToken = securityHeader.EncryptionToken; if (factory.RequireIntegrity) { if (factory.ActAsInitiator) { ReadOnlyCollection <IAuthorizationPolicy> recipientTokenPolicies = this.initiatorAsymmetricTokenAuthenticator.ValidateToken(signatureToken); MessageSecurityProtocol.EnsureNonWrappedToken(signatureToken, message); this.DoIdentityCheckAndAttachInitiatorSecurityProperty(message, encryptionToken, signatureToken, recipientTokenPolicies); } else { MessageSecurityProtocol.EnsureNonWrappedToken(signatureToken, message); this.AttachRecipientSecurityProperty(message, signatureToken, encryptionToken, securityHeader.BasicSupportingTokens, securityHeader.EndorsingSupportingTokens, securityHeader.SignedEndorsingSupportingTokens, securityHeader.SignedSupportingTokens, securityHeader.SecurityTokenAuthorizationPoliciesMapping); } } return(base.GetCorrelationState(signatureToken, securityHeader)); }
protected void PrepareAuthenticator() { authenticator = CreateTokenAuthenticator(RecipientParameters, out auth_token_resolver); }
private SslStreamSecurityUpgradeProvider(IDefaultCommunicationTimeouts timeouts, SecurityTokenProvider serverTokenProvider, bool requireClientCertificate, SecurityTokenAuthenticator clientCertificateAuthenticator, string scheme, IdentityVerifier identityVerifier, SslProtocols sslProtocols) : base(timeouts) { _serverTokenProvider = serverTokenProvider; RequireClientCertificate = requireClientCertificate; _clientCertificateAuthenticator = clientCertificateAuthenticator; IdentityVerifier = identityVerifier; Scheme = scheme; SslProtocols = sslProtocols; ClientSecurityTokenManager = null; // Used for client but there's public api which need this and the compiler complains it's never assigned }
void ValidateTokensByParameters(IEnumerable <SecurityTokenParameters> plist, List <SupportingTokenInfo> tokens, bool optional, SecurityTokenAttachmentMode attachMode) { foreach (SecurityTokenParameters p in plist) { SecurityTokenResolver r; SecurityTokenAuthenticator a = security.CreateTokenAuthenticator(p, out r); SupportingTokenSpecification spec = ValidateTokensByParameters(a, r, tokens); if (spec == null) { if (optional) { continue; } else { throw new MessageSecurityException(String.Format("No security token could be validated for authenticator '{0}' which is indicated by the '{1}' supporting token parameters", a, attachMode)); } } else { // For endorsing tokens, verify corresponding signatures. switch (attachMode) { case SecurityTokenAttachmentMode.Endorsing: case SecurityTokenAttachmentMode.SignedEndorsing: WSSignedXml esxml = GetSignatureForToken(spec.SecurityToken); if (esxml == null) { throw new MessageSecurityException(String.Format("The '{1}' token '{0}' is expected to endorse the primary signature but no corresponding signature is found.", spec.SecurityToken, attachMode)); } bool confirmed; SecurityAlgorithmSuite suite = security.Element.DefaultAlgorithmSuite; foreach (SecurityTokenReferenceKeyInfo kic in esxml.KeyInfo) { SecurityKey signKey = spec.SecurityToken.ResolveKeyIdentifierClause(kic.Clause); SymmetricSecurityKey symkey = signKey as SymmetricSecurityKey; if (symkey != null) { confirmed = esxml.CheckSignature(symkey.GetKeyedHashAlgorithm(suite.DefaultSymmetricSignatureAlgorithm)); } else { AsymmetricAlgorithm alg = ((AsymmetricSecurityKey)signKey).GetAsymmetricAlgorithm(suite.DefaultAsymmetricSignatureAlgorithm, false); confirmed = esxml.CheckSignature(alg); } if (!confirmed) { throw new MessageSecurityException(String.Format("Signature for '{1}' token '{0}' is invalid.", spec.SecurityToken, attachMode)); } break; } sec_prop.ConfirmedSignatures.Insert(0, Convert.ToBase64String(esxml.SignatureValue)); break; } } sec_prop.IncomingSupportingTokens.Add(spec); } }
public SecureOutgoingMessageAsyncResult(Message m, AsymmetricSecurityProtocol binding, SecurityTokenProvider primaryProvider, SecurityTokenProvider secondaryProvider, bool doIdentityChecks, SecurityTokenAuthenticator identityCheckAuthenticator, SecurityProtocolCorrelationState correlationState, TimeSpan timeout, AsyncCallback callback, object state) : base(m, binding, primaryProvider, secondaryProvider, doIdentityChecks, identityCheckAuthenticator, correlationState, timeout, callback, state) { Start(); }
public SupportingTokenAuthenticatorSpecification(SecurityTokenAuthenticator tokenAuthenticator, SecurityTokenResolver securityTokenResolver, SecurityTokenAttachmentMode attachmentMode, SecurityTokenParameters tokenParameters) : this(tokenAuthenticator, securityTokenResolver, attachmentMode, tokenParameters, false) { }
public override void OnOpen(TimeSpan timeout) { TimeoutHelper timeoutHelper = new TimeoutHelper(timeout); base.OnOpen(timeoutHelper.RemainingTime()); if (this.tokenParameters == null) { OnPropertySettingsError("SecurityTokenParameters", true); } if (!this.ActAsInitiator) { SecurityTokenRequirement recipientTokenRequirement = CreateRecipientTokenRequirement(); SecurityTokenResolver resolver = null; if (this.SecurityTokenParameters.HasAsymmetricKey) { this.recipientAsymmetricTokenProvider = this.SecurityTokenManager.CreateSecurityTokenProvider(recipientTokenRequirement); } else { this.recipientSymmetricTokenAuthenticator = this.SecurityTokenManager.CreateSecurityTokenAuthenticator(recipientTokenRequirement, out resolver); } if (this.RecipientSymmetricTokenAuthenticator != null && this.RecipientAsymmetricTokenProvider != null) { throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new ArgumentException(SR.GetString(SR.OnlyOneOfEncryptedKeyOrSymmetricBindingCanBeSelected))); } if (resolver != null) { Collection <SecurityTokenResolver> tmp = new Collection <SecurityTokenResolver>(); tmp.Add(resolver); this.recipientOutOfBandTokenResolverList = new ReadOnlyCollection <SecurityTokenResolver>(tmp); } else { this.recipientOutOfBandTokenResolverList = EmptyReadOnlyCollection <SecurityTokenResolver> .Instance; } if (this.RecipientAsymmetricTokenProvider != null) { Open("RecipientAsymmetricTokenProvider", true, this.RecipientAsymmetricTokenProvider, timeoutHelper.RemainingTime()); } else { Open("RecipientSymmetricTokenAuthenticator", true, this.RecipientSymmetricTokenAuthenticator, timeoutHelper.RemainingTime()); } } if (this.tokenParameters.RequireDerivedKeys) { this.ExpectKeyDerivation = true; } if (this.tokenParameters.HasAsymmetricKey) { this.protectionTokenParameters = new WrappedKeySecurityTokenParameters(); this.protectionTokenParameters.RequireDerivedKeys = this.SecurityTokenParameters.RequireDerivedKeys; } else { this.protectionTokenParameters = this.tokenParameters; } }
internal static void CloseTokenAuthenticatorIfRequired(SecurityTokenAuthenticator tokenAuthenticator, TimeSpan timeout) { CloseTokenAuthenticatorIfRequired(tokenAuthenticator, false, timeout); }
public void Process(TimeSpan timeout, ChannelBinding channelBinding, ExtendedProtectionPolicy extendedProtectionPolicy) { Fx.Assert(ReaderQuotas != null, "Reader quotas must be set before processing"); MessageProtectionOrder actualProtectionOrder = _protectionOrder; bool wasProtectionOrderDowngraded = false; if (_protectionOrder == MessageProtectionOrder.SignBeforeEncryptAndEncryptSignature) { throw ExceptionHelper.PlatformNotSupported(); // No support for message encryption } _channelBinding = channelBinding; _extendedProtectionPolicy = extendedProtectionPolicy; _orderTracker.SetRequiredProtectionOrder(actualProtectionOrder); SetProcessingStarted(); _timeoutHelper = new TimeoutHelper(timeout); Message = SecurityVerifiedMessage = new SecurityVerifiedMessage(Message, this); XmlDictionaryReader reader = CreateSecurityHeaderReader(); reader.MoveToStartElement(); if (reader.IsEmptyElement) { throw TraceUtility.ThrowHelperError(new MessageSecurityException(SR.SecurityHeaderIsEmpty), Message); } if (RequireMessageProtection) { _securityElementAttributes = XmlAttributeHolder.ReadAttributes(reader); } else { _securityElementAttributes = XmlAttributeHolder.emptyArray; } reader.ReadStartElement(); if (_primaryTokenParameters != null) { _primaryTokenTracker = new TokenTracker(null, _outOfBandPrimaryToken, _allowFirstTokenMismatch); } // universalTokenResolver is used for resolving tokens _universalTokenResolver = new SecurityHeaderTokenResolver(this); // primary token resolver is used for resolving primary signature and decryption _primaryTokenResolver = new SecurityHeaderTokenResolver(this); if (_outOfBandPrimaryToken != null) { _universalTokenResolver.Add(_outOfBandPrimaryToken, SecurityTokenReferenceStyle.External, _primaryTokenParameters); _primaryTokenResolver.Add(_outOfBandPrimaryToken, SecurityTokenReferenceStyle.External, _primaryTokenParameters); } else if (_outOfBandPrimaryTokenCollection != null) { for (int i = 0; i < _outOfBandPrimaryTokenCollection.Count; ++i) { _universalTokenResolver.Add(_outOfBandPrimaryTokenCollection[i], SecurityTokenReferenceStyle.External, _primaryTokenParameters); _primaryTokenResolver.Add(_outOfBandPrimaryTokenCollection[i], SecurityTokenReferenceStyle.External, _primaryTokenParameters); } } if (_wrappingToken != null) { _universalTokenResolver.ExpectedWrapper = _wrappingToken; _universalTokenResolver.ExpectedWrapperTokenParameters = _wrappingTokenParameters; _primaryTokenResolver.ExpectedWrapper = _wrappingToken; _primaryTokenResolver.ExpectedWrapperTokenParameters = _wrappingTokenParameters; } if (_outOfBandTokenResolver == null) { CombinedUniversalTokenResolver = _universalTokenResolver; _combinedPrimaryTokenResolver = _primaryTokenResolver; } else { CombinedUniversalTokenResolver = new AggregateSecurityHeaderTokenResolver(_universalTokenResolver, _outOfBandTokenResolver); _combinedPrimaryTokenResolver = new AggregateSecurityHeaderTokenResolver(_primaryTokenResolver, _outOfBandTokenResolver); } _allowedAuthenticators = new List <SecurityTokenAuthenticator>(); if (_primaryTokenAuthenticator != null) { _allowedAuthenticators.Add(_primaryTokenAuthenticator); } if (DerivedTokenAuthenticator != null) { _allowedAuthenticators.Add(DerivedTokenAuthenticator); } _pendingSupportingTokenAuthenticator = null; int numSupportingTokensRequiringDerivation = 0; if (_supportingTokenAuthenticators != null && _supportingTokenAuthenticators.Count > 0) { _supportingTokenTrackers = new List <TokenTracker>(_supportingTokenAuthenticators.Count); for (int i = 0; i < _supportingTokenAuthenticators.Count; ++i) { SupportingTokenAuthenticatorSpecification spec = _supportingTokenAuthenticators[i]; switch (spec.SecurityTokenAttachmentMode) { case SecurityTokenAttachmentMode.Endorsing: _hasEndorsingOrSignedEndorsingSupportingTokens = true; break; case SecurityTokenAttachmentMode.Signed: break; case SecurityTokenAttachmentMode.SignedEndorsing: _hasEndorsingOrSignedEndorsingSupportingTokens = true; break; case SecurityTokenAttachmentMode.SignedEncrypted: break; } if ((_primaryTokenAuthenticator != null) && (_primaryTokenAuthenticator.GetType().Equals(spec.TokenAuthenticator.GetType()))) { _pendingSupportingTokenAuthenticator = spec.TokenAuthenticator; } else { _allowedAuthenticators.Add(spec.TokenAuthenticator); } if (spec.TokenParameters.RequireDerivedKeys && !spec.TokenParameters.HasAsymmetricKey && (spec.SecurityTokenAttachmentMode == SecurityTokenAttachmentMode.Endorsing || spec.SecurityTokenAttachmentMode == SecurityTokenAttachmentMode.SignedEndorsing)) { ++numSupportingTokensRequiringDerivation; } _supportingTokenTrackers.Add(new TokenTracker(spec)); } } if (DerivedTokenAuthenticator != null) { // we expect key derivation. Compute quotas for derived keys int maxKeyDerivationLengthInBits = AlgorithmSuite.DefaultEncryptionKeyDerivationLength >= AlgorithmSuite.DefaultSignatureKeyDerivationLength ? AlgorithmSuite.DefaultEncryptionKeyDerivationLength : AlgorithmSuite.DefaultSignatureKeyDerivationLength; MaxDerivedKeyLength = maxKeyDerivationLengthInBits / 8; // the upper bound of derived keys is (1 for primary signature + 1 for encryption + supporting token signatures requiring derivation)*2 // the multiplication by 2 is to take care of interop scenarios that may arise that require more derived keys than the lower bound. _maxDerivedKeys = (1 + 1 + numSupportingTokensRequiringDerivation) * 2; } SecurityHeaderElementInferenceEngine engine = SecurityHeaderElementInferenceEngine.GetInferenceEngine(Layout); engine.ExecuteProcessingPasses(this, reader); if (RequireMessageProtection) { throw ExceptionHelper.PlatformNotSupported(); } EnsureDecryptionComplete(); _signatureTracker.SetDerivationSourceIfRequired(); _encryptionTracker.SetDerivationSourceIfRequired(); if (EncryptionToken != null) { throw ExceptionHelper.PlatformNotSupported(); } // ensure that the primary signature was signed with derived keys if required if (EnforceDerivedKeyRequirement) { if (SignatureToken != null) { if (_primaryTokenParameters != null) { if (_primaryTokenParameters.RequireDerivedKeys && !_primaryTokenParameters.HasAsymmetricKey && !_primaryTokenTracker.IsDerivedFrom) { throw DiagnosticUtility.ExceptionUtility.ThrowHelperWarning(new MessageSecurityException(SR.Format(SR.PrimarySignatureWasNotSignedByDerivedKey, _primaryTokenParameters))); } } else if (_wrappingTokenParameters != null && _wrappingTokenParameters.RequireDerivedKeys) { if (!_signatureTracker.IsDerivedToken) { throw DiagnosticUtility.ExceptionUtility.ThrowHelperWarning(new MessageSecurityException(SR.Format(SR.PrimarySignatureWasNotSignedByDerivedWrappedKey, _wrappingTokenParameters))); } } } // verify that the encryption is using key derivation if (EncryptionToken != null) { throw ExceptionHelper.PlatformNotSupported(); } } if (wasProtectionOrderDowngraded && (BasicSupportingTokens != null) && (BasicSupportingTokens.Count > 0)) { throw ExceptionHelper.PlatformNotSupported(); } // verify all supporting token parameters have their requirements met if (_supportingTokenTrackers != null && _supportingTokenTrackers.Count > 0) { throw ExceptionHelper.PlatformNotSupported(); } if (_replayDetectionEnabled) { throw ExceptionHelper.PlatformNotSupported(); } if (ExpectSignatureConfirmation) { throw ExceptionHelper.PlatformNotSupported(); } MarkHeaderAsUnderstood(); }
internal static void AbortTokenAuthenticatorIfRequired(SecurityTokenAuthenticator tokenAuthenticator) { CloseCommunicationObject(tokenAuthenticator, true, TimeSpan.Zero); }
public override SecurityTokenAuthenticator CreateSecurityTokenAuthenticator(SecurityTokenRequirement tokenRequirement, out SecurityTokenResolver outOfBandTokenResolver) { if (tokenRequirement == null) { throw System.ServiceModel.DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("tokenRequirement"); } string tokenType = tokenRequirement.TokenType; outOfBandTokenResolver = null; SecurityTokenAuthenticator authenticator = null; if (((tokenRequirement is InitiatorServiceModelSecurityTokenRequirement) && (tokenType == SecurityTokenTypes.X509Certificate)) && (tokenRequirement.KeyUsage == SecurityKeyUsage.Exchange)) { return(new X509SecurityTokenAuthenticator(X509CertificateValidator.None, false)); } RecipientServiceModelSecurityTokenRequirement recipientRequirement = tokenRequirement as RecipientServiceModelSecurityTokenRequirement; if (recipientRequirement == null) { throw System.ServiceModel.DiagnosticUtility.ExceptionUtility.ThrowHelperError(new NotSupportedException(System.ServiceModel.SR.GetString("SecurityTokenManagerCannotCreateAuthenticatorForRequirement", new object[] { tokenRequirement }))); } if (tokenType == SecurityTokenTypes.X509Certificate) { authenticator = this.CreateClientX509TokenAuthenticator(); } else if (tokenType == SecurityTokenTypes.Kerberos) { authenticator = new KerberosSecurityTokenAuthenticatorWrapper(new KerberosSecurityTokenAuthenticator(this.parent.WindowsAuthentication.IncludeWindowsGroups)); } else if (tokenType == SecurityTokenTypes.UserName) { if (this.parent.UserNameAuthentication.UserNamePasswordValidationMode == UserNamePasswordValidationMode.Windows) { if (this.parent.UserNameAuthentication.CacheLogonTokens) { authenticator = new WindowsUserNameCachingSecurityTokenAuthenticator(this.parent.UserNameAuthentication.IncludeWindowsGroups, this.parent.UserNameAuthentication.MaxCachedLogonTokens, this.parent.UserNameAuthentication.CachedLogonTokenLifetime); } else { authenticator = new WindowsUserNameSecurityTokenAuthenticator(this.parent.UserNameAuthentication.IncludeWindowsGroups); } } else { authenticator = new CustomUserNameSecurityTokenAuthenticator(this.parent.UserNameAuthentication.GetUserNamePasswordValidator()); } } else if (tokenType == SecurityTokenTypes.Rsa) { authenticator = new RsaSecurityTokenAuthenticator(); } else if (tokenType == ServiceModelSecurityTokenTypes.AnonymousSslnego) { authenticator = this.CreateTlsnegoSecurityTokenAuthenticator(recipientRequirement, false, out outOfBandTokenResolver); } else if (tokenType == ServiceModelSecurityTokenTypes.MutualSslnego) { authenticator = this.CreateTlsnegoSecurityTokenAuthenticator(recipientRequirement, true, out outOfBandTokenResolver); } else if (tokenType == ServiceModelSecurityTokenTypes.Spnego) { authenticator = this.CreateSpnegoSecurityTokenAuthenticator(recipientRequirement, out outOfBandTokenResolver); } else if (tokenType == ServiceModelSecurityTokenTypes.SecureConversation) { authenticator = this.CreateSecureConversationTokenAuthenticator(recipientRequirement, false, out outOfBandTokenResolver); } else if (((tokenType == SecurityTokenTypes.Saml) || (tokenType == "http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1")) || ((tokenType == "urn:oasis:names:tc:SAML:1.0:assertion") || ((tokenType == null) && this.IsIssuedSecurityTokenRequirement(recipientRequirement)))) { authenticator = this.CreateSamlTokenAuthenticator(recipientRequirement, out outOfBandTokenResolver); } if (authenticator == null) { throw System.ServiceModel.DiagnosticUtility.ExceptionUtility.ThrowHelperError(new NotSupportedException(System.ServiceModel.SR.GetString("SecurityTokenManagerCannotCreateAuthenticatorForRequirement", new object[] { tokenRequirement }))); } return(authenticator); }