// used by server WindowsStream security (from Open)
public static async Task <(NetworkCredential, bool)> GetSspiCredentialAsync(SecurityTokenManager credentialProvider,
SecurityTokenRequirement sspiTokenRequirement, CancellationToken token)
{
bool extractGroupsForWindowsAccounts = TransportDefaults.ExtractGroupsForWindowsAccounts;
NetworkCredential result = null;
if (credentialProvider != null)
{
SecurityTokenProvider tokenProvider = credentialProvider.CreateSecurityTokenProvider(sspiTokenRequirement);
if (tokenProvider != null)
{
await SecurityUtils.OpenTokenProviderIfRequiredAsync(tokenProvider, token);
bool success = false;
try
{
TokenImpersonationLevel dummyImpersonationLevel;
bool dummyAllowNtlm;
(result, extractGroupsForWindowsAccounts, dummyImpersonationLevel, dummyAllowNtlm) = await GetSspiCredentialAsync((SspiSecurityTokenProvider)tokenProvider, token);
success = true;
}
finally
{
if (!success)
{
SecurityUtils.AbortTokenProviderIfRequired(tokenProvider);
}
}
await SecurityUtils.CloseTokenProviderIfRequiredAsync(tokenProvider, token);
}
}
return(result, extractGroupsForWindowsAccounts);
}
public static SslStreamSecurityUpgradeProvider CreateServerProvider(SslStreamSecurityBindingElement bindingElement, BindingContext context)
{
SecurityCredentialsManager manager = context.BindingParameters.Find <SecurityCredentialsManager>();
if (manager == null)
{
manager = ServiceCredentials.CreateDefaultCredentials();
}
Uri listenUri = TransportSecurityHelpers.GetListenUri(context.ListenUriBaseAddress, context.ListenUriRelativeAddress);
SecurityTokenManager tokenManager = manager.CreateSecurityTokenManager();
RecipientServiceModelSecurityTokenRequirement tokenRequirement = new RecipientServiceModelSecurityTokenRequirement {
TokenType = SecurityTokenTypes.X509Certificate,
RequireCryptographicToken = true,
KeyUsage = SecurityKeyUsage.Exchange,
TransportScheme = context.Binding.Scheme,
ListenUri = listenUri
};
SecurityTokenProvider serverTokenProvider = tokenManager.CreateSecurityTokenProvider(tokenRequirement);
if (serverTokenProvider == null)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new InvalidOperationException(System.ServiceModel.SR.GetString("ClientCredentialsUnableToCreateLocalTokenProvider", new object[] { tokenRequirement })));
}
return(new SslStreamSecurityUpgradeProvider(context.Binding, serverTokenProvider, bindingElement.RequireClientCertificate, TransportSecurityHelpers.GetCertificateTokenAuthenticator(tokenManager, context.Binding.Scheme, listenUri), context.Binding.Scheme, bindingElement.IdentityVerifier));
}
public static NetworkCredential GetSspiCredential(SecurityTokenManager credentialProvider, SecurityTokenRequirement sspiTokenRequirement, TimeSpan timeout, out bool extractGroupsForWindowsAccounts)
{
extractGroupsForWindowsAccounts = true;
NetworkCredential credential = null;
if (credentialProvider != null)
{
SecurityTokenProvider tokenProvider = credentialProvider.CreateSecurityTokenProvider(sspiTokenRequirement);
if (tokenProvider == null)
{
return(credential);
}
TimeoutHelper helper = new TimeoutHelper(timeout);
System.ServiceModel.Security.SecurityUtils.OpenTokenProviderIfRequired(tokenProvider, helper.RemainingTime());
bool flag = false;
try
{
TokenImpersonationLevel level;
bool flag2;
credential = GetSspiCredential((SspiSecurityTokenProvider)tokenProvider, helper.RemainingTime(), out extractGroupsForWindowsAccounts, out level, out flag2);
flag = true;
}
finally
{
if (!flag)
{
System.ServiceModel.Security.SecurityUtils.AbortTokenProviderIfRequired(tokenProvider);
}
}
System.ServiceModel.Security.SecurityUtils.CloseTokenProviderIfRequired(tokenProvider, helper.RemainingTime());
}
return(credential);
}
public static SslStreamSecurityUpgradeProvider CreateServerProvider(
SslStreamSecurityBindingElement bindingElement, BindingContext context)
{
SecurityCredentialsManager credentialProvider =
context.BindingParameters.Find <SecurityCredentialsManager>();
if (credentialProvider == null)
{
credentialProvider = ServiceCredentials.CreateDefaultCredentials();
}
Uri listenUri = TransportSecurityHelpers.GetListenUri(context.ListenUriBaseAddress, context.ListenUriRelativeAddress);
SecurityTokenManager tokenManager = credentialProvider.CreateSecurityTokenManager();
RecipientServiceModelSecurityTokenRequirement serverCertRequirement = new RecipientServiceModelSecurityTokenRequirement();
serverCertRequirement.TokenType = SecurityTokenTypes.X509Certificate;
serverCertRequirement.RequireCryptographicToken = true;
serverCertRequirement.KeyUsage = SecurityKeyUsage.Exchange;
serverCertRequirement.TransportScheme = context.Binding.Scheme;
serverCertRequirement.ListenUri = listenUri;
SecurityTokenProvider tokenProvider = tokenManager.CreateSecurityTokenProvider(serverCertRequirement);
if (tokenProvider == null)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new InvalidOperationException(SR.Format(SR.ClientCredentialsUnableToCreateLocalTokenProvider, serverCertRequirement)));
}
SecurityTokenAuthenticator certificateAuthenticator =
TransportSecurityHelpers.GetCertificateTokenAuthenticator(tokenManager, context.Binding.Scheme, listenUri);
return(new SslStreamSecurityUpgradeProvider(context.Binding, tokenProvider, bindingElement.RequireClientCertificate,
certificateAuthenticator, context.Binding.Scheme, bindingElement.IdentityVerifier, bindingElement.SslProtocols));
}
UserNameSecurityTokenProvider GetPasswordTokenProvider()
{
if (delegateManager != null)
{
ServiceModelSecurityTokenRequirement requirement = CreateRequirement(SecurityTokenTypes.UserName);
UserNameSecurityTokenProvider tokenProvider = delegateManager.CreateSecurityTokenProvider(requirement) as UserNameSecurityTokenProvider;
if (tokenProvider == null)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new NotSupportedException(SR.GetString(SR.SecurityTokenManagerCannotCreateProviderForRequirement, requirement)));
}
return(tokenProvider);
}
else
{
return(new UserNameSecurityTokenProvider(string.Empty, credential.MeshPassword));
}
}
public static SspiSecurityTokenProvider GetSspiTokenProvider(SecurityTokenManager tokenManager, EndpointAddress target, Uri via, string transportScheme, AuthenticationSchemes authenticationScheme, ChannelParameterCollection channelParameters)
{
if (tokenManager == null)
{
return(null);
}
SecurityTokenRequirement tokenRequirement = CreateSspiTokenRequirement(target, via, transportScheme);
tokenRequirement.Properties[ServiceModelSecurityTokenRequirement.HttpAuthenticationSchemeProperty] = authenticationScheme;
if (channelParameters != null)
{
tokenRequirement.Properties[ServiceModelSecurityTokenRequirement.ChannelParametersCollectionProperty] = channelParameters;
}
return(tokenManager.CreateSecurityTokenProvider(tokenRequirement) as SspiSecurityTokenProvider);
}
public static SspiSecurityTokenProvider GetSspiTokenProvider(SecurityTokenManager tokenManager, EndpointAddress target, Uri via, string transportScheme, out IdentityVerifier identityVerifier)
{
identityVerifier = null;
if (tokenManager == null)
{
return(null);
}
SspiSecurityTokenProvider provider = tokenManager.CreateSecurityTokenProvider(CreateSspiTokenRequirement(target, via, transportScheme)) as SspiSecurityTokenProvider;
if (provider != null)
{
identityVerifier = IdentityVerifier.CreateDefault();
}
return(provider);
}
public static SecurityTokenProvider GetUserNameTokenProvider(
SecurityTokenManager tokenManager, EndpointAddress target, Uri via, string transportScheme, AuthenticationSchemes authenticationScheme,
ChannelParameterCollection channelParameters)
{
SecurityTokenProvider result = null;
if (tokenManager != null)
{
SecurityTokenRequirement usernameRequirement = CreateUserNameTokenRequirement(target, via, transportScheme);
usernameRequirement.Properties[ServiceModelSecurityTokenRequirement.HttpAuthenticationSchemeProperty] = authenticationScheme;
if (channelParameters != null)
{
usernameRequirement.Properties[ServiceModelSecurityTokenRequirement.ChannelParametersCollectionProperty] = channelParameters;
}
result = tokenManager.CreateSecurityTokenProvider(usernameRequirement);
}
return(result);
}
public static SecurityTokenProvider GetCertificateTokenProvider(
SecurityTokenManager tokenManager, EndpointAddress target, Uri via, string transportScheme, ChannelParameterCollection channelParameters)
{
if (tokenManager != null)
{
InitiatorServiceModelSecurityTokenRequirement certificateTokenRequirement =
new InitiatorServiceModelSecurityTokenRequirement();
certificateTokenRequirement.TokenType = SecurityTokenTypes.X509Certificate;
certificateTokenRequirement.TargetAddress = target;
certificateTokenRequirement.Via = via;
certificateTokenRequirement.RequireCryptographicToken = false;
certificateTokenRequirement.TransportScheme = transportScheme;
if (channelParameters != null)
{
certificateTokenRequirement.Properties[ServiceModelSecurityTokenRequirement.ChannelParametersCollectionProperty] = channelParameters;
}
return(tokenManager.CreateSecurityTokenProvider(certificateTokenRequirement));
}
return(null);
}
public static SecurityTokenProvider GetDigestTokenProvider(SecurityTokenManager tokenManager, EndpointAddress target, Uri via, string transportScheme, AuthenticationSchemes authenticationScheme, ChannelParameterCollection channelParameters)
{
if (tokenManager == null)
{
return(null);
}
InitiatorServiceModelSecurityTokenRequirement tokenRequirement = new InitiatorServiceModelSecurityTokenRequirement {
TokenType = ServiceModelSecurityTokenTypes.SspiCredential,
TargetAddress = target,
Via = via,
RequireCryptographicToken = false,
TransportScheme = transportScheme
};
tokenRequirement.Properties[ServiceModelSecurityTokenRequirement.HttpAuthenticationSchemeProperty] = authenticationScheme;
if (channelParameters != null)
{
tokenRequirement.Properties[ServiceModelSecurityTokenRequirement.ChannelParametersCollectionProperty] = channelParameters;
}
return(tokenManager.CreateSecurityTokenProvider(tokenRequirement) as SspiSecurityTokenProvider);
}
// used by server WindowsStream security (from Open)
public static NetworkCredential GetSspiCredential(SecurityTokenManager credentialProvider,
SecurityTokenRequirement sspiTokenRequirement, TimeSpan timeout,
out bool extractGroupsForWindowsAccounts)
{
extractGroupsForWindowsAccounts = TransportDefaults.ExtractGroupsForWindowsAccounts;
NetworkCredential result = null;
if (credentialProvider != null)
{
SecurityTokenProvider tokenProvider = credentialProvider.CreateSecurityTokenProvider(sspiTokenRequirement);
if (tokenProvider != null)
{
TimeoutHelper timeoutHelper = new TimeoutHelper(timeout);
SecurityUtils.OpenTokenProviderIfRequired(tokenProvider, timeoutHelper.RemainingTime());
bool success = false;
try
{
OutWrapper <TokenImpersonationLevel> dummyImpersonationLevelWrapper = new OutWrapper <TokenImpersonationLevel>();
OutWrapper <bool> dummyAllowNtlmWrapper = new OutWrapper <bool>();
OutWrapper <bool> extractGroupsForWindowsAccountsWrapper = new OutWrapper <bool>();
result = GetSspiCredentialAsync((SspiSecurityTokenProvider)tokenProvider, extractGroupsForWindowsAccountsWrapper,
dummyImpersonationLevelWrapper, dummyAllowNtlmWrapper, timeoutHelper.RemainingTime()).GetAwaiter().GetResult();
success = true;
}
finally
{
if (!success)
{
SecurityUtils.AbortTokenProviderIfRequired(tokenProvider);
}
}
SecurityUtils.CloseTokenProviderIfRequired(tokenProvider, timeoutHelper.RemainingTime());
}
}
return(result);
}
public SecurityTokenProvider CreateTokenProvider(SecurityTokenRequirement requirement)
{
return(manager.CreateSecurityTokenProvider(requirement));
}