public virtual Task <SecurityToken> ReadTokenCoreAsync(XmlDictionaryReader reader, SecurityTokenResolver tokenResolver)
{
return(Task.FromResult(ReadTokenCore(reader, tokenResolver)));
}
public virtual void ReadXml(XmlDictionaryReader reader, SamlSerializer samlSerializer, SecurityTokenSerializer keyInfoSerializer, SecurityTokenResolver outOfBandTokenResolver)
{
if (reader == null)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new ArgumentNullException("reader"));
}
if (samlSerializer == null)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new ArgumentNullException("samlSerializer"));
}
SamlDictionary samlDictionary = samlSerializer.DictionaryManager.SamlDictionary;
reader.MoveToContent();
reader.Read();
while (reader.IsStartElement())
{
if (!reader.IsStartElement(samlDictionary.AssertionIdReference, samlDictionary.Namespace))
{
if (!reader.IsStartElement(samlDictionary.Assertion, samlDictionary.Namespace))
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new SecurityTokenException(System.IdentityModel.SR.GetString("SAMLBadSchema", new object[] { samlDictionary.Evidence.Value })));
}
SamlAssertion item = new SamlAssertion();
item.ReadXml(reader, samlSerializer, keyInfoSerializer, outOfBandTokenResolver);
this.assertions.Add(item);
}
else
{
reader.MoveToContent();
this.assertionIdReferences.Add(reader.ReadString());
reader.ReadEndElement();
continue;
}
}
if ((this.assertionIdReferences.Count == 0) && (this.assertions.Count == 0))
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new SecurityTokenException(System.IdentityModel.SR.GetString("SAMLEvidenceShouldHaveOneAssertionOnRead")));
}
reader.MoveToContent();
reader.ReadEndElement();
}
public override SecurityToken ReadToken(XmlReader reader, SecurityTokenResolver tokenResolver)
{
return(base.ReadToken(reader, tokenResolver));
}
/// <summary>
/// Initializes the object with a UA identity token
/// </summary>
private void Initialize(IssuedIdentityToken token, SecurityTokenSerializer serializer, SecurityTokenResolver resolver)
{
if (token == null)
{
throw new ArgumentNullException("token");
}
string text = new UTF8Encoding().GetString(token.DecryptedTokenData);
XmlDocument document = new XmlDocument();
document.InnerXml = text.Trim();
XmlNodeReader reader = new XmlNodeReader(document.DocumentElement);
try
{
if (document.DocumentElement.NamespaceURI == "urn:oasis:names:tc:SAML:1.0:assertion")
{
SecurityToken samlToken = new SamlSerializer().ReadToken(reader, serializer, resolver);
Initialize(samlToken);
}
else
{
SecurityToken securityToken = serializer.ReadToken(reader, resolver);
Initialize(securityToken);
}
}
finally
{
reader.Close();
}
}
public abstract void ReadXml(XmlDictionaryReader reader, SamlSerializer samlSerializer, SecurityTokenSerializer keyInfoSerializer, SecurityTokenResolver outOfBandTokenResolver);
// RSTR specific method public abstract SecurityToken GetEntropy(RequestSecurityTokenResponse rstr, SecurityTokenResolver resolver);
public override SecurityTokenAuthenticator CreateSecurityTokenAuthenticator(
SecurityTokenRequirement requirement,
out SecurityTokenResolver outOfBandTokenResolver)
{
outOfBandTokenResolver = null;
if (requirement.TokenType == SecurityTokenTypes.UserName)
{
return(CreateUserNameAuthenticator(requirement));
}
if (requirement.TokenType == SecurityTokenTypes.X509Certificate)
{
return(CreateX509Authenticator(requirement));
}
if (requirement.TokenType == SecurityTokenTypes.Rsa)
{
return(new RsaSecurityTokenAuthenticator());
}
if (requirement.TokenType == ServiceModelSecurityTokenTypes.SecureConversation)
{
SecurityBindingElement binding;
if (!requirement.TryGetProperty <SecurityBindingElement> (ReqType.SecurityBindingElementProperty, out binding))
{
throw new ArgumentException("SecurityBindingElement is required in the security token requirement");
}
SecureConversationSecurityTokenParameters issuedParams;
if (!requirement.TryGetProperty <SecureConversationSecurityTokenParameters> (ReqType.IssuedSecurityTokenParametersProperty, out issuedParams))
{
throw new ArgumentException("IssuedSecurityTokenParameters are required in the security token requirement");
}
BindingContext issuerBC;
if (!requirement.TryGetProperty <BindingContext> (ReqType.IssuerBindingContextProperty, out issuerBC))
{
throw new ArgumentException("IssuerBindingContext is required in the security token requirement");
}
SecurityTokenVersion secVer;
if (!requirement.TryGetProperty <SecurityTokenVersion> (ReqType.MessageSecurityVersionProperty, out secVer))
{
throw new ArgumentException("MessageSecurityVersion property (of type SecurityTokenVersion) is required in the security token requirement");
}
// FIXME: get parameters from somewhere
SecurityContextSecurityTokenResolver resolver =
new SecurityContextSecurityTokenResolver(0x1000, true);
outOfBandTokenResolver = resolver;
SecurityContextSecurityTokenAuthenticator sc =
new SecurityContextSecurityTokenAuthenticator();
return(new SecureConversationSecurityTokenAuthenticator(requirement, sc, resolver));
}
if (requirement.TokenType == ServiceModelSecurityTokenTypes.AnonymousSslnego)
{
return(CreateSslTokenAuthenticator(requirement));
}
if (requirement.TokenType == ServiceModelSecurityTokenTypes.MutualSslnego)
{
return(CreateSslTokenAuthenticator(requirement));
}
if (requirement.TokenType == ServiceModelSecurityTokenTypes.Spnego)
{
return(CreateSpnegoTokenAuthenticator(requirement));
}
else
{
throw new NotImplementedException("Not implemented token type: " + requirement.TokenType);
}
}
CreateSecurityTokenAuthenticator(SecurityTokenRequirement
tokenRequirement, out SecurityTokenResolver outOfBandTokenResolver)
{
return(base.CreateSecurityTokenAuthenticator(tokenRequirement,
out outOfBandTokenResolver));
}
protected override SecurityToken ReadTokenCore(XmlReader reader, SecurityTokenResolver tokenResolver)
{
return(new DummySecurityToken());
}
public override SecurityTokenAuthenticator CreateSecurityTokenAuthenticator(SecurityTokenRequirement tokenRequirement, out SecurityTokenResolver outOfBandTokenResolver)
{
if (tokenRequirement.TokenType == SecurityTokenTypes.UserName)
{
outOfBandTokenResolver = null;
return(new ClaimsTokenAuthenticator());
}
else
{
return(base.CreateSecurityTokenAuthenticator(tokenRequirement, out outOfBandTokenResolver));
}
}
public virtual void ReadXml(XmlDictionaryReader reader, SamlSerializer samlSerializer, SecurityTokenSerializer keyInfoSerializer, SecurityTokenResolver outOfBandTokenResolver)
{
if (reader == null)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new ArgumentNullException("reader"));
}
if (samlSerializer == null)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new ArgumentNullException("samlSerializer"));
}
SamlDictionary samlDictionary = samlSerializer.DictionaryManager.SamlDictionary;
this.name = reader.GetAttribute(samlDictionary.AttributeName, null);
if (string.IsNullOrEmpty(this.name))
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new SecurityTokenException(System.IdentityModel.SR.GetString("SAMLAttributeMissingNameAttributeOnRead")));
}
this.nameSpace = reader.GetAttribute(samlDictionary.AttributeNamespace, null);
if (string.IsNullOrEmpty(this.nameSpace))
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new SecurityTokenException(System.IdentityModel.SR.GetString("SAMLAttributeMissingNamespaceAttributeOnRead")));
}
this.claimType = string.IsNullOrEmpty(this.nameSpace) ? this.name : (this.nameSpace + "/" + this.name);
reader.MoveToContent();
reader.Read();
while (reader.IsStartElement(samlDictionary.AttributeValue, samlDictionary.Namespace))
{
string item = reader.ReadString();
this.attributeValues.Add(item);
reader.MoveToContent();
reader.ReadEndElement();
}
if (this.attributeValues.Count == 0)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new SecurityTokenException(System.IdentityModel.SR.GetString("SAMLAttributeShouldHaveOneValue")));
}
reader.MoveToContent();
reader.ReadEndElement();
}
public override System.IdentityModel.Selectors.SecurityTokenAuthenticator CreateSecurityTokenAuthenticator(SecurityTokenRequirement tokenRequirement, out SecurityTokenResolver outOfBandTokenResolver)
{
if (tokenRequirement.TokenType == Constants.UsernameTokenType)
{
outOfBandTokenResolver = null;
return(new SecurityTokenAuthenticator(_serviceCredentials.Validator));
}
return(base.CreateSecurityTokenAuthenticator(tokenRequirement, out outOfBandTokenResolver));
}
protected override SecurityToken ReadTokenCore(System.Xml.XmlReader reader, SecurityTokenResolver tokenResolver)
{
throw new NotImplementedException();
}
public override SecurityTokenAuthenticator CreateTokenAuthenticator(SecurityTokenParameters p, out SecurityTokenResolver resolver)
{
resolver = null;
// This check might be almost extra, though it is
// needed to check correct signing token existence.
//
// Not sure if it is limited to this condition, but
// Ssl parameters do not support token provider and
// still do not fail. X509 parameters do fail.
if (!RecipientParameters.InternalSupportsServerAuthentication)
{
return(null);
}
SecurityTokenRequirement r = CreateRequirement();
r.Properties [ReqType.MessageDirectionProperty] = MessageDirection.Input;
InitializeRequirement(p, r);
return(SecurityTokenManager.CreateSecurityTokenAuthenticator(r, out resolver));
}
SecurityTokenAuthenticator CreateTlsnegoSecurityTokenAuthenticator(RecipientServiceModelSecurityTokenRequirement recipientRequirement, bool requireClientCertificate, out SecurityTokenResolver sctResolver)
{
SecurityBindingElement securityBindingElement = recipientRequirement.SecurityBindingElement;
if (securityBindingElement == null)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgument(SR.GetString(SR.TokenAuthenticatorRequiresSecurityBindingElement, recipientRequirement));
}
bool isCookieMode = !recipientRequirement.SupportSecurityContextCancellation;
LocalServiceSecuritySettings localServiceSettings = securityBindingElement.LocalServiceSettings;
sctResolver = new SecurityContextSecurityTokenResolver(localServiceSettings.MaxCachedCookies, true);
TlsnegoTokenAuthenticator authenticator = new TlsnegoTokenAuthenticator();
authenticator.IsClientAnonymous = !requireClientCertificate;
if (requireClientCertificate)
{
authenticator.ClientTokenAuthenticator = this.CreateTlsnegoClientX509TokenAuthenticator(recipientRequirement);
authenticator.MapCertificateToWindowsAccount = this.ServiceCredentials.ClientCertificate.Authentication.MapClientCertificateToWindowsAccount;
}
authenticator.EncryptStateInServiceToken = isCookieMode;
authenticator.IssuedSecurityTokenParameters = recipientRequirement.GetProperty <SecurityTokenParameters>(ServiceModelSecurityTokenRequirement.IssuedSecurityTokenParametersProperty);
authenticator.IssuedTokenCache = (ISecurityContextSecurityTokenCache)sctResolver;
authenticator.IssuerBindingContext = recipientRequirement.GetProperty <BindingContext>(ServiceModelSecurityTokenRequirement.IssuerBindingContextProperty);
authenticator.ListenUri = recipientRequirement.ListenUri;
authenticator.SecurityAlgorithmSuite = recipientRequirement.SecurityAlgorithmSuite;
authenticator.StandardsManager = SecurityUtils.CreateSecurityStandardsManager(recipientRequirement, this);
authenticator.SecurityStateEncoder = parent.SecureConversationAuthentication.SecurityStateEncoder;
authenticator.KnownTypes = parent.SecureConversationAuthentication.SecurityContextClaimTypes;
authenticator.ServerTokenProvider = CreateTlsnegoServerX509TokenProvider(recipientRequirement);
// local security quotas
authenticator.MaximumCachedNegotiationState = localServiceSettings.MaxStatefulNegotiations;
authenticator.NegotiationTimeout = localServiceSettings.NegotiationTimeout;
authenticator.ServiceTokenLifetime = localServiceSettings.IssuedCookieLifetime;
authenticator.MaximumConcurrentNegotiations = localServiceSettings.MaxStatefulNegotiations;
// if the TLSNEGO is being done in mixed-mode, the nego blobs are from an anonymous client and so there size bound needs to be enforced.
if (securityBindingElement is TransportSecurityBindingElement)
{
authenticator.MaxMessageSize = SecurityUtils.GetMaxNegotiationBufferSize(authenticator.IssuerBindingContext);
}
// audit settings
authenticator.AuditLogLocation = recipientRequirement.AuditLogLocation;
authenticator.SuppressAuditFailure = recipientRequirement.SuppressAuditFailure;
authenticator.MessageAuthenticationAuditLevel = recipientRequirement.MessageAuthenticationAuditLevel;
return(authenticator);
}
public SecurityToken ReadToken(XmlReader reader, SecurityTokenResolver resolver)
{
CheckReader(reader);
return(ReadTokenCore(reader, resolver));
}
SamlSecurityTokenAuthenticator CreateSamlTokenAuthenticator(RecipientServiceModelSecurityTokenRequirement recipientRequirement, out SecurityTokenResolver outOfBandTokenResolver)
{
if (recipientRequirement == null)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("recipientRequirement");
}
Collection <SecurityToken> outOfBandTokens = new Collection <SecurityToken>();
if (parent.ServiceCertificate.Certificate != null)
{
outOfBandTokens.Add(new X509SecurityToken(parent.ServiceCertificate.Certificate));
}
List <SecurityTokenAuthenticator> supportingAuthenticators = new List <SecurityTokenAuthenticator>();
if ((parent.IssuedTokenAuthentication.KnownCertificates != null) && (parent.IssuedTokenAuthentication.KnownCertificates.Count > 0))
{
for (int i = 0; i < parent.IssuedTokenAuthentication.KnownCertificates.Count; ++i)
{
outOfBandTokens.Add(new X509SecurityToken(parent.IssuedTokenAuthentication.KnownCertificates[i]));
}
}
X509CertificateValidator validator = parent.IssuedTokenAuthentication.GetCertificateValidator();
supportingAuthenticators.Add(new X509SecurityTokenAuthenticator(validator));
if (parent.IssuedTokenAuthentication.AllowUntrustedRsaIssuers)
{
supportingAuthenticators.Add(new RsaSecurityTokenAuthenticator());
}
outOfBandTokenResolver = (outOfBandTokens.Count > 0) ? SecurityTokenResolver.CreateDefaultSecurityTokenResolver(new ReadOnlyCollection <SecurityToken>(outOfBandTokens), false) : null;
SamlSecurityTokenAuthenticator ssta;
if ((recipientRequirement.SecurityBindingElement == null) || (recipientRequirement.SecurityBindingElement.LocalServiceSettings == null))
{
ssta = new SamlSecurityTokenAuthenticator(supportingAuthenticators);
}
else
{
ssta = new SamlSecurityTokenAuthenticator(supportingAuthenticators, recipientRequirement.SecurityBindingElement.LocalServiceSettings.MaxClockSkew);
}
// set audience uri restrictions
ssta.AudienceUriMode = parent.IssuedTokenAuthentication.AudienceUriMode;
IList <string> allowedAudienceUris = ssta.AllowedAudienceUris;
if (parent.IssuedTokenAuthentication.AllowedAudienceUris != null)
{
for (int i = 0; i < parent.IssuedTokenAuthentication.AllowedAudienceUris.Count; i++)
{
allowedAudienceUris.Add(parent.IssuedTokenAuthentication.AllowedAudienceUris[i]);
}
}
if (recipientRequirement.ListenUri != null)
{
allowedAudienceUris.Add(recipientRequirement.ListenUri.AbsoluteUri);
}
return(ssta);
}
protected static SecurityToken ResolveKeyIdentifier(SecurityKeyIdentifier keyIdentifier, SecurityTokenResolver resolver, bool isFromSignature)
{
SecurityToken token;
if (!TryResolveKeyIdentifier(keyIdentifier, resolver, isFromSignature, out token))
{
if (isFromSignature)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new MessageSecurityException(
SR.GetString(SR.UnableToResolveKeyInfoForVerifyingSignature, keyIdentifier, resolver)));
}
else
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new MessageSecurityException(
SR.GetString(SR.UnableToResolveKeyInfoForDecryption, keyIdentifier, resolver)));
}
}
return(token);
}
public override SecurityTokenAuthenticator CreateSecurityTokenAuthenticator(SecurityTokenRequirement tokenRequirement, out SecurityTokenResolver outOfBandTokenResolver)
{
if (tokenRequirement == null)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("tokenRequirement");
}
string tokenType = tokenRequirement.TokenType;
outOfBandTokenResolver = null;
SecurityTokenAuthenticator result = null;
if (tokenRequirement is InitiatorServiceModelSecurityTokenRequirement)
{
// this is the uncorrelated duplex case in which the server is asking for
// an authenticator to validate its provisioned client certificate
if (tokenType == SecurityTokenTypes.X509Certificate && tokenRequirement.KeyUsage == SecurityKeyUsage.Exchange)
{
return(new X509SecurityTokenAuthenticator(X509CertificateValidator.None, false));
}
}
RecipientServiceModelSecurityTokenRequirement recipientRequirement = tokenRequirement as RecipientServiceModelSecurityTokenRequirement;
if (recipientRequirement == null)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new NotSupportedException(SR.GetString(SR.SecurityTokenManagerCannotCreateAuthenticatorForRequirement, tokenRequirement)));
}
if (tokenType == SecurityTokenTypes.X509Certificate)
{
result = CreateClientX509TokenAuthenticator();
}
else if (tokenType == SecurityTokenTypes.Kerberos)
{
result = new KerberosSecurityTokenAuthenticatorWrapper(
new KerberosSecurityTokenAuthenticator(parent.WindowsAuthentication.IncludeWindowsGroups));
}
else if (tokenType == SecurityTokenTypes.UserName)
{
if (parent.UserNameAuthentication.UserNamePasswordValidationMode == UserNamePasswordValidationMode.Windows)
{
if (parent.UserNameAuthentication.CacheLogonTokens)
{
result = new WindowsUserNameCachingSecurityTokenAuthenticator(parent.UserNameAuthentication.IncludeWindowsGroups,
parent.UserNameAuthentication.MaxCachedLogonTokens, parent.UserNameAuthentication.CachedLogonTokenLifetime);
}
else
{
result = new WindowsUserNameSecurityTokenAuthenticator(parent.UserNameAuthentication.IncludeWindowsGroups);
}
}
else
{
result = new CustomUserNameSecurityTokenAuthenticator(parent.UserNameAuthentication.GetUserNamePasswordValidator());
}
}
else if (tokenType == SecurityTokenTypes.Rsa)
{
result = new RsaSecurityTokenAuthenticator();
}
else if (tokenType == ServiceModelSecurityTokenTypes.AnonymousSslnego)
{
result = CreateTlsnegoSecurityTokenAuthenticator(recipientRequirement, false, out outOfBandTokenResolver);
}
else if (tokenType == ServiceModelSecurityTokenTypes.MutualSslnego)
{
result = CreateTlsnegoSecurityTokenAuthenticator(recipientRequirement, true, out outOfBandTokenResolver);
}
else if (tokenType == ServiceModelSecurityTokenTypes.Spnego)
{
result = CreateSpnegoSecurityTokenAuthenticator(recipientRequirement, out outOfBandTokenResolver);
}
else if (tokenType == ServiceModelSecurityTokenTypes.SecureConversation)
{
result = CreateSecureConversationTokenAuthenticator(recipientRequirement, false, out outOfBandTokenResolver);
}
else if ((tokenType == SecurityTokenTypes.Saml) ||
(tokenType == SecurityXXX2005Strings.SamlTokenType) ||
(tokenType == SecurityJan2004Strings.SamlUri) ||
(tokenType == null && IsIssuedSecurityTokenRequirement(recipientRequirement)))
{
result = CreateSamlTokenAuthenticator(recipientRequirement, out outOfBandTokenResolver);
}
if (result == null)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new NotSupportedException(SR.GetString(SR.SecurityTokenManagerCannotCreateAuthenticatorForRequirement, tokenRequirement)));
}
return(result);
}
// RSTR specific method
public abstract GenericXmlSecurityToken GetIssuedToken(RequestSecurityTokenResponse rstr, SecurityTokenResolver resolver, IList <SecurityTokenAuthenticator> allowedAuthenticators, SecurityKeyEntropyMode keyEntropyMode, byte[] requestorEntropy,
string expectedTokenType, ReadOnlyCollection <IAuthorizationPolicy> authorizationPolicies, int defaultKeySize, bool isBearerKeyType);
protected SecurityTokenAuthenticator CreateSecureConversationTokenAuthenticator(RecipientServiceModelSecurityTokenRequirement recipientRequirement, bool preserveBootstrapTokens, out SecurityTokenResolver sctResolver)
{
SecurityBindingElement securityBindingElement = recipientRequirement.SecurityBindingElement;
if (securityBindingElement == null)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgument(SR.GetString(SR.TokenAuthenticatorRequiresSecurityBindingElement, recipientRequirement));
}
bool isCookieMode = !recipientRequirement.SupportSecurityContextCancellation;
LocalServiceSecuritySettings localServiceSettings = securityBindingElement.LocalServiceSettings;
IMessageFilterTable <EndpointAddress> endpointFilterTable = recipientRequirement.GetPropertyOrDefault <IMessageFilterTable <EndpointAddress> >(ServiceModelSecurityTokenRequirement.EndpointFilterTableProperty, null);
if (!isCookieMode)
{
sctResolver = new SecurityContextSecurityTokenResolver(Int32.MaxValue, false);
// remember this authenticator for future reference
SecuritySessionSecurityTokenAuthenticator authenticator = new SecuritySessionSecurityTokenAuthenticator();
authenticator.BootstrapSecurityBindingElement = SecurityUtils.GetIssuerSecurityBindingElement(recipientRequirement);
authenticator.IssuedSecurityTokenParameters = recipientRequirement.GetProperty <SecurityTokenParameters>(ServiceModelSecurityTokenRequirement.IssuedSecurityTokenParametersProperty);
authenticator.IssuedTokenCache = (ISecurityContextSecurityTokenCache)sctResolver;
authenticator.IssuerBindingContext = recipientRequirement.GetProperty <BindingContext>(ServiceModelSecurityTokenRequirement.IssuerBindingContextProperty);
authenticator.KeyEntropyMode = securityBindingElement.KeyEntropyMode;
authenticator.ListenUri = recipientRequirement.ListenUri;
authenticator.SecurityAlgorithmSuite = recipientRequirement.SecurityAlgorithmSuite;
authenticator.SessionTokenLifetime = TimeSpan.MaxValue;
authenticator.KeyRenewalInterval = securityBindingElement.LocalServiceSettings.SessionKeyRenewalInterval;
authenticator.StandardsManager = SecurityUtils.CreateSecurityStandardsManager(recipientRequirement, this);
authenticator.EndpointFilterTable = endpointFilterTable;
authenticator.MaximumConcurrentNegotiations = localServiceSettings.MaxStatefulNegotiations;
authenticator.NegotiationTimeout = localServiceSettings.NegotiationTimeout;
authenticator.PreserveBootstrapTokens = preserveBootstrapTokens;
return(authenticator);
}
else
{
sctResolver = new SecurityContextSecurityTokenResolver(localServiceSettings.MaxCachedCookies, true, localServiceSettings.MaxClockSkew);
AcceleratedTokenAuthenticator authenticator = new AcceleratedTokenAuthenticator();
authenticator.BootstrapSecurityBindingElement = SecurityUtils.GetIssuerSecurityBindingElement(recipientRequirement);
authenticator.KeyEntropyMode = securityBindingElement.KeyEntropyMode;
authenticator.EncryptStateInServiceToken = true;
authenticator.IssuedSecurityTokenParameters = recipientRequirement.GetProperty <SecurityTokenParameters>(ServiceModelSecurityTokenRequirement.IssuedSecurityTokenParametersProperty);
authenticator.IssuedTokenCache = (ISecurityContextSecurityTokenCache)sctResolver;
authenticator.IssuerBindingContext = recipientRequirement.GetProperty <BindingContext>(ServiceModelSecurityTokenRequirement.IssuerBindingContextProperty);
authenticator.ListenUri = recipientRequirement.ListenUri;
authenticator.SecurityAlgorithmSuite = recipientRequirement.SecurityAlgorithmSuite;
authenticator.StandardsManager = SecurityUtils.CreateSecurityStandardsManager(recipientRequirement, this);
authenticator.SecurityStateEncoder = parent.SecureConversationAuthentication.SecurityStateEncoder;
authenticator.KnownTypes = parent.SecureConversationAuthentication.SecurityContextClaimTypes;
authenticator.PreserveBootstrapTokens = preserveBootstrapTokens;
// local security quotas
authenticator.MaximumCachedNegotiationState = localServiceSettings.MaxStatefulNegotiations;
authenticator.NegotiationTimeout = localServiceSettings.NegotiationTimeout;
authenticator.ServiceTokenLifetime = localServiceSettings.IssuedCookieLifetime;
authenticator.MaximumConcurrentNegotiations = localServiceSettings.MaxStatefulNegotiations;
// audit settings
authenticator.AuditLogLocation = recipientRequirement.AuditLogLocation;
authenticator.SuppressAuditFailure = recipientRequirement.SuppressAuditFailure;
authenticator.MessageAuthenticationAuditLevel = recipientRequirement.MessageAuthenticationAuditLevel;
authenticator.EndpointFilterTable = endpointFilterTable;
return(authenticator);
}
}
SecurityTokenResolver GetResolver(bool canMatchLocalId, params SecurityToken [] tokens)
{
return(SecurityTokenResolver.CreateDefaultSecurityTokenResolver(new ReadOnlyCollection <SecurityToken> (tokens), canMatchLocalId));
}
public override void ReadXml(XmlDictionaryReader reader, SamlSerializer samlSerializer, SecurityTokenSerializer keyInfoSerializer, SecurityTokenResolver outOfBandTokenResolver)
{
if (reader == null)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new ArgumentNullException("reader"));
}
if (samlSerializer == null)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new ArgumentNullException("samlSerializer"));
}
#pragma warning suppress 56506 // samlSerializer.DictionaryManager is never null.
SamlDictionary dictionary = samlSerializer.DictionaryManager.SamlDictionary;
reader.MoveToContent();
reader.Read();
while (reader.IsStartElement())
{
if (reader.IsStartElement(dictionary.Audience, dictionary.Namespace))
{
reader.MoveToContent();
string audience = reader.ReadString();
if (string.IsNullOrEmpty(audience))
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new SecurityTokenException(SR.GetString(SR.SAMLAudienceRestrictionInvalidAudienceValueOnRead)));
}
this.audiences.Add(new Uri(audience));
reader.MoveToContent();
reader.ReadEndElement();
}
else
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new SecurityTokenException(SR.GetString(SR.SAMLBadSchema, dictionary.AudienceRestrictionCondition.Value)));
}
}
if (this.audiences.Count == 0)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new SecurityTokenException(SR.GetString(SR.SAMLAudienceRestrictionShouldHaveOneAudienceOnRead)));
}
reader.MoveToContent();
reader.ReadEndElement();
}
/// <summary>
/// Initializes the object with a UA identity token.
/// </summary>
/// <param name="token">The token.</param>
/// <param name="serializer">The token serializer.</param>
/// <param name="resolver">The token resolver.</param>
public UserIdentity(IssuedIdentityToken token, SecurityTokenSerializer serializer, SecurityTokenResolver resolver)
{
Initialize(token, serializer, resolver);
}
protected override SecurityToken ReadTokenCore(XmlReader reader, SecurityTokenResolver resolver)
{
throw new NotSupportedException();
}
protected override SecurityToken ReadTokenCore(XmlReader reader, SecurityTokenResolver tokenResolver)
{
XmlDictionaryReader localReader = XmlDictionaryReader.CreateDictionaryReader(reader);
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new XmlException(SR.Format(SR.CannotReadToken, reader.LocalName, reader.NamespaceURI, localReader.GetAttribute(CoreWCF.XD.SecurityJan2004Dictionary.ValueType, null))));
}
public override SecurityTokenAuthenticator CreateSecurityTokenAuthenticator(SecurityTokenRequirement tokenRequirement, out SecurityTokenResolver outOfBandTokenResolver)
{
if (tokenRequirement == null)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull(nameof(tokenRequirement));
}
outOfBandTokenResolver = null;
SecurityTokenAuthenticator result = null;
InitiatorServiceModelSecurityTokenRequirement initiatorRequirement = tokenRequirement as InitiatorServiceModelSecurityTokenRequirement;
if (initiatorRequirement != null)
{
string tokenType = initiatorRequirement.TokenType;
if (IsIssuedSecurityTokenRequirement(initiatorRequirement))
{
throw ExceptionHelper.PlatformNotSupported("CreateSecurityTokenAuthenticator : GenericXmlSecurityTokenAuthenticator");
}
else if (tokenType == SecurityTokenTypes.X509Certificate)
{
if (initiatorRequirement.IsOutOfBandToken)
{
// when the client side soap security asks for a token authenticator, its for doing
// identity checks on the out of band server certificate
result = new X509SecurityTokenAuthenticator(X509CertificateValidator.None);
}
else if (initiatorRequirement.PreferSslCertificateAuthenticator)
{
result = CreateServerSslX509TokenAuthenticator();
}
else
{
result = CreateServerX509TokenAuthenticator();
}
}
else if (tokenType == SecurityTokenTypes.Rsa)
{
throw ExceptionHelper.PlatformNotSupported("CreateSecurityTokenAuthenticator : SecurityTokenTypes.Rsa");
}
else if (tokenType == SecurityTokenTypes.Kerberos)
{
throw ExceptionHelper.PlatformNotSupported("CreateSecurityTokenAuthenticator : SecurityTokenTypes.Kerberos");
}
else if (tokenType == ServiceModelSecurityTokenTypes.SecureConversation ||
tokenType == ServiceModelSecurityTokenTypes.MutualSslnego ||
tokenType == ServiceModelSecurityTokenTypes.AnonymousSslnego ||
tokenType == ServiceModelSecurityTokenTypes.Spnego)
{
throw ExceptionHelper.PlatformNotSupported("CreateSecurityTokenAuthenticator : GenericXmlSecurityTokenAuthenticator");
}
}
else if ((tokenRequirement is RecipientServiceModelSecurityTokenRequirement) && tokenRequirement.TokenType == SecurityTokenTypes.X509Certificate)
{
// uncorrelated duplex case
result = CreateServerX509TokenAuthenticator();
}
if (result == null)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new NotSupportedException(SR.Format(SR.SecurityTokenManagerCannotCreateAuthenticatorForRequirement, tokenRequirement)));
}
return(result);
}
public abstract SecurityToken ReadTokenCore(XmlDictionaryReader reader, SecurityTokenResolver tokenResolver);
protected abstract SecurityToken ReadTokenCore(XmlReader reader, SecurityTokenResolver tokenResolver);
public abstract SecurityTokenAuthenticator CreateSecurityTokenAuthenticator(SecurityTokenRequirement tokenRequirement, out SecurityTokenResolver outOfBandTokenResolver);
public abstract SecurityTokenAuthenticator CreateTokenAuthenticator(SecurityTokenParameters p, out SecurityTokenResolver resolver);