private async Task <SecurityMessageProperty> CreateClientSecurityAsync(NegotiateStream negotiateStream, bool extractGroupsForWindowsAccounts) { IIdentity remoteIdentity = negotiateStream.RemoteIdentity; SecurityToken token; ReadOnlyCollection <IAuthorizationPolicy> authorizationPolicies; WindowsSecurityTokenAuthenticator authenticator = new WindowsSecurityTokenAuthenticator(extractGroupsForWindowsAccounts, _ldapSettings); if (remoteIdentity is WindowsIdentity) { WindowsIdentity windowIdentity = (WindowsIdentity)remoteIdentity; SecurityUtils.ValidateAnonymityConstraint(windowIdentity, false); token = new WindowsSecurityToken(windowIdentity, SecurityUniqueId.Create().Value, windowIdentity.AuthenticationType); } else { ClaimsIdentity claimsIdentity = new ClaimsIdentity(remoteIdentity); token = new GenericSecurityToken(remoteIdentity.Name, SecurityUniqueId.Create().Value); } authorizationPolicies = await authenticator.ValidateTokenAsync(token); SecurityMessageProperty clientSecurity = new SecurityMessageProperty { TransportToken = new SecurityTokenSpecification(token, authorizationPolicies), ServiceSecurityContext = new ServiceSecurityContext(authorizationPolicies) }; return(clientSecurity); }
protected override ReadOnlyCollection <IAuthorizationPolicy> ValidateTokenCore(SecurityToken token) { WindowsSecurityToken windowsToken = (WindowsSecurityToken)token; WindowsClaimSet claimSet = new WindowsClaimSet(windowsToken.WindowsIdentity, windowsToken.AuthenticationType, _includeWindowsGroups, windowsToken.ValidTo); return(SecurityUtils.CreateAuthorizationPolicies(claimSet, windowsToken.ValidTo)); }
SecurityMessageProperty CreateClientSecurity(NegotiateStream negotiateStream, bool extractGroupsForWindowsAccounts) { IIdentity remoteIdentity = negotiateStream.RemoteIdentity; SecurityToken token; ReadOnlyCollection <IAuthorizationPolicy> authorizationPolicies; if (remoteIdentity is WindowsIdentity) { WindowsIdentity windowIdentity = (WindowsIdentity)remoteIdentity; Security.SecurityUtils.ValidateAnonymityConstraint(windowIdentity, false); WindowsSecurityTokenAuthenticator authenticator = new WindowsSecurityTokenAuthenticator(extractGroupsForWindowsAccounts); token = new WindowsSecurityToken(windowIdentity, SecurityUniqueId.Create().Value, windowIdentity.AuthenticationType); authorizationPolicies = authenticator.ValidateToken(token); } else { token = new GenericSecurityToken(remoteIdentity.Name, SecurityUniqueId.Create().Value); GenericSecurityTokenAuthenticator authenticator = new GenericSecurityTokenAuthenticator(); authorizationPolicies = authenticator.ValidateToken(token); } SecurityMessageProperty clientSecurity = new SecurityMessageProperty(); clientSecurity.TransportToken = new SecurityTokenSpecification(token, authorizationPolicies); clientSecurity.ServiceSecurityContext = new ServiceSecurityContext(authorizationPolicies); return(clientSecurity); }
protected override ReadOnlyCollection <IAuthorizationPolicy> ValidateTokenCore(SecurityToken token) { WindowsSecurityToken token2 = (WindowsSecurityToken)token; WindowsClaimSet claimSet = new WindowsClaimSet(token2.WindowsIdentity, token2.AuthenticationType, this.includeWindowsGroups, token2.ValidTo); return(System.IdentityModel.SecurityUtils.CreateAuthorizationPolicies(claimSet, token2.ValidTo)); }
protected override ReadOnlyCollection <IAuthorizationPolicy> ValidateTokenCore(SecurityToken token) { #if SUPPORTS_WINDOWSIDENTITY // NegotiateStream WindowsSecurityToken windowsToken = (WindowsSecurityToken)token; WindowsClaimSet claimSet = new WindowsClaimSet(windowsToken.WindowsIdentity, windowsToken.AuthenticationType, this.includeWindowsGroups, windowsToken.ValidTo); return(SecurityUtils.CreateAuthorizationPolicies(claimSet, windowsToken.ValidTo)); #else // SUPPORTS_WINDOWSIDENTITY throw ExceptionHelper.PlatformNotSupported(ExceptionHelper.WinsdowsStreamSecurityNotSupported); #endif // SUPPORTS_WINDOWSIDENTITY }
private SecurityMessageProperty ProcessAuthentication(WindowsIdentity identity, string authenticationType) { System.ServiceModel.Security.SecurityUtils.ValidateAnonymityConstraint(identity, false); SecurityToken token = new WindowsSecurityToken(identity, SecurityUniqueId.Create().Value, authenticationType); ReadOnlyCollection <IAuthorizationPolicy> tokenPolicies = this.windowsTokenAuthenticator.ValidateToken(token); return(new SecurityMessageProperty { TransportToken = new SecurityTokenSpecification(token, tokenPolicies), ServiceSecurityContext = new ServiceSecurityContext(tokenPolicies) }); }
private SecurityMessageProperty CreateClientSecurity(NegotiateStream negotiateStream, bool extractGroupsForWindowsAccounts) { WindowsIdentity remoteIdentity = (WindowsIdentity)negotiateStream.RemoteIdentity; System.ServiceModel.Security.SecurityUtils.ValidateAnonymityConstraint(remoteIdentity, false); WindowsSecurityTokenAuthenticator authenticator = new WindowsSecurityTokenAuthenticator(extractGroupsForWindowsAccounts); SecurityToken token = new WindowsSecurityToken(remoteIdentity, SecurityUniqueId.Create().Value, remoteIdentity.AuthenticationType); ReadOnlyCollection <IAuthorizationPolicy> tokenPolicies = authenticator.ValidateToken(token); this.clientSecurity = new SecurityMessageProperty(); this.clientSecurity.TransportToken = new SecurityTokenSpecification(token, tokenPolicies); this.clientSecurity.ServiceSecurityContext = new ServiceSecurityContext(tokenPolicies); return(this.clientSecurity); }
/// <summary> /// Creates ClaimsIdentityCollection for the given Transport SecurityToken. /// </summary> /// <param name="transportToken">Client SecurityToken provided at the Transport layer.</param> /// <returns>ClaimsIdentityCollection built from the Transport SecurityToken</returns> static ReadOnlyCollection <ClaimsIdentity> GetTransportTokenIdentities(SecurityToken transportToken) { if (transportToken == null) { throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("transportToken"); } ServiceCredentials serviceCreds = GetServiceCredentials(); List <ClaimsIdentity> transportTokenIdentityCollection = new List <ClaimsIdentity>(); ////////////////////////////////////////////////////////////////////////////////////////// // // There are 5 well-known Client Authentication types at the transport layer. Each of these will // result either in a WindowsSecurityToken, X509SecurityToken or UserNameSecurityToken. // All other type of credentials (like OAuth token) result other token that will be passed trough regular validation process. // // ClientCredential Type || Transport Token Type // ------------------------------------------------------------------- // Basic -> UserNameSecurityToken (In Self-hosted case) // Basic -> WindowsSecurityToken (In Web-Hosted case) // NTLM -> WindowsSecurityToken // Negotiate -> WindowsSecurityToken // Windows -> WindowsSecurityToken // Certificate -> X509SecurityToken // ////////////////////////////////////////////////////////////////////////////////////////// WindowsSecurityToken windowsSecurityToken = transportToken as WindowsSecurityToken; if (windowsSecurityToken != null) { WindowsIdentity claimsIdentity = new WindowsIdentity(windowsSecurityToken.WindowsIdentity.Token, AuthenticationTypes.Windows); AddAuthenticationMethod(claimsIdentity, AuthenticationMethods.Windows); AddAuthenticationInstantClaim(claimsIdentity, XmlConvert.ToString(DateTime.UtcNow, DateTimeFormats.Generated)); // Just reflect on the wrapped WindowsIdentity and build the WindowsClaimsIdentity class. transportTokenIdentityCollection.Add(claimsIdentity); } else { // WCF does not call our SecurityTokenHandlers for the Transport token. So run the token through // the SecurityTokenHandler and generate claims for this token. transportTokenIdentityCollection.AddRange(serviceCreds.IdentityConfiguration.SecurityTokenHandlers.ValidateToken(transportToken)); } return(transportTokenIdentityCollection.AsReadOnly()); }
SecurityMessageProperty CreateClientSecurity(NegotiateStream negotiateStream, bool extractGroupsForWindowsAccounts) { WindowsIdentity remoteIdentity = (WindowsIdentity)negotiateStream.RemoteIdentity; SecurityUtils.ValidateAnonymityConstraint(remoteIdentity, false); WindowsSecurityTokenAuthenticator authenticator = new WindowsSecurityTokenAuthenticator(extractGroupsForWindowsAccounts); // When NegotiateStream returns a WindowsIdentity the AuthenticationType is passed in the constructor to WindowsIdentity // by it's internal NegoState class. If this changes, then the call to remoteIdentity.AuthenticationType could fail if the // current process token doesn't have sufficient priviledges. It is a first class exception, and caught by the CLR // null is returned. SecurityToken token = new WindowsSecurityToken(remoteIdentity, SecurityUniqueId.Create().Value, remoteIdentity.AuthenticationType); ReadOnlyCollection<IAuthorizationPolicy> authorizationPolicies = authenticator.ValidateToken(token); this.clientSecurity = new SecurityMessageProperty(); this.clientSecurity.TransportToken = new SecurityTokenSpecification(token, authorizationPolicies); this.clientSecurity.ServiceSecurityContext = new ServiceSecurityContext(authorizationPolicies); return this.clientSecurity; }