private async Task <SecurityMessageProperty> CreateClientSecurityAsync(NegotiateStream negotiateStream,
bool extractGroupsForWindowsAccounts)
{
IIdentity remoteIdentity = negotiateStream.RemoteIdentity;
SecurityToken token;
ReadOnlyCollection <IAuthorizationPolicy> authorizationPolicies;
WindowsSecurityTokenAuthenticator authenticator = new WindowsSecurityTokenAuthenticator(extractGroupsForWindowsAccounts, _ldapSettings);
if (remoteIdentity is WindowsIdentity)
{
WindowsIdentity windowIdentity = (WindowsIdentity)remoteIdentity;
SecurityUtils.ValidateAnonymityConstraint(windowIdentity, false);
token = new WindowsSecurityToken(windowIdentity, SecurityUniqueId.Create().Value, windowIdentity.AuthenticationType);
}
else
{
ClaimsIdentity claimsIdentity = new ClaimsIdentity(remoteIdentity);
token = new GenericSecurityToken(remoteIdentity.Name, SecurityUniqueId.Create().Value);
}
authorizationPolicies = await authenticator.ValidateTokenAsync(token);
SecurityMessageProperty clientSecurity = new SecurityMessageProperty
{
TransportToken = new SecurityTokenSpecification(token, authorizationPolicies),
ServiceSecurityContext = new ServiceSecurityContext(authorizationPolicies)
};
return(clientSecurity);
}
protected override ReadOnlyCollection <IAuthorizationPolicy> ValidateTokenCore(SecurityToken token)
{
WindowsSecurityToken windowsToken = (WindowsSecurityToken)token;
WindowsClaimSet claimSet = new WindowsClaimSet(windowsToken.WindowsIdentity, windowsToken.AuthenticationType, _includeWindowsGroups, windowsToken.ValidTo);
return(SecurityUtils.CreateAuthorizationPolicies(claimSet, windowsToken.ValidTo));
}
SecurityMessageProperty CreateClientSecurity(NegotiateStream negotiateStream,
bool extractGroupsForWindowsAccounts)
{
IIdentity remoteIdentity = negotiateStream.RemoteIdentity;
SecurityToken token;
ReadOnlyCollection <IAuthorizationPolicy> authorizationPolicies;
if (remoteIdentity is WindowsIdentity)
{
WindowsIdentity windowIdentity = (WindowsIdentity)remoteIdentity;
Security.SecurityUtils.ValidateAnonymityConstraint(windowIdentity, false);
WindowsSecurityTokenAuthenticator authenticator = new WindowsSecurityTokenAuthenticator(extractGroupsForWindowsAccounts);
token = new WindowsSecurityToken(windowIdentity, SecurityUniqueId.Create().Value, windowIdentity.AuthenticationType);
authorizationPolicies = authenticator.ValidateToken(token);
}
else
{
token = new GenericSecurityToken(remoteIdentity.Name, SecurityUniqueId.Create().Value);
GenericSecurityTokenAuthenticator authenticator = new GenericSecurityTokenAuthenticator();
authorizationPolicies = authenticator.ValidateToken(token);
}
SecurityMessageProperty clientSecurity = new SecurityMessageProperty();
clientSecurity.TransportToken = new SecurityTokenSpecification(token, authorizationPolicies);
clientSecurity.ServiceSecurityContext = new ServiceSecurityContext(authorizationPolicies);
return(clientSecurity);
}
protected override ReadOnlyCollection <IAuthorizationPolicy> ValidateTokenCore(SecurityToken token)
{
WindowsSecurityToken token2 = (WindowsSecurityToken)token;
WindowsClaimSet claimSet = new WindowsClaimSet(token2.WindowsIdentity, token2.AuthenticationType, this.includeWindowsGroups, token2.ValidTo);
return(System.IdentityModel.SecurityUtils.CreateAuthorizationPolicies(claimSet, token2.ValidTo));
}
protected override ReadOnlyCollection <IAuthorizationPolicy> ValidateTokenCore(SecurityToken token)
{
#if SUPPORTS_WINDOWSIDENTITY // NegotiateStream
WindowsSecurityToken windowsToken = (WindowsSecurityToken)token;
WindowsClaimSet claimSet = new WindowsClaimSet(windowsToken.WindowsIdentity, windowsToken.AuthenticationType, this.includeWindowsGroups, windowsToken.ValidTo);
return(SecurityUtils.CreateAuthorizationPolicies(claimSet, windowsToken.ValidTo));
#else // SUPPORTS_WINDOWSIDENTITY
throw ExceptionHelper.PlatformNotSupported(ExceptionHelper.WinsdowsStreamSecurityNotSupported);
#endif // SUPPORTS_WINDOWSIDENTITY
}
private SecurityMessageProperty ProcessAuthentication(WindowsIdentity identity, string authenticationType)
{
System.ServiceModel.Security.SecurityUtils.ValidateAnonymityConstraint(identity, false);
SecurityToken token = new WindowsSecurityToken(identity, SecurityUniqueId.Create().Value, authenticationType);
ReadOnlyCollection <IAuthorizationPolicy> tokenPolicies = this.windowsTokenAuthenticator.ValidateToken(token);
return(new SecurityMessageProperty {
TransportToken = new SecurityTokenSpecification(token, tokenPolicies), ServiceSecurityContext = new ServiceSecurityContext(tokenPolicies)
});
}
private SecurityMessageProperty CreateClientSecurity(NegotiateStream negotiateStream, bool extractGroupsForWindowsAccounts)
{
WindowsIdentity remoteIdentity = (WindowsIdentity)negotiateStream.RemoteIdentity;
System.ServiceModel.Security.SecurityUtils.ValidateAnonymityConstraint(remoteIdentity, false);
WindowsSecurityTokenAuthenticator authenticator = new WindowsSecurityTokenAuthenticator(extractGroupsForWindowsAccounts);
SecurityToken token = new WindowsSecurityToken(remoteIdentity, SecurityUniqueId.Create().Value, remoteIdentity.AuthenticationType);
ReadOnlyCollection <IAuthorizationPolicy> tokenPolicies = authenticator.ValidateToken(token);
this.clientSecurity = new SecurityMessageProperty();
this.clientSecurity.TransportToken = new SecurityTokenSpecification(token, tokenPolicies);
this.clientSecurity.ServiceSecurityContext = new ServiceSecurityContext(tokenPolicies);
return(this.clientSecurity);
}
/// <summary>
/// Creates ClaimsIdentityCollection for the given Transport SecurityToken.
/// </summary>
/// <param name="transportToken">Client SecurityToken provided at the Transport layer.</param>
/// <returns>ClaimsIdentityCollection built from the Transport SecurityToken</returns>
static ReadOnlyCollection <ClaimsIdentity> GetTransportTokenIdentities(SecurityToken transportToken)
{
if (transportToken == null)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("transportToken");
}
ServiceCredentials serviceCreds = GetServiceCredentials();
List <ClaimsIdentity> transportTokenIdentityCollection = new List <ClaimsIdentity>();
//////////////////////////////////////////////////////////////////////////////////////////
//
// There are 5 well-known Client Authentication types at the transport layer. Each of these will
// result either in a WindowsSecurityToken, X509SecurityToken or UserNameSecurityToken.
// All other type of credentials (like OAuth token) result other token that will be passed trough regular validation process.
//
// ClientCredential Type || Transport Token Type
// -------------------------------------------------------------------
// Basic -> UserNameSecurityToken (In Self-hosted case)
// Basic -> WindowsSecurityToken (In Web-Hosted case)
// NTLM -> WindowsSecurityToken
// Negotiate -> WindowsSecurityToken
// Windows -> WindowsSecurityToken
// Certificate -> X509SecurityToken
//
//////////////////////////////////////////////////////////////////////////////////////////
WindowsSecurityToken windowsSecurityToken = transportToken as WindowsSecurityToken;
if (windowsSecurityToken != null)
{
WindowsIdentity claimsIdentity = new WindowsIdentity(windowsSecurityToken.WindowsIdentity.Token,
AuthenticationTypes.Windows);
AddAuthenticationMethod(claimsIdentity, AuthenticationMethods.Windows);
AddAuthenticationInstantClaim(claimsIdentity, XmlConvert.ToString(DateTime.UtcNow, DateTimeFormats.Generated));
// Just reflect on the wrapped WindowsIdentity and build the WindowsClaimsIdentity class.
transportTokenIdentityCollection.Add(claimsIdentity);
}
else
{
// WCF does not call our SecurityTokenHandlers for the Transport token. So run the token through
// the SecurityTokenHandler and generate claims for this token.
transportTokenIdentityCollection.AddRange(serviceCreds.IdentityConfiguration.SecurityTokenHandlers.ValidateToken(transportToken));
}
return(transportTokenIdentityCollection.AsReadOnly());
}
SecurityMessageProperty CreateClientSecurity(NegotiateStream negotiateStream,
bool extractGroupsForWindowsAccounts)
{
WindowsIdentity remoteIdentity = (WindowsIdentity)negotiateStream.RemoteIdentity;
SecurityUtils.ValidateAnonymityConstraint(remoteIdentity, false);
WindowsSecurityTokenAuthenticator authenticator = new WindowsSecurityTokenAuthenticator(extractGroupsForWindowsAccounts);
// When NegotiateStream returns a WindowsIdentity the AuthenticationType is passed in the constructor to WindowsIdentity
// by it's internal NegoState class. If this changes, then the call to remoteIdentity.AuthenticationType could fail if the
// current process token doesn't have sufficient priviledges. It is a first class exception, and caught by the CLR
// null is returned.
SecurityToken token = new WindowsSecurityToken(remoteIdentity, SecurityUniqueId.Create().Value, remoteIdentity.AuthenticationType);
ReadOnlyCollection<IAuthorizationPolicy> authorizationPolicies = authenticator.ValidateToken(token);
this.clientSecurity = new SecurityMessageProperty();
this.clientSecurity.TransportToken = new SecurityTokenSpecification(token, authorizationPolicies);
this.clientSecurity.ServiceSecurityContext = new ServiceSecurityContext(authorizationPolicies);
return this.clientSecurity;
}
