/// <summary>
/// The purpose of this method is to set our WrappedTokenCache as the token cache for SCT's.
/// And to set our OnIssuedToken callback when in cookie mode.
/// We have to use reflection here as this is a private method.
/// </summary>
static void SetWrappedTokenCache(
WrappedTokenCache wrappedTokenCache,
SecurityTokenAuthenticator sta,
WrappedSessionSecurityTokenAuthenticator wssta,
SctClaimsHandler claimsHandler)
{
if (sta is SecuritySessionSecurityTokenAuthenticator)
{
(sta as SecuritySessionSecurityTokenAuthenticator).IssuedTokenCache = wrappedTokenCache;
}
else if (sta is AcceleratedTokenAuthenticator)
{
(sta as AcceleratedTokenAuthenticator).IssuedTokenCache = wrappedTokenCache;
}
else if (sta is SpnegoTokenAuthenticator)
{
(sta as SpnegoTokenAuthenticator).IssuedTokenCache = wrappedTokenCache;
}
else if (sta is TlsnegoTokenAuthenticator)
{
(sta as TlsnegoTokenAuthenticator).IssuedTokenCache = wrappedTokenCache;
}
// we need to special case this as the OnTokenIssued callback is not hooked up in the cookie mode case.
IIssuanceSecurityTokenAuthenticator issuanceTokenAuthenticator = sta as IIssuanceSecurityTokenAuthenticator;
if (issuanceTokenAuthenticator != null)
{
issuanceTokenAuthenticator.IssuedSecurityTokenHandler = claimsHandler.OnTokenIssued;
issuanceTokenAuthenticator.RenewedSecurityTokenHandler = claimsHandler.OnTokenRenewed;
}
}
/// <summary>
/// This method creates the inner security token authenticator from the base class.
/// The wrapped token cache is initialized with this authenticator.
/// </summary>
SecurityTokenAuthenticator CreateInnerSecurityTokenAuthenticator(SecurityTokenRequirement tokenRequirement, out SecurityTokenResolver outOfBandTokenResolver)
{
SecurityTokenAuthenticator securityTokenAuthenticator = base.CreateSecurityTokenAuthenticator(tokenRequirement, out outOfBandTokenResolver);
SctClaimsHandler claimsHandler = new SctClaimsHandler(
_securityTokenHandlerCollection,
GetNormalizedEndpointId(tokenRequirement));
SetWrappedTokenCache(new WrappedTokenCache(_tokenCache, claimsHandler), securityTokenAuthenticator, null, claimsHandler);
return(securityTokenAuthenticator);
}
public WrappedTokenCache(SessionSecurityTokenCache tokenCache, SctClaimsHandler sctClaimsHandler)
{
if (tokenCache == null)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("tokenCache");
}
if (sctClaimsHandler == null)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("sctClaimsHandler");
}
_tokenCache = tokenCache;
_claimsHandler = sctClaimsHandler;
}
public WrappedTokenCache(SessionSecurityTokenCache tokenCache, SctClaimsHandler sctClaimsHandler)
{
if (tokenCache == null)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("tokenCache");
}
if (sctClaimsHandler == null)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("sctClaimsHandler");
}
_tokenCache = tokenCache;
_claimsHandler = sctClaimsHandler;
}
/// <summary>
/// Helper method to setup the WrappedSecureConversttion
/// </summary>
SecurityTokenAuthenticator SetupSecureConversationWrapper(RecipientServiceModelSecurityTokenRequirement tokenRequirement, SessionSecurityTokenHandler tokenHandler, out SecurityTokenResolver outOfBandTokenResolver)
{
// This code requires Orcas SP1 to compile.
// WCF expects this securityTokenAuthenticator to support:
// 1. IIssuanceSecurityTokenAuthenticator
// 2. ICommunicationObject is needed for this to work right.
// WCF opens a listener in this STA that handles the nego and uses an internal class for negotiating the
// the bootstrap tokens. We want to handle ValidateToken to return our authorization policies and surface the bootstrap tokens.
// when sp1 is installed, use this one.
//SecurityTokenAuthenticator sta = base.CreateSecureConversationTokenAuthenticator( tokenRequirement as RecipientServiceModelSecurityTokenRequirement, _saveBootstrapTokensInSession, out outOfBandTokenResolver );
// use this code if SP1 is not installed
SecurityTokenAuthenticator sta = base.CreateSecurityTokenAuthenticator(tokenRequirement, out outOfBandTokenResolver);
SessionSecurityTokenHandler sessionTokenHandler = tokenHandler;
//
// If there is no SCT handler here, create one.
//
if (tokenHandler == null)
{
sessionTokenHandler = new SessionSecurityTokenHandler(_cookieTransforms, SessionSecurityTokenHandler.DefaultTokenLifetime);
sessionTokenHandler.ContainingCollection = _securityTokenHandlerCollection;
sessionTokenHandler.Configuration = _securityTokenHandlerCollection.Configuration;
}
if (ServiceCredentials != null)
{
sessionTokenHandler.Configuration.MaxClockSkew = ServiceCredentials.IdentityConfiguration.MaxClockSkew;
}
SctClaimsHandler claimsHandler = new SctClaimsHandler(
_securityTokenHandlerCollection,
GetNormalizedEndpointId(tokenRequirement));
WrappedSessionSecurityTokenAuthenticator wssta = new WrappedSessionSecurityTokenAuthenticator(sessionTokenHandler, sta,
claimsHandler, _exceptionMapper);
WrappedTokenCache wrappedTokenCache = new WrappedTokenCache(_tokenCache, claimsHandler);
SetWrappedTokenCache(wrappedTokenCache, sta, wssta, claimsHandler);
outOfBandTokenResolver = wrappedTokenCache;
return(wssta);
}
/// <summary>
/// Initializes an instance of <see cref="WrappedRsaSecurityTokenAuthenticator"/>
/// </summary>
/// <param name="sessionTokenHandler">The sessionTokenHandler to wrap</param>
/// <param name="wcfSessionAuthenticator">The wcf SessionTokenAuthenticator.</param>
/// <param name="sctClaimsHandler">Handler that converts WCF generated IAuthorizationPolicy to <see cref="AuthorizationPolicy"/></param>
/// <param name="exceptionMapper">Converts token validation exception to SOAP faults.</param>
public WrappedSessionSecurityTokenAuthenticator( SessionSecurityTokenHandler sessionTokenHandler,
SecurityTokenAuthenticator wcfSessionAuthenticator,
SctClaimsHandler sctClaimsHandler,
ExceptionMapper exceptionMapper )
: base()
{
if ( sessionTokenHandler == null )
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull( "sessionTokenHandler" );
}
if ( wcfSessionAuthenticator == null )
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull( "wcfSessionAuthenticator" );
}
if ( sctClaimsHandler == null )
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull( "sctClaimsHandler" );
}
if ( exceptionMapper == null )
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull( "exceptionMapper" );
}
_issuanceSecurityTokenAuthenticator = wcfSessionAuthenticator as IIssuanceSecurityTokenAuthenticator;
if ( _issuanceSecurityTokenAuthenticator == null )
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperInvalidOperation( SR.GetString( SR.ID4244 ) );
}
_communicationObject = wcfSessionAuthenticator as ICommunicationObject;
if ( _communicationObject == null )
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperInvalidOperation( SR.GetString( SR.ID4245 ) );
}
_sessionTokenHandler = sessionTokenHandler;
_sctClaimsHandler = sctClaimsHandler;
_exceptionMapper = exceptionMapper;
}
/// <summary>
/// Initializes an instance of <see cref="WrappedRsaSecurityTokenAuthenticator"/>
/// </summary>
/// <param name="sessionTokenHandler">The sessionTokenHandler to wrap</param>
/// <param name="wcfSessionAuthenticator">The wcf SessionTokenAuthenticator.</param>
/// <param name="sctClaimsHandler">Handler that converts WCF generated IAuthorizationPolicy to <see cref="AuthorizationPolicy"/></param>
/// <param name="exceptionMapper">Converts token validation exception to SOAP faults.</param>
public WrappedSessionSecurityTokenAuthenticator(SessionSecurityTokenHandler sessionTokenHandler,
SecurityTokenAuthenticator wcfSessionAuthenticator,
SctClaimsHandler sctClaimsHandler,
ExceptionMapper exceptionMapper)
: base()
{
if (sessionTokenHandler == null)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("sessionTokenHandler");
}
if (wcfSessionAuthenticator == null)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("wcfSessionAuthenticator");
}
if (sctClaimsHandler == null)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("sctClaimsHandler");
}
if (exceptionMapper == null)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("exceptionMapper");
}
_issuanceSecurityTokenAuthenticator = wcfSessionAuthenticator as IIssuanceSecurityTokenAuthenticator;
if (_issuanceSecurityTokenAuthenticator == null)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperInvalidOperation(SR.GetString(SR.ID4244));
}
_communicationObject = wcfSessionAuthenticator as ICommunicationObject;
if (_communicationObject == null)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperInvalidOperation(SR.GetString(SR.ID4245));
}
_sessionTokenHandler = sessionTokenHandler;
_sctClaimsHandler = sctClaimsHandler;
_exceptionMapper = exceptionMapper;
}
/// <summary>
/// This method creates the inner security token authenticator from the base class.
/// The wrapped token cache is initialized with this authenticator.
/// </summary>
SecurityTokenAuthenticator CreateInnerSecurityTokenAuthenticator( SecurityTokenRequirement tokenRequirement, out SecurityTokenResolver outOfBandTokenResolver )
{
SecurityTokenAuthenticator securityTokenAuthenticator = base.CreateSecurityTokenAuthenticator( tokenRequirement, out outOfBandTokenResolver );
SctClaimsHandler claimsHandler = new SctClaimsHandler(
_securityTokenHandlerCollection,
GetNormalizedEndpointId( tokenRequirement ) );
SetWrappedTokenCache( new WrappedTokenCache( _tokenCache, claimsHandler ), securityTokenAuthenticator, null, claimsHandler );
return securityTokenAuthenticator;
}
/// <summary>
/// The purpose of this method is to set our WrappedTokenCache as the token cache for SCT's.
/// And to set our OnIssuedToken callback when in cookie mode.
/// We have to use reflection here as this is a private method.
/// </summary>
static void SetWrappedTokenCache(
WrappedTokenCache wrappedTokenCache,
SecurityTokenAuthenticator sta,
WrappedSessionSecurityTokenAuthenticator wssta,
SctClaimsHandler claimsHandler )
{
if ( sta is SecuritySessionSecurityTokenAuthenticator )
{
( sta as SecuritySessionSecurityTokenAuthenticator ).IssuedTokenCache = wrappedTokenCache;
}
else if ( sta is AcceleratedTokenAuthenticator )
{
( sta as AcceleratedTokenAuthenticator ).IssuedTokenCache = wrappedTokenCache;
}
else if ( sta is SpnegoTokenAuthenticator )
{
( sta as SpnegoTokenAuthenticator ).IssuedTokenCache = wrappedTokenCache;
}
else if ( sta is TlsnegoTokenAuthenticator )
{
( sta as TlsnegoTokenAuthenticator ).IssuedTokenCache = wrappedTokenCache;
}
// we need to special case this as the OnTokenIssued callback is not hooked up in the cookie mode case.
IIssuanceSecurityTokenAuthenticator issuanceTokenAuthenticator = sta as IIssuanceSecurityTokenAuthenticator;
if ( issuanceTokenAuthenticator != null )
{
issuanceTokenAuthenticator.IssuedSecurityTokenHandler = claimsHandler.OnTokenIssued;
issuanceTokenAuthenticator.RenewedSecurityTokenHandler = claimsHandler.OnTokenRenewed;
}
}
/// <summary>
/// Helper method to setup the WrappedSecureConversttion
/// </summary>
SecurityTokenAuthenticator SetupSecureConversationWrapper( RecipientServiceModelSecurityTokenRequirement tokenRequirement, SessionSecurityTokenHandler tokenHandler, out SecurityTokenResolver outOfBandTokenResolver )
{
// This code requires Orcas SP1 to compile.
// WCF expects this securityTokenAuthenticator to support:
// 1. IIssuanceSecurityTokenAuthenticator
// 2. ICommunicationObject is needed for this to work right.
// WCF opens a listener in this STA that handles the nego and uses an internal class for negotiating the
// the bootstrap tokens. We want to handle ValidateToken to return our authorization policies and surface the bootstrap tokens.
// when sp1 is installed, use this one.
//SecurityTokenAuthenticator sta = base.CreateSecureConversationTokenAuthenticator( tokenRequirement as RecipientServiceModelSecurityTokenRequirement, _saveBootstrapTokensInSession, out outOfBandTokenResolver );
// use this code if SP1 is not installed
SecurityTokenAuthenticator sta = base.CreateSecurityTokenAuthenticator( tokenRequirement, out outOfBandTokenResolver );
SessionSecurityTokenHandler sessionTokenHandler = tokenHandler;
//
// If there is no SCT handler here, create one.
//
if ( tokenHandler == null )
{
sessionTokenHandler = new SessionSecurityTokenHandler( _cookieTransforms, SessionSecurityTokenHandler.DefaultTokenLifetime );
sessionTokenHandler.ContainingCollection = _securityTokenHandlerCollection;
sessionTokenHandler.Configuration = _securityTokenHandlerCollection.Configuration;
}
if ( ServiceCredentials != null )
{
sessionTokenHandler.Configuration.MaxClockSkew = ServiceCredentials.IdentityConfiguration.MaxClockSkew;
}
SctClaimsHandler claimsHandler = new SctClaimsHandler(
_securityTokenHandlerCollection,
GetNormalizedEndpointId( tokenRequirement ) );
WrappedSessionSecurityTokenAuthenticator wssta = new WrappedSessionSecurityTokenAuthenticator( sessionTokenHandler, sta,
claimsHandler, _exceptionMapper );
WrappedTokenCache wrappedTokenCache = new WrappedTokenCache( _tokenCache, claimsHandler);
SetWrappedTokenCache( wrappedTokenCache, sta, wssta, claimsHandler );
outOfBandTokenResolver = wrappedTokenCache;
return wssta;
}
