ServiceCredentialsSecurityTokenManager.cs source code in C# .NET

Source code for the .NET framework in C#

                        

Code:

/ WCF / WCF / 3.5.30729.1 / untmp / Orcas / SP / ndp / cdf / src / WCF / ServiceModel / System / ServiceModel / Security / ServiceCredentialsSecurityTokenManager.cs / 2 / ServiceCredentialsSecurityTokenManager.cs

                            //------------------------------------------------------------------------------ 
// Copyright (c) Microsoft Corporation.  All rights reserved.
//-----------------------------------------------------------------------------

namespace System.ServiceModel.Security 
{
    using System.ServiceModel; 
    using System.ServiceModel.Channels; 
    using System.ServiceModel.Description;
    using System.ServiceModel.Dispatcher; 
    using System.Collections.ObjectModel;
    using System.Collections.Generic;
    using System.IdentityModel.Tokens;
    using System.IdentityModel.Policy; 
    using System.IdentityModel.Selectors;
    using System.Runtime.Serialization; 
 
    using System.Net;
    using System.Security.Principal; 
    using System.ServiceModel.Security.Tokens;
    using System.Security.Cryptography.X509Certificates;
    using System.Web.Security;
 
    using SafeFreeCredentials = System.IdentityModel.SafeFreeCredentials;
 
    public class ServiceCredentialsSecurityTokenManager : SecurityTokenManager, IEndpointIdentityProvider 
    {
        ServiceCredentials parent; 

        public ServiceCredentialsSecurityTokenManager(ServiceCredentials parent)
        {
            if (parent == null) 
            {
                throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("parent"); 
            } 
            this.parent = parent;
        } 

        public ServiceCredentials ServiceCredentials
        {
            get { return parent; } 
        }
 
        public override SecurityTokenSerializer CreateSecurityTokenSerializer(SecurityTokenVersion version) 
        {
            if (version == null) 
            {
                throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("version");
            }
            MessageSecurityTokenVersion wsVersion = version as MessageSecurityTokenVersion; 
            if (wsVersion != null)
            { 
                SamlSerializer samlSerializer = null; 
                if (parent.IssuedTokenAuthentication != null)
                    samlSerializer = parent.IssuedTokenAuthentication.SamlSerializer; 
                else
                    samlSerializer = new SamlSerializer();

                return new WSSecurityTokenSerializer(wsVersion.SecurityVersion, wsVersion.TrustVersion, wsVersion.SecureConversationVersion, wsVersion.EmitBspRequiredAttributes, samlSerializer, parent.SecureConversationAuthentication.SecurityStateEncoder, parent.SecureConversationAuthentication.SecurityContextClaimTypes); 
            }
            else 
            { 
                throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new NotSupportedException(SR.GetString(SR.SecurityTokenManagerCannotCreateSerializerForVersion, version)));
            } 
        }

        protected SecurityTokenAuthenticator CreateSecureConversationTokenAuthenticator(RecipientServiceModelSecurityTokenRequirement recipientRequirement, bool preserveBootstrapTokens, out SecurityTokenResolver sctResolver)
        { 
            SecurityBindingElement securityBindingElement = recipientRequirement.SecurityBindingElement;
            if (securityBindingElement == null) 
            { 
                throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgument(SR.GetString(SR.TokenAuthenticatorRequiresSecurityBindingElement, recipientRequirement));
            } 
            bool isCookieMode = !recipientRequirement.SupportSecurityContextCancellation;
            LocalServiceSecuritySettings localServiceSettings = securityBindingElement.LocalServiceSettings;
            IMessageFilterTable endpointFilterTable = recipientRequirement.GetPropertyOrDefault>(ServiceModelSecurityTokenRequirement.EndpointFilterTableProperty, null);
 
            if (!isCookieMode)
            { 
                sctResolver = new SecurityContextSecurityTokenResolver(Int32.MaxValue, false); 

                // remember this authenticator for future reference 
                SecuritySessionSecurityTokenAuthenticator authenticator = new SecuritySessionSecurityTokenAuthenticator();
                authenticator.BootstrapSecurityBindingElement = SecurityUtils.GetIssuerSecurityBindingElement(recipientRequirement);
                authenticator.IssuedSecurityTokenParameters = recipientRequirement.GetProperty(ServiceModelSecurityTokenRequirement.IssuedSecurityTokenParametersProperty);
                authenticator.IssuedTokenCache = (ISecurityContextSecurityTokenCache)sctResolver; 
                authenticator.IssuerBindingContext = recipientRequirement.GetProperty(ServiceModelSecurityTokenRequirement.IssuerBindingContextProperty);
                authenticator.KeyEntropyMode = securityBindingElement.KeyEntropyMode; 
                authenticator.ListenUri = recipientRequirement.ListenUri; 
                authenticator.SecurityAlgorithmSuite = recipientRequirement.SecurityAlgorithmSuite;
                authenticator.SessionTokenLifetime = TimeSpan.MaxValue; 
                authenticator.KeyRenewalInterval = securityBindingElement.LocalServiceSettings.SessionKeyRenewalInterval;
                authenticator.StandardsManager = SecurityUtils.CreateSecurityStandardsManager(recipientRequirement, this);
                authenticator.EndpointFilterTable = endpointFilterTable;
                authenticator.MaximumConcurrentNegotiations = localServiceSettings.MaxStatefulNegotiations; 
                authenticator.NegotiationTimeout = localServiceSettings.NegotiationTimeout;
                authenticator.PreserveBootstrapTokens = preserveBootstrapTokens; 
                return authenticator; 
            }
            else 
            {
                sctResolver = new SecurityContextSecurityTokenResolver(localServiceSettings.MaxCachedCookies, true);

                AcceleratedTokenAuthenticator authenticator = new AcceleratedTokenAuthenticator(); 
                authenticator.BootstrapSecurityBindingElement = SecurityUtils.GetIssuerSecurityBindingElement(recipientRequirement);
                authenticator.KeyEntropyMode = securityBindingElement.KeyEntropyMode; 
                authenticator.EncryptStateInServiceToken = true; 
                authenticator.IssuedSecurityTokenParameters = recipientRequirement.GetProperty(ServiceModelSecurityTokenRequirement.IssuedSecurityTokenParametersProperty);
                authenticator.IssuedTokenCache = (ISecurityContextSecurityTokenCache) sctResolver; 
                authenticator.IssuerBindingContext = recipientRequirement.GetProperty(ServiceModelSecurityTokenRequirement.IssuerBindingContextProperty);
                authenticator.ListenUri = recipientRequirement.ListenUri;
                authenticator.SecurityAlgorithmSuite = recipientRequirement.SecurityAlgorithmSuite;
                authenticator.StandardsManager = SecurityUtils.CreateSecurityStandardsManager(recipientRequirement, this); 
                authenticator.SecurityStateEncoder = parent.SecureConversationAuthentication.SecurityStateEncoder;
                authenticator.KnownTypes = parent.SecureConversationAuthentication.SecurityContextClaimTypes; 
                authenticator.PreserveBootstrapTokens = preserveBootstrapTokens; 

                // local security quotas 
                authenticator.MaximumCachedNegotiationState = localServiceSettings.MaxStatefulNegotiations;
                authenticator.NegotiationTimeout = localServiceSettings.NegotiationTimeout;
                authenticator.ServiceTokenLifetime = localServiceSettings.IssuedCookieLifetime;
                authenticator.MaximumConcurrentNegotiations = localServiceSettings.MaxStatefulNegotiations; 

                // audit settings 
                authenticator.AuditLogLocation = recipientRequirement.AuditLogLocation; 
                authenticator.SuppressAuditFailure = recipientRequirement.SuppressAuditFailure;
                authenticator.MessageAuthenticationAuditLevel = recipientRequirement.MessageAuthenticationAuditLevel; 
                authenticator.EndpointFilterTable = endpointFilterTable;
                return authenticator;
            }
        } 

        SecurityTokenAuthenticator CreateSpnegoSecurityTokenAuthenticator(RecipientServiceModelSecurityTokenRequirement recipientRequirement, out SecurityTokenResolver sctResolver) 
        { 
            SecurityBindingElement securityBindingElement = recipientRequirement.SecurityBindingElement;
            if (securityBindingElement == null) 
            {
                throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgument(SR.GetString(SR.TokenAuthenticatorRequiresSecurityBindingElement, recipientRequirement));
            }
            bool isCookieMode = !recipientRequirement.SupportSecurityContextCancellation; 
            LocalServiceSecuritySettings localServiceSettings = securityBindingElement.LocalServiceSettings;
            sctResolver = new SecurityContextSecurityTokenResolver(localServiceSettings.MaxCachedCookies, true); 
 
            SpnegoTokenAuthenticator authenticator = new SpnegoTokenAuthenticator();
            authenticator.AllowUnauthenticatedCallers = parent.WindowsAuthentication.AllowAnonymousLogons; 
            authenticator.ExtractGroupsForWindowsAccounts = parent.WindowsAuthentication.IncludeWindowsGroups;
            authenticator.IsClientAnonymous = false;
            authenticator.EncryptStateInServiceToken = isCookieMode;
            authenticator.IssuedSecurityTokenParameters = recipientRequirement.GetProperty(ServiceModelSecurityTokenRequirement.IssuedSecurityTokenParametersProperty); 
            authenticator.IssuedTokenCache = (ISecurityContextSecurityTokenCache)sctResolver;
            authenticator.IssuerBindingContext = recipientRequirement.GetProperty(ServiceModelSecurityTokenRequirement.IssuerBindingContextProperty); 
            authenticator.ListenUri = recipientRequirement.ListenUri; 
            authenticator.SecurityAlgorithmSuite = recipientRequirement.SecurityAlgorithmSuite;
            authenticator.StandardsManager = SecurityUtils.CreateSecurityStandardsManager(recipientRequirement, this); 
            authenticator.SecurityStateEncoder = parent.SecureConversationAuthentication.SecurityStateEncoder;
            authenticator.KnownTypes = parent.SecureConversationAuthentication.SecurityContextClaimTypes;
            // if the SPNEGO is being done in mixed-mode, the nego blobs are from an anonymous client and so there size bound needs to be enforced.
            if (securityBindingElement is TransportSecurityBindingElement) 
            {
                authenticator.MaxMessageSize = SecurityUtils.GetMaxNegotiationBufferSize(authenticator.IssuerBindingContext); 
            } 

            // local security quotas 
            authenticator.MaximumCachedNegotiationState = localServiceSettings.MaxStatefulNegotiations;
            authenticator.NegotiationTimeout = localServiceSettings.NegotiationTimeout;
            authenticator.ServiceTokenLifetime = localServiceSettings.IssuedCookieLifetime;
            authenticator.MaximumConcurrentNegotiations = localServiceSettings.MaxStatefulNegotiations; 

            // audit settings 
            authenticator.AuditLogLocation = recipientRequirement.AuditLogLocation; 
            authenticator.SuppressAuditFailure = recipientRequirement.SuppressAuditFailure;
            authenticator.MessageAuthenticationAuditLevel = recipientRequirement.MessageAuthenticationAuditLevel; 
            return authenticator;
        }

        SecurityTokenAuthenticator CreateTlsnegoClientX509TokenAuthenticator(RecipientServiceModelSecurityTokenRequirement recipientRequirement) 
        {
            RecipientServiceModelSecurityTokenRequirement clientX509Requirement = new RecipientServiceModelSecurityTokenRequirement(); 
            clientX509Requirement.TokenType = SecurityTokenTypes.X509Certificate; 
            clientX509Requirement.KeyUsage = SecurityKeyUsage.Signature;
            clientX509Requirement.ListenUri = recipientRequirement.ListenUri; 
            clientX509Requirement.KeyType = SecurityKeyType.AsymmetricKey;
            clientX509Requirement.SecurityBindingElement = recipientRequirement.SecurityBindingElement;
            SecurityTokenResolver dummy;
            return this.CreateSecurityTokenAuthenticator(clientX509Requirement, out dummy); 
        }
 
        SecurityTokenProvider CreateTlsnegoServerX509TokenProvider(RecipientServiceModelSecurityTokenRequirement recipientRequirement) 
        {
            RecipientServiceModelSecurityTokenRequirement serverX509Requirement = new RecipientServiceModelSecurityTokenRequirement(); 
            serverX509Requirement.TokenType = SecurityTokenTypes.X509Certificate;
            serverX509Requirement.KeyUsage = SecurityKeyUsage.Exchange;
            serverX509Requirement.ListenUri = recipientRequirement.ListenUri;
            serverX509Requirement.KeyType = SecurityKeyType.AsymmetricKey; 
            serverX509Requirement.SecurityBindingElement = recipientRequirement.SecurityBindingElement;
            return this.CreateSecurityTokenProvider(serverX509Requirement); 
        } 

        SecurityTokenAuthenticator CreateTlsnegoSecurityTokenAuthenticator(RecipientServiceModelSecurityTokenRequirement recipientRequirement, bool requireClientCertificate, out SecurityTokenResolver sctResolver) 
        {
            SecurityBindingElement securityBindingElement = recipientRequirement.SecurityBindingElement;
            if (securityBindingElement == null)
            { 
                throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgument(SR.GetString(SR.TokenAuthenticatorRequiresSecurityBindingElement, recipientRequirement));
            } 
            bool isCookieMode = !recipientRequirement.SupportSecurityContextCancellation; 
            LocalServiceSecuritySettings localServiceSettings = securityBindingElement.LocalServiceSettings;
            sctResolver = new SecurityContextSecurityTokenResolver(localServiceSettings.MaxCachedCookies, true); 

            TlsnegoTokenAuthenticator authenticator = new TlsnegoTokenAuthenticator();
            authenticator.IsClientAnonymous = !requireClientCertificate;
            if (requireClientCertificate) 
            {
                authenticator.ClientTokenAuthenticator = this.CreateTlsnegoClientX509TokenAuthenticator(recipientRequirement); 
                authenticator.MapCertificateToWindowsAccount = this.ServiceCredentials.ClientCertificate.Authentication.MapClientCertificateToWindowsAccount; 
            }
            authenticator.EncryptStateInServiceToken = isCookieMode; 
            authenticator.IssuedSecurityTokenParameters = recipientRequirement.GetProperty(ServiceModelSecurityTokenRequirement.IssuedSecurityTokenParametersProperty);
            authenticator.IssuedTokenCache = (ISecurityContextSecurityTokenCache)sctResolver;
            authenticator.IssuerBindingContext = recipientRequirement.GetProperty(ServiceModelSecurityTokenRequirement.IssuerBindingContextProperty);
            authenticator.ListenUri = recipientRequirement.ListenUri; 
            authenticator.SecurityAlgorithmSuite = recipientRequirement.SecurityAlgorithmSuite;
            authenticator.StandardsManager = SecurityUtils.CreateSecurityStandardsManager(recipientRequirement, this); 
            authenticator.SecurityStateEncoder = parent.SecureConversationAuthentication.SecurityStateEncoder; 
            authenticator.KnownTypes = parent.SecureConversationAuthentication.SecurityContextClaimTypes;
            authenticator.ServerTokenProvider = CreateTlsnegoServerX509TokenProvider(recipientRequirement); 
            // local security quotas
            authenticator.MaximumCachedNegotiationState = localServiceSettings.MaxStatefulNegotiations;
            authenticator.NegotiationTimeout = localServiceSettings.NegotiationTimeout;
            authenticator.ServiceTokenLifetime = localServiceSettings.IssuedCookieLifetime; 
            authenticator.MaximumConcurrentNegotiations = localServiceSettings.MaxStatefulNegotiations;
            // if the TLSNEGO is being done in mixed-mode, the nego blobs are from an anonymous client and so there size bound needs to be enforced. 
            if (securityBindingElement is TransportSecurityBindingElement) 
            {
                authenticator.MaxMessageSize = SecurityUtils.GetMaxNegotiationBufferSize(authenticator.IssuerBindingContext); 
            }
            // audit settings
            authenticator.AuditLogLocation = recipientRequirement.AuditLogLocation;
            authenticator.SuppressAuditFailure = recipientRequirement.SuppressAuditFailure; 
            authenticator.MessageAuthenticationAuditLevel = recipientRequirement.MessageAuthenticationAuditLevel;
            return authenticator; 
        } 

        X509SecurityTokenAuthenticator CreateClientX509TokenAuthenticator() 
        {
            X509ClientCertificateAuthentication authentication = parent.ClientCertificate.Authentication;
            return new X509SecurityTokenAuthenticator(authentication.GetCertificateValidator(), authentication.MapClientCertificateToWindowsAccount, authentication.IncludeWindowsGroups);
        } 

        SamlSecurityTokenAuthenticator CreateSamlTokenAuthenticator(RecipientServiceModelSecurityTokenRequirement recipientRequirement, out SecurityTokenResolver outOfBandTokenResolver) 
        { 
            if (recipientRequirement == null)
                throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("recipientRequirement"); 

            Collection outOfBandTokens = new Collection();
            if (parent.ServiceCertificate.Certificate != null)
            { 
                outOfBandTokens.Add(new X509SecurityToken(parent.ServiceCertificate.Certificate));
            } 
            List supportingAuthenticators = new List(); 
            if ((parent.IssuedTokenAuthentication.KnownCertificates != null) && (parent.IssuedTokenAuthentication.KnownCertificates.Count > 0))
            { 
                for (int i = 0; i < parent.IssuedTokenAuthentication.KnownCertificates.Count; ++i)
                {
                    outOfBandTokens.Add(new X509SecurityToken(parent.IssuedTokenAuthentication.KnownCertificates[i]));
                } 
            }
 
            X509CertificateValidator validator = parent.IssuedTokenAuthentication.GetCertificateValidator(); 
            supportingAuthenticators.Add(new X509SecurityTokenAuthenticator(validator));
 
            if (parent.IssuedTokenAuthentication.AllowUntrustedRsaIssuers)
            {
                supportingAuthenticators.Add(new RsaSecurityTokenAuthenticator());
            } 

            outOfBandTokenResolver = (outOfBandTokens.Count > 0) ? SecurityTokenResolver.CreateDefaultSecurityTokenResolver(new ReadOnlyCollection(outOfBandTokens), false) : null; 
 
            SamlSecurityTokenAuthenticator ssta;
 
            if ((recipientRequirement.SecurityBindingElement == null) || (recipientRequirement.SecurityBindingElement.LocalServiceSettings == null))
            {
                ssta = new SamlSecurityTokenAuthenticator(supportingAuthenticators);
            } 
            else
            { 
                ssta = new SamlSecurityTokenAuthenticator(supportingAuthenticators, recipientRequirement.SecurityBindingElement.LocalServiceSettings.MaxClockSkew); 
            }
 
            // set audience uri restrictions
            ssta.AudienceUriMode = parent.IssuedTokenAuthentication.AudienceUriMode;
            IList allowedAudienceUris = ssta.AllowedAudienceUris;
            if (parent.IssuedTokenAuthentication.AllowedAudienceUris != null) 
            {
                for (int i = 0; i < parent.IssuedTokenAuthentication.AllowedAudienceUris.Count; i++) 
                    allowedAudienceUris.Add(parent.IssuedTokenAuthentication.AllowedAudienceUris[i]); 
            }
 
            if (recipientRequirement.ListenUri != null)
            {
                allowedAudienceUris.Add(recipientRequirement.ListenUri.AbsoluteUri);
            } 

            return ssta; 
        } 

        X509SecurityTokenProvider CreateServerX509TokenProvider() 
        {
            if (parent.ServiceCertificate.Certificate == null)
            {
                throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new InvalidOperationException(SR.GetString(SR.ServiceCertificateNotProvidedOnServiceCredentials))); 
            }
            SecurityUtils.EnsureCertificateCanDoKeyExchange(parent.ServiceCertificate.Certificate); 
            return new ServiceX509SecurityTokenProvider(parent.ServiceCertificate.Certificate); 
        }
 
        protected bool IsIssuedSecurityTokenRequirement(SecurityTokenRequirement requirement)
        {
            return (requirement != null && requirement.Properties.ContainsKey(ServiceModelSecurityTokenRequirement.IssuerAddressProperty));
        } 

        public override SecurityTokenAuthenticator CreateSecurityTokenAuthenticator(SecurityTokenRequirement tokenRequirement, out SecurityTokenResolver outOfBandTokenResolver) 
        { 
            if (tokenRequirement == null)
            { 
                throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("tokenRequirement");
            }
            string tokenType = tokenRequirement.TokenType;
            outOfBandTokenResolver = null; 
            SecurityTokenAuthenticator result = null;
            if (tokenRequirement is InitiatorServiceModelSecurityTokenRequirement) 
            { 
                // this is the uncorrelated duplex case in which the server is asking for
                // an authenticator to validate its provisioned client certificate 
                if (tokenType == SecurityTokenTypes.X509Certificate && tokenRequirement.KeyUsage == SecurityKeyUsage.Exchange)
                {
                    return new X509SecurityTokenAuthenticator(X509CertificateValidator.None, false);
                } 
            }
 
            RecipientServiceModelSecurityTokenRequirement recipientRequirement = tokenRequirement as RecipientServiceModelSecurityTokenRequirement; 
            if (recipientRequirement == null)
            { 
                throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new NotSupportedException(SR.GetString(SR.SecurityTokenManagerCannotCreateAuthenticatorForRequirement, tokenRequirement)));
            }
            if (tokenType == SecurityTokenTypes.X509Certificate)
            { 
                result = CreateClientX509TokenAuthenticator();
            } 
            else if (tokenType == SecurityTokenTypes.Kerberos) 
            {
                result = new KerberosSecurityTokenAuthenticatorWrapper( 
                    new KerberosSecurityTokenAuthenticator(parent.WindowsAuthentication.IncludeWindowsGroups));
            }
            else if (tokenType == SecurityTokenTypes.UserName)
            { 
                if (parent.UserNameAuthentication.UserNamePasswordValidationMode == UserNamePasswordValidationMode.Windows)
                { 
                    if (parent.UserNameAuthentication.CacheLogonTokens) 
                    {
                        result = new WindowsUserNameCachingSecurityTokenAuthenticator(parent.UserNameAuthentication.IncludeWindowsGroups, 
                            parent.UserNameAuthentication.MaxCachedLogonTokens, parent.UserNameAuthentication.CachedLogonTokenLifetime);
                    }
                    else
                    { 
                        result = new WindowsUserNameSecurityTokenAuthenticator(parent.UserNameAuthentication.IncludeWindowsGroups);
                    } 
                } 
                else
                { 
                    result = new CustomUserNameSecurityTokenAuthenticator(parent.UserNameAuthentication.GetUserNamePasswordValidator());
                }
            }
            else if (tokenType == SecurityTokenTypes.Rsa) 
            {
                result = new RsaSecurityTokenAuthenticator(); 
            } 
            else if (tokenType == ServiceModelSecurityTokenTypes.AnonymousSslnego)
            { 
                result = CreateTlsnegoSecurityTokenAuthenticator(recipientRequirement, false, out outOfBandTokenResolver);
            }
            else if (tokenType == ServiceModelSecurityTokenTypes.MutualSslnego)
            { 
                result = CreateTlsnegoSecurityTokenAuthenticator(recipientRequirement, true, out outOfBandTokenResolver);
            } 
            else if (tokenType == ServiceModelSecurityTokenTypes.Spnego) 
            {
                result = CreateSpnegoSecurityTokenAuthenticator(recipientRequirement, out outOfBandTokenResolver); 
            }
            else if (tokenType == ServiceModelSecurityTokenTypes.SecureConversation)
            {
                result = CreateSecureConversationTokenAuthenticator(recipientRequirement, false, out outOfBandTokenResolver); 
            }
            else if ((tokenType == SecurityTokenTypes.Saml) 
                || (tokenType == SecurityXXX2005Strings.SamlTokenType) 
                || (tokenType == SecurityJan2004Strings.SamlUri)
                || (tokenType == null && IsIssuedSecurityTokenRequirement(recipientRequirement))) 
            {
                result = CreateSamlTokenAuthenticator(recipientRequirement, out outOfBandTokenResolver);
            }
 
            if (result == null)
                throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new NotSupportedException(SR.GetString(SR.SecurityTokenManagerCannotCreateAuthenticatorForRequirement, tokenRequirement))); 
 
            return result;
        } 

        SecurityTokenProvider CreateLocalSecurityTokenProvider(RecipientServiceModelSecurityTokenRequirement recipientRequirement)
        {
            string tokenType = recipientRequirement.TokenType; 
            SecurityTokenProvider result = null;
            if (tokenType == SecurityTokenTypes.X509Certificate) 
            { 
                result = CreateServerX509TokenProvider();
            } 
            else if (tokenType == ServiceModelSecurityTokenTypes.SspiCredential)
            {
                // if Transport Security, AuthenicationSchemes.Basic will look at parent.UserNameAuthentication settings.
                AuthenticationSchemes authenticationScheme; 
                if (recipientRequirement.TryGetProperty(ServiceModelSecurityTokenRequirement.HttpAuthenticationSchemeProperty, out authenticationScheme) &&
                    authenticationScheme == AuthenticationSchemes.Basic) 
                { 
                    result = new SspiSecurityTokenProvider(null, parent.UserNameAuthentication.IncludeWindowsGroups, false);
                } 
                else
                {
                    result = new SspiSecurityTokenProvider(null, parent.WindowsAuthentication.IncludeWindowsGroups, parent.WindowsAuthentication.AllowAnonymousLogons);
                } 
            }
            return result; 
        } 

        SecurityTokenProvider CreateUncorrelatedDuplexSecurityTokenProvider(InitiatorServiceModelSecurityTokenRequirement initiatorRequirement) 
        {
            string tokenType = initiatorRequirement.TokenType;
            SecurityTokenProvider result = null;
            if (tokenType == SecurityTokenTypes.X509Certificate) 
            {
                SecurityKeyUsage keyUsage = initiatorRequirement.KeyUsage; 
                if (keyUsage == SecurityKeyUsage.Exchange) 
                {
                    if (parent.ClientCertificate.Certificate == null) 
                    {
                        throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new InvalidOperationException(SR.GetString(SR.ClientCertificateNotProvidedOnServiceCredentials)));
                    }
 
                    result = new X509SecurityTokenProvider(parent.ClientCertificate.Certificate);
                } 
                else 
                {
                    // this is a request for the server's own cert for signing 
                    result = CreateServerX509TokenProvider();
                }
            }
            return result; 
        }
 
        public override SecurityTokenProvider CreateSecurityTokenProvider(SecurityTokenRequirement requirement) 
        {
            if (requirement == null) 
            {
                throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("requirement");
            }
 
            RecipientServiceModelSecurityTokenRequirement recipientRequirement = requirement as RecipientServiceModelSecurityTokenRequirement;
            SecurityTokenProvider result = null; 
            if (recipientRequirement != null) 
            {
                result = CreateLocalSecurityTokenProvider(recipientRequirement); 
            }
            else if (requirement is InitiatorServiceModelSecurityTokenRequirement)
            {
                result = CreateUncorrelatedDuplexSecurityTokenProvider((InitiatorServiceModelSecurityTokenRequirement)requirement); 
            }
 
            if (result == null) 
            {
                throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new NotSupportedException(SR.GetString(SR.SecurityTokenManagerCannotCreateProviderForRequirement, requirement))); 
            }
            return result;
        }
 
        public virtual EndpointIdentity GetIdentityOfSelf(SecurityTokenRequirement tokenRequirement)
        { 
            if (tokenRequirement == null) 
            {
                throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("tokenRequirement"); 
            }
            if (tokenRequirement is RecipientServiceModelSecurityTokenRequirement)
            {
                string tokenType = tokenRequirement.TokenType; 
                if (tokenType == SecurityTokenTypes.X509Certificate
                    || tokenType == ServiceModelSecurityTokenTypes.AnonymousSslnego 
                    || tokenType == ServiceModelSecurityTokenTypes.MutualSslnego) 
                {
                    if (parent.ServiceCertificate.Certificate != null) 
                    {
                        return EndpointIdentity.CreateX509CertificateIdentity(parent.ServiceCertificate.Certificate);
                    }
                } 
                else if (tokenType == SecurityTokenTypes.Kerberos || tokenType == ServiceModelSecurityTokenTypes.Spnego)
                { 
                    return SecurityUtils.CreateWindowsIdentity(); 
                }
                else if (tokenType == ServiceModelSecurityTokenTypes.SecureConversation) 
                {
                    SecurityBindingElement securityBindingElement = ((RecipientServiceModelSecurityTokenRequirement)tokenRequirement).SecureConversationSecurityBindingElement;
                    if (securityBindingElement != null)
                    { 
                        if (securityBindingElement == null || securityBindingElement is TransportSecurityBindingElement)
                        { 
                            return null; 
                        }
                        SecurityTokenParameters bootstrapProtectionParameters = (securityBindingElement is SymmetricSecurityBindingElement) ? ((SymmetricSecurityBindingElement)securityBindingElement).ProtectionTokenParameters : ((AsymmetricSecurityBindingElement)securityBindingElement).RecipientTokenParameters; 
                        SecurityTokenRequirement bootstrapRequirement = new RecipientServiceModelSecurityTokenRequirement();
                        bootstrapProtectionParameters.InitializeSecurityTokenRequirement(bootstrapRequirement);
                        return GetIdentityOfSelf(bootstrapRequirement);
                    } 
                }
            } 
            return null; 
        }
 
        class KerberosSecurityTokenAuthenticatorWrapper : CommunicationObjectSecurityTokenAuthenticator
        {
            KerberosSecurityTokenAuthenticator innerAuthenticator;
            SafeFreeCredentials credentialsHandle = null; 

            public KerberosSecurityTokenAuthenticatorWrapper(KerberosSecurityTokenAuthenticator innerAuthenticator) 
            { 
                this.innerAuthenticator = innerAuthenticator;
            } 

            public override void OnOpening()
            {
                base.OnOpening(); 
                if (this.credentialsHandle == null)
                { 
                    this.credentialsHandle = SecurityUtils.GetCredentialsHandle("Kerberos", null, true); 
                }
            } 

            public override void OnClose(TimeSpan timeout)
            {
                base.OnClose(timeout); 
                FreeCredentialsHandle();
            } 
 
            public override void OnAbort()
            { 
                base.OnAbort();
                FreeCredentialsHandle();
            }
 
            void FreeCredentialsHandle()
            { 
                if (this.credentialsHandle != null) 
                {
                    this.credentialsHandle.Close(); 
                    this.credentialsHandle = null;
                }
            }
 
            protected override bool CanValidateTokenCore(SecurityToken token)
            { 
                return this.innerAuthenticator.CanValidateToken(token); 
            }
 
            protected override ReadOnlyCollection ValidateTokenCore(SecurityToken token)
            {
                KerberosReceiverSecurityToken kerberosToken = (KerberosReceiverSecurityToken)token;
                kerberosToken.Initialize(this.credentialsHandle); 
                return this.innerAuthenticator.ValidateToken(kerberosToken);
            } 
        } 
    }
} 

// File provided for Reference Use Only by Microsoft Corporation (c) 2007.
// Copyright (c) Microsoft Corporation. All rights reserved.
                        

Link Menu

Network programming in C#, Network Programming in VB.NET, Network Programming in .NET
This book is available now!
Buy at Amazon US or
Buy at Amazon UK