Code:
/ 4.0 / 4.0 / DEVDIV_TFS / Dev10 / Releases / RTMRel / ndp / cdf / src / WCF / IdentityModel / System / IdentityModel / Tokens / KerberosRequestorSecurityToken.cs / 1305376 / KerberosRequestorSecurityToken.cs
//------------------------------------------------------------
// Copyright (c) Microsoft Corporation. All rights reserved.
//-----------------------------------------------------------
namespace System.IdentityModel.Tokens
{
using System.ComponentModel;
using System.Collections.Generic;
using System.Collections.ObjectModel;
using System.Net;
using System.Runtime.InteropServices;
using System.Security.Cryptography;
using System.Security.Principal;
using System.Security.Authentication.ExtendedProtection;
public class KerberosRequestorSecurityToken : SecurityToken
{
string id;
byte[] apreq;
readonly string servicePrincipalName;
SymmetricSecurityKey symmetricSecurityKey;
ReadOnlyCollection securityKeys;
DateTime effectiveTime;
DateTime expirationTime;
public KerberosRequestorSecurityToken(string servicePrincipalName)
: this(servicePrincipalName, TokenImpersonationLevel.Impersonation, null, SecurityUniqueId.Create().Value, null)
{
}
public KerberosRequestorSecurityToken(string servicePrincipalName, TokenImpersonationLevel tokenImpersonationLevel, NetworkCredential networkCredential, string id)
: this(servicePrincipalName, tokenImpersonationLevel, networkCredential, id, null, null)
{
}
internal KerberosRequestorSecurityToken( string servicePrincipalName, TokenImpersonationLevel tokenImpersonationLevel, NetworkCredential networkCredential, string id, ChannelBinding channelBinding )
: this(servicePrincipalName, tokenImpersonationLevel, networkCredential, id, null, channelBinding)
{
}
internal KerberosRequestorSecurityToken( string servicePrincipalName, TokenImpersonationLevel tokenImpersonationLevel, NetworkCredential networkCredential, string id, SafeFreeCredentials credentialsHandle, ChannelBinding channelBinding )
{
if (servicePrincipalName == null)
throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("servicePrincipalName");
if (tokenImpersonationLevel != TokenImpersonationLevel.Identification && tokenImpersonationLevel != TokenImpersonationLevel.Impersonation)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new ArgumentOutOfRangeException("tokenImpersonationLevel",
SR.GetString(SR.ImpersonationLevelNotSupported, tokenImpersonationLevel)));
}
if (id == null)
throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("id");
this.servicePrincipalName = servicePrincipalName;
if (networkCredential != null && networkCredential != CredentialCache.DefaultNetworkCredentials)
{
if (String.IsNullOrEmpty(networkCredential.UserName))
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgument(SR.GetString(SR.ProvidedNetworkCredentialsForKerberosHasInvalidUserName));
}
// Note: we don't check the domain, since Lsa accepts
// FQ userName.
}
this.id = id;
try
{
Initialize(tokenImpersonationLevel, networkCredential, credentialsHandle, channelBinding);
}
catch (Win32Exception e)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new SecurityTokenValidationException(SR.GetString(SR.UnableToCreateKerberosCredentials), e));
}
catch (SecurityTokenException ste)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new SecurityTokenValidationException(SR.GetString(SR.UnableToCreateKerberosCredentials), ste));
}
}
public override string Id
{
get { return this.id; }
}
public override ReadOnlyCollection SecurityKeys
{
get
{
if (this.securityKeys == null)
{
List temp = new List(1);
temp.Add(this.symmetricSecurityKey);
this.securityKeys = temp.AsReadOnly();
}
return this.securityKeys;
}
}
public override DateTime ValidFrom
{
get { return this.effectiveTime; }
}
public override DateTime ValidTo
{
get { return this.expirationTime; }
}
public string ServicePrincipalName
{
get { return this.servicePrincipalName; }
}
public SymmetricSecurityKey SecurityKey
{
get
{
return this.symmetricSecurityKey;
}
}
public byte[] GetRequest()
{
return SecurityUtils.CloneBuffer(this.apreq);
}
void Initialize( TokenImpersonationLevel tokenImpersonationLevel, NetworkCredential networkCredential, SafeFreeCredentials credentialsHandle, ChannelBinding channelBinding )
{
bool ownCredentialsHandle = false;
SafeDeleteContext securityContext = null;
try
{
if (credentialsHandle == null)
{
if (networkCredential == null || networkCredential == CredentialCache.DefaultNetworkCredentials)
{
credentialsHandle = SspiWrapper.AcquireDefaultCredential("Kerberos", CredentialUse.Outbound);
}
else
{
AuthIdentityEx authIdentity = new AuthIdentityEx(networkCredential.UserName, networkCredential.Password, networkCredential.Domain);
credentialsHandle = SspiWrapper.AcquireCredentialsHandle("Kerberos", CredentialUse.Outbound, ref authIdentity);
}
ownCredentialsHandle = true;
}
SspiContextFlags fContextReq = SspiContextFlags.AllocateMemory
| SspiContextFlags.Confidentiality
| SspiContextFlags.ReplayDetect
| SspiContextFlags.SequenceDetect;
// we only accept Identity or Impersonation (Impersonation is default).
if (tokenImpersonationLevel == TokenImpersonationLevel.Identification)
{
fContextReq |= SspiContextFlags.InitIdentify;
}
SspiContextFlags contextFlags = SspiContextFlags.Zero;
SecurityBuffer inSecurityBuffer = null;
if (channelBinding != null)
{
inSecurityBuffer = new SecurityBuffer(channelBinding);
}
SecurityBuffer outSecurityBuffer = new SecurityBuffer(0, BufferType.Token);
int statusCode = SspiWrapper.InitializeSecurityContext(
credentialsHandle,
ref securityContext,
this.servicePrincipalName,
fContextReq,
Endianness.Native,
inSecurityBuffer,
outSecurityBuffer,
ref contextFlags);
if (statusCode != (int)SecurityStatus.OK)
{
if (statusCode == (int)SecurityStatus.ContinueNeeded)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(
new SecurityTokenException(SR.GetString(SR.KerberosMultilegsNotSupported), new Win32Exception(statusCode)));
}
else
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(
new SecurityTokenException(SR.GetString(SR.FailInitializeSecurityContext), new Win32Exception(statusCode)));
}
}
#if REMOVEGSS
//
// ... and strip GSS-framing from it
//
int offset = 0;
int len = outSecurityBuffer.token.Length;
DEREncoding.VerifyTokenHeader(outSecurityBuffer.token, ref offset, ref len);
this.apreq = SecurityUtils.CloneBuffer(outSecurityBuffer.token, offset, len);
#else
this.apreq = outSecurityBuffer.token;
#endif
// Expiration
LifeSpan lifeSpan = (LifeSpan)SspiWrapper.QueryContextAttributes(securityContext, ContextAttribute.Lifespan);
this.effectiveTime = lifeSpan.EffectiveTimeUtc;
this.expirationTime = lifeSpan.ExpiryTimeUtc;
// SessionKey
SecuritySessionKeyClass sessionKey = (SecuritySessionKeyClass)SspiWrapper.QueryContextAttributes(securityContext, ContextAttribute.SessionKey);
this.symmetricSecurityKey = new InMemorySymmetricSecurityKey(sessionKey.SessionKey);
}
finally
{
if (securityContext != null)
securityContext.Close();
if (ownCredentialsHandle && credentialsHandle != null)
credentialsHandle.Close();
}
}
public override bool CanCreateKeyIdentifierClause()
{
if (typeof(T) == typeof(KerberosTicketHashKeyIdentifierClause))
return true;
return base.CanCreateKeyIdentifierClause();
}
public override T CreateKeyIdentifierClause()
{
if (typeof(T) == typeof(KerberosTicketHashKeyIdentifierClause))
return new KerberosTicketHashKeyIdentifierClause(CryptoHelper.ComputeHash(this.apreq), false, null, 0) as T;
return base.CreateKeyIdentifierClause();
}
public override bool MatchesKeyIdentifierClause(SecurityKeyIdentifierClause keyIdentifierClause)
{
KerberosTicketHashKeyIdentifierClause kerbKeyIdentifierClause = keyIdentifierClause as KerberosTicketHashKeyIdentifierClause;
if (kerbKeyIdentifierClause != null)
return kerbKeyIdentifierClause.Matches(CryptoHelper.ComputeHash(this.apreq));
return base.MatchesKeyIdentifierClause(keyIdentifierClause);
}
}
}
// File provided for Reference Use Only by Microsoft Corporation (c) 2007.
//------------------------------------------------------------
// Copyright (c) Microsoft Corporation. All rights reserved.
//-----------------------------------------------------------
namespace System.IdentityModel.Tokens
{
using System.ComponentModel;
using System.Collections.Generic;
using System.Collections.ObjectModel;
using System.Net;
using System.Runtime.InteropServices;
using System.Security.Cryptography;
using System.Security.Principal;
using System.Security.Authentication.ExtendedProtection;
public class KerberosRequestorSecurityToken : SecurityToken
{
string id;
byte[] apreq;
readonly string servicePrincipalName;
SymmetricSecurityKey symmetricSecurityKey;
ReadOnlyCollection securityKeys;
DateTime effectiveTime;
DateTime expirationTime;
public KerberosRequestorSecurityToken(string servicePrincipalName)
: this(servicePrincipalName, TokenImpersonationLevel.Impersonation, null, SecurityUniqueId.Create().Value, null)
{
}
public KerberosRequestorSecurityToken(string servicePrincipalName, TokenImpersonationLevel tokenImpersonationLevel, NetworkCredential networkCredential, string id)
: this(servicePrincipalName, tokenImpersonationLevel, networkCredential, id, null, null)
{
}
internal KerberosRequestorSecurityToken( string servicePrincipalName, TokenImpersonationLevel tokenImpersonationLevel, NetworkCredential networkCredential, string id, ChannelBinding channelBinding )
: this(servicePrincipalName, tokenImpersonationLevel, networkCredential, id, null, channelBinding)
{
}
internal KerberosRequestorSecurityToken( string servicePrincipalName, TokenImpersonationLevel tokenImpersonationLevel, NetworkCredential networkCredential, string id, SafeFreeCredentials credentialsHandle, ChannelBinding channelBinding )
{
if (servicePrincipalName == null)
throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("servicePrincipalName");
if (tokenImpersonationLevel != TokenImpersonationLevel.Identification && tokenImpersonationLevel != TokenImpersonationLevel.Impersonation)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new ArgumentOutOfRangeException("tokenImpersonationLevel",
SR.GetString(SR.ImpersonationLevelNotSupported, tokenImpersonationLevel)));
}
if (id == null)
throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("id");
this.servicePrincipalName = servicePrincipalName;
if (networkCredential != null && networkCredential != CredentialCache.DefaultNetworkCredentials)
{
if (String.IsNullOrEmpty(networkCredential.UserName))
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgument(SR.GetString(SR.ProvidedNetworkCredentialsForKerberosHasInvalidUserName));
}
// Note: we don't check the domain, since Lsa accepts
// FQ userName.
}
this.id = id;
try
{
Initialize(tokenImpersonationLevel, networkCredential, credentialsHandle, channelBinding);
}
catch (Win32Exception e)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new SecurityTokenValidationException(SR.GetString(SR.UnableToCreateKerberosCredentials), e));
}
catch (SecurityTokenException ste)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new SecurityTokenValidationException(SR.GetString(SR.UnableToCreateKerberosCredentials), ste));
}
}
public override string Id
{
get { return this.id; }
}
public override ReadOnlyCollection SecurityKeys
{
get
{
if (this.securityKeys == null)
{
List temp = new List(1);
temp.Add(this.symmetricSecurityKey);
this.securityKeys = temp.AsReadOnly();
}
return this.securityKeys;
}
}
public override DateTime ValidFrom
{
get { return this.effectiveTime; }
}
public override DateTime ValidTo
{
get { return this.expirationTime; }
}
public string ServicePrincipalName
{
get { return this.servicePrincipalName; }
}
public SymmetricSecurityKey SecurityKey
{
get
{
return this.symmetricSecurityKey;
}
}
public byte[] GetRequest()
{
return SecurityUtils.CloneBuffer(this.apreq);
}
void Initialize( TokenImpersonationLevel tokenImpersonationLevel, NetworkCredential networkCredential, SafeFreeCredentials credentialsHandle, ChannelBinding channelBinding )
{
bool ownCredentialsHandle = false;
SafeDeleteContext securityContext = null;
try
{
if (credentialsHandle == null)
{
if (networkCredential == null || networkCredential == CredentialCache.DefaultNetworkCredentials)
{
credentialsHandle = SspiWrapper.AcquireDefaultCredential("Kerberos", CredentialUse.Outbound);
}
else
{
AuthIdentityEx authIdentity = new AuthIdentityEx(networkCredential.UserName, networkCredential.Password, networkCredential.Domain);
credentialsHandle = SspiWrapper.AcquireCredentialsHandle("Kerberos", CredentialUse.Outbound, ref authIdentity);
}
ownCredentialsHandle = true;
}
SspiContextFlags fContextReq = SspiContextFlags.AllocateMemory
| SspiContextFlags.Confidentiality
| SspiContextFlags.ReplayDetect
| SspiContextFlags.SequenceDetect;
// we only accept Identity or Impersonation (Impersonation is default).
if (tokenImpersonationLevel == TokenImpersonationLevel.Identification)
{
fContextReq |= SspiContextFlags.InitIdentify;
}
SspiContextFlags contextFlags = SspiContextFlags.Zero;
SecurityBuffer inSecurityBuffer = null;
if (channelBinding != null)
{
inSecurityBuffer = new SecurityBuffer(channelBinding);
}
SecurityBuffer outSecurityBuffer = new SecurityBuffer(0, BufferType.Token);
int statusCode = SspiWrapper.InitializeSecurityContext(
credentialsHandle,
ref securityContext,
this.servicePrincipalName,
fContextReq,
Endianness.Native,
inSecurityBuffer,
outSecurityBuffer,
ref contextFlags);
if (statusCode != (int)SecurityStatus.OK)
{
if (statusCode == (int)SecurityStatus.ContinueNeeded)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(
new SecurityTokenException(SR.GetString(SR.KerberosMultilegsNotSupported), new Win32Exception(statusCode)));
}
else
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(
new SecurityTokenException(SR.GetString(SR.FailInitializeSecurityContext), new Win32Exception(statusCode)));
}
}
#if REMOVEGSS
//
// ... and strip GSS-framing from it
//
int offset = 0;
int len = outSecurityBuffer.token.Length;
DEREncoding.VerifyTokenHeader(outSecurityBuffer.token, ref offset, ref len);
this.apreq = SecurityUtils.CloneBuffer(outSecurityBuffer.token, offset, len);
#else
this.apreq = outSecurityBuffer.token;
#endif
// Expiration
LifeSpan lifeSpan = (LifeSpan)SspiWrapper.QueryContextAttributes(securityContext, ContextAttribute.Lifespan);
this.effectiveTime = lifeSpan.EffectiveTimeUtc;
this.expirationTime = lifeSpan.ExpiryTimeUtc;
// SessionKey
SecuritySessionKeyClass sessionKey = (SecuritySessionKeyClass)SspiWrapper.QueryContextAttributes(securityContext, ContextAttribute.SessionKey);
this.symmetricSecurityKey = new InMemorySymmetricSecurityKey(sessionKey.SessionKey);
}
finally
{
if (securityContext != null)
securityContext.Close();
if (ownCredentialsHandle && credentialsHandle != null)
credentialsHandle.Close();
}
}
public override bool CanCreateKeyIdentifierClause()
{
if (typeof(T) == typeof(KerberosTicketHashKeyIdentifierClause))
return true;
return base.CanCreateKeyIdentifierClause();
}
public override T CreateKeyIdentifierClause()
{
if (typeof(T) == typeof(KerberosTicketHashKeyIdentifierClause))
return new KerberosTicketHashKeyIdentifierClause(CryptoHelper.ComputeHash(this.apreq), false, null, 0) as T;
return base.CreateKeyIdentifierClause();
}
public override bool MatchesKeyIdentifierClause(SecurityKeyIdentifierClause keyIdentifierClause)
{
KerberosTicketHashKeyIdentifierClause kerbKeyIdentifierClause = keyIdentifierClause as KerberosTicketHashKeyIdentifierClause;
if (kerbKeyIdentifierClause != null)
return kerbKeyIdentifierClause.Matches(CryptoHelper.ComputeHash(this.apreq));
return base.MatchesKeyIdentifierClause(keyIdentifierClause);
}
}
}
// File provided for Reference Use Only by Microsoft Corporation (c) 2007.
Link Menu
This book is available now!
Buy at Amazon US or
Buy at Amazon UK
- AnnotationDocumentPaginator.cs
- ScrollChangedEventArgs.cs
- SchemaImporterExtensionElementCollection.cs
- LifetimeServices.cs
- TextBoxAutoCompleteSourceConverter.cs
- XmlSchemaAll.cs
- DuplexSecurityProtocolFactory.cs
- TemplateNameScope.cs
- SchemaImporter.cs
- ApplicationFileParser.cs
- Vector3D.cs
- ECDsa.cs
- OracleRowUpdatedEventArgs.cs
- WebAdminConfigurationHelper.cs
- FixUpCollection.cs
- LostFocusEventManager.cs
- IPeerNeighbor.cs
- WebPartEditorOkVerb.cs
- TemplateControlCodeDomTreeGenerator.cs
- BulletDecorator.cs
- SchemaType.cs
- DbProviderManifest.cs
- ActivityBuilder.cs
- KeyNotFoundException.cs
- CompilationLock.cs
- SqlProvider.cs
- InternalPermissions.cs
- DocComment.cs
- KeyPressEvent.cs
- DecimalConverter.cs
- WebSysDescriptionAttribute.cs
- XmlReaderSettings.cs
- ThicknessAnimation.cs
- CodeIndexerExpression.cs
- XmlDataSource.cs
- XmlSchemaDatatype.cs
- PagesSection.cs
- LeafCellTreeNode.cs
- ServiceThrottlingElement.cs
- AssociationType.cs
- InstanceKeyView.cs
- ErrorsHelper.cs
- ImageListStreamer.cs
- InheritanceUI.cs
- TabletCollection.cs
- DataGridAutoFormatDialog.cs
- AppSettingsExpressionBuilder.cs
- KeyPullup.cs
- ModuleConfigurationInfo.cs
- ToolStripControlHost.cs
- MsmqIntegrationInputChannel.cs
- ProcessInputEventArgs.cs
- DataTableReader.cs
- DataListCommandEventArgs.cs
- PeerTransportCredentialType.cs
- ClientTargetSection.cs
- CaseInsensitiveOrdinalStringComparer.cs
- WebEventCodes.cs
- ElementHost.cs
- ProxyManager.cs
- HtmlWindow.cs
- JsonByteArrayDataContract.cs
- EnvelopedPkcs7.cs
- DbProviderFactory.cs
- Mapping.cs
- CultureInfoConverter.cs
- dataprotectionpermission.cs
- ListViewSelectEventArgs.cs
- DbDataReader.cs
- WebRequestModuleElementCollection.cs
- DefaultTextStoreTextComposition.cs
- PerfService.cs
- DLinqAssociationProvider.cs
- CopyCodeAction.cs
- DataBinder.cs
- EFColumnProvider.cs
- XamlSerializer.cs
- TreeViewBindingsEditor.cs
- SqlRewriteScalarSubqueries.cs
- Tablet.cs
- VirtualizingPanel.cs
- ImageMap.cs
- FlowLayoutPanel.cs
- DataGridTableCollection.cs
- ParserStack.cs
- UnsafeNativeMethodsCLR.cs
- BasePropertyDescriptor.cs
- PartialCachingControl.cs
- VirtualizingPanel.cs
- ConfigurationStrings.cs
- RangeValueProviderWrapper.cs
- TypeHelpers.cs
- QilLoop.cs
- CultureTableRecord.cs
- TextTrailingWordEllipsis.cs
- UrlMapping.cs
- CallbackValidator.cs
- EncryptedKeyHashIdentifierClause.cs
- DescendantOverDescendantQuery.cs
- RsaSecurityTokenAuthenticator.cs