Code:
/ 4.0 / 4.0 / untmp / DEVDIV_TFS / Dev10 / Releases / RTMRel / ndp / cdf / src / WCF / IdentityModel / System / IdentityModel / Selectors / SamlSecurityTokenAuthenticator.cs / 1305376 / SamlSecurityTokenAuthenticator.cs
//------------------------------------------------------------------------------ // Copyright (c) Microsoft Corporation. All rights reserved. //----------------------------------------------------------------------------- namespace System.IdentityModel.Selectors { using System; using System.Collections.Generic; using System.Collections.ObjectModel; using System.Text; using System.IdentityModel.Claims; using System.IdentityModel.Tokens; using System.IdentityModel.Policy; using System.Security.Principal; using System.Security; public class SamlSecurityTokenAuthenticator : SecurityTokenAuthenticator { ListsupportingAuthenticators; Collection allowedAudienceUris; AudienceUriMode audienceUriMode; TimeSpan maxClockSkew; public SamlSecurityTokenAuthenticator(IList supportingAuthenticators) : this(supportingAuthenticators, TimeSpan.Zero) {} public SamlSecurityTokenAuthenticator(IList supportingAuthenticators, TimeSpan maxClockSkew) { if (supportingAuthenticators == null) throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("supportingAuthenticators"); this.supportingAuthenticators = new List (supportingAuthenticators.Count); for (int i = 0; i < supportingAuthenticators.Count; ++i) { this.supportingAuthenticators.Add(supportingAuthenticators[i]); } this.maxClockSkew = maxClockSkew; this.audienceUriMode = AudienceUriMode.Always; this.allowedAudienceUris = new Collection (); } public AudienceUriMode AudienceUriMode { get { return this.audienceUriMode; } set { AudienceUriModeValidationHelper.Validate(audienceUriMode); this.audienceUriMode = value; } } public IList AllowedAudienceUris { get { return this.allowedAudienceUris; } } protected override bool CanValidateTokenCore(SecurityToken token) { return token is SamlSecurityToken; } protected override ReadOnlyCollection ValidateTokenCore(SecurityToken token) { if (token == null) throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("token"); SamlSecurityToken samlToken = token as SamlSecurityToken; if (samlToken == null) throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new SecurityTokenException(SR.GetString(SR.SamlTokenAuthenticatorCanOnlyProcessSamlTokens, token.GetType().ToString()))); if (samlToken.Assertion.Signature == null) throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new SecurityTokenException(SR.GetString(SR.SamlTokenMissingSignature))); if (!this.IsCurrentlyTimeEffective(samlToken)) throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new SecurityTokenException(SR.GetString(SR.SAMLTokenTimeInvalid, DateTime.UtcNow.ToUniversalTime(), samlToken.ValidFrom.ToString(), samlToken.ValidTo.ToString()))); if (samlToken.Assertion.SigningToken == null) throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new SecurityTokenException(SR.GetString(SR.SamlSigningTokenMissing))); // Build the Issuer ClaimSet for this Saml token. ClaimSet issuer = null; bool canBeValidated = false; for (int i = 0; i < this.supportingAuthenticators.Count; ++i) { canBeValidated = this.supportingAuthenticators[i].CanValidateToken(samlToken.Assertion.SigningToken); if (canBeValidated) break; } if (!canBeValidated) throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new SecurityTokenException(SR.GetString(SR.SamlInvalidSigningToken))); issuer = ResolveClaimSet(samlToken.Assertion.SigningToken) ?? ClaimSet.Anonymous; List policies = new List (); for (int i = 0; i < samlToken.Assertion.Statements.Count; ++i) { policies.Add(samlToken.Assertion.Statements[i].CreatePolicy(issuer, this)); } // Check AudienceUri if required // AudienceUriMode != Never - don't need to check can only be one of three // AudienceUriMode == Always // AudienceUriMode == BearerKey and there are no proof keys // if ((this.audienceUriMode == AudienceUriMode.Always) || (this.audienceUriMode == AudienceUriMode.BearerKeyOnly) && (samlToken.SecurityKeys.Count < 1)) { // throws if not found. bool foundAudienceCondition = false; if (this.allowedAudienceUris == null) { throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new SecurityTokenException(SR.GetString(SR.SAMLAudienceUrisNotFound))); } for (int i = 0; i < samlToken.Assertion.Conditions.Conditions.Count; i++) { SamlAudienceRestrictionCondition audienceCondition = samlToken.Assertion.Conditions.Conditions[i] as SamlAudienceRestrictionCondition; if (audienceCondition == null) continue; foundAudienceCondition = true; if (!ValidateAudienceRestriction(audienceCondition)) { throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new SecurityTokenException(SR.GetString(SR.SAMLAudienceUriValidationFailed))); } } if (!foundAudienceCondition) throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new SecurityTokenException(SR.GetString(SR.SAMLAudienceUriValidationFailed))); } return policies.AsReadOnly(); } protected virtual bool ValidateAudienceRestriction(SamlAudienceRestrictionCondition audienceRestrictionCondition) { for (int i = 0; i < audienceRestrictionCondition.Audiences.Count; i++) { if (audienceRestrictionCondition.Audiences[i] == null) continue; for (int j = 0; j < this.allowedAudienceUris.Count; j++) { if (StringComparer.Ordinal.Compare(audienceRestrictionCondition.Audiences[i].AbsoluteUri, this.allowedAudienceUris[j]) == 0) return true; else if (Uri.IsWellFormedUriString(this.allowedAudienceUris[j], UriKind.Absolute)) { Uri uri = new Uri(this.allowedAudienceUris[j]); if(audienceRestrictionCondition.Audiences[i].Equals(uri)) return true; } } } return false; } public virtual ClaimSet ResolveClaimSet(SecurityToken token) { if (token == null) throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("token"); for (int i = 0; i < this.supportingAuthenticators.Count; ++i) { if (this.supportingAuthenticators[i].CanValidateToken(token)) { ReadOnlyCollection authorizationPolicies = this.supportingAuthenticators[i].ValidateToken(token); AuthorizationContext authContext = AuthorizationContext.CreateDefaultAuthorizationContext(authorizationPolicies); if (authContext.ClaimSets.Count > 0) { return authContext.ClaimSets[0]; } } } return null; } public virtual ClaimSet ResolveClaimSet(SecurityKeyIdentifier keyIdentifier) { if (keyIdentifier == null) throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("keyIdentifier"); RsaKeyIdentifierClause rsaKeyIdentifierClause; EncryptedKeyIdentifierClause encryptedKeyIdentifierClause; if (keyIdentifier.TryFind (out rsaKeyIdentifierClause)) { return new DefaultClaimSet(new Claim(ClaimTypes.Rsa, rsaKeyIdentifierClause.Rsa, Rights.PossessProperty)); } else if (keyIdentifier.TryFind (out encryptedKeyIdentifierClause)) { return new DefaultClaimSet(Claim.CreateHashClaim(encryptedKeyIdentifierClause.GetBuffer())); } return null; } public virtual IIdentity ResolveIdentity(SecurityToken token) { if (token == null) throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("token"); for (int i = 0; i < this.supportingAuthenticators.Count; ++i) { if (this.supportingAuthenticators[i].CanValidateToken(token)) { ReadOnlyCollection authorizationPolicies = this.supportingAuthenticators[i].ValidateToken(token); if (authorizationPolicies != null && authorizationPolicies.Count != 0) { for (int j = 0; j < authorizationPolicies.Count; ++j) { IAuthorizationPolicy policy = authorizationPolicies[j]; if (policy is UnconditionalPolicy) { return ((UnconditionalPolicy)policy).PrimaryIdentity; } } } } } return null; } public virtual IIdentity ResolveIdentity(SecurityKeyIdentifier keyIdentifier) { if (keyIdentifier == null) throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("keyIdentifier"); RsaKeyIdentifierClause rsaKeyIdentifierClause; if (keyIdentifier.TryFind (out rsaKeyIdentifierClause)) { return SecurityUtils.CreateIdentity(rsaKeyIdentifierClause.Rsa.ToXmlString(false), this.GetType().Name); } return null; } bool IsCurrentlyTimeEffective(SamlSecurityToken token) { if (token.Assertion.Conditions != null) { return SecurityUtils.IsCurrentlyTimeEffective(token.Assertion.Conditions.NotBefore, token.Assertion.Conditions.NotOnOrAfter, this.maxClockSkew); } // If SAML Condition is not present then the assertion is valid at any given time. return true; } } } // File provided for Reference Use Only by Microsoft Corporation (c) 2007.
Link Menu
This book is available now!
Buy at Amazon US or
Buy at Amazon UK
- XmlSerializerSection.cs
- LoginName.cs
- TimerEventSubscriptionCollection.cs
- OdbcConnectionOpen.cs
- Base64Encoding.cs
- HelpEvent.cs
- ExpressionEditorAttribute.cs
- MailWriter.cs
- ButtonField.cs
- StructuralObject.cs
- DeferrableContentConverter.cs
- KnownBoxes.cs
- DBCommand.cs
- _Events.cs
- RevocationPoint.cs
- MissingMethodException.cs
- SrgsDocument.cs
- RuleProcessor.cs
- HitTestDrawingContextWalker.cs
- TableDesigner.cs
- MexBindingElement.cs
- ColorConvertedBitmap.cs
- QilTypeChecker.cs
- PackagingUtilities.cs
- odbcmetadatacolumnnames.cs
- EdmToObjectNamespaceMap.cs
- IntPtr.cs
- SmiTypedGetterSetter.cs
- DataGridViewTopRowAccessibleObject.cs
- CannotUnloadAppDomainException.cs
- UnauthorizedWebPart.cs
- HttpHandlersSection.cs
- BamlTreeMap.cs
- CngAlgorithm.cs
- LinkDescriptor.cs
- ObjectHandle.cs
- FormatterServices.cs
- _BaseOverlappedAsyncResult.cs
- MsmqIntegrationSecurityMode.cs
- OperandQuery.cs
- LinqDataSourceStatusEventArgs.cs
- Drawing.cs
- DbParameterCollection.cs
- _CookieModule.cs
- SurrogateSelector.cs
- ConfigurationPermission.cs
- ResourceProviderFactory.cs
- X509RawDataKeyIdentifierClause.cs
- indexingfiltermarshaler.cs
- TrackingMemoryStreamFactory.cs
- BinaryObjectWriter.cs
- AspNetSynchronizationContext.cs
- XmlAttributeOverrides.cs
- SafeRightsManagementPubHandle.cs
- EnumConverter.cs
- SizeChangedEventArgs.cs
- CodeCompiler.cs
- DocobjHost.cs
- IpcManager.cs
- WebSysDescriptionAttribute.cs
- JsonEnumDataContract.cs
- SqlNodeAnnotations.cs
- ResourceAssociationTypeEnd.cs
- ServerIdentity.cs
- CollectionDataContract.cs
- ErrorWrapper.cs
- MSHTMLHost.cs
- BindingWorker.cs
- WindowsFormsHost.cs
- MimeTypeAttribute.cs
- SelectedDatesCollection.cs
- WindowsFormsHelpers.cs
- CompilerTypeWithParams.cs
- TextSchema.cs
- StrokeNodeOperations.cs
- TrackingStringDictionary.cs
- FocusManager.cs
- WebPageTraceListener.cs
- XhtmlBasicImageAdapter.cs
- FileInfo.cs
- XmlMapping.cs
- TextMetrics.cs
- Internal.cs
- DataSourceXmlTextReader.cs
- TraceShell.cs
- DataGridViewCellCollection.cs
- Matrix3DValueSerializer.cs
- SmtpClient.cs
- CapabilitiesAssignment.cs
- DBSchemaRow.cs
- SafeNativeMethodsMilCoreApi.cs
- XXXOnTypeBuilderInstantiation.cs
- WebServiceReceiveDesigner.cs
- BaseParser.cs
- HttpPostedFile.cs
- UIServiceHelper.cs
- TreeNodeBinding.cs
- CurrentChangingEventArgs.cs
- SqlMethodCallConverter.cs
- AspProxy.cs