Code:
/ 4.0 / 4.0 / untmp / DEVDIV_TFS / Dev10 / Releases / RTMRel / ndp / cdf / src / WCF / IdentityModel / System / IdentityModel / Tokens / KerberosReceiverSecurityToken.cs / 1305376 / KerberosReceiverSecurityToken.cs
//------------------------------------------------------------ // Copyright (c) Microsoft Corporation. All rights reserved. //----------------------------------------------------------- namespace System.IdentityModel.Tokens { using System.Collections.Generic; using System.Collections.ObjectModel; using System.ComponentModel; using System.Security.Authentication.ExtendedProtection; using System.Security.Principal; public class KerberosReceiverSecurityToken : WindowsSecurityToken { string id; byte[] request; SymmetricSecurityKey symmetricSecurityKey = null; ReadOnlyCollectionsecurityKeys = null; bool isAuthenticated = false; string valueTypeUri = null; ChannelBinding channelBinding; ExtendedProtectionPolicy extendedProtectionPolicy; public KerberosReceiverSecurityToken(byte[] request) : this(request, SecurityUniqueId.Create().Value) { } public KerberosReceiverSecurityToken(byte[] request, string id) : this(request, id, true, null) { } public KerberosReceiverSecurityToken(byte[] request, string id, string valueTypeUri) : this(request, id, true, valueTypeUri) { } internal KerberosReceiverSecurityToken( byte[] request, string id, bool doAuthenticate, string valueTypeUri ) : this(request, id, doAuthenticate, valueTypeUri, null, null) { } internal KerberosReceiverSecurityToken( byte[] request, string id, bool doAuthenticate, string valueTypeUri, ChannelBinding channelBinding, ExtendedProtectionPolicy extendedProtectionPolicy ) { if (request == null) throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new ArgumentNullException("request")); if (id == null) throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new ArgumentNullException("id")); this.id = id; this.request = request; this.valueTypeUri = valueTypeUri; this.channelBinding = channelBinding; this.extendedProtectionPolicy = extendedProtectionPolicy; if (doAuthenticate) { Initialize(null, channelBinding, extendedProtectionPolicy); } } public override ReadOnlyCollection SecurityKeys { get { if (this.securityKeys == null) { List temp = new List (1); temp.Add(this.SecurityKey); this.securityKeys = temp.AsReadOnly(); } return this.securityKeys; } } public SymmetricSecurityKey SecurityKey { get { if (!this.isAuthenticated) { Initialize(null, this.channelBinding, this.extendedProtectionPolicy); } return this.symmetricSecurityKey; } } public override DateTime ValidFrom { get { if (!this.isAuthenticated) { Initialize(null, this.channelBinding, this.extendedProtectionPolicy); } return base.ValidFrom; } } public override DateTime ValidTo { get { if (!this.isAuthenticated) { Initialize(null, this.channelBinding, this.extendedProtectionPolicy); } return base.ValidTo; } } public override WindowsIdentity WindowsIdentity { get { ThrowIfDisposed(); if (!this.isAuthenticated) { Initialize(null, this.channelBinding, this.extendedProtectionPolicy); } return base.WindowsIdentity; } } /// /// The Uri that defines the ValueType of the kerberos blob. /// public string ValueTypeUri { get { return valueTypeUri; } } public byte[] GetRequest() { return SecurityUtils.CloneBuffer(this.request); } // This internal API is not thread-safe. It is acceptable since .. // 1) From public OM, Initialize happens at ctor time. // 2) From internal OM (Sfx), Initialize happens right after ctor (single thread env). // i.e. ReadToken and then AuthenticateToken. internal void Initialize( SafeFreeCredentials credentialsHandle, ChannelBinding channelBinding, ExtendedProtectionPolicy extendedProtectionPolicy ) { if (this.isAuthenticated) { return; } bool ownCredentialsHandle = false; SafeDeleteContext securityContext = null; SafeCloseHandle tokenHandle = null; #if RECOMPUTEGSS int tokenSize = DEREncoding.TokenSize(this.request.Length); byte[] rawRequest = new byte[tokenSize]; int offset = 0; int len = this.request.Length; DEREncoding.MakeTokenHeader(this.request.Length, rawRequest, ref offset, ref len); System.Buffer.BlockCopy(this.request, 0, rawRequest, offset, this.request.Length); #else byte[] rawRequest = this.request; #endif try { if (credentialsHandle == null) { credentialsHandle = SspiWrapper.AcquireDefaultCredential("Kerberos", CredentialUse.Inbound); ownCredentialsHandle = true; } SspiContextFlags fContextReq = SspiContextFlags.AllocateMemory | SspiContextFlags.Confidentiality | SspiContextFlags.Confidentiality | SspiContextFlags.ReplayDetect | SspiContextFlags.SequenceDetect; ExtendedProtectionPolicyHelper policyHelper = new ExtendedProtectionPolicyHelper(channelBinding, extendedProtectionPolicy); if (policyHelper.PolicyEnforcement == PolicyEnforcement.Always && policyHelper.ChannelBinding == null && policyHelper.ProtectionScenario != ProtectionScenario.TrustedProxy) { throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new SecurityTokenException(SR.GetString(SR.SecurityChannelBindingMissing))); } if (policyHelper.PolicyEnforcement == PolicyEnforcement.WhenSupported) { fContextReq |= SspiContextFlags.ChannelBindingAllowMissingBindings; } if (policyHelper.ProtectionScenario == ProtectionScenario.TrustedProxy) { fContextReq |= SspiContextFlags.ChannelBindingProxyBindings; } SspiContextFlags contextFlags = SspiContextFlags.Zero; SecurityBuffer outSecurityBuffer = new SecurityBuffer(0, BufferType.Token); Listlist = new List (2); list.Add(new SecurityBuffer(rawRequest, BufferType.Token)); if (policyHelper.ShouldAddChannelBindingToASC()) { list.Add(new SecurityBuffer(policyHelper.ChannelBinding)); } SecurityBuffer[] inSecurityBuffer = null; if (list.Count > 0) { inSecurityBuffer = list.ToArray(); } int statusCode = SspiWrapper.AcceptSecurityContext(credentialsHandle, ref securityContext, fContextReq, Endianness.Native, inSecurityBuffer, outSecurityBuffer, ref contextFlags); if (statusCode != (int)SecurityStatus.OK) { if (statusCode == (int)SecurityStatus.ContinueNeeded) { throw DiagnosticUtility.ExceptionUtility.ThrowHelperError( new SecurityTokenException(SR.GetString(SR.KerberosMultilegsNotSupported), new Win32Exception(statusCode))); } else if (statusCode == (int)SecurityStatus.OutOfMemory) { throw DiagnosticUtility.ExceptionUtility.ThrowHelperError( new SecurityTokenException(SR.GetString(SR.KerberosApReqInvalidOrOutOfMemory), new Win32Exception(statusCode))); } else { throw DiagnosticUtility.ExceptionUtility.ThrowHelperError( new SecurityTokenException(SR.GetString(SR.FailAcceptSecurityContext), new Win32Exception(statusCode))); } } // Expiration LifeSpan lifeSpan = (LifeSpan)SspiWrapper.QueryContextAttributes(securityContext, ContextAttribute.Lifespan); DateTime effectiveTime = lifeSpan.EffectiveTimeUtc; DateTime expirationTime = lifeSpan.ExpiryTimeUtc; // SessionKey SecuritySessionKeyClass sessionKey = (SecuritySessionKeyClass)SspiWrapper.QueryContextAttributes(securityContext, ContextAttribute.SessionKey); this.symmetricSecurityKey = new InMemorySymmetricSecurityKey(sessionKey.SessionKey); // WindowsSecurityToken statusCode = SspiWrapper.QuerySecurityContextToken(securityContext, out tokenHandle); if (statusCode != (int)SecurityStatus.OK) { throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new Win32Exception(statusCode)); } WindowsIdentity windowsIdentity = new WindowsIdentity( tokenHandle.DangerousGetHandle(), SecurityUtils.AuthTypeKerberos); Initialize(this.id, SecurityUtils.AuthTypeKerberos, effectiveTime, expirationTime, windowsIdentity, false); // Authenticated this.isAuthenticated = true; } finally { if (tokenHandle != null) tokenHandle.Close(); if (securityContext != null) securityContext.Close(); if (ownCredentialsHandle && credentialsHandle != null) credentialsHandle.Close(); } } public override bool CanCreateKeyIdentifierClause () { if (typeof(T) == typeof(KerberosTicketHashKeyIdentifierClause)) return true; return base.CanCreateKeyIdentifierClause (); } public override T CreateKeyIdentifierClause () { if (typeof(T) == typeof(KerberosTicketHashKeyIdentifierClause)) return new KerberosTicketHashKeyIdentifierClause(CryptoHelper.ComputeHash(this.request), false, null, 0) as T; return base.CreateKeyIdentifierClause (); } public override bool MatchesKeyIdentifierClause(SecurityKeyIdentifierClause keyIdentifierClause) { KerberosTicketHashKeyIdentifierClause kerbKeyIdentifierClause = keyIdentifierClause as KerberosTicketHashKeyIdentifierClause; if (kerbKeyIdentifierClause != null) return kerbKeyIdentifierClause.Matches(CryptoHelper.ComputeHash(this.request)); return base.MatchesKeyIdentifierClause(keyIdentifierClause); } } } // File provided for Reference Use Only by Microsoft Corporation (c) 2007.
Link Menu
This book is available now!
Buy at Amazon US or
Buy at Amazon UK
- StreamWithDictionary.cs
- DataGridViewCellValidatingEventArgs.cs
- StringPropertyBuilder.cs
- TdsParserSessionPool.cs
- SrgsToken.cs
- RegexStringValidator.cs
- CSharpCodeProvider.cs
- TemplateInstanceAttribute.cs
- SslStream.cs
- IdentityValidationException.cs
- Size.cs
- TrackBarRenderer.cs
- EmptyReadOnlyDictionaryInternal.cs
- TTSVoice.cs
- RowsCopiedEventArgs.cs
- SoapAttributeAttribute.cs
- AssemblyInfo.cs
- EntityDataReader.cs
- DataTemplateSelector.cs
- Simplifier.cs
- CachedCompositeFamily.cs
- TypeResolver.cs
- AdornerPresentationContext.cs
- TriState.cs
- HeaderedContentControl.cs
- ProviderMetadata.cs
- OracleParameterBinding.cs
- PocoPropertyAccessorStrategy.cs
- PostBackOptions.cs
- StringValueSerializer.cs
- _OSSOCK.cs
- SharedPerformanceCounter.cs
- TrackPointCollection.cs
- CustomValidator.cs
- RegistryDataKey.cs
- WebEventCodes.cs
- X509CertificateCollection.cs
- Logging.cs
- DataSysAttribute.cs
- SeekStoryboard.cs
- HttpWebRequestElement.cs
- AxisAngleRotation3D.cs
- CollaborationHelperFunctions.cs
- RequestStatusBarUpdateEventArgs.cs
- WindowsHyperlink.cs
- DomainUpDown.cs
- InfoCardBinaryReader.cs
- AdornerDecorator.cs
- DoubleCollectionConverter.cs
- ComplexTypeEmitter.cs
- Pointer.cs
- TemplateControlBuildProvider.cs
- X509CertificateCollection.cs
- NetCodeGroup.cs
- XmlNamedNodeMap.cs
- WeakReferenceList.cs
- Permission.cs
- xmlformatgeneratorstatics.cs
- VSDExceptions.cs
- ValidationResult.cs
- AdornerHitTestResult.cs
- PrintPreviewDialog.cs
- WindowAutomationPeer.cs
- _TLSstream.cs
- ReadWriteControlDesigner.cs
- DataExchangeServiceBinder.cs
- ConfigurationManagerInternal.cs
- WeakRefEnumerator.cs
- DefaultValueAttribute.cs
- TokenizerHelper.cs
- CurrentChangingEventManager.cs
- MultiTouchSystemGestureLogic.cs
- AdornedElementPlaceholder.cs
- userdatakeys.cs
- DocumentPageViewAutomationPeer.cs
- MobileControlsSectionHelper.cs
- DataGridViewColumnHeaderCell.cs
- SecUtil.cs
- WorkflowTerminatedException.cs
- KnownTypesProvider.cs
- LicenseProviderAttribute.cs
- HashMembershipCondition.cs
- OleAutBinder.cs
- RawStylusInputCustomDataList.cs
- OleDbParameterCollection.cs
- HttpAsyncResult.cs
- DirtyTextRange.cs
- WindowsProgressbar.cs
- ServicePoint.cs
- Version.cs
- WebPartHelpVerb.cs
- PermissionToken.cs
- BrowserTree.cs
- RenderCapability.cs
- BrowserPolicyValidator.cs
- ISAPIApplicationHost.cs
- HtmlInputPassword.cs
- DefaultTextStoreTextComposition.cs
- CodeLinePragma.cs
- Emitter.cs