Code:
/ WCF / WCF / 3.5.30729.1 / untmp / Orcas / SP / ndp / cdf / src / WCF / TransactionBridge / Microsoft / Transactions / Wsat / Messaging / Security.cs / 1 / Security.cs
//------------------------------------------------------------------------------
// Copyright (c) Microsoft Corporation. All rights reserved.
//-----------------------------------------------------------------------------
// Define some helper functions used for security
using System;
using System.ServiceModel;
using System.Collections.Generic;
using System.Collections.ObjectModel;
using System.Diagnostics;
using System.DirectoryServices.ActiveDirectory;
using System.Globalization;
using System.Net;
using System.Net.Security;
using System.IdentityModel.Claims;
using System.IdentityModel.Policy;
using System.IdentityModel.Tokens;
using System.IdentityModel.Selectors;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using System.Security.Permissions;
using System.Security.Principal;
using System.Runtime.Serialization;
using System.ServiceModel.Channels;
using System.ServiceModel.Security;
using System.ServiceModel.Security.Tokens;
using System.ServiceModel.Transactions;
using System.Text;
using System.Transactions;
using System.Xml;
using DiagnosticUtility = Microsoft.Transactions.Bridge.DiagnosticUtility;
using Microsoft.Transactions.Wsat.Protocol;
namespace Microsoft.Transactions.Wsat.Messaging
{
class CoordinationServiceSecurity
{
IdentityVerifier identityVerifier = IdentityVerifier.CreateDefault();
static SecurityContextSecurityTokenParameters securityContextSecurityTokenParameters;
public static SecurityContextSecurityTokenParameters SecurityContextSecurityTokenParameters
{
get
{
if (securityContextSecurityTokenParameters == null)
securityContextSecurityTokenParameters = new SecurityContextSecurityTokenParameters();
return securityContextSecurityTokenParameters;
}
}
static DataContractSerializer identifierElementSerializer10;
static DataContractSerializer identifierElementSerializer11;
static DataContractSerializer IdentifierElementSerializer(ProtocolVersion protocolVersion)
{
ProtocolVersionHelper.AssertProtocolVersion(protocolVersion, typeof(CoordinationServiceSecurity), "IdentifierElementSerializer"); //assert valid protocol version
switch (protocolVersion)
{
case ProtocolVersion.Version10 :
if (identifierElementSerializer10 == null)
identifierElementSerializer10 = new DataContractSerializer(typeof(IdentifierElement10));
return identifierElementSerializer10;
case ProtocolVersion.Version11 :
if (identifierElementSerializer11 == null)
identifierElementSerializer11 = new DataContractSerializer(typeof(IdentifierElement11));
return identifierElementSerializer11;
default:
return null; // inaccessible path because we have asserted the protocol version
}
}
//
// Issued tokens / supporting tokens
//
static byte[] Label = Encoding.UTF8.GetBytes("WS-AT Supporting Token");
static SecurityStandardsManager SecurityStandardsManager2007 =
CreateStandardsManager(MessageSecurityVersion.WSSecurity11WSTrust13WSSecureConversation13WSSecurityPolicy12);
static SecurityStandardsManager CreateStandardsManager(MessageSecurityVersion securityVersion)
{
return new SecurityStandardsManager(
securityVersion,
new WSSecurityTokenSerializer(securityVersion.SecurityVersion, securityVersion.TrustVersion, securityVersion.SecureConversationVersion, false, null, null, null));
}
static SecurityStandardsManager CreateStandardsManager(ProtocolVersion protocolVersion)
{
ProtocolVersionHelper.AssertProtocolVersion(protocolVersion, typeof(CoordinationServiceSecurity), "CreateStandardsManager");
switch (protocolVersion)
{
case ProtocolVersion.Version10:
return SecurityStandardsManager.DefaultInstance;
case ProtocolVersion.Version11:
return CoordinationServiceSecurity.SecurityStandardsManager2007;
default:
return null; // inaccessible path because we have asserted the protocol version
}
}
//=======================================================================================
public static byte[] DeriveIssuedTokenKey(Guid transactionId, string sctId)
{
return Psha1DerivedKeyGeneratorHelper.GenerateDerivedKey(transactionId.ToByteArray(),
Label,
Encoding.UTF8.GetBytes(sctId),
SecurityAlgorithmSuite.Default.DefaultSymmetricKeyLength,
0);
}
//=======================================================================================
public static void CreateIssuedToken(Guid transactionId,
string coordinationContextId,
ProtocolVersion protocolVersion,
out RequestSecurityTokenResponse issuedToken,
out string sctId)
{
sctId = CoordinationContext.CreateNativeIdentifier(Guid.NewGuid());
byte[] derivedKey = DeriveIssuedTokenKey(transactionId, sctId);
DateTime now = DateTime.UtcNow;
SecurityContextSecurityToken sct = new SecurityContextSecurityToken(new UniqueId(sctId),
derivedKey,
now,
now + TimeSpan.FromDays(100 * 365));
BinarySecretSecurityToken proof = new BinarySecretSecurityToken(derivedKey);
SecurityStandardsManager standardsManager = CreateStandardsManager(protocolVersion);
RequestSecurityTokenResponse rstr = new RequestSecurityTokenResponse(standardsManager);
rstr.TokenType = standardsManager.SecureConversationDriver.TokenTypeUri;
rstr.RequestedUnattachedReference = SecurityContextSecurityTokenParameters.CreateKeyIdentifierClause(sct, SecurityTokenReferenceStyle.External);
rstr.RequestedAttachedReference = SecurityContextSecurityTokenParameters.CreateKeyIdentifierClause(sct, SecurityTokenReferenceStyle.Internal);
rstr.RequestedSecurityToken = sct;
rstr.RequestedProofToken = proof;
DataContractSerializer identifierElementSerializer = IdentifierElementSerializer(protocolVersion);
ProtocolVersionHelper.AssertProtocolVersion(protocolVersion, typeof(CoordinationServiceSecurity), "CreateIssuedToken"); //assert valid protocol version
switch(protocolVersion)
{
case ProtocolVersion.Version10 :
rstr.SetAppliesTo(new IdentifierElement10(coordinationContextId),
identifierElementSerializer);
break;
case ProtocolVersion.Version11 :
rstr.SetAppliesTo(new IdentifierElement11(coordinationContextId),
identifierElementSerializer);
break;
default :
break; // inaccessible path because we have asserted the protocol version
}
rstr.MakeReadOnly();
if (DebugTrace.Verbose)
{
DebugTrace.Trace(TraceLevel.Verbose,
"Created issued token with id {0} for transaction {1}",
sctId, transactionId);
}
issuedToken = rstr;
}
//========================================================================================
public static void AddIssuedToken(Message message, RequestSecurityTokenResponse rstr)
{
TransactionFlowProperty transactionFlowProp = TransactionFlowProperty.Ensure(message);
transactionFlowProp.IssuedTokens.Add(rstr);
if (DebugTrace.Verbose)
{
DebugTrace.Trace(TraceLevel.Verbose, "Added issued token to message");
}
}
//=======================================================================================
// This function can throw XmlException
public static RequestSecurityTokenResponse GetIssuedToken(Message message, string identifier, ProtocolVersion protocolVersion)
{
ICollection rstrCollection = TransactionFlowProperty.TryGetIssuedTokens(message);
if (rstrCollection == null)
{
if (DebugTrace.Verbose)
DebugTrace.Trace(TraceLevel.Verbose, "No issued tokens found in message");
return null;
}
string coordIdentifier = CoordinationStrings.Version(protocolVersion).Identifier;
string coordNamespace = CoordinationStrings.Version(protocolVersion).Namespace;
foreach (RequestSecurityTokenResponse rstr in rstrCollection)
{
string name, ns;
rstr.GetAppliesToQName(out name, out ns);
if (name == coordIdentifier &&
ns == coordNamespace)
{
if (DebugTrace.Verbose)
DebugTrace.Trace(TraceLevel.Verbose, "Found issued token in message");
try
{
IdentifierElement id = null;
DataContractSerializer identifierElementSerializer = IdentifierElementSerializer(protocolVersion);
ProtocolVersionHelper.AssertProtocolVersion(protocolVersion, typeof(CoordinationServiceSecurity), "GetIssuedToken"); //assert valid protocol version
switch (protocolVersion)
{
case ProtocolVersion.Version10 :
id = rstr.GetAppliesTo(identifierElementSerializer);
break;
case ProtocolVersion.Version11 :
id = rstr.GetAppliesTo(identifierElementSerializer);
break;
// no default - we have asserted the protocol version
}
// Make sure the identifier matches the expected value
if (id.Identifier != identifier)
{
if (DebugTrace.Error)
DebugTrace.Trace(TraceLevel.Error,
"Issued token identifier does not match expected {0}",
identifier);
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(
new XmlException(SR.GetString(SR.IssuedTokenIdentifierMismatch)));
}
}
catch (SerializationException e)
{
if (DebugTrace.Error)
DebugTrace.Trace(TraceLevel.Error,
"Issued token AppliesTo element could not be deserialized: {0}",
e.Message);
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(
new XmlException(e.Message, e));
}
return rstr;
}
}
if (DebugTrace.Verbose)
DebugTrace.Trace(TraceLevel.Verbose, "No matching issued token found in message");
return null;
}
//========================================================================================
public static void AddSupportingToken(Message message, RequestSecurityTokenResponse rstr)
{
// Currently, we only support a binary secret as the proof of RSTR
GenericXmlSecurityToken supportingToken = rstr.GetIssuedToken(null, null, SecurityKeyEntropyMode.ServerEntropy, null, null, null);
SecurityMessageProperty property = new SecurityMessageProperty();
SupportingTokenSpecification spec = new SupportingTokenSpecification(supportingToken, new List().AsReadOnly(), SecurityTokenAttachmentMode.Endorsing, SecurityContextSecurityTokenParameters);
property.OutgoingSupportingTokens.Add(spec);
message.Properties.Security = property;
if (DebugTrace.Verbose)
{
DebugTrace.Trace (TraceLevel.Verbose,
"Attached supporting token {0} to register message",
rstr.Context);
}
}
//
// Per-enlistment security
//
//========================================================================================
public static string GetSenderName (Message message)
{
return GetSenderName(message.Properties);
}
//=======================================================================================
public static string GetSenderName (MessageProperties messageProperties)
{
SecurityMessageProperty securityMessageProperty = messageProperties.Security;
if (securityMessageProperty == null)
{
return "anonymous";
}
ServiceSecurityContext securityContext = securityMessageProperty.ServiceSecurityContext;
if (securityContext == null || securityContext.IsAnonymous)
{
return "anonymous";
}
IIdentity identity = securityContext.PrimaryIdentity;
if (identity != null)
{
return identity.Name;
}
return securityContext.PrimaryIdentity.ToString();
}
//========================================================================================
public bool CheckIdentity(Proxy proxy, Message message)
{
EndpointAddress service = proxy.To;
bool access = this.identityVerifier.CheckAccess(service, message);
TraceCheckIdentityResult(access, service, message);
return access;
}
//=======================================================================================
void TraceCheckIdentityResult(bool access, EndpointAddress service, Message message)
{
if (DebugTrace.Verbose)
{
if (DebugTrace.Pii)
{
string sender = GetSenderName(message);
if (access)
{
DebugTrace.Trace(TraceLevel.Verbose,
"Access granted by identity verifier to {0}",
sender);
}
else
{
DebugTrace.Trace(TraceLevel.Verbose,
"Access denied by identity verifier to {0}, expected {1}",
sender,
service.Identity == null ? service.Uri.AbsoluteUri :
service.Identity.ToString());
}
}
else
{
if (access)
{
DebugTrace.Trace(TraceLevel.Verbose, "Access granted by identity verifier");
}
else
{
DebugTrace.Trace(TraceLevel.Verbose, "Access denied by identity verifier");
}
}
}
}
}
}
// File provided for Reference Use Only by Microsoft Corporation (c) 2007.
// Copyright (c) Microsoft Corporation. All rights reserved.
Link Menu
This book is available now!
Buy at Amazon US or
Buy at Amazon UK
- Trigger.cs
- brushes.cs
- MatrixCamera.cs
- HMACSHA384.cs
- MenuItemAutomationPeer.cs
- NeutralResourcesLanguageAttribute.cs
- ContextMenu.cs
- WebDisplayNameAttribute.cs
- StrokeCollectionDefaultValueFactory.cs
- GiveFeedbackEventArgs.cs
- EnumBuilder.cs
- CharacterMetrics.cs
- BlockCollection.cs
- InkCanvasSelectionAdorner.cs
- SqlExpander.cs
- AsyncDataRequest.cs
- NonBatchDirectoryCompiler.cs
- CheckBoxList.cs
- EmptyReadOnlyDictionaryInternal.cs
- DataBinding.cs
- RsaSecurityToken.cs
- DataSetUtil.cs
- WebPartEditorCancelVerb.cs
- ConnectionConsumerAttribute.cs
- SamlAudienceRestrictionCondition.cs
- SiteMapProvider.cs
- RemoteArgument.cs
- PersonalizationProvider.cs
- UpDownEvent.cs
- XmlReflectionImporter.cs
- ButtonRenderer.cs
- StorageTypeMapping.cs
- ClientScriptItem.cs
- TransformConverter.cs
- FtpWebRequest.cs
- RequestFactory.cs
- TextEditorParagraphs.cs
- SingleAnimationBase.cs
- SqlBulkCopyColumnMapping.cs
- _CommandStream.cs
- RoleService.cs
- RedistVersionInfo.cs
- LicenseManager.cs
- Membership.cs
- DesigntimeLicenseContext.cs
- DataRowChangeEvent.cs
- PackagePart.cs
- ParameterToken.cs
- FamilyCollection.cs
- SparseMemoryStream.cs
- HebrewNumber.cs
- DefaultTypeArgumentAttribute.cs
- CallContext.cs
- DataComponentMethodGenerator.cs
- OutputScope.cs
- DbDataAdapter.cs
- BezierSegment.cs
- OptimizerPatterns.cs
- TypeDelegator.cs
- ResolveCompletedEventArgs.cs
- StateWorkerRequest.cs
- DictionarySectionHandler.cs
- NamespaceList.cs
- MediaTimeline.cs
- SafeWaitHandle.cs
- ExpandCollapsePattern.cs
- EvidenceTypeDescriptor.cs
- ConstraintCollection.cs
- TextEditorCharacters.cs
- EdmRelationshipNavigationPropertyAttribute.cs
- SessionIDManager.cs
- Marshal.cs
- FamilyTypefaceCollection.cs
- AssociationTypeEmitter.cs
- ToolStripPanelRow.cs
- ZipFileInfoCollection.cs
- UnicodeEncoding.cs
- XmlSerializer.cs
- UriExt.cs
- Exceptions.cs
- ParentQuery.cs
- ExtendedPropertyDescriptor.cs
- WebControlParameterProxy.cs
- CacheVirtualItemsEvent.cs
- IPCCacheManager.cs
- BadImageFormatException.cs
- SafeProcessHandle.cs
- Mapping.cs
- PerformanceCounterPermission.cs
- RbTree.cs
- SiteMapNode.cs
- followingsibling.cs
- QuaternionRotation3D.cs
- FactoryGenerator.cs
- DataGridTextBoxColumn.cs
- AssociationEndMember.cs
- HashRepartitionStream.cs
- FormViewPagerRow.cs
- WindowsNonControl.cs
- PieceDirectory.cs