Code:
/ WCF / WCF / 3.5.30729.1 / untmp / Orcas / SP / ndp / cdf / src / WCF / TransactionBridge / Microsoft / Transactions / Wsat / Messaging / Security.cs / 1 / Security.cs
//------------------------------------------------------------------------------ // Copyright (c) Microsoft Corporation. All rights reserved. //----------------------------------------------------------------------------- // Define some helper functions used for security using System; using System.ServiceModel; using System.Collections.Generic; using System.Collections.ObjectModel; using System.Diagnostics; using System.DirectoryServices.ActiveDirectory; using System.Globalization; using System.Net; using System.Net.Security; using System.IdentityModel.Claims; using System.IdentityModel.Policy; using System.IdentityModel.Tokens; using System.IdentityModel.Selectors; using System.Security.Cryptography; using System.Security.Cryptography.X509Certificates; using System.Security.Permissions; using System.Security.Principal; using System.Runtime.Serialization; using System.ServiceModel.Channels; using System.ServiceModel.Security; using System.ServiceModel.Security.Tokens; using System.ServiceModel.Transactions; using System.Text; using System.Transactions; using System.Xml; using DiagnosticUtility = Microsoft.Transactions.Bridge.DiagnosticUtility; using Microsoft.Transactions.Wsat.Protocol; namespace Microsoft.Transactions.Wsat.Messaging { class CoordinationServiceSecurity { IdentityVerifier identityVerifier = IdentityVerifier.CreateDefault(); static SecurityContextSecurityTokenParameters securityContextSecurityTokenParameters; public static SecurityContextSecurityTokenParameters SecurityContextSecurityTokenParameters { get { if (securityContextSecurityTokenParameters == null) securityContextSecurityTokenParameters = new SecurityContextSecurityTokenParameters(); return securityContextSecurityTokenParameters; } } static DataContractSerializer identifierElementSerializer10; static DataContractSerializer identifierElementSerializer11; static DataContractSerializer IdentifierElementSerializer(ProtocolVersion protocolVersion) { ProtocolVersionHelper.AssertProtocolVersion(protocolVersion, typeof(CoordinationServiceSecurity), "IdentifierElementSerializer"); //assert valid protocol version switch (protocolVersion) { case ProtocolVersion.Version10 : if (identifierElementSerializer10 == null) identifierElementSerializer10 = new DataContractSerializer(typeof(IdentifierElement10)); return identifierElementSerializer10; case ProtocolVersion.Version11 : if (identifierElementSerializer11 == null) identifierElementSerializer11 = new DataContractSerializer(typeof(IdentifierElement11)); return identifierElementSerializer11; default: return null; // inaccessible path because we have asserted the protocol version } } // // Issued tokens / supporting tokens // static byte[] Label = Encoding.UTF8.GetBytes("WS-AT Supporting Token"); static SecurityStandardsManager SecurityStandardsManager2007 = CreateStandardsManager(MessageSecurityVersion.WSSecurity11WSTrust13WSSecureConversation13WSSecurityPolicy12); static SecurityStandardsManager CreateStandardsManager(MessageSecurityVersion securityVersion) { return new SecurityStandardsManager( securityVersion, new WSSecurityTokenSerializer(securityVersion.SecurityVersion, securityVersion.TrustVersion, securityVersion.SecureConversationVersion, false, null, null, null)); } static SecurityStandardsManager CreateStandardsManager(ProtocolVersion protocolVersion) { ProtocolVersionHelper.AssertProtocolVersion(protocolVersion, typeof(CoordinationServiceSecurity), "CreateStandardsManager"); switch (protocolVersion) { case ProtocolVersion.Version10: return SecurityStandardsManager.DefaultInstance; case ProtocolVersion.Version11: return CoordinationServiceSecurity.SecurityStandardsManager2007; default: return null; // inaccessible path because we have asserted the protocol version } } //======================================================================================= public static byte[] DeriveIssuedTokenKey(Guid transactionId, string sctId) { return Psha1DerivedKeyGeneratorHelper.GenerateDerivedKey(transactionId.ToByteArray(), Label, Encoding.UTF8.GetBytes(sctId), SecurityAlgorithmSuite.Default.DefaultSymmetricKeyLength, 0); } //======================================================================================= public static void CreateIssuedToken(Guid transactionId, string coordinationContextId, ProtocolVersion protocolVersion, out RequestSecurityTokenResponse issuedToken, out string sctId) { sctId = CoordinationContext.CreateNativeIdentifier(Guid.NewGuid()); byte[] derivedKey = DeriveIssuedTokenKey(transactionId, sctId); DateTime now = DateTime.UtcNow; SecurityContextSecurityToken sct = new SecurityContextSecurityToken(new UniqueId(sctId), derivedKey, now, now + TimeSpan.FromDays(100 * 365)); BinarySecretSecurityToken proof = new BinarySecretSecurityToken(derivedKey); SecurityStandardsManager standardsManager = CreateStandardsManager(protocolVersion); RequestSecurityTokenResponse rstr = new RequestSecurityTokenResponse(standardsManager); rstr.TokenType = standardsManager.SecureConversationDriver.TokenTypeUri; rstr.RequestedUnattachedReference = SecurityContextSecurityTokenParameters.CreateKeyIdentifierClause(sct, SecurityTokenReferenceStyle.External); rstr.RequestedAttachedReference = SecurityContextSecurityTokenParameters.CreateKeyIdentifierClause(sct, SecurityTokenReferenceStyle.Internal); rstr.RequestedSecurityToken = sct; rstr.RequestedProofToken = proof; DataContractSerializer identifierElementSerializer = IdentifierElementSerializer(protocolVersion); ProtocolVersionHelper.AssertProtocolVersion(protocolVersion, typeof(CoordinationServiceSecurity), "CreateIssuedToken"); //assert valid protocol version switch(protocolVersion) { case ProtocolVersion.Version10 : rstr.SetAppliesTo(new IdentifierElement10(coordinationContextId), identifierElementSerializer); break; case ProtocolVersion.Version11 : rstr.SetAppliesTo (new IdentifierElement11(coordinationContextId), identifierElementSerializer); break; default : break; // inaccessible path because we have asserted the protocol version } rstr.MakeReadOnly(); if (DebugTrace.Verbose) { DebugTrace.Trace(TraceLevel.Verbose, "Created issued token with id {0} for transaction {1}", sctId, transactionId); } issuedToken = rstr; } //======================================================================================== public static void AddIssuedToken(Message message, RequestSecurityTokenResponse rstr) { TransactionFlowProperty transactionFlowProp = TransactionFlowProperty.Ensure(message); transactionFlowProp.IssuedTokens.Add(rstr); if (DebugTrace.Verbose) { DebugTrace.Trace(TraceLevel.Verbose, "Added issued token to message"); } } //======================================================================================= // This function can throw XmlException public static RequestSecurityTokenResponse GetIssuedToken(Message message, string identifier, ProtocolVersion protocolVersion) { ICollection rstrCollection = TransactionFlowProperty.TryGetIssuedTokens(message); if (rstrCollection == null) { if (DebugTrace.Verbose) DebugTrace.Trace(TraceLevel.Verbose, "No issued tokens found in message"); return null; } string coordIdentifier = CoordinationStrings.Version(protocolVersion).Identifier; string coordNamespace = CoordinationStrings.Version(protocolVersion).Namespace; foreach (RequestSecurityTokenResponse rstr in rstrCollection) { string name, ns; rstr.GetAppliesToQName(out name, out ns); if (name == coordIdentifier && ns == coordNamespace) { if (DebugTrace.Verbose) DebugTrace.Trace(TraceLevel.Verbose, "Found issued token in message"); try { IdentifierElement id = null; DataContractSerializer identifierElementSerializer = IdentifierElementSerializer(protocolVersion); ProtocolVersionHelper.AssertProtocolVersion(protocolVersion, typeof(CoordinationServiceSecurity), "GetIssuedToken"); //assert valid protocol version switch (protocolVersion) { case ProtocolVersion.Version10 : id = rstr.GetAppliesTo (identifierElementSerializer); break; case ProtocolVersion.Version11 : id = rstr.GetAppliesTo (identifierElementSerializer); break; // no default - we have asserted the protocol version } // Make sure the identifier matches the expected value if (id.Identifier != identifier) { if (DebugTrace.Error) DebugTrace.Trace(TraceLevel.Error, "Issued token identifier does not match expected {0}", identifier); throw DiagnosticUtility.ExceptionUtility.ThrowHelperError( new XmlException(SR.GetString(SR.IssuedTokenIdentifierMismatch))); } } catch (SerializationException e) { if (DebugTrace.Error) DebugTrace.Trace(TraceLevel.Error, "Issued token AppliesTo element could not be deserialized: {0}", e.Message); throw DiagnosticUtility.ExceptionUtility.ThrowHelperError( new XmlException(e.Message, e)); } return rstr; } } if (DebugTrace.Verbose) DebugTrace.Trace(TraceLevel.Verbose, "No matching issued token found in message"); return null; } //======================================================================================== public static void AddSupportingToken(Message message, RequestSecurityTokenResponse rstr) { // Currently, we only support a binary secret as the proof of RSTR GenericXmlSecurityToken supportingToken = rstr.GetIssuedToken(null, null, SecurityKeyEntropyMode.ServerEntropy, null, null, null); SecurityMessageProperty property = new SecurityMessageProperty(); SupportingTokenSpecification spec = new SupportingTokenSpecification(supportingToken, new List ().AsReadOnly(), SecurityTokenAttachmentMode.Endorsing, SecurityContextSecurityTokenParameters); property.OutgoingSupportingTokens.Add(spec); message.Properties.Security = property; if (DebugTrace.Verbose) { DebugTrace.Trace (TraceLevel.Verbose, "Attached supporting token {0} to register message", rstr.Context); } } // // Per-enlistment security // //======================================================================================== public static string GetSenderName (Message message) { return GetSenderName(message.Properties); } //======================================================================================= public static string GetSenderName (MessageProperties messageProperties) { SecurityMessageProperty securityMessageProperty = messageProperties.Security; if (securityMessageProperty == null) { return "anonymous"; } ServiceSecurityContext securityContext = securityMessageProperty.ServiceSecurityContext; if (securityContext == null || securityContext.IsAnonymous) { return "anonymous"; } IIdentity identity = securityContext.PrimaryIdentity; if (identity != null) { return identity.Name; } return securityContext.PrimaryIdentity.ToString(); } //======================================================================================== public bool CheckIdentity(Proxy proxy, Message message) { EndpointAddress service = proxy.To; bool access = this.identityVerifier.CheckAccess(service, message); TraceCheckIdentityResult(access, service, message); return access; } //======================================================================================= void TraceCheckIdentityResult(bool access, EndpointAddress service, Message message) { if (DebugTrace.Verbose) { if (DebugTrace.Pii) { string sender = GetSenderName(message); if (access) { DebugTrace.Trace(TraceLevel.Verbose, "Access granted by identity verifier to {0}", sender); } else { DebugTrace.Trace(TraceLevel.Verbose, "Access denied by identity verifier to {0}, expected {1}", sender, service.Identity == null ? service.Uri.AbsoluteUri : service.Identity.ToString()); } } else { if (access) { DebugTrace.Trace(TraceLevel.Verbose, "Access granted by identity verifier"); } else { DebugTrace.Trace(TraceLevel.Verbose, "Access denied by identity verifier"); } } } } } } // File provided for Reference Use Only by Microsoft Corporation (c) 2007. // Copyright (c) Microsoft Corporation. All rights reserved.
Link Menu

This book is available now!
Buy at Amazon US or
Buy at Amazon UK
- XmlSchemaAnyAttribute.cs
- DomainUpDown.cs
- SqlBuilder.cs
- UdpSocket.cs
- SqlDataSourceTableQuery.cs
- ZoneLinkButton.cs
- DesignerVerbCollection.cs
- SapiRecognizer.cs
- VirtualizingPanel.cs
- ping.cs
- ParameterCollection.cs
- ConditionCollection.cs
- WebMessageEncodingBindingElement.cs
- WebPartUtil.cs
- TextServicesDisplayAttribute.cs
- DiagnosticsConfigurationHandler.cs
- BoundsDrawingContextWalker.cs
- Fx.cs
- SemaphoreSecurity.cs
- InheritanceUI.cs
- FixedSOMPageConstructor.cs
- LayoutExceptionEventArgs.cs
- ObjectQuery_EntitySqlExtensions.cs
- BulletedListEventArgs.cs
- sitestring.cs
- TaskFactory.cs
- UnaryNode.cs
- ToolStripMenuItem.cs
- newinstructionaction.cs
- EntityDataSourceReferenceGroup.cs
- Classification.cs
- LogicalTreeHelper.cs
- ToolBarTray.cs
- DataRowExtensions.cs
- BaseParser.cs
- ResXBuildProvider.cs
- InputLanguageManager.cs
- PathSegment.cs
- WCFServiceClientProxyGenerator.cs
- filewebrequest.cs
- QueryStatement.cs
- XmlNamespaceMapping.cs
- _BufferOffsetSize.cs
- SemanticTag.cs
- FixedSOMImage.cs
- XmlIlTypeHelper.cs
- EncodingDataItem.cs
- _CommandStream.cs
- CustomLineCap.cs
- TreeView.cs
- JournalEntry.cs
- MenuTracker.cs
- TextBoxLine.cs
- RecordBuilder.cs
- UntypedNullExpression.cs
- RegexWriter.cs
- glyphs.cs
- ModifierKeysValueSerializer.cs
- SerialReceived.cs
- TouchFrameEventArgs.cs
- HiddenFieldDesigner.cs
- UncommonField.cs
- WCFServiceClientProxyGenerator.cs
- XmlReflectionImporter.cs
- NetworkStream.cs
- SizeF.cs
- DatagridviewDisplayedBandsData.cs
- KeyboardDevice.cs
- SqlNotificationRequest.cs
- ResourceAttributes.cs
- PartialArray.cs
- InternalResources.cs
- FormatConvertedBitmap.cs
- Sorting.cs
- dataSvcMapFileLoader.cs
- FixedTextContainer.cs
- XmlSerializer.cs
- ImmutableObjectAttribute.cs
- DataControlPagerLinkButton.cs
- CapiHashAlgorithm.cs
- HtmlUtf8RawTextWriter.cs
- KeyEventArgs.cs
- HierarchicalDataSourceConverter.cs
- StateRuntime.cs
- oledbmetadatacollectionnames.cs
- _DomainName.cs
- Collection.cs
- Module.cs
- SchemaExporter.cs
- PageAsyncTaskManager.cs
- CalendarSelectionChangedEventArgs.cs
- JournalEntry.cs
- MemoryStream.cs
- TimeManager.cs
- WebReferenceCollection.cs
- OptimizedTemplateContent.cs
- DrawingContextWalker.cs
- HashAlgorithm.cs
- WebScriptServiceHostFactory.cs
- SerialErrors.cs