1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
|
//-----------------------------------------------------------------------
// <copyright file="SecurityTokenHandler.cs" company="Microsoft">
// Copyright (c) Microsoft Corporation. All rights reserved.
// </copyright>
//-----------------------------------------------------------------------
namespace System.IdentityModel.Tokens
{
using System.Collections.ObjectModel;
using System.IdentityModel.Configuration;
using System.IdentityModel.Diagnostics.Application;
using System.IdentityModel.Selectors;
using System.Runtime.Diagnostics;
using System.Security.Claims;
using System.Xml;
/// <summary>
/// Defines the interface for a Security Token Handler.
/// </summary>
public abstract class SecurityTokenHandler : ICustomIdentityConfiguration
{
private SecurityTokenHandlerCollection collection;
private SecurityTokenHandlerConfiguration configuration;
private EventTraceActivity eventTraceActivity;
/// <summary>
/// Creates an instance of <see cref="SecurityTokenHandler"/>
/// </summary>
protected SecurityTokenHandler()
{
}
private EventTraceActivity EventTraceActivity
{
get
{
if (this.eventTraceActivity == null)
{
this.eventTraceActivity = EventTraceActivity.GetFromThreadOrCreate();
}
return this.eventTraceActivity;
}
}
/// <summary>
/// Gets a value indicating whether this handler supports validation of tokens
/// handled by this instance.
/// </summary>v
/// <returns>'True' if the instance is capable of SecurityToken
/// validation.</returns>
public virtual bool CanValidateToken
{
get { return false; }
}
/// <summary>
/// Gets a value indicating whether the class provides serialization functionality to serialize token handled
/// by this instance.
/// </summary>
/// <returns>true if the WriteToken method can serialize this token.</returns>
public virtual bool CanWriteToken
{
get { return false; }
}
/// <summary>
/// Gets or sets the <see cref="SecurityTokenHandlerConfiguration" />
/// </summary>
public SecurityTokenHandlerConfiguration Configuration
{
get { return this.configuration; }
set { this.configuration = value; }
}
/// <summary>
/// Gets or sets the SecurityTokenHandlerCollection that this SecurityTokenHandler
/// is part of. This property should never be set directly. When the SecurityTokenHandler
/// is added to a collection this property is automatically set.
/// </summary>
public SecurityTokenHandlerCollection ContainingCollection
{
get
{
return this.collection;
}
internal set
{
this.collection = value;
}
}
/// <summary>
/// Gets the System.Type of the SecurityToken this instance handles.
/// </summary>
public abstract Type TokenType
{
get;
}
/// <summary>
/// Indicates whether the current XML element can be read as a token
/// of the type handled by this instance.
/// </summary>
/// <param name="reader">An XML reader positioned at a start
/// element. The reader should not be advanced.</param>
/// <returns>'True' if the ReadToken method can the element.</returns>
public virtual bool CanReadToken(XmlReader reader)
{
return false;
}
/// <summary>
/// Indicates whether the current token string can be read as a token
/// of the type handled by this instance.
/// </summary>
/// <param name="tokenString">The token string thats needs to be read.</param>
/// <returns>'True' if the ReadToken method can parse the token string.</returns>
public virtual bool CanReadToken(string tokenString)
{
return false;
}
/// <summary>
/// Deserializes from XML a token of the type handled by this instance.
/// </summary>
/// <param name="reader">An XML reader positioned at the token's start
/// element.</param>
/// <returns>SecurityToken instance.</returns>
public virtual SecurityToken ReadToken(XmlReader reader)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new NotImplementedException(SR.GetString(SR.ID4008, "SecurityTokenHandler", "ReadToken")));
}
/// <summary>
/// Deserializes from XML a token of the type handled by this instance.
/// </summary>
/// <param name="reader">An XML reader positioned at the token's start
/// element.</param>
/// <param name="tokenResolver">The SecrityTokenResolver that contains out-of-band and cached tokens.</param>
/// <returns>SecurityToken instance.</returns>
public virtual SecurityToken ReadToken(XmlReader reader, SecurityTokenResolver tokenResolver)
{
// The default implementation ignores the SecurityTokenResolver and delegates the call to the
// ReadToken method that takes a XmlReader.
return this.ReadToken(reader);
}
/// <summary>
/// Deserializes from string a token of the type handled by this instance.
/// </summary>
/// <param name="tokenString">The string to be deserialized.</param>
/// <returns>SecurityToken instance which represents the serialized token.</returns>
public virtual SecurityToken ReadToken(string tokenString)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new NotImplementedException(SR.GetString(SR.ID4008, "SecurityTokenHandler", "ReadToken")));
}
/// <summary>
/// Serializes to XML a token of the type handled by this instance.
/// </summary>
/// <param name="writer">The XML writer.</param>
/// <param name="token">A token of type TokenType.</param>
public virtual void WriteToken(XmlWriter writer, SecurityToken token)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new NotImplementedException(SR.GetString(SR.ID4008, "SecurityTokenHandler", "WriteToken")));
}
/// <summary>
/// Serializes to string a token of the type handled by this instance.
/// </summary>
/// <param name="token">A token of type TokenType.</param>
/// <returns>The serialized token.</returns>
public virtual string WriteToken(SecurityToken token)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new NotImplementedException(SR.GetString(SR.ID4008, "SecurityTokenHandler", "WriteToken")));
}
/// <summary>
/// Indicates if the current XML element is pointing to a KeyIdentifierClause that
/// can be serialized by this instance.
/// </summary>
/// <param name="reader">An XML reader positioned at the start element.
/// The reader should not be advanced.</param>
/// <returns>true if the ReadKeyIdentifierClause can read the element.</returns>
public virtual bool CanReadKeyIdentifierClause(XmlReader reader)
{
return false;
}
/// <summary>
/// Deserializes the XML to a KeyIdentifierClause that references a token
/// handled by this instance.
/// </summary>
/// <param name="reader">An XML reader positioned at the KeyIdentifierClause start element.</param>
/// <returns>SecurityKeyIdentifierClause instance.</returns>
public virtual SecurityKeyIdentifierClause ReadKeyIdentifierClause(XmlReader reader)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new NotImplementedException(SR.GetString(SR.ID4008, "SecurityTokenHandler", "ReadKeyIdentifierClause")));
}
/// <summary>
/// Indicates if the given SecurityKeyIdentifierClause can be serialized by this
/// instance.
/// </summary>
/// <param name="securityKeyIdentifierClause">SecurityKeyIdentifierClause to be serialized.</param>
/// <returns>true if the given SecurityKeyIdentifierClause can be serialized.</returns>
public virtual bool CanWriteKeyIdentifierClause(SecurityKeyIdentifierClause securityKeyIdentifierClause)
{
return false;
}
/// <summary>
/// Serializes to XML a SecurityKeyIdentifierClause that this instance supports.
/// </summary>
/// <param name="writer">The XML writer.</param>
/// <param name="securityKeyIdentifierClause">The SecurityKeyIdentifierClause to be used to serialize the token.</param>
public virtual void WriteKeyIdentifierClause(XmlWriter writer, SecurityKeyIdentifierClause securityKeyIdentifierClause)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new NotImplementedException(SR.GetString(SR.ID4008, "SecurityTokenHandler", "WriteKeyIdentifierClause")));
}
/// <summary>
/// Called by the STS to create a token given a token descriptor.
/// </summary>
/// <param name="tokenDescriptor">Describes the token; properties such
/// as ValidFrom, AppliesTo, EncryptingCredentials, Claims, etc., are filled in
/// before the call to create token. </param>
/// <returns>A SecurityToken that matches the properties of the token descriptor.</returns>
public virtual SecurityToken CreateToken(SecurityTokenDescriptor tokenDescriptor)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new NotImplementedException(SR.GetString(SR.ID4008, "SecurityTokenHandler", "CreateToken")));
}
/// <summary>
/// Creates the security token reference for tokens handled by this instance.
/// </summary>
/// <param name="token">The SecurityToken instance for which the references needs to be
/// created.</param>
/// <param name="attached">Boolean that indicates if a attached or unattached
/// reference needs to be created.</param>
/// <returns>A SecurityKeyIdentifierClause that identifies the given token.</returns>
public virtual SecurityKeyIdentifierClause CreateSecurityTokenReference(SecurityToken token, bool attached)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new NotImplementedException(SR.GetString(SR.ID4008, "SecurityTokenHandler", "CreateSecurityTokenReference")));
}
/// <summary>
/// The URI used in requests to identify a token of the type handled
/// by this instance.
/// </summary>
/// <remarks>
/// For example, this should be the URI value used
/// in the RequestSecurityToken's TokenType element to request this
/// sort of token.
/// </remarks>
/// <returns>The set of URIs that identify the token this handler supports.</returns>
public abstract string[] GetTokenTypeIdentifiers();
/// <summary>
/// Validates a <see cref="SecurityToken"/>.
/// </summary>
/// <param name="token">The <see cref="SecurityToken"/> to validate.</param>
/// <returns>The <see cref="ReadOnlyCollection{T}"/> of <see cref="ClaimsIdentity"/> representing the identities contained in the token.</returns>
/// <remarks>Derived types will validate specific tokens.</remarks>
public virtual ReadOnlyCollection<ClaimsIdentity> ValidateToken(SecurityToken token)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new NotImplementedException(SR.GetString(SR.ID4008, "SecurityTokenHandler", "ValidateToken")));
}
/// <summary>
/// Throws if a token is detected as being replayed.
/// Override this method in your derived class to detect replays.
/// </summary>
/// <param name="token">The token to check for replay.</param>
protected virtual void DetectReplayedToken(SecurityToken token)
{
}
/// <summary>
/// Load custom configuration from Xml
/// </summary>
/// <param name="nodelist">Custom configuration elements</param>
public virtual void LoadCustomConfiguration(XmlNodeList nodelist)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new NotImplementedException(SR.GetString(SR.ID0023, this.GetType().AssemblyQualifiedName)));
}
protected void TraceTokenValidationSuccess(SecurityToken token)
{
if (TD.TokenValidationSuccessIsEnabled())
{
TD.TokenValidationSuccess(this.EventTraceActivity, token.GetType().ToString(), token.Id);
}
}
protected void TraceTokenValidationFailure(SecurityToken token, string errorMessage)
{
if (TD.TokenValidationFailureIsEnabled())
{
TD.TokenValidationFailure(this.EventTraceActivity, token.GetType().ToString(), token.Id, errorMessage);
}
}
}
}
|
