/// <summary>
/// Checks that an ActivateSession request may be applied to this session.
/// </summary>
/// <remarks>
/// Runs under <c>m_lock</c>. The checks are made in this order: a secure channel is
/// present on the context; the channel's security policy and mode match the endpoint the
/// session was created on; when a client certificate is known, the client signature over
/// the server certificate and the current server nonce verifies; a not-yet-activated
/// session is being activated on the channel that created it, while an already activated
/// session is given no software certificates; and finally the user identity token is
/// decoded and matched against a user token policy. Each failed check raises a
/// <see cref="ServiceResultException"/> with the corresponding status code.
/// </remarks>
/// <param name="context">The operation context of the request; its channel context is required.</param>
/// <param name="clientSignature">Signature over the server certificate and server nonce made with the client certificate.</param>
/// <param name="clientSoftwareCertificates">Software certificates supplied by the client; must be absent or empty once the session is activated.</param>
/// <param name="userIdentityToken">The encoded user identity token.</param>
/// <param name="userTokenSignature">The signature supplied with the user identity token.</param>
/// <param name="localeIds">Locales requested by the client; not inspected here.</param>
/// <param name="serverNonce">The server nonce for the new activation; not inspected here.</param>
/// <param name="identityToken">Receives the decoded user identity token.</param>
/// <param name="userTokenPolicy">Receives the user token policy the identity token matched.</param>
/// <exception cref="ServiceResultException">
/// BadSecureChannelIdInvalid, BadSecurityPolicyRejected, BadApplicationSignatureInvalid or
/// BadInvalidArgument depending on which check failed; the identity token validation may raise others.
/// </exception>
public void ValidateBeforeActivate(
    OperationContext context,
    SignatureData clientSignature,
    List<SoftwareCertificate> clientSoftwareCertificates,
    ExtensionObject userIdentityToken,
    SignatureData userTokenSignature,
    StringCollection localeIds,
    byte[] serverNonce,
    out UserIdentityToken identityToken,
    out UserTokenPolicy userTokenPolicy)
{
    lock (m_lock)
    {
        // a request that did not arrive over a secure channel cannot be evaluated.
        var channelContext = context.ChannelContext;

        if (channelContext == null)
        {
            throw new ServiceResultException(StatusCodes.BadSecureChannelIdInvalid);
        }

        // the channel must use the same security policy and mode as the session's endpoint.
        EndpointDescription requestEndpoint = channelContext.EndpointDescription;
        bool samePolicy = requestEndpoint.SecurityPolicyUri == m_endpoint.SecurityPolicyUri;
        bool sameMode = requestEndpoint.SecurityMode == m_endpoint.SecurityMode;

        if (!(samePolicy && sameMode))
        {
            throw new ServiceResultException(StatusCodes.BadSecurityPolicyRejected);
        }

        // when the client presented a certificate it must prove possession of the private key
        // by signing the server certificate concatenated with the server nonce it was given.
        if (m_clientCertificate != null)
        {
            byte[] signedData = Utils.Append(m_serverCertificate.RawData, m_serverNonce);
            bool signatureOk = SecurityPolicies.Verify(
                m_clientCertificate,
                m_endpoint.SecurityPolicyUri,
                signedData,
                clientSignature);

            if (!signatureOk)
            {
                throw new ServiceResultException(StatusCodes.BadApplicationSignatureInvalid);
            }
        }

        if (m_activated)
        {
            // software certificates are fixed once the session has been activated.
            bool certificatesSupplied =
                clientSoftwareCertificates != null && clientSoftwareCertificates.Count > 0;

            if (certificatesSupplied)
            {
                throw new ServiceResultException(StatusCodes.BadInvalidArgument);
            }
        }
        else if (m_secureChannelId != channelContext.SecureChannelId)
        {
            // the first activation must come over the channel the session was created on.
            throw new ServiceResultException(StatusCodes.BadSecureChannelIdInvalid);
        }

        // decode the user identity token and find the policy it was issued under.
        identityToken = ValidateUserIdentityToken(
            userIdentityToken,
            userTokenSignature,
            out userTokenPolicy);

        TraceState("VALIDATED");
    }
}
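/// <summary>
/// Activates an existing session
/// </summary>
/// <remarks>
/// The session is looked up by its authentication token under <c>m_lock</c>; an unknown or
/// expired session is reported as BadSessionClosed (an expired one is closed first). A fresh
/// server nonce is created and the request is validated against the session. Outside the
/// session lock, the optional ImpersonateUser callback may validate the identity token and
/// supply the identity and effective identity; when it supplies none, the identity is built
/// from the token itself. The session is then activated and, if its identity context changed,
/// a SessionEventReason.Activated event is raised.
/// </remarks>
/// <param name="context">The operation context of the ActivateSession request.</param>
/// <param name="authenticationToken">The authentication token that identifies the session.</param>
/// <param name="clientSignature">The client signature over the server certificate and previous server nonce.</param>
/// <param name="clientSoftwareCertificates">Software certificates supplied by the client.</param>
/// <param name="userIdentityToken">The encoded user identity token.</param>
/// <param name="userTokenSignature">The signature supplied with the user identity token.</param>
/// <param name="localeIds">Locales requested by the client.</param>
/// <param name="serverNonce">Receives the new server nonce (null if the request fails before one is created).</param>
/// <returns>true if the identity context for the session has changed.</returns>
/// <exception cref="ServiceResultException">
/// BadSessionClosed when the session is unknown or expired; whatever the validation step raises;
/// BadIdentityTokenInvalid when building the identity fails for any other reason; or the error
/// reported by the ImpersonateUser callback.
/// </exception>
public virtual bool ActivateSession(
    OperationContext context,
    NodeId authenticationToken,
    SignatureData clientSignature,
    List<SoftwareCertificate> clientSoftwareCertificates,
    ExtensionObject userIdentityToken,
    SignatureData userTokenSignature,
    StringCollection localeIds,
    out byte[] serverNonce)
{
    serverNonce = null;
    Session session = null;
    UserIdentityToken newIdentity = null;
    UserTokenPolicy userTokenPolicy = null;

    lock (m_lock)
    {
        // find session.
        if (!m_sessions.TryGetValue(authenticationToken, out session))
        {
            throw new ServiceResultException(StatusCodes.BadSessionClosed);
        }

        // check if session timeout has expired.
        if (session.HasExpired)
        {
            m_server.CloseSession(null, session.Id, false);
            throw new ServiceResultException(StatusCodes.BadSessionClosed);
        }

        // create new server nonce.
        serverNonce = Utils.Nonce.CreateNonce((uint)m_minNonceLength);

        // validate before activation (signature, channel and identity token checks).
        session.ValidateBeforeActivate(
            context,
            clientSignature,
            clientSoftwareCertificates,
            userIdentityToken,
            userTokenSignature,
            localeIds,
            serverNonce,
            out newIdentity,
            out userTokenPolicy);
    }

    IUserIdentity identity = null;
    IUserIdentity effectiveIdentity = null;
    ServiceResult error = null;

    try
    {
        // check if the application has a callback which validates the identity tokens.
        lock (m_eventLock)
        {
            if (m_ImpersonateUser != null)
            {
                ImpersonateEventArgs args = new ImpersonateEventArgs(newIdentity, userTokenPolicy);
                m_ImpersonateUser(session, args);

                if (ServiceResult.IsBad(args.IdentityValidationError))
                {
                    error = args.IdentityValidationError;
                }
                else
                {
                    identity = args.Identity;
                    effectiveIdentity = args.EffectiveIdentity;
                }
            }
        }

        // parse the token manually if the identity is not provided.
        if (identity == null)
        {
            identity = new UserIdentity(newIdentity);
        }

        // use the identity as the effectiveIdentity if not provided.
        if (effectiveIdentity == null)
        {
            effectiveIdentity = identity;
        }
    }
    catch (Exception e)
    {
        // a ServiceResultException already carries the right status code; rethrow it
        // as-is (`throw;` rather than `throw e;`) so the original stack trace is kept.
        if (e is ServiceResultException)
        {
            throw;
        }

        // NOTE(review): newIdentity is formatted into the error text; confirm that
        // UserIdentityToken's string form carries no credential material before this
        // message can reach a log or the client.
        throw ServiceResultException.Create(
            StatusCodes.BadIdentityTokenInvalid,
            e,
            "Could not validate user identity token: {0}",
            newIdentity);
    }

    // check for validation error.
    if (ServiceResult.IsBad(error))
    {
        throw new ServiceResultException(error);
    }

    // activate session.
    bool contextChanged = session.Activate(
        context,
        clientSoftwareCertificates,
        newIdentity,
        identity,
        effectiveIdentity,
        localeIds,
        serverNonce);

    // raise session related event.
    if (contextChanged)
    {
        RaiseSessionEvent(session, SessionEventReason.Activated);
    }

    // indicates that the identity context for the session has changed.
    return contextChanged;
}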