Author: bendewey
Date: Thu Jul  9 23:27:37 2009
New Revision: 792747

URL: http://svn.apache.org/viewvc?rev=792747&view=rev
Log:
commit for STONEHENGE-72

Added:
    
incubator/stonehenge/trunk/stocktrader/dotnet/common/StockTraderUtility/ConfigCertificatePolicy.cs
    
incubator/stonehenge/trunk/stocktrader/dotnet/common/StockTraderUtility/CustomCertificateValidator.cs
    
incubator/stonehenge/trunk/stocktrader/dotnet/common/StockTraderUtility/CustomUserNameValidator.cs
Modified:
    
incubator/stonehenge/trunk/stocktrader/dotnet/common/StockTraderUtility/Utility.cs
    
incubator/stonehenge/trunk/stocktrader/dotnet/common/StockTraderUtility/Utility.csproj

Added: 
incubator/stonehenge/trunk/stocktrader/dotnet/common/StockTraderUtility/ConfigCertificatePolicy.cs
URL: 
http://svn.apache.org/viewvc/incubator/stonehenge/trunk/stocktrader/dotnet/common/StockTraderUtility/ConfigCertificatePolicy.cs?rev=792747&view=auto
==============================================================================
--- 
incubator/stonehenge/trunk/stocktrader/dotnet/common/StockTraderUtility/ConfigCertificatePolicy.cs
 (added)
+++ 
incubator/stonehenge/trunk/stocktrader/dotnet/common/StockTraderUtility/ConfigCertificatePolicy.cs
 Thu Jul  9 23:27:37 2009
@@ -0,0 +1,66 @@
+//
+// Licensed to the Apache Software Foundation (ASF) under one or more
+// contributor license agreements.  See the NOTICE file distributed with
+// this work for additional information regarding copyright ownership.
+// The ASF licenses this file to You under the Apache License, Version 2.0
+// (the "License"); you may not use this file except in compliance with
+// the License.  You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+//
+
+using System.Net.Security;
+using System.Security.Cryptography.X509Certificates;
+
+namespace Trade.Utility
+{
+    
//======================================================================================================
+    //This class contains abstract classes that can be optionally used to 
authenticate clients when using
+    //advanced Web Services security modes.  Three abstract classes are 
provided, such that any can be
+    //overridden and customized.  The first ConfigCertificatePolicy, allows 
the developer to set a custom
+    //policy for certificates.  This is necessary to allow 
test/dev/self-signed certificates, or else
+    //all WCF operations secured with such a cert would be rejected by WCf 
clients.  Note that the base
+    //SettingsBase class provides a stock instance of this class, which allows 
all certs if the repository
+    //setting "Accept All Certificates for Development Testing" is set to 
true.  The base instance, which
+    //can be overridden itself within any Settings class (use the new keyword 
to define the field certificatePolicy
+    //with your implementation class if you want. 
+    //
+    //The next two classes are custom validators that are provided.  The first 
class (CustomUserNameValidator)
+    //works with message level security (which always requires a service X.509 
certificate) and Username
+    //client credentials.  It overrides the default Validate method of the 
Windows UserNamePassWordValidator to
+    //instead validate against the ConfigService Users table. See StockTrader 
Business Services for an example with
+    //Message security and Username client credentials. 
+    //The second class (CustomCertificateValidator) overrides the Validate 
method of the Windows X509CertificateValidator 
+    //to only allow specified set of client certificates to have access to 
secured endpoints.
+    
//======================================================================================================
+
+    /// <summary>
+    /// This class is used when repository setting 'ACCEPT_ALL_CERTIFICATES' 
is set to true, to allow service
+    /// connections via Test (dev-created) certificates.  You can override the 
CheckValidationResult as desired,
+    /// to add a more restrictive/custom policy.
+    /// </summary>
+    public abstract class ConfigCertificatePolicy
+    {
+        /// <summary>
+        /// As advertised, always OK.  Do not have 'ACCEPT_ALL_CERTIFICATES' 
set to true for production; or override for more restrictive,
+        /// custom policy.
+        /// </summary>
+        /// <param name="sender"></param>
+        /// <param name="certificate"></param>
+        /// <param name="chain"></param>
+        /// <param name="sslPolicyErrors"></param>
+        /// <returns></returns>
+        public virtual bool CheckValidationResult(object sender, 
X509Certificate certificate, X509Chain chain, SslPolicyErrors sslPolicyErrors)
+        {
+            bool validationResult = true;
+            //Optional add a more restrictive policy here.
+            return validationResult;
+        }
+    }
+}
\ No newline at end of file
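Review bot: CheckValidationResult (the last method of the hunk) discards all three of `certificate`, `chain` and `sslPolicyErrors` and returns true unconditionally, but the four empty `<param>` tags do not say so, so an override author cannot tell from the doc that nothing about the connection is inspected by the base. Suggest filling the tags, e.g. `/// <param name="sslPolicyErrors">Errors the channel reported; this base implementation ignores them and accepts every certificate.</param>`, with matching wording for `certificate` and `chain`, and a `<returns>Always true.</returns>`. The class carries no abstract members, so `abstract` here only prevents direct instantiation; if that is the intent, a one-line comment saying so would stop a reader from looking for a member to implement.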

Added: 
incubator/stonehenge/trunk/stocktrader/dotnet/common/StockTraderUtility/CustomCertificateValidator.cs
URL: 
http://svn.apache.org/viewvc/incubator/stonehenge/trunk/stocktrader/dotnet/common/StockTraderUtility/CustomCertificateValidator.cs?rev=792747&view=auto
==============================================================================
--- 
incubator/stonehenge/trunk/stocktrader/dotnet/common/StockTraderUtility/CustomCertificateValidator.cs
 (added)
+++ 
incubator/stonehenge/trunk/stocktrader/dotnet/common/StockTraderUtility/CustomCertificateValidator.cs
 Thu Jul  9 23:27:37 2009
@@ -0,0 +1,100 @@
+//
+// Licensed to the Apache Software Foundation (ASF) under one or more
+// contributor license agreements.  See the NOTICE file distributed with
+// this work for additional information regarding copyright ownership.
+// The ASF licenses this file to You under the Apache License, Version 2.0
+// (the "License"); you may not use this file except in compliance with
+// the License.  You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+//
+
+using System;
+using System.IdentityModel.Selectors;
+using System.IdentityModel.Tokens;
+using System.Security.Cryptography.X509Certificates;
+
+namespace Trade.Utility
+{
+    /// <summary>
+    /// Provides a base class that allows customization of certificate 
validation.
+    /// Specifically, enables certificates to be identified specifically based 
on a list of
+    /// authorized cert thumbprints.  See StockTrader Order Processor Service 
for an example of
+    /// use, as this sample component uses it to ensure only clients using the 
authorized 
+    /// BSLClient certificate are accepted.
+    /// </summary>
+    public abstract class CustomCertificateValidator : X509CertificateValidator
+    {
+        /// <summary>
+        /// Override with a provided method that returns an array 
+        /// of thumbprints as strings.
+        /// </summary>
+        /// <returns></returns>
+        protected abstract string[] getAllowedThumbprints();
+
+        public override void Validate(X509Certificate2 certificate)
+        {
+            // create chain and set validation options
+            X509Chain chain = new X509Chain();
+            SetValidationSettings(chain);
+
+            // optional check if cert is valid 
+            if (!chain.Build(certificate))
+            {
+                throw new SecurityTokenValidationException("Client certificate 
is not valid!");
+            }
+
+            // check if cert is from our trusted list
+            if (!isTrusted(chain, getAllowedThumbprints()))
+            {
+                throw new SecurityTokenValidationException("Client certificate 
is not trusted!");
+            }
+        }
+
+        /// <summary>
+        /// The base goes with default settings, you could override this 
method to change them, however.
+        /// </summary>
+        /// <param name="chain"></param>
+        protected virtual void SetValidationSettings(X509Chain chain)
+        {
+            //override to set customer settings.
+        }
+
+        /// <summary>
+        /// Determines if the end certificate in a chain is in the list of 
trusted certs.
+        /// You could add logic to perform checks across the whole chain if 
desired.
+        /// </summary>
+        /// <param name="chain"></param>
+        /// <param name="trustedThumbprints"></param>
+        /// <returns></returns>
+        protected virtual bool isTrusted(X509Chain chain, string[] 
trustedThumbprints)
+        {
+            return CheckThumbprint(chain.ChainElements[0].Certificate, 
trustedThumbprints);
+        }
+
+        /// <summary>
+        /// Check if a cert is in the trust list.
+        /// </summary>
+        /// <param name="certificate">Cert to check.</param>
+        /// <param name="trustedThumbprints">List of authorized certs' 
thumbprints</param>
+        /// <returns></returns>
+        private bool CheckThumbprint(X509Certificate2 certificate, string[] 
trustedThumbprints)
+        {
+            foreach (string thumbprint in trustedThumbprints)
+            {
+                if (string.Equals(certificate.Thumbprint, thumbprint, 
StringComparison.OrdinalIgnoreCase))
+                {
+                    return true;
+                }
+            }
+
+            return false;
+        }
+    }
+}
\ No newline at end of file
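Review bot: A null result from `getAllowedThumbprints()` surfaces as a NullReferenceException from the `foreach` in CheckThumbprint rather than the SecurityTokenValidationException the rest of Validate throws, because neither Validate nor CheckThumbprint guards the array. A one-line guard before the loop, `if (trustedThumbprints == null) return false;`, keeps a missing allow-list as an ordinary validation failure (fail closed) instead of an unhandled exception. The outcome of `chain.Build` is also collapsed to a bare "not valid!" message; the entries in `chain.ChainStatus` are what an operator needs to see which check failed, so consider recording them in whatever server-side logging the subclass has (no logger is visible in this file, so I cannot say where). Separately, `getAllowedThumbprints` and `isTrusted` are camelCase while the file's other members (`Validate`, `SetValidationSettings`, `CheckThumbprint`) are PascalCase.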

Added: 
incubator/stonehenge/trunk/stocktrader/dotnet/common/StockTraderUtility/CustomUserNameValidator.cs
URL: 
http://svn.apache.org/viewvc/incubator/stonehenge/trunk/stocktrader/dotnet/common/StockTraderUtility/CustomUserNameValidator.cs?rev=792747&view=auto
==============================================================================
--- 
incubator/stonehenge/trunk/stocktrader/dotnet/common/StockTraderUtility/CustomUserNameValidator.cs
 (added)
+++ 
incubator/stonehenge/trunk/stocktrader/dotnet/common/StockTraderUtility/CustomUserNameValidator.cs
 Thu Jul  9 23:27:37 2009
@@ -0,0 +1,38 @@
+//
+// Licensed to the Apache Software Foundation (ASF) under one or more
+// contributor license agreements.  See the NOTICE file distributed with
+// this work for additional information regarding copyright ownership.
+// The ASF licenses this file to You under the Apache License, Version 2.0
+// (the "License"); you may not use this file except in compliance with
+// the License.  You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+//
+
+using System.IdentityModel.Selectors;
+
+namespace Trade.Utility
+{
+    /// <summary>
+    /// Note how this class is tied in via a ServiceBehavior, defined in 
config, to override default Windows auth validation.
+    /// </summary>
+    public abstract class CustomUserNameValidator : UserNamePasswordValidator
+    {
+        /// <summary>
+        /// Overrides to instead validate the username/password against the 
Configuration DB Users table.
+        /// </summary>
+        /// <param name="userName">User id coming in as UserName credentials 
from client.</param>
+        /// <param name="password">Password coming in as UserName credentials 
from client.</param>
+        public override void Validate(string userName, string password)
+        {
+            //Add custom user name validation if desired here.  Will only be 
activated if binding security is
+            //set for ClientCredentials = UserName.
+        }
+    }
+}
\ No newline at end of file
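Review bot: The `Validate` override at the end of the hunk has an empty body, and for a `UserNamePasswordValidator` returning without throwing means the credential is accepted, so any concrete subclass that does not itself override `Validate` accepts every username/password combination once this validator is wired in via the ServiceBehavior the summary mentions. The `<summary>` says the method validates against the Configuration DB Users table, which the body does not do. Since the class is already abstract, declaring the member `public abstract override void Validate(string userName, string password);` forces each subclass to supply the check and removes the accept-all default; if a no-op default is genuinely intended, the summary should state that plainly instead.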

Modified: 
incubator/stonehenge/trunk/stocktrader/dotnet/common/StockTraderUtility/Utility.cs
URL: 
http://svn.apache.org/viewvc/incubator/stonehenge/trunk/stocktrader/dotnet/common/StockTraderUtility/Utility.cs?rev=792747&r1=792746&r2=792747&view=diff
==============================================================================
--- 
incubator/stonehenge/trunk/stocktrader/dotnet/common/StockTraderUtility/Utility.cs
 (original)
+++ 
incubator/stonehenge/trunk/stocktrader/dotnet/common/StockTraderUtility/Utility.cs
 Thu Jul  9 23:27:37 2009
@@ -34,15 +34,9 @@
 
 using System;
 using System.Collections.Generic;
-using System.Text;
 using System.Diagnostics;
-using System.Net.Security;
 using System.ServiceModel;
 using System.ServiceModel.Description;
-using System.ServiceModel.Configuration;
-using System.IdentityModel.Tokens;
-using System.IdentityModel.Selectors;
-using System.Security.Cryptography.X509Certificates;
 
 namespace Trade.Utility
 {
@@ -198,7 +192,7 @@
         /// <param name="message">String with message to display/log.</param> 
         /// <param name="messageType">Event Log entry type code</param> 
         /// <param name="logEntry">Whether to log entry.  Entry will be logged 
if configuration database is set for detailed logging and this parameter is 
true</param> 
-        /// <param name="settingsInstance">Instance of the Settings class for 
the service host. Used to determine if detailed logging is on and Event Log 
Source name.</param> 
+        /// <param name="eventLog">The event log source name</param> 
         public static void writeConsoleMessage(string message, 
EventLogEntryType messageType, bool logEntry, string eventLog)
         {
             try
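Review bot: The `<param name="logEntry">` text still says the entry is logged "if configuration database is set for detailed logging", but the parameter that carried that setting (`settingsInstance`) has been replaced by a plain `eventLog` source-name string, so the doc now describes a condition the signature no longer receives; unless the body (which continues outside the hunk) consults the configuration database some other way, the tag should read `/// <param name="logEntry">Whether to log the entry to the event log.</param>`. The same stale sentence is carried in the hunks at writeErrorConsoleMessage and LogMessage below.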
@@ -217,7 +211,7 @@
         /// <param name="message">String with message to display/log.</param> 
         /// <param name="messageType">Event Log entry type code</param> 
         /// <param name="logEntry">Whether to log entry.  Entry will be logged 
if configuration database is set for detailed logging and this parameter is 
true</param> 
-        /// <param name="settingsInstance">Instance of the Settings class for 
the service host. Used to determine if detailed logging is on and Event Log 
Source name.</param> 
+        /// <param name="eventLog">The event log source name</param>
         public static void writeErrorConsoleMessage(string message, 
EventLogEntryType messageType, bool logEntry, string eventLog)
         {
             try
@@ -229,11 +223,11 @@
             }
         }
 
-        /// <summary>Writes to event log. </summary>
+        /// <summary>Writes to event log.</summary>
         /// <param name="message">String with message to display/log.</param> 
         /// <param name="messageType">Event Log entry type code</param> 
         /// <param name="logEntry">Whether to log entry.  Entry will be logged 
if configuration database is set for detailed logging and this parameter is 
true</param> 
-        /// <param name="settingsInstance">Instance of the Settings class for 
the service host. Used to determine if detailed logging is on and Event Log 
Source name.</param> 
+        /// <param name="eventLog">The event log source name</param>
         public static void LogMessage(string message, EventLogEntryType 
messageType, bool logEntry, string eventLog)
         {
             if (!logEntry)
@@ -323,153 +317,5 @@
             Console.WriteLine();
         }
     }
-
-
-//======================================================================================================
-//This class contains abstract classes that can be optionally used to 
authenticate clients when using
-//advanced Web Services security modes.  Three abstract classes are provided, 
such that any can be
-//overridden and customized.  The first ConfigCertificatePolicy, allows the 
developer to set a custom
-//policy for certificates.  This is necessary to allow test/dev/self-signed 
certificates, or else
-//all WCF operations secured with such a cert would be rejected by WCf 
clients.  Note that the base
-//SettingsBase class provides a stock instance of this class, which allows all 
certs if the repository
-//setting "Accept All Certificates for Development Testing" is set to true.  
The base instance, which
-//can be overridden itself within any Settings class (use the new keyword to 
define the field certificatePolicy
-//with your implementation class if you want. 
-//
-//The next two classes are custom validators that are provided.  The first 
class (CustomUserNameValidator)
-//works with message level security (which always requires a service X.509 
certificate) and Username
-//client credentials.  It overrides the default Validate method of the Windows 
UserNamePassWordValidator to
-//instead validate against the ConfigService Users table. See StockTrader 
Business Services for an example with
-//Message security and Username client credentials. 
-//The second class (CustomCertificateValidator) overrides the Validate method 
of the Windows X509CertificateValidator 
-//to only allow specified set of client certificates to have access to secured 
endpoints.
-//======================================================================================================
-
-    /// <summary>
-    /// This class is used when repository setting 'ACCEPT_ALL_CERTIFICATES' 
is set to true, to allow service
-    /// connections via Test (dev-created) certificates.  You can override the 
CheckValidationResult as desired,
-    /// to add a more restrictive/custom policy.
-    /// </summary>
-    public abstract class ConfigCertificatePolicy
-    {
-        public ConfigCertificatePolicy()
-        {
-        }
-
-        /// <summary>
-        /// As advertised, always OK.  Do not have 'ACCEPT_ALL_CERTIFICATES' 
set to true for production; or override for more restrictive,
-        /// custom policy.
-        /// </summary>
-        /// <param name="sender"></param>
-        /// <param name="certificate"></param>
-        /// <param name="chain"></param>
-        /// <param name="sslPolicyErrors"></param>
-        /// <returns></returns>
-        public virtual bool CheckValidationResult(object sender, 
X509Certificate certificate, X509Chain chain, SslPolicyErrors sslPolicyErrors)
-        {
-            bool validationResult = true;
-            //Optional add a more restrictive policy here.
-            return validationResult;
-        }
-    }
-
-
-    /// <summary>
-    /// Note how this class is tied in via a ServiceBehavior, defined in 
config, to override default Windows auth validation.
-    /// </summary>
-    public abstract class CustomUserNameValidator : UserNamePasswordValidator
-    {
-        /// <summary>
-        /// Overrides to instead validate the username/password against the 
Configuration DB Users table.
-        /// </summary>
-        /// <param name="userName">User id coming in as UserName credentials 
from client.</param>
-        /// <param name="password">Password coming in as UserName credentials 
from client.</param>
-        public override void Validate(string userName, string password)
-        {
-            //Add custom user name validation if desired here.  Will only be 
activated if binding security is
-            //set for ClientCredentials = UserName.
-        }
-    }
-
-    /// <summary>
-    /// Provides a base class that allows customization of certificate 
validation.
-    /// Specifically, enables certificates to be identified specifically based 
on a list of
-    /// authorized cert thumbprints.  See StockTrader Order Processor Service 
for an example of
-    /// use, as this sample component uses it to ensure only clients using the 
authorized 
-    /// BSLClient certificate are accepted.
-    /// </summary>
-    public abstract class CustomCertificateValidator : X509CertificateValidator
-    {
-        /// <summary>
-        /// Override with a provided method that returns an array 
-        /// of thumbprints as strings.
-        /// </summary>
-        /// <returns></returns>
-        protected abstract string[] getAllowedThumbprints();
-
-        public override void Validate(X509Certificate2 certificate)
-        {
-            // create chain and set validation options
-            X509Chain chain = new X509Chain();
-            SetValidationSettings(chain);
-
-            // optional check if cert is valid 
-            if (!chain.Build(certificate))
-            {
-                throw new SecurityTokenValidationException("Client certificate 
is not valid!");
-            }
-
-            // check if cert is from our trusted list
-            if (!isTrusted(chain, getAllowedThumbprints()))
-            {
-                throw new SecurityTokenValidationException("Client certificate 
is not trusted!");
-            }
-        }
-
-        /// <summary>
-        /// The base goes with default settings, you could override this 
method to change them, however.
-        /// </summary>
-        /// <param name="chain"></param>
-        protected virtual void SetValidationSettings(X509Chain chain)
-        {
-            //override to set customer settings.
-        }
-
-        /// <summary>
-        /// Determines if the end certificate in a chain is in the list of 
trusted certs.
-        /// You could add logic to perform checks across the whole chain if 
desired.
-        /// </summary>
-        /// <param name="chain"></param>
-        /// <param name="trustedThumbprints"></param>
-        /// <returns></returns>
-        protected virtual bool isTrusted(X509Chain chain, string[] 
trustedThumbprints)
-        {
-            return CheckThumbprint(chain.ChainElements[0].Certificate, 
trustedThumbprints);
-        }
-
-        /// <summary>
-        /// Check if a cert is in the trust list.
-        /// </summary>
-        /// <param name="certificate">Cert to check.</param>
-        /// <param name="trustedThumbprints">List of authorized certs' 
thumbprints</param>
-        /// <returns></returns>
-        private bool CheckThumbprint(X509Certificate2 certificate, string[] 
trustedThumbprints)
-        {
-            foreach (string thumbprint in trustedThumbprints)
-            {
-                if (string.Equals(certificate.Thumbprint, thumbprint, 
StringComparison.OrdinalIgnoreCase))
-                {
-                    return true;
-                }
-            }
-
-            return false;
-        }
-
- 
-
-    }
-
- 
 }
 

Modified: 
incubator/stonehenge/trunk/stocktrader/dotnet/common/StockTraderUtility/Utility.csproj
URL: 
http://svn.apache.org/viewvc/incubator/stonehenge/trunk/stocktrader/dotnet/common/StockTraderUtility/Utility.csproj?rev=792747&r1=792746&r2=792747&view=diff
==============================================================================
--- 
incubator/stonehenge/trunk/stocktrader/dotnet/common/StockTraderUtility/Utility.csproj
 (original)
+++ 
incubator/stonehenge/trunk/stocktrader/dotnet/common/StockTraderUtility/Utility.csproj
 Thu Jul  9 23:27:37 2009
@@ -61,6 +61,9 @@
     <Reference Include="System.Xml" />
   </ItemGroup>
   <ItemGroup>
+    <Compile Include="ConfigCertificatePolicy.cs" />
+    <Compile Include="CustomCertificateValidator.cs" />
+    <Compile Include="CustomUserNameValidator.cs" />
     <Compile Include="SQLHelper.cs" />
     <Compile Include="Utility.cs" />
     <Compile Include="Properties\AssemblyInfo.cs" />

