Author: bendewey Date: Thu Jul 9 23:27:37 2009 New Revision: 792747 URL: http://svn.apache.org/viewvc?rev=792747&view=rev Log: commit for STONEHENGE-72
Added:
incubator/stonehenge/trunk/stocktrader/dotnet/common/StockTraderUtility/ConfigCertificatePolicy.cs
incubator/stonehenge/trunk/stocktrader/dotnet/common/StockTraderUtility/CustomCertificateValidator.cs
incubator/stonehenge/trunk/stocktrader/dotnet/common/StockTraderUtility/CustomUserNameValidator.cs
Modified:
incubator/stonehenge/trunk/stocktrader/dotnet/common/StockTraderUtility/Utility.cs
incubator/stonehenge/trunk/stocktrader/dotnet/common/StockTraderUtility/Utility.csproj
Added: incubator/stonehenge/trunk/stocktrader/dotnet/common/StockTraderUtility/ConfigCertificatePolicy.cs
URL: http://svn.apache.org/viewvc/incubator/stonehenge/trunk/stocktrader/dotnet/common/StockTraderUtility/ConfigCertificatePolicy.cs?rev=792747&view=auto
==============================================================================
--- incubator/stonehenge/trunk/stocktrader/dotnet/common/StockTraderUtility/ConfigCertificatePolicy.cs (added)
+++ incubator/stonehenge/trunk/stocktrader/dotnet/common/StockTraderUtility/ConfigCertificatePolicy.cs Thu Jul 9 23:27:37 2009
@@ -0,0 +1,66 @@
+//
+// Licensed to the Apache Software Foundation (ASF) under one or more
+// contributor license agreements. See the NOTICE file distributed with
+// this work for additional information regarding copyright ownership.
+// The ASF licenses this file to You under the Apache License, Version 2.0
+// (the "License"); you may not use this file except in compliance with
+// the License. You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+//
+
+using System.Net.Security;
+using System.Security.Cryptography.X509Certificates;
+
+namespace Trade.Utility
+{
+ //======================================================================================================
+ //This class contains abstract classes that can be optionally used to authenticate clients when using
+ //advanced Web Services security modes. Three abstract classes are provided, such that any can be
+ //overridden and customized. The first ConfigCertificatePolicy, allows the developer to set a custom
+ //policy for certificates. This is necessary to allow test/dev/self-signed certificates, or else
+ //all WCF operations secured with such a cert would be rejected by WCf clients. Note that the base
+ //SettingsBase class provides a stock instance of this class, which allows all certs if the repository
+ //setting "Accept All Certificates for Development Testing" is set to true. The base instance, which
+ //can be overridden itself within any Settings class (use the new keyword to define the field certificatePolicy
+ //with your implementation class if you want.
+ //
+ //The next two classes are custom validators that are provided. The first class (CustomUserNameValidator)
+ //works with message level security (which always requires a service X.509 certificate) and Username
+ //client credentials. It overrides the default Validate method of the Windows UserNamePassWordValidator to
+ //instead validate against the ConfigService Users table. See StockTrader Business Services for an example with
+ //Message security and Username client credentials.
+ //The second class (CustomCertificateValidator) overrides the Validate method of the Windows X509CertificateValidator
+ //to only allow specified set of client certificates to have access to secured endpoints.
+ //======================================================================================================
+
+ /// <summary>
+ /// This class is used when repository setting 'ACCEPT_ALL_CERTIFICATES' is set to true, to allow service
+ /// connections via Test (dev-created) certificates. You can override the CheckValidationResult as desired,
+ /// to add a more restrictive/custom policy.
+ /// </summary>
+ public abstract class ConfigCertificatePolicy
+ {
+ /// <summary>
+ /// As advertised, always OK. Do not have 'ACCEPT_ALL_CERTIFICATES' set to true for production; or override for more restrictive,
+ /// custom policy.
+ /// </summary>
+ /// <param name="sender"></param>
+ /// <param name="certificate"></param>
+ /// <param name="chain"></param>
+ /// <param name="sslPolicyErrors"></param>
+ /// <returns></returns>
+ public virtual bool CheckValidationResult(object sender, X509Certificate certificate, X509Chain chain, SslPolicyErrors sslPolicyErrors)
+ {
+ bool validationResult = true;
+ //Optional add a more restrictive policy here.
+ return validationResult;
+ }
+ }
+}
\ No newline at end of file
Added: incubator/stonehenge/trunk/stocktrader/dotnet/common/StockTraderUtility/CustomCertificateValidator.cs
URL: http://svn.apache.org/viewvc/incubator/stonehenge/trunk/stocktrader/dotnet/common/StockTraderUtility/CustomCertificateValidator.cs?rev=792747&view=auto
==============================================================================
--- incubator/stonehenge/trunk/stocktrader/dotnet/common/StockTraderUtility/CustomCertificateValidator.cs (added)
+++ incubator/stonehenge/trunk/stocktrader/dotnet/common/StockTraderUtility/CustomCertificateValidator.cs Thu Jul 9 23:27:37 2009
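Review bot: `CheckValidationResult` returns `true` without reading `sslPolicyErrors` or `chain`, and nothing in this file consults the 'ACCEPT_ALL_CERTIFICATES' setting the summary refers to, so the accept-all behaviour relies entirely on the caller (the header comment names SettingsBase, which is not part of this commit) installing this policy only when that setting is on. That contract should be stated in the method comment, e.g. `// Accept-all is intentional for dev/test certificates; this method does not check ACCEPT_ALL_CERTIFICATES itself, the caller must only install this policy when that setting is true.` The four `<param>` and the `<returns>` tags are empty; filling them (`sslPolicyErrors`: the errors reported by the SSL layer, `returns`: true to accept the certificate) would make the override contract clear to subclasses. If a fail-closed default is wanted for subclasses that forget to override, `return sslPolicyErrors == SslPolicyErrors.None;` is the one-line alternative, but that changes the documented accept-all behaviour and needs a decision rather than a silent swap.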
@@ -0,0 +1,100 @@
+//
+// Licensed to the Apache Software Foundation (ASF) under one or more
+// contributor license agreements. See the NOTICE file distributed with
+// this work for additional information regarding copyright ownership.
+// The ASF licenses this file to You under the Apache License, Version 2.0
+// (the "License"); you may not use this file except in compliance with
+// the License. You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+//
+
+using System;
+using System.IdentityModel.Selectors;
+using System.IdentityModel.Tokens;
+using System.Security.Cryptography.X509Certificates;
+
+namespace Trade.Utility
+{
+ /// <summary>
+ /// Provides a base class that allows customization of certificate validation.
+ /// Specifically, enables certificates to be identified specifically based on a list of
+ /// authorized cert thumbprints. See StockTrader Order Processor Service for an example of
+ /// use, as this sample component uses it to ensure only clients using the authorized
+ /// BSLClient certificate are accepted.
+ /// </summary>
+ public abstract class CustomCertificateValidator : X509CertificateValidator
+ {
+ /// <summary>
+ /// Override with a provided method that returns an array
+ /// of thumbprints as strings.
+ /// </summary>
+ /// <returns></returns>
+ protected abstract string[] getAllowedThumbprints();
+
+ public override void Validate(X509Certificate2 certificate)
+ {
+ // create chain and set validation options
+ X509Chain chain = new X509Chain();
+ SetValidationSettings(chain);
+
+ // optional check if cert is valid
+ if (!chain.Build(certificate))
+ {
+ throw new SecurityTokenValidationException("Client certificate is not valid!");
+ }
+
+ // check if cert is from our trusted list
+ if (!isTrusted(chain, getAllowedThumbprints()))
+ {
+ throw new SecurityTokenValidationException("Client certificate is not trusted!");
+ }
+ }
+
+ /// <summary>
+ /// The base goes with default settings, you could override this method to change them, however.
+ /// </summary>
+ /// <param name="chain"></param>
+ protected virtual void SetValidationSettings(X509Chain chain)
+ {
+ //override to set customer settings.
+ }
+
+ /// <summary>
+ /// Determines if the end certificate in a chain is in the list of trusted certs.
+ /// You could add logic to perform checks across the whole chain if desired.
+ /// </summary>
+ /// <param name="chain"></param>
+ /// <param name="trustedThumbprints"></param>
+ /// <returns></returns>
+ protected virtual bool isTrusted(X509Chain chain, string[] trustedThumbprints)
+ {
+ return CheckThumbprint(chain.ChainElements[0].Certificate, trustedThumbprints);
+ }
+
+ /// <summary>
+ /// Check if a cert is in the trust list.
+ /// </summary>
+ /// <param name="certificate">Cert to check.</param>
+ /// <param name="trustedThumbprints">List of authorized certs' thumbprints</param>
+ /// <returns></returns>
+ private bool CheckThumbprint(X509Certificate2 certificate, string[] trustedThumbprints)
+ {
+ foreach (string thumbprint in trustedThumbprints)
+ {
+ if (string.Equals(certificate.Thumbprint, thumbprint, StringComparison.OrdinalIgnoreCase))
+ {
+ return true;
+ }
+ }
+
+ return false;
+ }
+ }
+}
\ No newline at end of file
Added: incubator/stonehenge/trunk/stocktrader/dotnet/common/StockTraderUtility/CustomUserNameValidator.cs
URL: http://svn.apache.org/viewvc/incubator/stonehenge/trunk/stocktrader/dotnet/common/StockTraderUtility/CustomUserNameValidator.cs?rev=792747&view=auto
==============================================================================
--- incubator/stonehenge/trunk/stocktrader/dotnet/common/StockTraderUtility/CustomUserNameValidator.cs (added)
+++ incubator/stonehenge/trunk/stocktrader/dotnet/common/StockTraderUtility/CustomUserNameValidator.cs Thu Jul 9 23:27:37 2009
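Review bot: `Validate` hands `getAllowedThumbprints()` straight to `isTrusted`/`CheckThumbprint`, so a subclass that returns `null` (an unconfigured list) fails with a NullReferenceException inside the `foreach` instead of the `SecurityTokenValidationException` callers of this validator expect, and a `null` `certificate` likewise reaches `chain.Build` unchecked. Suggest `if (certificate == null) throw new SecurityTokenValidationException("Client certificate is missing!");` at the top of `Validate`, and `string[] allowed = getAllowedThumbprints() ?? new string[0];` before the trust check so an empty or missing list rejects every certificate rather than throwing an unrelated exception. `X509Chain` implements IDisposable on later .NET versions; if the project targets one of those, a `using` around the chain avoids holding native chain resources until finalization — confirm the target framework. As a style point, the new protected members `getAllowedThumbprints` and `isTrusted` are camelCase while the sibling `SetValidationSettings` and `CheckThumbprint` are PascalCase; since these are new files, aligning them now is cheaper than after subclasses depend on the names.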
@@ -0,0 +1,38 @@
+//
+// Licensed to the Apache Software Foundation (ASF) under one or more
+// contributor license agreements. See the NOTICE file distributed with
+// this work for additional information regarding copyright ownership.
+// The ASF licenses this file to You under the Apache License, Version 2.0
+// (the "License"); you may not use this file except in compliance with
+// the License. You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+//
+
+using System.IdentityModel.Selectors;
+
+namespace Trade.Utility
+{
+ /// <summary>
+ /// Note how this class is tied in via a ServiceBehavior, defined in config, to override default Windows auth validation.
+ /// </summary>
+ public abstract class CustomUserNameValidator : UserNamePasswordValidator
+ {
+ /// <summary>
+ /// Overrides to instead validate the username/password against the Configuration DB Users table.
+ /// </summary>
+ /// <param name="userName">User id coming in as UserName credentials from client.</param>
+ /// <param name="password">Password coming in as UserName credentials from client.</param>
+ public override void Validate(string userName, string password)
+ {
+ //Add custom user name validation if desired here. Will only be activated if binding security is
+ //set for ClientCredentials = UserName.
+ }
+ }
+}
\ No newline at end of file
Modified: incubator/stonehenge/trunk/stocktrader/dotnet/common/StockTraderUtility/Utility.cs
URL: http://svn.apache.org/viewvc/incubator/stonehenge/trunk/stocktrader/dotnet/common/StockTraderUtility/Utility.cs?rev=792747&r1=792746&r2=792747&view=diff
==============================================================================
--- incubator/stonehenge/trunk/stocktrader/dotnet/common/StockTraderUtility/Utility.cs (original)
+++ incubator/stonehenge/trunk/stocktrader/dotnet/common/StockTraderUtility/Utility.cs Thu Jul 9 23:27:37 2009
@@ -34,15 +34,9 @@
 using System;
 using System.Collections.Generic;
-using System.Text;
 using System.Diagnostics;
-using System.Net.Security;
 using System.ServiceModel;
 using System.ServiceModel.Description;
-using System.ServiceModel.Configuration;
-using System.IdentityModel.Tokens;
-using System.IdentityModel.Selectors;
-using System.Security.Cryptography.X509Certificates;
 namespace Trade.Utility
 {
@@ -198,7 +192,7 @@
 /// <param name="message">String with message to display/log.</param>
 /// <param name="messageType">Event Log entry type code</param>
 /// <param name="logEntry">Whether to log entry. Entry will be logged if configuration database is set for detailed logging and this parameter is true</param>
- /// <param name="settingsInstance">Instance of the Settings class for the service host. Used to determine if detailed logging is on and Event Log Source name.</param>
+ /// <param name="eventLog">The event log source name</param>
 public static void writeConsoleMessage(string message, EventLogEntryType messageType, bool logEntry, string eventLog)
 {
 try
@@ -217,7 +211,7 @@
 /// <param name="message">String with message to display/log.</param>
 /// <param name="messageType">Event Log entry type code</param>
 /// <param name="logEntry">Whether to log entry. Entry will be logged if configuration database is set for detailed logging and this parameter is true</param>
- /// <param name="settingsInstance">Instance of the Settings class for the service host. Used to determine if detailed logging is on and Event Log Source name.</param>
+ /// <param name="eventLog">The event log source name</param>
 public static void writeErrorConsoleMessage(string message, EventLogEntryType messageType, bool logEntry, string eventLog)
 {
 try
@@ -229,11 +223,11 @@
 }
 }
- /// <summary>Writes to event log. </summary>
+ /// <summary>Writes to event log.</summary>
 /// <param name="message">String with message to display/log.</param>
 /// <param name="messageType">Event Log entry type code</param>
 /// <param name="logEntry">Whether to log entry. Entry will be logged if configuration database is set for detailed logging and this parameter is true</param>
- /// <param name="settingsInstance">Instance of the Settings class for the service host. Used to determine if detailed logging is on and Event Log Source name.</param>
+ /// <param name="eventLog">The event log source name</param>
 public static void LogMessage(string message, EventLogEntryType messageType, bool logEntry, string eventLog)
 {
 if (!logEntry)
@@ -323,153 +317,5 @@
 Console.WriteLine();
 }
 }
-
-
-//======================================================================================================
-//This class contains abstract classes that can be optionally used to authenticate clients when using
-//advanced Web Services security modes. Three abstract classes are provided, such that any can be
-//overridden and customized. The first ConfigCertificatePolicy, allows the developer to set a custom
-//policy for certificates. This is necessary to allow test/dev/self-signed certificates, or else
-//all WCF operations secured with such a cert would be rejected by WCf clients. Note that the base
-//SettingsBase class provides a stock instance of this class, which allows all certs if the repository
-//setting "Accept All Certificates for Development Testing" is set to true. The base instance, which
-//can be overridden itself within any Settings class (use the new keyword to define the field certificatePolicy
-//with your implementation class if you want.
-//
-//The next two classes are custom validators that are provided. The first class (CustomUserNameValidator)
-//works with message level security (which always requires a service X.509 certificate) and Username
-//client credentials. It overrides the default Validate method of the Windows UserNamePassWordValidator to
-//instead validate against the ConfigService Users table. See StockTrader Business Services for an example with
-//Message security and Username client credentials.
-//The second class (CustomCertificateValidator) overrides the Validate method of the Windows X509CertificateValidator
-//to only allow specified set of client certificates to have access to secured endpoints.
-//======================================================================================================
-
- /// <summary>
- /// This class is used when repository setting 'ACCEPT_ALL_CERTIFICATES' is set to true, to allow service
- /// connections via Test (dev-created) certificates. You can override the CheckValidationResult as desired,
- /// to add a more restrictive/custom policy.
- /// </summary>
- public abstract class ConfigCertificatePolicy
- {
- public ConfigCertificatePolicy()
- {
- }
-
- /// <summary>
- /// As advertised, always OK. Do not have 'ACCEPT_ALL_CERTIFICATES' set to true for production; or override for more restrictive,
- /// custom policy.
- /// </summary>
- /// <param name="sender"></param>
- /// <param name="certificate"></param>
- /// <param name="chain"></param>
- /// <param name="sslPolicyErrors"></param>
- /// <returns></returns>
- public virtual bool CheckValidationResult(object sender, X509Certificate certificate, X509Chain chain, SslPolicyErrors sslPolicyErrors)
- {
- bool validationResult = true;
- //Optional add a more restrictive policy here.
- return validationResult;
- }
- }
-
-
- /// <summary>
- /// Note how this class is tied in via a ServiceBehavior, defined in config, to override default Windows auth validation.
- /// </summary>
- public abstract class CustomUserNameValidator : UserNamePasswordValidator
- {
- /// <summary>
- /// Overrides to instead validate the username/password against the Configuration DB Users table.
- /// </summary>
- /// <param name="userName">User id coming in as UserName credentials from client.</param>
- /// <param name="password">Password coming in as UserName credentials from client.</param>
- public override void Validate(string userName, string password)
- {
- //Add custom user name validation if desired here. Will only be activated if binding security is
- //set for ClientCredentials = UserName.
- }
- }
-
- /// <summary>
- /// Provides a base class that allows customization of certificate validation.
- /// Specifically, enables certificates to be identified specifically based on a list of
- /// authorized cert thumbprints. See StockTrader Order Processor Service for an example of
- /// use, as this sample component uses it to ensure only clients using the authorized
- /// BSLClient certificate are accepted.
- /// </summary>
- public abstract class CustomCertificateValidator : X509CertificateValidator
- {
- /// <summary>
- /// Override with a provided method that returns an array
- /// of thumbprints as strings.
- /// </summary>
- /// <returns></returns>
- protected abstract string[] getAllowedThumbprints();
-
- public override void Validate(X509Certificate2 certificate)
- {
- // create chain and set validation options
- X509Chain chain = new X509Chain();
- SetValidationSettings(chain);
-
- // optional check if cert is valid
- if (!chain.Build(certificate))
- {
- throw new SecurityTokenValidationException("Client certificate is not valid!");
- }
-
- // check if cert is from our trusted list
- if (!isTrusted(chain, getAllowedThumbprints()))
- {
- throw new SecurityTokenValidationException("Client certificate is not trusted!");
- }
- }
-
- /// <summary>
- /// The base goes with default settings, you could override this method to change them, however.
- /// </summary>
- /// <param name="chain"></param>
- protected virtual void SetValidationSettings(X509Chain chain)
- {
- //override to set customer settings.
- }
-
- /// <summary>
- /// Determines if the end certificate in a chain is in the list of trusted certs.
- /// You could add logic to perform checks across the whole chain if desired.
- /// </summary> - /// <param name="chain"></param> - /// <param name="trustedThumbprints"></param> - /// <returns></returns> - protected virtual bool isTrusted(X509Chain chain, string[] trustedThumbprints) - { - return CheckThumbprint(chain.ChainElements[0].Certificate, trustedThumbprints); - } - - /// <summary> - /// Check if a cert is in the trust list. - /// </summary> - /// <param name="certificate">Cert to check.</param> - /// <param name="trustedThumbprints">List of authorized certs' thumbprints</param> - /// <returns></returns> - private bool CheckThumbprint(X509Certificate2 certificate, string[] trustedThumbprints) - { - foreach (string thumbprint in trustedThumbprints) - { - if (string.Equals(certificate.Thumbprint, thumbprint, StringComparison.OrdinalIgnoreCase)) - { - return true; - } - } - - return false; - } - - - - } - - } Modified: incubator/stonehenge/trunk/stocktrader/dotnet/common/StockTraderUtility/Utility.csproj URL: http://svn.apache.org/viewvc/incubator/stonehenge/trunk/stocktrader/dotnet/common/StockTraderUtility/Utility.csproj?rev=792747&r1=792746&r2=792747&view=diff ============================================================================== --- incubator/stonehenge/trunk/stocktrader/dotnet/common/StockTraderUtility/Utility.csproj (original) +++ incubator/stonehenge/trunk/stocktrader/dotnet/common/StockTraderUtility/Utility.csproj Thu Jul 9 23:27:37 2009 @@ -61,6 +61,9 @@ <Reference Include="System.Xml" /> </ItemGroup> <ItemGroup> + <Compile Include="ConfigCertificatePolicy.cs" /> + <Compile Include="CustomCertificateValidator.cs" /> + <Compile Include="CustomUserNameValidator.cs" /> <Compile Include="SQLHelper.cs" /> <Compile Include="Utility.cs" /> <Compile Include="Properties\AssemblyInfo.cs" />