We need you! We're working hard on the next version of Developer Fusion - Let us know what you think we should be up to!

The Labs \ Source Viewer \ SSCLI \ System.Net \ AuthenticationManager

SSCLI

//------------------------------------------------------------------------------
// <copyright file="AuthenticationManager.cs" company="Microsoft">
//
//
// The use and distribution terms for this software are contained in the file
// named license.txt, which can be found in the root of this distribution.
// By using this software in any fashion, you are agreeing to be bound by the
// terms of this license.
//
// You must not remove this notice, or any other, from this software.
//
// </copyright>
//------------------------------------------------------------------------------
namespace System.Net
{
using System.Collections;
using System.Collections.Generic;
using System.Collections.Specialized;
using System.Configuration;
using System.Globalization;
using System.Net.Configuration;
using System.Reflection;
using System.Security.Permissions;
using System;
using System.Threading;
//
// A contract that applications can use to restrict auth scenarios in current appDomain
//
public interface ICredentialPolicy
{
bool ShouldSendCredential(Uri challengeUri, WebRequest request, NetworkCredential credential, IAuthenticationModule authenticationModule);
}
/// <devdoc>
/// <para>Manages the authentication modules called during the client authentication
/// process.</para>
/// </devdoc>
public class AuthenticationManager
{
//also used as a lock object
private static PrefixLookup s_ModuleBinding = new PrefixLookup();
private static ArrayList s_ModuleList;
private static ICredentialPolicy s_ICredentialPolicy;
private static SpnDictionary m_SpnDictionary = new SpnDictionary();
// not creatable...
//
private AuthenticationManager()
{
}
//
//
//
public static ICredentialPolicy CredentialPolicy {
get { return s_ICredentialPolicy; }
set {
ExceptionHelper.ControlPolicyPermission.Demand();
s_ICredentialPolicy = value;
}
}
//
//
public static StringDictionary CustomTargetNameDictionary {
get { return m_SpnDictionary; }
}
//
// This will give access to some internal methods
//
static internal SpnDictionary SpnDictionary {
get { return m_SpnDictionary; }
}
//
//
static internal void EnsureConfigLoaded()
{
try {
object o = ModuleList;
}
catch (Exception e) {
if (e is ThreadAbortException || e is OutOfMemoryException || e is StackOverflowException)
throw;
// A Config System has circular dependency on HttpWebRequest so they call this method to
// trigger the config. For some reason they don't want any exceptions from here.
}
catch {
// A Config System has circular dependency on HttpWebRequest so they call this method to
// trigger the config. For some reason they don't want any exceptions from here.
}
}
//
// ModuleList - static initialized property -
// contains list of Modules used for Authentication
//
private static ArrayList ModuleList {
get {
//
// GetConfig() might use us, so we have a circular dependency issue,
// that causes us to nest here, we grab the lock, only
// if we haven't initialized, or another thread is busy in initialization
//
if (s_ModuleList == null) {
lock (s_ModuleBinding) {
if (s_ModuleList == null) {
GlobalLog.Print("AuthenticationManager::Initialize(): calling ConfigurationManager.GetSection()");
// This will never come back as null. Additionally, it will
// have the items the user wants available.
List<Type> authenticationModuleTypes = AuthenticationModulesSectionInternal.GetSection().AuthenticationModules;
//
// Should be registered in a growing list of encryption/algorithm strengths
// basically, walk through a list of Types, and create new Auth objects
// from them.
//
// order is meaningful here:
// load the registered list of auth types
// with growing level of encryption.
//
ArrayList moduleList = new ArrayList();
IAuthenticationModule moduleToRegister;
foreach (Type type in authenticationModuleTypes) {
try {
// Binder
// no arguments
moduleToRegister = Activator.CreateInstance(type, BindingFlags.CreateInstance | BindingFlags.Instance | BindingFlags.NonPublic | BindingFlags.Public, null, new object[0], CultureInfo.InvariantCulture) as IAuthenticationModule;
if (moduleToRegister != null) {
GlobalLog.Print("WebRequest::Initialize(): Register:" + moduleToRegister.AuthenticationType);
RemoveAuthenticationType(moduleList, moduleToRegister.AuthenticationType);
moduleList.Add(moduleToRegister);
}
}
catch (Exception exception) {
//
// ignore failure (log exception for debugging)
//
GlobalLog.Print("AuthenticationManager::constructor failed to initialize: " + exception.ToString());
}
catch {
//
// ignore failure (log exception for debugging)
//
GlobalLog.Print("AuthenticationManager::constructor failed to initialize: Non-CLS Compliant Exception");
}
}
s_ModuleList = moduleList;
}
}
}
return s_ModuleList;
}
}
private static void RemoveAuthenticationType(ArrayList list, string typeToRemove)
{
for (int i = 0; i < list.Count; ++i) {
if (string.Compare(((IAuthenticationModule)list[i]).AuthenticationType, typeToRemove, StringComparison.OrdinalIgnoreCase) == 0) {
list.RemoveAt(i);
break;
}
}
}
/// <devdoc>
/// <para>Call each registered authentication module to determine the first module that
/// can respond to the authentication request.</para>
/// </devdoc>
public static Authorization Authenticate(string challenge, WebRequest request, ICredentials credentials)
{
//
// parameter validation
//
if (request == null) {
throw new ArgumentNullException("request");
}
if (credentials == null) {
throw new ArgumentNullException("credentials");
}
if (challenge == null) {
throw new ArgumentNullException("challenge");
}
GlobalLog.Print("AuthenticationManager::Authenticate() challenge:[" + challenge + "]");
Authorization response = null;
HttpWebRequest httpWebRequest = request as HttpWebRequest;
if (httpWebRequest != null && httpWebRequest.CurrentAuthenticationState.Module != null) {
response = httpWebRequest.CurrentAuthenticationState.Module.Authenticate(challenge, request, credentials);
}
else {
// This is the case where we would try to find the module on the first server challenge
lock (s_ModuleBinding) {
//
// fastest way of iterating on the ArryList
//
for (int i = 0; i < ModuleList.Count; i++) {
IAuthenticationModule authenticationModule = (IAuthenticationModule)ModuleList[i];
//
// the AuthenticationModule will
// 1) return a valid string on success
// 2) return null if it knows it cannot respond
// 3) throw if it could have responded but unexpectedly failed to do so
//
if (httpWebRequest != null) {
httpWebRequest.CurrentAuthenticationState.Module = authenticationModule;
}
response = authenticationModule.Authenticate(challenge, request, credentials);
if (response != null) {
//
// found the Authentication Module, return it
//
GlobalLog.Print("AuthenticationManager::Authenticate() found IAuthenticationModule:[" + authenticationModule.AuthenticationType + "]");
break;
}
}
}
}
return response;
}
/// <devdoc>
/// <para>Pre-authenticates a request.</para>
/// </devdoc>
public static Authorization PreAuthenticate(WebRequest request, ICredentials credentials)
{
GlobalLog.Print("AuthenticationManager::PreAuthenticate() request:" + ValidationHelper.HashString(request) + " credentials:" + ValidationHelper.HashString(credentials));
if (request == null) {
throw new ArgumentNullException("request");
}
if (credentials == null) {
return null;
}
HttpWebRequest httpWebRequest = request as HttpWebRequest;
IAuthenticationModule authenticationModule;
if (httpWebRequest == null)
return null;
//
// PrefixLookup is thread-safe
//
string moduleName = s_ModuleBinding.Lookup(httpWebRequest.ChallengedUri.AbsoluteUri) as string;
GlobalLog.Print("AuthenticationManager::PreAuthenticate() s_ModuleBinding.Lookup returns:" + ValidationHelper.ToString(moduleName));
if (moduleName == null)
return null;
authenticationModule = findModule(moduleName);
if (authenticationModule == null) {
// The module could have been unregistered
// No preauthentication is possible
return null;
}
// Otherwise invoke the PreAuthenticate method
// we're guaranteed that CanPreAuthenticate is true because we check before calling BindModule()
Authorization authorization = authenticationModule.PreAuthenticate(request, credentials);
if (authorization != null && !authorization.Complete && httpWebRequest != null)
httpWebRequest.CurrentAuthenticationState.Module = authenticationModule;
GlobalLog.Print("AuthenticationManager::PreAuthenticate() IAuthenticationModule.PreAuthenticate() returned authorization:" + ValidationHelper.HashString(authorization));
return authorization;
}
/// <devdoc>
/// <para>Registers an authentication module with the authentication manager.</para>
/// </devdoc>
public static void Register(IAuthenticationModule authenticationModule)
{
ExceptionHelper.UnmanagedPermission.Demand();
if (authenticationModule == null) {
throw new ArgumentNullException("authenticationModule");
}
GlobalLog.Print("AuthenticationManager::Register() registering :[" + authenticationModule.AuthenticationType + "]");
lock (s_ModuleBinding) {
IAuthenticationModule existentModule = findModule(authenticationModule.AuthenticationType);
if (existentModule != null) {
ModuleList.Remove(existentModule);
}
ModuleList.Add(authenticationModule);
}
}
/// <devdoc>
/// <para>Unregisters authentication modules for an authentication scheme.</para>
/// </devdoc>
public static void Unregister(IAuthenticationModule authenticationModule)
{
ExceptionHelper.UnmanagedPermission.Demand();
if (authenticationModule == null) {
throw new ArgumentNullException("authenticationModule");
}
GlobalLog.Print("AuthenticationManager::Unregister() unregistering :[" + authenticationModule.AuthenticationType + "]");
lock (s_ModuleBinding) {
if (!ModuleList.Contains(authenticationModule)) {
throw new InvalidOperationException(SR.GetString(SR.net_authmodulenotregistered));
}
ModuleList.Remove(authenticationModule);
}
}
/// <devdoc>
/// <para>Unregisters authentication modules for an authentication scheme.</para>
/// </devdoc>
public static void Unregister(string authenticationScheme)
{
ExceptionHelper.UnmanagedPermission.Demand();
if (authenticationScheme == null) {
throw new ArgumentNullException("authenticationScheme");
}
GlobalLog.Print("AuthenticationManager::Unregister() unregistering :[" + authenticationScheme + "]");
lock (s_ModuleBinding) {
IAuthenticationModule existentModule = findModule(authenticationScheme);
if (existentModule == null) {
throw new InvalidOperationException(SR.GetString(SR.net_authschemenotregistered));
}
ModuleList.Remove(existentModule);
}
}
/// <devdoc>
/// <para>
/// Returns a list of registered authentication modules.
/// </para>
/// </devdoc>
public static IEnumerator RegisteredModules {
get { return ModuleList.GetEnumerator(); }
}
/// <devdoc>
/// <para>
/// Binds an authentication response to a request for pre-authentication.
/// </para>
/// </devdoc>
// Create binding between an authorization response and the module
// generating that response
// This association is used for deciding which module to invoke
// for preauthentication purposes
static internal void BindModule(Uri uri, Authorization response, IAuthenticationModule module)
{
GlobalLog.Assert(module.CanPreAuthenticate, "AuthenticationManager::BindModule()|module.CanPreAuthenticate == false");
if (response.ProtectionRealm != null) {
// The authentication module specified which Uri prefixes
// will be preauthenticated
string[] prefix = response.ProtectionRealm;
for (int k = 0; k < prefix.Length; k++) {
//
// PrefixLookup is thread-safe
//
s_ModuleBinding.Add(prefix[k], module.AuthenticationType);
}
}
else {
// Otherwise use the default policy for "fabricating"
// some protection realm generalizing the particular Uri
string prefix = generalize(uri);
//
// PrefixLookup is thread-safe
//
s_ModuleBinding.Add(prefix, module.AuthenticationType);
}
}
//
// Lookup module by AuthenticationType
//
private static IAuthenticationModule findModule(string authenticationType)
{
IAuthenticationModule returnAuthenticationModule = null;
ArrayList moduleList = ModuleList;
IAuthenticationModule authenticationModule;
for (int k = 0; k < moduleList.Count; k++) {
authenticationModule = (IAuthenticationModule)moduleList[k];
if (string.Compare(authenticationModule.AuthenticationType, authenticationType, StringComparison.OrdinalIgnoreCase) == 0) {
returnAuthenticationModule = authenticationModule;
break;
}
}
return returnAuthenticationModule;
}
// This function returns a prefix of the given absolute Uri
// which will be used for associating authentication information
// The purpose is to associate the module-binding not with a single
// Uri but some collection generalizing that Uri to the loosely-defined
// notion of "protection realm"
private static string generalize(Uri location)
{
string completeUri = location.AbsoluteUri;
int lastFwdSlash = completeUri.LastIndexOf('/');
if (lastFwdSlash < 0) {
return completeUri;
}
return completeUri.Substring(0, lastFwdSlash + 1);
}
//
// The method will extract the blob that does correspond to the moduled with the name passed in signature parameter
// The method avoids confusion arisen from the parameters passed in a quoted string, such as:
// WWW-Authenticate: Digest username="NTLM", realm="wit", NTLM ...
//
static internal int FindSubstringNotInQuotes(string challenge, string signature)
{
int index = -1;
if (challenge != null && signature != null && challenge.Length >= signature.Length) {
int firstQuote = -1;
int secondQuote = -1;
for (int i = 0; i < challenge.Length; i++) {
if (challenge[i] == '"') {
if (firstQuote <= secondQuote)
firstQuote = i;
else
secondQuote = i;
}
if (i == challenge.Length - 1 || (challenge[i] == '"' && firstQuote > secondQuote)) {
// see if the portion of challenge out of the quotes contains
// the signature of the IAuthenticationModule
if (i == challenge.Length - 1)
firstQuote = challenge.Length;