From bende...@apache.org
Subject svn commit: r792747 - in /incubator/stonehenge/trunk/stocktrader/dotnet/common/StockTraderUtility: ConfigCertificatePolicy.cs CustomCertificateValidator.cs CustomUserNameValidator.cs Utility.cs Utility.csproj
Date Thu, 09 Jul 2009 23:27:37 GMT
Author: bendewey
Date: Thu Jul  9 23:27:37 2009
New Revision: 792747

URL: http://svn.apache.org/viewvc?rev=792747&view=rev
Log:
commit for STONEHENGE-72

Added:
    incubator/stonehenge/trunk/stocktrader/dotnet/common/StockTraderUtility/ConfigCertificatePolicy.cs
    incubator/stonehenge/trunk/stocktrader/dotnet/common/StockTraderUtility/CustomCertificateValidator.cs
    incubator/stonehenge/trunk/stocktrader/dotnet/common/StockTraderUtility/CustomUserNameValidator.cs
Modified:
    incubator/stonehenge/trunk/stocktrader/dotnet/common/StockTraderUtility/Utility.cs
    incubator/stonehenge/trunk/stocktrader/dotnet/common/StockTraderUtility/Utility.csproj

Added: incubator/stonehenge/trunk/stocktrader/dotnet/common/StockTraderUtility/ConfigCertificatePolicy.cs
URL: http://svn.apache.org/viewvc/incubator/stonehenge/trunk/stocktrader/dotnet/common/StockTraderUtility/ConfigCertificatePolicy.cs?rev=792747&view=auto
==============================================================================
--- incubator/stonehenge/trunk/stocktrader/dotnet/common/StockTraderUtility/ConfigCertificatePolicy.cs
(added)
+++ incubator/stonehenge/trunk/stocktrader/dotnet/common/StockTraderUtility/ConfigCertificatePolicy.cs
Thu Jul  9 23:27:37 2009
@@ -0,0 +1,66 @@
+//
+// Licensed to the Apache Software Foundation (ASF) under one or more
+// contributor license agreements.  See the NOTICE file distributed with
+// this work for additional information regarding copyright ownership.
+// The ASF licenses this file to You under the Apache License, Version 2.0
+// (the "License"); you may not use this file except in compliance with
+// the License.  You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+//
+
+using System.Net.Security;
+using System.Security.Cryptography.X509Certificates;
+
+namespace Trade.Utility
+{
+    //======================================================================================================
+    //This class contains abstract classes that can be optionally used to authenticate clients
when using
+    //advanced Web Services security modes.  Three abstract classes are provided, such that
any can be
+    //overridden and customized.  The first ConfigCertificatePolicy, allows the developer
to set a custom
+    //policy for certificates.  This is necessary to allow test/dev/self-signed certificates,
or else
+    //all WCF operations secured with such a cert would be rejected by WCf clients.  Note
that the base
+    //SettingsBase class provides a stock instance of this class, which allows all certs
if the repository
+    //setting "Accept All Certificates for Development Testing" is set to true.  The base
instance, which
+    //can be overridden itself within any Settings class (use the new keyword to define the
field certificatePolicy
+    //with your implementation class if you want. 
+    //
+    //The next two classes are custom validators that are provided.  The first class (CustomUserNameValidator)
+    //works with message level security (which always requires a service X.509 certificate)
and Username
+    //client credentials.  It overrides the default Validate method of the Windows UserNamePassWordValidator
to
+    //instead validate against the ConfigService Users table. See StockTrader Business Services
for an example with
+    //Message security and Username client credentials. 
+    //The second class (CustomCertificateValidator) overrides the Validate method of the
Windows X509CertificateValidator 
+    //to only allow specified set of client certificates to have access to secured endpoints.
+    //======================================================================================================
+
+    /// <summary>
+    /// This class is used when repository setting 'ACCEPT_ALL_CERTIFICATES' is set to true,
to allow service
+    /// connections via Test (dev-created) certificates.  You can override the CheckValidationResult
as desired,
+    /// to add a more restrictive/custom policy.
+    /// </summary>
+    public abstract class ConfigCertificatePolicy
+    {
+        /// <summary>
+        /// As advertised, always OK.  Do not have 'ACCEPT_ALL_CERTIFICATES' set to true
for production; or override for more restrictive,
+        /// custom policy.
+        /// </summary>
+        /// <param name="sender"></param>
+        /// <param name="certificate"></param>
+        /// <param name="chain"></param>
+        /// <param name="sslPolicyErrors"></param>
+        /// <returns></returns>
+        public virtual bool CheckValidationResult(object sender, X509Certificate certificate,
X509Chain chain, SslPolicyErrors sslPolicyErrors)
+        {
+            bool validationResult = true;
+            //Optional add a more restrictive policy here.
+            return validationResult;
+        }
+    }
+}
\ No newline at end of file
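Review bot: `CheckValidationResult` at L106–L111 returns `true` without inspecting `sslPolicyErrors`, so any concrete policy that inherits this body accepts every certificate, including ones with a name mismatch, an untrusted chain or an expired validity period; the XML doc's own warning not to use it in production is a sign the default is inverted. The signature matches `RemoteCertificateValidationCallback`, so if a Settings class wires this into the client's certificate callback (that wiring is not visible in this file), the accept-all behaviour applies to every outbound WCF call. The safer default for the abstract base is `return sslPolicyErrors == SslPolicyErrors.None;`, with a development-only subclass that overrides it to accept self-signed certs, rather than the reverse. Whether the `ACCEPT_ALL_CERTIFICATES` gate described in the header comment actually prevents this path in production cannot be confirmed from this hunk.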

Added: incubator/stonehenge/trunk/stocktrader/dotnet/common/StockTraderUtility/CustomCertificateValidator.cs
URL: http://svn.apache.org/viewvc/incubator/stonehenge/trunk/stocktrader/dotnet/common/StockTraderUtility/CustomCertificateValidator.cs?rev=792747&view=auto
==============================================================================
--- incubator/stonehenge/trunk/stocktrader/dotnet/common/StockTraderUtility/CustomCertificateValidator.cs
(added)
+++ incubator/stonehenge/trunk/stocktrader/dotnet/common/StockTraderUtility/CustomCertificateValidator.cs
Thu Jul  9 23:27:37 2009
@@ -0,0 +1,100 @@
+//
+// Licensed to the Apache Software Foundation (ASF) under one or more
+// contributor license agreements.  See the NOTICE file distributed with
+// this work for additional information regarding copyright ownership.
+// The ASF licenses this file to You under the Apache License, Version 2.0
+// (the "License"); you may not use this file except in compliance with
+// the License.  You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+//
+
+using System;
+using System.IdentityModel.Selectors;
+using System.IdentityModel.Tokens;
+using System.Security.Cryptography.X509Certificates;
+
+namespace Trade.Utility
+{
+    /// <summary>
+    /// Provides a base class that allows customization of certificate validation.
+    /// Specifically, enables certificates to be identified specifically based on a list
of
+    /// authorized cert thumbprints.  See StockTrader Order Processor Service for an example
of
+    /// use, as this sample component uses it to ensure only clients using the authorized

+    /// BSLClient certificate are accepted.
+    /// </summary>
+    public abstract class CustomCertificateValidator : X509CertificateValidator
+    {
+        /// <summary>
+        /// Override with a provided method that returns an array 
+        /// of thumbprints as strings.
+        /// </summary>
+        /// <returns></returns>
+        protected abstract string[] getAllowedThumbprints();
+
+        public override void Validate(X509Certificate2 certificate)
+        {
+            // create chain and set validation options
+            X509Chain chain = new X509Chain();
+            SetValidationSettings(chain);
+
+            // optional check if cert is valid 
+            if (!chain.Build(certificate))
+            {
+                throw new SecurityTokenValidationException("Client certificate is not valid!");
+            }
+
+            // check if cert is from our trusted list
+            if (!isTrusted(chain, getAllowedThumbprints()))
+            {
+                throw new SecurityTokenValidationException("Client certificate is not trusted!");
+            }
+        }
+
+        /// <summary>
+        /// The base goes with default settings, you could override this method to change
them, however.
+        /// </summary>
+        /// <param name="chain"></param>
+        protected virtual void SetValidationSettings(X509Chain chain)
+        {
+            //override to set customer settings.
+        }
+
+        /// <summary>
+        /// Determines if the end certificate in a chain is in the list of trusted certs.
+        /// You could add logic to perform checks across the whole chain if desired.
+        /// </summary>
+        /// <param name="chain"></param>
+        /// <param name="trustedThumbprints"></param>
+        /// <returns></returns>
+        protected virtual bool isTrusted(X509Chain chain, string[] trustedThumbprints)
+        {
+            return CheckThumbprint(chain.ChainElements[0].Certificate, trustedThumbprints);
+        }
+
+        /// <summary>
+        /// Check if a cert is in the trust list.
+        /// </summary>
+        /// <param name="certificate">Cert to check.</param>
+        /// <param name="trustedThumbprints">List of authorized certs' thumbprints</param>
+        /// <returns></returns>
+        private bool CheckThumbprint(X509Certificate2 certificate, string[] trustedThumbprints)
+        {
+            foreach (string thumbprint in trustedThumbprints)
+            {
+                if (string.Equals(certificate.Thumbprint, thumbprint, StringComparison.OrdinalIgnoreCase))
+                {
+                    return true;
+                }
+            }
+
+            return false;
+        }
+    }
+}
\ No newline at end of file
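Review bot: `Validate` at L168–L185 fails closed, but two edge cases turn a configuration mistake into an unhelpful crash rather than a clear rejection: `getAllowedThumbprints()` returning `null` makes the `foreach` in `CheckThumbprint` throw a `NullReferenceException` instead of a `SecurityTokenValidationException`, and a failed `chain.Build` discards `chain.ChainStatus`, so an operator cannot tell an expired client cert from an untrusted issuer or a revocation lookup that could not complete. Suggest guarding the list with `string[] allowed = getAllowedThumbprints(); if (allowed == null || allowed.Length == 0) throw new SecurityTokenValidationException("No client certificate thumbprints are configured.");` and appending the `StatusInformation` of each `chain.ChainStatus` entry to the "not valid" message. The comment `// optional check if cert is valid` on L174 is misleading because the check always runs; `// reject certificates that do not chain to a trusted root (or fail revocation checks) before pinning` describes what the code does. It is also worth stating in the class doc that `X509Certificate2.Thumbprint` is compared as-is, so configured values must be plain hex with no spaces or separators — an inference from the .NET API rather than from this file, to be confirmed against how the thumbprint list is populated.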

Added: incubator/stonehenge/trunk/stocktrader/dotnet/common/StockTraderUtility/CustomUserNameValidator.cs
URL: http://svn.apache.org/viewvc/incubator/stonehenge/trunk/stocktrader/dotnet/common/StockTraderUtility/CustomUserNameValidator.cs?rev=792747&view=auto
==============================================================================
--- incubator/stonehenge/trunk/stocktrader/dotnet/common/StockTraderUtility/CustomUserNameValidator.cs
(added)
+++ incubator/stonehenge/trunk/stocktrader/dotnet/common/StockTraderUtility/CustomUserNameValidator.cs
Thu Jul  9 23:27:37 2009
@@ -0,0 +1,38 @@
+//
+// Licensed to the Apache Software Foundation (ASF) under one or more
+// contributor license agreements.  See the NOTICE file distributed with
+// this work for additional information regarding copyright ownership.
+// The ASF licenses this file to You under the Apache License, Version 2.0
+// (the "License"); you may not use this file except in compliance with
+// the License.  You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+//
+
+using System.IdentityModel.Selectors;
+
+namespace Trade.Utility
+{
+    /// <summary>
+    /// Note how this class is tied in via a ServiceBehavior, defined in config, to override
default Windows auth validation.
+    /// </summary>
+    public abstract class CustomUserNameValidator : UserNamePasswordValidator
+    {
+        /// <summary>
+        /// Overrides to instead validate the username/password against the Configuration
DB Users table.
+        /// </summary>
+        /// <param name="userName">User id coming in as UserName credentials from client.</param>
+        /// <param name="password">Password coming in as UserName credentials from
client.</param>
+        public override void Validate(string userName, string password)
+        {
+            //Add custom user name validation if desired here.  Will only be activated if
binding security is
+            //set for ClientCredentials = UserName.
+        }
+    }
+}
\ No newline at end of file
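Review bot: `Validate` at L273–L278 is an empty override, so it accepts every username/password pair; any concrete subclass that forgets to override it silently turns UserName client credentials into no authentication at all, and the summary on L267–L268 claiming it validates against the Configuration DB Users table is not backed by the body. Since the class is already abstract, make the method abstract so each subclass is forced to supply the check: `public abstract override void Validate(string userName, string password);`. If a default body must remain, it should fail closed, e.g. `throw new SecurityTokenException("Unknown username or incorrect password.");` (which needs `using System.IdentityModel.Tokens;`), and the summary should say the default rejects rather than validates.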

Modified: incubator/stonehenge/trunk/stocktrader/dotnet/common/StockTraderUtility/Utility.cs
URL: http://svn.apache.org/viewvc/incubator/stonehenge/trunk/stocktrader/dotnet/common/StockTraderUtility/Utility.cs?rev=792747&r1=792746&r2=792747&view=diff
==============================================================================
--- incubator/stonehenge/trunk/stocktrader/dotnet/common/StockTraderUtility/Utility.cs (original)
+++ incubator/stonehenge/trunk/stocktrader/dotnet/common/StockTraderUtility/Utility.cs Thu
Jul  9 23:27:37 2009
@@ -34,15 +34,9 @@
 
 using System;
 using System.Collections.Generic;
-using System.Text;
 using System.Diagnostics;
-using System.Net.Security;
 using System.ServiceModel;
 using System.ServiceModel.Description;
-using System.ServiceModel.Configuration;
-using System.IdentityModel.Tokens;
-using System.IdentityModel.Selectors;
-using System.Security.Cryptography.X509Certificates;
 
 namespace Trade.Utility
 {
@@ -198,7 +192,7 @@
         /// <param name="message">String with message to display/log.</param>

         /// <param name="messageType">Event Log entry type code</param> 
         /// <param name="logEntry">Whether to log entry.  Entry will be logged if configuration
database is set for detailed logging and this parameter is true</param> 
-        /// <param name="settingsInstance">Instance of the Settings class for the service
host. Used to determine if detailed logging is on and Event Log Source name.</param>

+        /// <param name="eventLog">The event log source name</param> 
         public static void writeConsoleMessage(string message, EventLogEntryType messageType,
bool logEntry, string eventLog)
         {
             try
@@ -217,7 +211,7 @@
         /// <param name="message">String with message to display/log.</param>

         /// <param name="messageType">Event Log entry type code</param> 
         /// <param name="logEntry">Whether to log entry.  Entry will be logged if configuration
database is set for detailed logging and this parameter is true</param> 
-        /// <param name="settingsInstance">Instance of the Settings class for the service
host. Used to determine if detailed logging is on and Event Log Source name.</param>

+        /// <param name="eventLog">The event log source name</param>
         public static void writeErrorConsoleMessage(string message, EventLogEntryType messageType,
bool logEntry, string eventLog)
         {
             try
@@ -229,11 +223,11 @@
             }
         }
 
-        /// <summary>Writes to event log. </summary>
+        /// <summary>Writes to event log.</summary>
         /// <param name="message">String with message to display/log.</param>

         /// <param name="messageType">Event Log entry type code</param> 
         /// <param name="logEntry">Whether to log entry.  Entry will be logged if configuration
database is set for detailed logging and this parameter is true</param> 
-        /// <param name="settingsInstance">Instance of the Settings class for the service
host. Used to determine if detailed logging is on and Event Log Source name.</param>

+        /// <param name="eventLog">The event log source name</param>
         public static void LogMessage(string message, EventLogEntryType messageType, bool
logEntry, string eventLog)
         {
             if (!logEntry)
@@ -323,153 +317,5 @@
             Console.WriteLine();
         }
     }
-
-
-//======================================================================================================
-//This class contains abstract classes that can be optionally used to authenticate clients
when using
-//advanced Web Services security modes.  Three abstract classes are provided, such that any
can be
-//overridden and customized.  The first ConfigCertificatePolicy, allows the developer to
set a custom
-//policy for certificates.  This is necessary to allow test/dev/self-signed certificates,
or else
-//all WCF operations secured with such a cert would be rejected by WCf clients.  Note that
the base
-//SettingsBase class provides a stock instance of this class, which allows all certs if the
repository
-//setting "Accept All Certificates for Development Testing" is set to true.  The base instance,
which
-//can be overridden itself within any Settings class (use the new keyword to define the field
certificatePolicy
-//with your implementation class if you want. 
-//
-//The next two classes are custom validators that are provided.  The first class (CustomUserNameValidator)
-//works with message level security (which always requires a service X.509 certificate) and
Username
-//client credentials.  It overrides the default Validate method of the Windows UserNamePassWordValidator
to
-//instead validate against the ConfigService Users table. See StockTrader Business Services
for an example with
-//Message security and Username client credentials. 
-//The second class (CustomCertificateValidator) overrides the Validate method of the Windows
X509CertificateValidator 
-//to only allow specified set of client certificates to have access to secured endpoints.
-//======================================================================================================
-
-    /// <summary>
-    /// This class is used when repository setting 'ACCEPT_ALL_CERTIFICATES' is set to true,
to allow service
-    /// connections via Test (dev-created) certificates.  You can override the CheckValidationResult
as desired,
-    /// to add a more restrictive/custom policy.
-    /// </summary>
-    public abstract class ConfigCertificatePolicy
-    {
-        public ConfigCertificatePolicy()
-        {
-        }
-
-        /// <summary>
-        /// As advertised, always OK.  Do not have 'ACCEPT_ALL_CERTIFICATES' set to true
for production; or override for more restrictive,
-        /// custom policy.
-        /// </summary>
-        /// <param name="sender"></param>
-        /// <param name="certificate"></param>
-        /// <param name="chain"></param>
-        /// <param name="sslPolicyErrors"></param>
-        /// <returns></returns>
-        public virtual bool CheckValidationResult(object sender, X509Certificate certificate,
X509Chain chain, SslPolicyErrors sslPolicyErrors)
-        {
-            bool validationResult = true;
-            //Optional add a more restrictive policy here.
-            return validationResult;
-        }
-    }
-
-
-    /// <summary>
-    /// Note how this class is tied in via a ServiceBehavior, defined in config, to override
default Windows auth validation.
-    /// </summary>
-    public abstract class CustomUserNameValidator : UserNamePasswordValidator
-    {
-        /// <summary>
-        /// Overrides to instead validate the username/password against the Configuration
DB Users table.
-        /// </summary>
-        /// <param name="userName">User id coming in as UserName credentials from client.</param>
-        /// <param name="password">Password coming in as UserName credentials from
client.</param>
-        public override void Validate(string userName, string password)
-        {
-            //Add custom user name validation if desired here.  Will only be activated if
binding security is
-            //set for ClientCredentials = UserName.
-        }
-    }
-
-    /// <summary>
-    /// Provides a base class that allows customization of certificate validation.
-    /// Specifically, enables certificates to be identified specifically based on a list
of
-    /// authorized cert thumbprints.  See StockTrader Order Processor Service for an example
of
-    /// use, as this sample component uses it to ensure only clients using the authorized

-    /// BSLClient certificate are accepted.
-    /// </summary>
-    public abstract class CustomCertificateValidator : X509CertificateValidator
-    {
-        /// <summary>
-        /// Override with a provided method that returns an array 
-        /// of thumbprints as strings.
-        /// </summary>
-        /// <returns></returns>
-        protected abstract string[] getAllowedThumbprints();
-
-        public override void Validate(X509Certificate2 certificate)
-        {
-            // create chain and set validation options
-            X509Chain chain = new X509Chain();
-            SetValidationSettings(chain);
-
-            // optional check if cert is valid 
-            if (!chain.Build(certificate))
-            {
-                throw new SecurityTokenValidationException("Client certificate is not valid!");
-            }
-
-            // check if cert is from our trusted list
-            if (!isTrusted(chain, getAllowedThumbprints()))
-            {
-                throw new SecurityTokenValidationException("Client certificate is not trusted!");
-            }
-        }
-
-        /// <summary>
-        /// The base goes with default settings, you could override this method to change
them, however.
-        /// </summary>
-        /// <param name="chain"></param>
-        protected virtual void SetValidationSettings(X509Chain chain)
-        {
-            //override to set customer settings.
-        }
-
-        /// <summary>
-        /// Determines if the end certificate in a chain is in the list of trusted certs.
-        /// You could add logic to perform checks across the whole chain if desired.
-        /// </summary>
-        /// <param name="chain"></param>
-        /// <param name="trustedThumbprints"></param>
-        /// <returns></returns>
-        protected virtual bool isTrusted(X509Chain chain, string[] trustedThumbprints)
-        {
-            return CheckThumbprint(chain.ChainElements[0].Certificate, trustedThumbprints);
-        }
-
-        /// <summary>
-        /// Check if a cert is in the trust list.
-        /// </summary>
-        /// <param name="certificate">Cert to check.</param>
-        /// <param name="trustedThumbprints">List of authorized certs' thumbprints</param>
-        /// <returns></returns>
-        private bool CheckThumbprint(X509Certificate2 certificate, string[] trustedThumbprints)
-        {
-            foreach (string thumbprint in trustedThumbprints)
-            {
-                if (string.Equals(certificate.Thumbprint, thumbprint, StringComparison.OrdinalIgnoreCase))
-                {
-                    return true;
-                }
-            }
-
-            return false;
-        }
-
- 
-
-    }
-
- 
 }
 

Modified: incubator/stonehenge/trunk/stocktrader/dotnet/common/StockTraderUtility/Utility.csproj
URL: http://svn.apache.org/viewvc/incubator/stonehenge/trunk/stocktrader/dotnet/common/StockTraderUtility/Utility.csproj?rev=792747&r1=792746&r2=792747&view=diff
==============================================================================
--- incubator/stonehenge/trunk/stocktrader/dotnet/common/StockTraderUtility/Utility.csproj
(original)
+++ incubator/stonehenge/trunk/stocktrader/dotnet/common/StockTraderUtility/Utility.csproj
Thu Jul  9 23:27:37 2009
@@ -61,6 +61,9 @@
     <Reference Include="System.Xml" />
   </ItemGroup>
   <ItemGroup>
+    <Compile Include="ConfigCertificatePolicy.cs" />
+    <Compile Include="CustomCertificateValidator.cs" />
+    <Compile Include="CustomUserNameValidator.cs" />
     <Compile Include="SQLHelper.cs" />
     <Compile Include="Utility.cs" />
     <Compile Include="Properties\AssemblyInfo.cs" />


