1 //------------------------------------------------------------------------------
2 // <copyright file="AuthenticationManager.cs" company="Microsoft">
3 // Copyright (c) Microsoft Corporation. All rights reserved.
5 //------------------------------------------------------------------------------
9 using System.Collections;
10 using System.Collections.Generic;
11 using System.Collections.Specialized;
12 using System.Configuration;
13 using System.Globalization;
14 using System.Net.Configuration;
15 using System.Reflection;
16 using System.Security.Authentication.ExtendedProtection;
17 using System.Security.Permissions;
19 using System.Threading;
20 using System.Diagnostics;
21 using System.Diagnostics.CodeAnalysis;
24 // A contract that applications can use to restrict auth scenarios in current appDomain
26 public interface ICredentialPolicy
28 bool ShouldSendCredential(
31 NetworkCredential credential,
32 IAuthenticationModule authenticationModule);
36 /// <para>Manages the authentication modules called during the client authentication
39 public class AuthenticationManager
41 private static object instanceLock = new object();
42 private static IAuthenticationManager internalInstance = null;
43 internal const string authenticationManagerRoot = "System.Net.AuthenticationManager";
45 // Following names are used both as a per-app key as a global setting
46 internal const string configHighPerformance = authenticationManagerRoot + ".HighPerformance";
47 internal const string configPrefixLookupMaxCount = authenticationManagerRoot + ".PrefixLookupMaxCount";
49 private AuthenticationManager()
53 private static IAuthenticationManager Instance
57 if (internalInstance == null)
61 if (internalInstance == null)
63 internalInstance = SelectAuthenticationManagerInstance();
68 return internalInstance;
72 private static IAuthenticationManager SelectAuthenticationManagerInstance()
74 bool highPerformance = false;
78 if (RegistryConfiguration.GlobalConfigReadInt(configHighPerformance, 0) == 1)
80 highPerformance = true;
82 else if (RegistryConfiguration.AppConfigReadInt(configHighPerformance, 0) == 1)
84 highPerformance = true;
89 int? maxPrefixLookupEntries = ReadPrefixLookupMaxEntriesConfig();
90 if ((maxPrefixLookupEntries != null) && (maxPrefixLookupEntries > 0))
92 return new AuthenticationManager2((int)maxPrefixLookupEntries);
96 return new AuthenticationManager2();
102 if (e is ThreadAbortException || e is StackOverflowException || e is OutOfMemoryException)
108 return new AuthenticationManagerDefault();
111 private static int? ReadPrefixLookupMaxEntriesConfig()
113 int? maxPrefixLookupEntries = null;
115 int configuredMaxPrefixLookupEntries =
116 RegistryConfiguration.GlobalConfigReadInt(configPrefixLookupMaxCount, -1);
118 if (configuredMaxPrefixLookupEntries > 0)
120 maxPrefixLookupEntries = configuredMaxPrefixLookupEntries;
123 // Per-process setting will override global configuration.
124 configuredMaxPrefixLookupEntries =
125 RegistryConfiguration.AppConfigReadInt(configPrefixLookupMaxCount, -1);
127 if (configuredMaxPrefixLookupEntries > 0)
129 maxPrefixLookupEntries = configuredMaxPrefixLookupEntries;
131 return maxPrefixLookupEntries;
134 public static ICredentialPolicy CredentialPolicy {
137 return Instance.CredentialPolicy;
143 ExceptionHelper.ControlPolicyPermission.Demand();
145 Instance.CredentialPolicy = value;
149 public static StringDictionary CustomTargetNameDictionary
153 return Instance.CustomTargetNameDictionary;
157 internal static SpnDictionary SpnDictionary
161 return Instance.SpnDictionary;
165 internal static void EnsureConfigLoaded()
167 Instance.EnsureConfigLoaded();
170 internal static bool OSSupportsExtendedProtection
174 return Instance.OSSupportsExtendedProtection;
178 internal static bool SspSupportsExtendedProtection
182 return Instance.SspSupportsExtendedProtection;
187 /// <para>Call each registered authentication module to determine the first module that
188 /// can respond to the authentication request.</para>
190 public static Authorization Authenticate(string challenge, WebRequest request, ICredentials credentials)
192 return Instance.Authenticate(challenge, request, credentials);
196 /// <para>Pre-authenticates a request.</para>
198 public static Authorization PreAuthenticate(WebRequest request, ICredentials credentials)
200 return Instance.PreAuthenticate(request, credentials);
204 /// <para>Registers an authentication module with the authentication manager.</para>
206 public static void Register(IAuthenticationModule authenticationModule)
209 ExceptionHelper.UnmanagedPermission.Demand();
211 Instance.Register(authenticationModule);
215 /// <para>Unregisters authentication modules for an authentication scheme.</para>
217 public static void Unregister(IAuthenticationModule authenticationModule)
220 ExceptionHelper.UnmanagedPermission.Demand();
222 Instance.Unregister(authenticationModule);
226 /// <para>Unregisters authentication modules for an authentication scheme.</para>
228 public static void Unregister(string authenticationScheme)
231 ExceptionHelper.UnmanagedPermission.Demand();
233 Instance.Unregister(authenticationScheme);
238 /// Returns a list of registered authentication modules.
241 public static IEnumerator RegisteredModules
245 return Instance.RegisteredModules;
251 /// Binds an authentication response to a request for pre-authentication.
254 // Create binding between an authorization response and the module
255 // generating that response
256 // This association is used for deciding which module to invoke
257 // for preauthentication purposes
258 internal static void BindModule(Uri uri, Authorization response, IAuthenticationModule module)
260 Instance.BindModule(uri, response, module);
264 // The method will extract the blob that does correspond to the moduled with the name passed in signature
265 // parameter. The method avoids confusion arisen from the parameters passed in a quoted string, such as:
266 // WWW-Authenticate: Digest username="NTLM", realm="wit", NTLM ...
269 "Microsoft.Globalization", "CA1308", Justification = "Assert-only by check for lower-case signature")]
270 internal static int FindSubstringNotInQuotes(string challenge, string signature)
273 Debug.Assert(signature.ToLowerInvariant().Equals(signature, StringComparison.Ordinal),
274 "'signature' parameter must be lower case");
275 if (challenge != null && signature != null && challenge.Length >= signature.Length)
277 int firstQuote = -1, secondQuote = -1;
278 for (int i = 0; i < challenge.Length && index < 0; i++)
280 // Search for the quotes
281 if (challenge[i] == '\"')
283 if (firstQuote <= secondQuote)
288 // We've found both ends of an unquoted segment (could be whole challenge), search inside for the signature.
289 if (i == challenge.Length - 1 || (challenge[i] == '\"' && firstQuote > secondQuote))
291 // see if the portion of challenge out of the quotes contains
292 // the signature of the IAuthenticationModule
293 if (i == challenge.Length - 1)
294 firstQuote = challenge.Length;
295 // unquoted segment is too small to hold a scheme name, ie: scheme param="value",a=""
296 if (firstQuote < secondQuote + 3)
299 int checkstart = secondQuote + 1;
300 int checkLength = firstQuote - secondQuote - 1;
303 // Search for the next (partial match) occurance of the signature
304 index = IndexOf(challenge, signature, checkstart, checkLength);
308 // Verify the signature is a full scheme name match, not a partial match or a parameter name:
309 if ((index == 0 || challenge[index - 1] == ' ' || challenge[index - 1] == ',') &&
310 (index + signature.Length == challenge.Length || challenge[index + signature.Length] == ' ' || challenge[index + signature.Length] == ','))
314 // Only a partial match / param name, but maybe there is another occurance of the signature later?
315 checkLength -= index - checkstart + 1;
316 checkstart = index + 1;
318 } while (index >= 0);
322 GlobalLog.Print("AuthenticationManager::FindSubstringNotInQuotes(" + challenge + ", " + signature + ")=" + index.ToString());
327 // Helper for FindSubstringNotInQuotes
328 // Find the FIRST possible index of a signature.
329 private static int IndexOf(string challenge, string lwrCaseSignature, int start, int count)
331 count += start + 1 - lwrCaseSignature.Length;
332 for (; start < count; ++start)
335 for (; i < lwrCaseSignature.Length; ++i)
337 // force a challenge char to lowecase (safe assuming it works on trusted ASCII source)
338 if ((challenge[start + i] | 0x20) != lwrCaseSignature[i])
341 if (i == lwrCaseSignature.Length)
348 // this method is called by the IAuthenticationModule implementations
349 // (mainly Digest) to safely find their list of parameters in a challenge.
350 // it returns the index of the first ',' that is not included in quotes,
351 // -1 is returned on error or end of string. on return offset contains the
352 // index of the first '=' that is not included in quotes, -1 if no '=' was found.
354 internal static int SplitNoQuotes(string challenge, ref int offset)
356 // GlobalLog.Print("SplitNoQuotes([" + challenge + "], " + offset.ToString() + ")");
360 int realOffset = offset;
362 // default is not found
366 if (challenge != null && realOffset < challenge.Length)
368 int firstQuote = -1, secondQuote = -1;
370 for (int i = realOffset; i < challenge.Length; i++)
373 // firstQuote>secondQuote means we are in a quoted string
375 if (firstQuote > secondQuote && challenge[i] == '\\' && i + 1 < challenge.Length && challenge[i + 1] == '\"')
378 // skip <\"> when in a quoted string
382 else if (challenge[i] == '\"')
384 if (firstQuote <= secondQuote)
393 else if (challenge[i] == '=' && firstQuote <= secondQuote && offset < 0)
397 else if (challenge[i] == ',' && firstQuote <= secondQuote)
408 internal static Authorization GetGroupAuthorization(
409 IAuthenticationModule thisModule,
412 NTAuthentication authSession,
413 bool shareAuthenticatedConnections,
416 return new Authorization(
419 (shareAuthenticatedConnections) ? null
420 : (thisModule.GetType().FullName + "/" + authSession.UniqueUserId),
423 #endif // !FEATURE_PAL
425 } // class AuthenticationManager
427 } // namespace System.Net
projects / mono.git / blob