Estoy haciendo el laboratorio de Azure Load Balancing con WCF y reconozco en él algo que me han dicho que es malo desde el punto de vista de la seguridad, pero no estoy seguro de si se aplica aquí.
¿Alguien puede mirar este código y decirme si se deben usar certificados diferentes en el código de producción?
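/// <summary>
/// Session token handler that protects the session cookie with RSA keys taken
/// from X.509 certificates, so that every node holding the same private key(s)
/// can read and validate cookies issued by any other node.
/// </summary>
/// <remarks>
/// NOTE(review): the single-certificate constructor uses one RSA key pair for
/// both encryption and signing. Key separation (one key per purpose) is the
/// usual recommendation; the two-certificate constructor allows it without
/// changing existing callers. Whichever constructor is used, production
/// deployments should use their own certificates rather than the lab's sample
/// certificate, and the private keys must be deployed to every instance and
/// protected accordingly.
/// </remarks>
public class RsaSessionSecurityTokenHandler : SessionSecurityTokenHandler
{
    /// <summary>
    /// Creates a handler that uses the same certificate for encrypting and
    /// for signing the session cookie.
    /// </summary>
    /// <param name="certificate">Certificate used for both RSA transforms.</param>
    /// <exception cref="ArgumentNullException"><paramref name="certificate"/> is null.</exception>
    public RsaSessionSecurityTokenHandler(X509Certificate2 certificate)
    {
        if (certificate == null)
        {
            throw new ArgumentNullException("certificate");
        }

        this.SetTransforms(CreateTransforms(certificate, certificate));
    }

    /// <summary>
    /// Creates a handler that uses separate certificates for encrypting and
    /// for signing the session cookie.
    /// </summary>
    /// <param name="encryptionCertificate">Certificate passed to the RSA encryption transform.</param>
    /// <param name="signingCertificate">Certificate passed to the RSA signature transform.</param>
    /// <exception cref="ArgumentNullException">Either certificate is null.</exception>
    public RsaSessionSecurityTokenHandler(X509Certificate2 encryptionCertificate, X509Certificate2 signingCertificate)
    {
        if (encryptionCertificate == null)
        {
            throw new ArgumentNullException("encryptionCertificate");
        }

        if (signingCertificate == null)
        {
            throw new ArgumentNullException("signingCertificate");
        }

        this.SetTransforms(CreateTransforms(encryptionCertificate, signingCertificate));
    }

    /// <summary>
    /// Validates that the token is scoped to the given endpoint and then
    /// delegates to the single-argument <c>ValidateToken</c> overload.
    /// </summary>
    /// <param name="token">The session token to validate.</param>
    /// <param name="endpointId">Identifier of the endpoint receiving the token.</param>
    /// <returns>The identities produced by <c>ValidateToken(token)</c>.</returns>
    /// <exception cref="ArgumentNullException"><paramref name="token"/> is null.</exception>
    /// <exception cref="ArgumentException"><paramref name="endpointId"/> is null or empty.</exception>
    /// <exception cref="SecurityTokenValidationException">
    /// The token's endpoint id does not match <paramref name="endpointId"/>.
    /// </exception>
    public override ClaimsIdentityCollection ValidateToken(SessionSecurityToken token, string endpointId)
    {
        if (token == null)
        {
            throw new ArgumentNullException("token");
        }

        if (String.IsNullOrEmpty(endpointId))
        {
            // ArgumentException(string) treats its argument as the message;
            // pass the parameter name through the two-argument overload.
            throw new ArgumentException("The endpoint id must not be null or empty.", "endpointId");
        }

        // In active cases where absolute URIs are used, compare all parts of the
        // token's endpoint id and this endpoint's id except the port number.
        // NOTE(review): presumably the port is ignored because instances behind
        // the load balancer listen on a different port than the public one - confirm.
        Uri listenerEndpointId;
        bool listenerHasUri = Uri.TryCreate(endpointId, UriKind.Absolute, out listenerEndpointId);
        Uri tokenEndpointId;
        bool tokenHasUri = Uri.TryCreate(token.EndpointId, UriKind.Absolute, out tokenEndpointId);

        if (listenerHasUri && tokenHasUri)
        {
            bool sameEndpoint =
                listenerEndpointId.Scheme == tokenEndpointId.Scheme &&
                listenerEndpointId.DnsSafeHost == tokenEndpointId.DnsSafeHost &&
                listenerEndpointId.AbsolutePath == tokenEndpointId.AbsolutePath;

            if (!sameEndpoint)
            {
                throw new SecurityTokenValidationException(String.Format("The incoming token for '{0}' is not scoped to the endpoint '{1}'.", tokenEndpointId, listenerEndpointId));
            }
        }
        // In all other cases, fall back to an exact (ordinal) string comparison.
        else if (!String.Equals(endpointId, token.EndpointId, StringComparison.Ordinal))
        {
            throw new SecurityTokenValidationException(String.Format("The incoming token for '{0}' is not scoped to the endpoint '{1}'.", token.EndpointId, endpointId));
        }

        return this.ValidateToken(token);
    }

    // Builds the cookie transform chain in the original order: compress,
    // then encrypt, then sign.
    private static List<CookieTransform> CreateTransforms(X509Certificate2 encryptionCertificate, X509Certificate2 signingCertificate)
    {
        List<CookieTransform> transforms = new List<CookieTransform>();
        transforms.Add(new DeflateCookieTransform());
        transforms.Add(new RsaEncryptionCookieTransform(encryptionCertificate));
        transforms.Add(new RsaSignatureCookieTransform(signingCertificate));
        return transforms;
    }
}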