mono/mcs/class/referencesource/System.ServiceModel/System/ServiceModel/Security/SecuritySessionSecurityTokenAuthenticator.cs

//-----------------------------------------------------------------------------
// Copyright (c) Microsoft Corporation.  All rights reserved.
//-----------------------------------------------------------------------------
namespace System.ServiceModel.Security
{
    using System.Collections.Generic;
    using System.Collections.ObjectModel;
    using System.Globalization;
    using System.IdentityModel.Claims;
    using System.IdentityModel.Policy;
    using System.IdentityModel.Selectors;
    using System.IdentityModel.Tokens;
    using System.Runtime;
    using System.Runtime.Serialization;
    using System.ServiceModel;
    using System.ServiceModel.Channels;
    using System.ServiceModel.Description;
    using System.ServiceModel.Diagnostics;
    using System.ServiceModel.Dispatcher;
    using System.ServiceModel.Security.Tokens;
    using System.Xml;

    class SecuritySessionSecurityTokenAuthenticator : CommunicationObjectSecurityTokenAuthenticator, IIssuanceSecurityTokenAuthenticator, ILogonTokenCacheManager
    {
        internal static readonly TimeSpan defaultSessionTokenLifetime = TimeSpan.MaxValue;
        internal const int defaultMaxCachedSessionTokens = Int32.MaxValue;
        internal static readonly SecurityStandardsManager defaultStandardsManager = SecurityStandardsManager.DefaultInstance;

        bool isClientAnonymous;
        TimeSpan sessionTokenLifetime;
        ISecurityContextSecurityTokenCache issuedTokenCache;
        SecurityContextSecurityTokenAuthenticator sessionTokenAuthenticator;
        ServiceHostBase rstListener;
        SecurityBindingElement bootstrapSecurityBindingElement;
        BindingContext issuerBindingContext;
        SecurityStandardsManager standardsManager;
        SecurityAlgorithmSuite securityAlgorithmSuite;
        SecurityKeyEntropyMode keyEntropyMode;
        TimeSpan keyRenewalInterval;
        SecurityTokenParameters issuedTokenParameters;
        Uri listenUri;
        string sctUri;
        IMessageFilterTable<EndpointAddress> endpointFilterTable;
        bool shouldMatchRstWithEndpointFilter;
        int maximumConcurrentNegotiations;
        TimeSpan negotiationTimeout;
        Object thisLock = new Object();
        bool preserveBootstrapTokens;

        IssuedSecurityTokenHandler issuedSecurityTokenHandler;
        RenewedSecurityTokenHandler renewedSecurityTokenHandler;

        public SecuritySessionSecurityTokenAuthenticator()
            : base()
        {
            this.sessionTokenAuthenticator = new SecurityContextSecurityTokenAuthenticator();
            this.sessionTokenLifetime = defaultSessionTokenLifetime;
            this.isClientAnonymous = false;
            this.standardsManager = defaultStandardsManager;
            this.keyEntropyMode = AcceleratedTokenProvider.defaultKeyEntropyMode;
            this.maximumConcurrentNegotiations = AcceleratedTokenAuthenticator.defaultServerMaxActiveNegotiations;
            this.negotiationTimeout = AcceleratedTokenAuthenticator.defaultServerMaxNegotiationLifetime;
        }

        public IssuedSecurityTokenHandler IssuedSecurityTokenHandler
        {
            get
            {
                return this.issuedSecurityTokenHandler;
            }
            set
            {
                this.issuedSecurityTokenHandler = value;
            }
        }

        public RenewedSecurityTokenHandler RenewedSecurityTokenHandler
        {
            get
            {
                return this.renewedSecurityTokenHandler;
            }
            set
            {
                this.renewedSecurityTokenHandler = value;
            }
        }

        public SecurityAlgorithmSuite SecurityAlgorithmSuite
        {
            get
            {
                return this.securityAlgorithmSuite;
            }
            set
            {
                this.CommunicationObject.ThrowIfDisposedOrImmutable();
                this.securityAlgorithmSuite = value;
            }
        }

        public SecurityKeyEntropyMode KeyEntropyMode
        {
            get
            {
                return this.keyEntropyMode;
            }
            set
            {
                this.CommunicationObject.ThrowIfDisposedOrImmutable();
                SecurityKeyEntropyModeHelper.Validate(value);
                this.keyEntropyMode = value;
            }
        }

        public bool IsClientAnonymous
        {
            get
            {
                return this.isClientAnonymous;
            }
            set
            {
                this.CommunicationObject.ThrowIfDisposedOrImmutable();
                this.isClientAnonymous = value;
            }
        }

        public TimeSpan SessionTokenLifetime
        {
            get
            {
                return this.sessionTokenLifetime;
            }
            set
            {
                this.CommunicationObject.ThrowIfDisposedOrImmutable();
                if (value <= TimeSpan.Zero)
                {
                    throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new ArgumentOutOfRangeException("value", SR.GetString(SR.TimeSpanMustbeGreaterThanTimeSpanZero)));
                }

                if (TimeoutHelper.IsTooLarge(value))
                {
                    throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new ArgumentOutOfRangeException("value", value,
                        SR.GetString(SR.SFxTimeoutOutOfRangeTooBig)));
                }
                this.sessionTokenLifetime = value;
            }
        }

        public TimeSpan KeyRenewalInterval
        {
            get
            {
                return this.keyRenewalInterval;
            }
            set
            {
                this.CommunicationObject.ThrowIfDisposedOrImmutable();
                if (value <= TimeSpan.Zero)
                {
                    throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new ArgumentOutOfRangeException("value", SR.GetString(SR.TimeSpanMustbeGreaterThanTimeSpanZero)));
                }

                if (TimeoutHelper.IsTooLarge(value))
                {
                    throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new ArgumentOutOfRangeException("value", value,
                        SR.GetString(SR.SFxTimeoutOutOfRangeTooBig)));
                }
                this.keyRenewalInterval = value;
            }
        }

        public int MaximumConcurrentNegotiations
        {
            get
            {
                return this.maximumConcurrentNegotiations;
            }
            set
            {
                this.CommunicationObject.ThrowIfDisposedOrImmutable();
                if (value < 0)
                {
                    throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new ArgumentOutOfRangeException("value", SR.GetString(SR.ValueMustBeNonNegative)));
                }
                this.maximumConcurrentNegotiations = value;
            }
        }

        public TimeSpan NegotiationTimeout
        {
            get
            {
                return this.negotiationTimeout;
            }
            set
            {
                this.CommunicationObject.ThrowIfDisposedOrImmutable();
                if (value <= TimeSpan.Zero)
                {
                    throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new ArgumentOutOfRangeException("value"));
                }
                this.negotiationTimeout = value;
            }
        }

        public SecurityContextSecurityTokenAuthenticator SessionTokenAuthenticator
        {
            get
            {
                return this.sessionTokenAuthenticator;
            }
        }

        public ISecurityContextSecurityTokenCache IssuedTokenCache
        {
            get
            {
                return this.issuedTokenCache;
            }
            set
            {
                this.CommunicationObject.ThrowIfDisposedOrImmutable();
                this.issuedTokenCache = value;
            }
        }

        public SecurityStandardsManager StandardsManager
        {
            get
            {
                return this.standardsManager;
            }
            set
            {
                this.CommunicationObject.ThrowIfDisposedOrImmutable();
                if (value == null)
                {
                    throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new ArgumentNullException("value"));
                }
                if (!value.TrustDriver.IsSessionSupported)
                {
                    throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new ArgumentException(SR.GetString(SR.TrustDriverVersionDoesNotSupportSession), "value"));
                }
                if (!value.SecureConversationDriver.IsSessionSupported)
                {
                    throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new ArgumentException(SR.GetString(SR.SecureConversationDriverVersionDoesNotSupportSession), "value"));
                }
                this.standardsManager = value;
            }
        }

        public SecurityTokenParameters IssuedSecurityTokenParameters
        {
            get
            {
                return this.issuedTokenParameters;
            }
            set
            {
                this.CommunicationObject.ThrowIfDisposedOrImmutable();
                this.issuedTokenParameters = value;
            }
        }

        public BindingContext IssuerBindingContext
        {
            get
            {
                return this.issuerBindingContext;
            }
            set
            {
                this.CommunicationObject.ThrowIfDisposedOrImmutable();
                if (value == null)
                {
                    throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("value");
                }
                this.issuerBindingContext = value.Clone();
            }
        }

        public SecurityBindingElement BootstrapSecurityBindingElement
        {
            get { return this.bootstrapSecurityBindingElement; }
            set
            {
                this.CommunicationObject.ThrowIfDisposedOrImmutable();
                if (value == null)
                {
                    throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("value");
                }
                this.bootstrapSecurityBindingElement = (SecurityBindingElement)value.Clone();
            }
        }

        public IMessageFilterTable<EndpointAddress> EndpointFilterTable
        {
            get
            {
                return this.endpointFilterTable;
            }
            set
            {
                this.CommunicationObject.ThrowIfDisposedOrImmutable();
                this.endpointFilterTable = value;
            }
        }

        public Uri ListenUri
        {
            get { return this.listenUri; }
            set
            {
                this.CommunicationObject.ThrowIfDisposedOrImmutable();
                this.listenUri = value;
            }
        }

        public virtual XmlDictionaryString IssueAction
        {
            get
            {
                return standardsManager.SecureConversationDriver.IssueAction;
            }
        }

        public virtual XmlDictionaryString IssueResponseAction
        {
            get
            {
                return standardsManager.SecureConversationDriver.IssueResponseAction;
            }
        }

        public bool PreserveBootstrapTokens
        {
            get
            {
                return this.preserveBootstrapTokens;
            }
            set
            {
                this.preserveBootstrapTokens = value;
            }
        }

        public virtual XmlDictionaryString RenewAction
        {
            get
            {
                return standardsManager.SecureConversationDriver.RenewAction;
            }
        }

        public virtual XmlDictionaryString RenewResponseAction
        {
            get
            {
                return standardsManager.SecureConversationDriver.RenewResponseAction;
            }
        }

        public virtual XmlDictionaryString CloseAction
        {
            get
            {
                return standardsManager.SecureConversationDriver.CloseAction;
            }
        }

        public virtual XmlDictionaryString CloseResponseAction
        {
            get
            {
                return standardsManager.SecureConversationDriver.CloseResponseAction;
            }
        }

        public bool RemoveCachedLogonToken(string username)
        {
            if (this.RequestSecurityTokenListener != null)
            {
                //
                // this is the SCT case, delegate to the RST's listener list
                //
                IChannelListener listener = null;
                ILogonTokenCacheManager manager = null;

                for (int i = 0; i < this.RequestSecurityTokenListener.ChannelDispatchers.Count; i++)
                {
                    listener = this.RequestSecurityTokenListener.ChannelDispatchers[i].Listener;

                    if (listener != null)
                    {
                        manager = listener.GetProperty<ILogonTokenCacheManager>();

                        if (manager != null)
                            return manager.RemoveCachedLogonToken(username);
                    }
                }
            }
            return false;
        }

        public void FlushLogonTokenCache()
        {
            if (this.RequestSecurityTokenListener != null && this.RequestSecurityTokenListener.ChannelDispatchers.Count > 0)
            {
                //
                // this is the SCT case, delegate to the RST's listener list
                //
                IChannelListener listener = null;
                ILogonTokenCacheManager manager = null;

                for (int i = 0; i < this.RequestSecurityTokenListener.ChannelDispatchers.Count; i++)
                {
                    listener = this.RequestSecurityTokenListener.ChannelDispatchers[i].Listener;

                    if (listener != null)
                    {
                        manager = listener.GetProperty<ILogonTokenCacheManager>();

                        if (manager != null)
                            manager.FlushLogonTokenCache();
                    }
                }
            }

        }

        Message HandleOperationException(SecuritySessionOperation operation, Message request, Exception e)
        {
            SecurityTraceRecordHelper.TraceServerSessionOperationException(operation, e, this.ListenUri);
            return CreateFault(request, e);
        }

        Message CreateFault(Message request, Exception e)
        {
            FaultCode subCode;
            FaultReason reason;
            bool isSenderFault;
            if (e is QuotaExceededException)
            {
                // send a receiver fault so that the sender can retry
                subCode = new FaultCode(DotNetSecurityStrings.SecurityServerTooBusyFault, DotNetSecurityStrings.Namespace);
                reason = new FaultReason(SR.GetString(SR.PendingSessionsExceededFaultReason), CultureInfo.CurrentCulture);
                isSenderFault = false;
            }
            else if (e is EndpointNotFoundException)
            {
                // send a receiver fault so that the sender can retry
                subCode = new FaultCode(AddressingStrings.EndpointUnavailable, request.Version.Addressing.Namespace);
                reason = new FaultReason(SR.GetString(SR.SecurityListenerClosingFaultReason), CultureInfo.CurrentCulture);
                isSenderFault = false;
            }
            else
            {
                subCode = new FaultCode(TrustApr2004Strings.InvalidRequestFaultCode, TrustFeb2005Strings.Namespace);
                reason = new FaultReason(SR.GetString(SR.InvalidRequestTrustFaultCode), CultureInfo.CurrentCulture);
                isSenderFault = true;
            }
            FaultCode faultCode;
            if (isSenderFault)
            {
                faultCode = FaultCode.CreateSenderFaultCode(subCode);
            }
            else
            {
                faultCode = FaultCode.CreateReceiverFaultCode(subCode);
            }
            MessageFault fault = MessageFault.CreateFault(faultCode, reason);
            Message faultReply = Message.CreateMessage(request.Version, fault, request.Version.Addressing.DefaultFaultAction);
            faultReply.Headers.RelatesTo = request.Headers.MessageId;
            return faultReply;
        }

        void NotifyOperationCompletion(SecuritySessionOperation operation, SecurityContextSecurityToken newSessionToken, SecurityContextSecurityToken previousSessionToken, EndpointAddress remoteAddress)
        {
            if (operation == SecuritySessionOperation.Issue)
            {
                if (this.issuedSecurityTokenHandler != null)
                {
                    this.issuedSecurityTokenHandler(newSessionToken, remoteAddress);
                }
                else
                {
                    throw DiagnosticUtility.ExceptionUtility.ThrowHelperWarning(new SecurityNegotiationException(SR.IssueSessionTokenHandlerNotSet));
                }
            }
            else if (operation == SecuritySessionOperation.Renew)
            {
                if (this.renewedSecurityTokenHandler != null)
                {
                    this.renewedSecurityTokenHandler(newSessionToken, previousSessionToken);
                }
                else
                {
                    throw DiagnosticUtility.ExceptionUtility.ThrowHelperWarning(new SecurityNegotiationException(SR.RenewSessionTokenHandlerNotSet));
                }
            }
            else
            {
                throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new NotSupportedException());
            }
        }

        public override void OnAbort()
        {
            if (this.rstListener != null)
            {
                this.rstListener.Abort();
                this.rstListener = null;
            }
          
            base.OnAbort();
        }

        public override void OnClose(TimeSpan timeout)
        {
            TimeoutHelper timeoutHelper = new TimeoutHelper(timeout);
            if (this.rstListener != null)
            {
                this.rstListener.Close(timeoutHelper.RemainingTime());
                this.rstListener = null;
            }
           
            base.OnClose(timeoutHelper.RemainingTime());
        }

        public override void OnOpen(TimeSpan timeout)
        {
            if (this.BootstrapSecurityBindingElement == null)
            {
                throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new InvalidOperationException(SR.GetString(SR.BootstrapSecurityBindingElementNotSet, this.GetType())));
            }
            if (this.IssuerBindingContext == null)
            {
                throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new InvalidOperationException(SR.GetString(SR.IssuerBuildContextNotSet, this.GetType())));
            }
            if (this.IssuedSecurityTokenParameters == null)
            {
                throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new InvalidOperationException(SR.GetString(SR.IssuedSecurityTokenParametersNotSet, this.GetType())));
            }
            if (this.SecurityAlgorithmSuite == null)
            {
                throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new InvalidOperationException(SR.GetString(SR.SecurityAlgorithmSuiteNotSet, this.GetType())));
            }
            if (this.IssuedTokenCache == null)
            {
                throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new InvalidOperationException(SR.GetString(SR.IssuedTokenCacheNotSet, this.GetType())));
            }
            TimeoutHelper timeoutHelper = new TimeoutHelper(timeout);
            SetupSessionListener();
            this.rstListener.Open(timeoutHelper.RemainingTime());
            this.sctUri = this.StandardsManager.SecureConversationDriver.TokenTypeUri;
            base.OnOpen(timeoutHelper.RemainingTime());
        }

        protected override bool CanValidateTokenCore(SecurityToken token)
        {
            return (token is SecurityContextSecurityToken);
        }

        protected override ReadOnlyCollection<IAuthorizationPolicy> ValidateTokenCore(SecurityToken token)
        {
            SecurityContextSecurityToken sct = (SecurityContextSecurityToken)token;
            return sct.AuthorizationPolicies;
        }

        static bool IsSameIdentity(ReadOnlyCollection<IAuthorizationPolicy> authorizationPolicies, ServiceSecurityContext incomingContext)
        {
            Claim identityClaim = SecurityUtils.GetPrimaryIdentityClaim(authorizationPolicies);

            if (identityClaim == null)
            {
                return incomingContext.IsAnonymous;
            }
            else
            {
                return Claim.DefaultComparer.Equals(incomingContext.IdentityClaim, identityClaim);
            }
        }

        DateTime GetKeyExpirationTime(SecurityToken currentToken, DateTime keyEffectiveTime)
        {
            DateTime keyExpirationTime = TimeoutHelper.Add(keyEffectiveTime, this.keyRenewalInterval);
            DateTime tokenExpirationTime = (currentToken != null) ? currentToken.ValidTo : TimeoutHelper.Add(keyEffectiveTime, this.sessionTokenLifetime);
            if (keyExpirationTime > tokenExpirationTime)
            {
                keyExpirationTime = tokenExpirationTime;
            }
            return keyExpirationTime;
        }

        internal static ReadOnlyCollection<IAuthorizationPolicy> CreateSecureConversationPolicies(SecurityMessageProperty security, DateTime expirationTime)
        {
            return CreateSecureConversationPolicies(security, null, expirationTime);
        }

        static ReadOnlyCollection<IAuthorizationPolicy> CreateSecureConversationPolicies(SecurityMessageProperty security, ReadOnlyCollection<IAuthorizationPolicy> currentTokenPolicies, DateTime expirationTime)
        {
            if (security == null)
            {
                throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("security");
            }

            List<IAuthorizationPolicy> authorizationPolicies = new List<IAuthorizationPolicy>();
            if ((security.ServiceSecurityContext != null) &&
                (security.ServiceSecurityContext.AuthorizationPolicies != null))
            {
                authorizationPolicies.AddRange(security.ServiceSecurityContext.AuthorizationPolicies);

                // Remove any Transport token policies. We do not include
                // these in the SCT as these policies will be available with
                // the application messages as well.
                if ((security.TransportToken != null) &&
                    (security.TransportToken.SecurityTokenPolicies != null) &&
                    (security.TransportToken.SecurityTokenPolicies.Count > 0))
                {
                    foreach (IAuthorizationPolicy policy in security.TransportToken.SecurityTokenPolicies)
                    {
                        if (authorizationPolicies.Contains(policy))
                        {
                            authorizationPolicies.Remove(policy);
                        }
                    }
                }

                if (currentTokenPolicies != null)
                {
                    for (int i = 0; i < currentTokenPolicies.Count; ++i)
                    {
                        if (authorizationPolicies.Contains(currentTokenPolicies[i]))
                        {
                            authorizationPolicies.Remove(currentTokenPolicies[i]);
                        }
                    }
                }

                UnconditionalPolicy sctPolicy;
                for (int i = 0; i < authorizationPolicies.Count; i++)
                {
                    if (authorizationPolicies[i].GetType() == typeof(UnconditionalPolicy))
                    {
                        UnconditionalPolicy bootstrapPolicy = (UnconditionalPolicy)authorizationPolicies[i];
                        sctPolicy = new UnconditionalPolicy(bootstrapPolicy.PrimaryIdentity, bootstrapPolicy.Issuances, expirationTime);
                        authorizationPolicies[i] = sctPolicy;
                    }
                }
            }

            return authorizationPolicies.AsReadOnly();
        }

        SecurityContextSecurityToken IssueToken(RequestSecurityToken rst, Message request, SecurityContextSecurityToken currentToken, ReadOnlyCollection<IAuthorizationPolicy> currentTokenPolicies, out RequestSecurityTokenResponse rstr)
        {
            if (rst.TokenType != null && rst.TokenType != this.sctUri)
            {
                throw TraceUtility.ThrowHelperWarning(new InvalidOperationException(SR.GetString(SR.CannotIssueRstTokenType, rst.TokenType)), request);
            }
            // ensure that a SecurityContext is present in the message
            ServiceSecurityContext clientContext;
            SecurityMessageProperty securityProperty = request.Properties.Security;
            if (securityProperty != null)
            {
                clientContext = securityProperty.ServiceSecurityContext;
            }
            else
            {
                clientContext = ServiceSecurityContext.Anonymous;
            }
            if (clientContext == null)
            {
                throw TraceUtility.ThrowHelperWarning(new InvalidOperationException(SR.GetString(SR.SecurityContextMissing, request.Headers.Action)), request);
            }
            if (currentToken != null)
            {
                // ensure that the same party is renewing the token
                if (!IsSameIdentity(currentToken.AuthorizationPolicies, clientContext))
                {
                    throw TraceUtility.ThrowHelperWarning(new SecurityNegotiationException(SR.GetString(SR.WrongIdentityRenewingToken)), request);
                }
            }

            // check if the client specified entropy
            byte[] proofKey;
            byte[] issuerEntropy;
            int issuedKeySize;
            SecurityToken proofToken;
            WSTrust.Driver.ProcessRstAndIssueKey(rst, null, this.KeyEntropyMode, this.SecurityAlgorithmSuite, out issuedKeySize,
                out issuerEntropy, out proofKey, out proofToken);
            SecurityContextSecurityToken newToken;
            DateTime keyEffectiveTime = DateTime.UtcNow;
            DateTime keyExpirationTime = GetKeyExpirationTime(currentToken, keyEffectiveTime);
            ReadOnlyCollection<IAuthorizationPolicy> authorizationPolicies = (securityProperty != null) ?
                    CreateSecureConversationPolicies(securityProperty, currentTokenPolicies, keyExpirationTime) : EmptyReadOnlyCollection<IAuthorizationPolicy>.Instance;
            if (currentToken != null)
            {
                newToken = new SecurityContextSecurityToken(currentToken, SecurityUtils.GenerateId(), proofKey,
                    SecurityUtils.GenerateUniqueId(), keyEffectiveTime, keyExpirationTime, authorizationPolicies);
            }
            else
            {
                UniqueId contextId = SecurityUtils.GenerateUniqueId();
                string id = SecurityUtils.GenerateId();
                DateTime tokenEffectiveTime = keyEffectiveTime;
                DateTime tokenExpirationTime = TimeoutHelper.Add(tokenEffectiveTime, this.sessionTokenLifetime);
                newToken = new SecurityContextSecurityToken(contextId, id, proofKey, tokenEffectiveTime, tokenExpirationTime, null, keyEffectiveTime,
                    keyExpirationTime, authorizationPolicies);
                if (this.preserveBootstrapTokens)
                {
                    newToken.BootstrapMessageProperty = (securityProperty == null) ? null : (SecurityMessageProperty)securityProperty.CreateCopy();
                    SecurityUtils.ErasePasswordInUsernameTokenIfPresent(newToken.BootstrapMessageProperty);
                }
            }

            rstr = new RequestSecurityTokenResponse(this.standardsManager);
            rstr.Context = rst.Context;
            rstr.KeySize = issuedKeySize;
            rstr.RequestedUnattachedReference = this.IssuedSecurityTokenParameters.CreateKeyIdentifierClause(newToken, SecurityTokenReferenceStyle.External);
            rstr.RequestedAttachedReference = this.IssuedSecurityTokenParameters.CreateKeyIdentifierClause(newToken, SecurityTokenReferenceStyle.Internal);
            rstr.TokenType = this.sctUri;
            rstr.RequestedSecurityToken = newToken;
            if (issuerEntropy != null)
            {
                rstr.SetIssuerEntropy(issuerEntropy);
                rstr.ComputeKey = true;
            }
            if (proofToken != null)
            {
                rstr.RequestedProofToken = proofToken;
            }
            rstr.SetLifetime(keyEffectiveTime, keyExpirationTime);
            return newToken;
        }

        static SecurityTokenSpecification GetMatchingEndorsingSct(SecurityContextKeyIdentifierClause sctSkiClause, SecurityMessageProperty supportingTokenProperty)
        {
            if (sctSkiClause == null)
            {
                return null;
            }
            for (int i = 0; i < supportingTokenProperty.IncomingSupportingTokens.Count; ++i)
            {
                if (supportingTokenProperty.IncomingSupportingTokens[i].SecurityTokenAttachmentMode != SecurityTokenAttachmentMode.Endorsing
                    && supportingTokenProperty.IncomingSupportingTokens[i].SecurityTokenAttachmentMode != SecurityTokenAttachmentMode.SignedEndorsing)
                {
                    continue;
                }
                SecurityContextSecurityToken sct = supportingTokenProperty.IncomingSupportingTokens[i].SecurityToken as SecurityContextSecurityToken;
                if (sct != null && sctSkiClause.Matches(sct.ContextId, sct.KeyGeneration))
                {
                    return supportingTokenProperty.IncomingSupportingTokens[i];
                }
            }
            return null;
        }

        protected virtual Message ProcessRenewRequest(Message request)
        {
            this.CommunicationObject.ThrowIfClosedOrNotOpen();
            try
            {
                // first verify that the session token being renewed is present as a supportingToken
                SecurityMessageProperty supportingTokenProperty = request.Properties.Security;
                if (supportingTokenProperty == null || !supportingTokenProperty.HasIncomingSupportingTokens)
                {
                    throw TraceUtility.ThrowHelperWarning(new SecurityNegotiationException(SR.GetString(SR.RenewSessionMissingSupportingToken)), request);
                }

                RequestSecurityToken rst;
                XmlDictionaryReader bodyReader = request.GetReaderAtBodyContents();
                using (bodyReader)
                {
                    rst = this.StandardsManager.TrustDriver.CreateRequestSecurityToken(bodyReader);
                    request.ReadFromBodyContentsToEnd(bodyReader);
                }
                if (rst.RequestType != this.StandardsManager.TrustDriver.RequestTypeRenew)
                {
                    throw TraceUtility.ThrowHelperWarning(new SecurityNegotiationException(SR.GetString(SR.InvalidRstRequestType, rst.RequestType)), request);
                }
                if (rst.RenewTarget == null)
                {
                    throw TraceUtility.ThrowHelperWarning(new SecurityNegotiationException(SR.GetString(SR.NoRenewTargetSpecified)), request);
                }
                SecurityContextKeyIdentifierClause sctSkiClause = rst.RenewTarget as SecurityContextKeyIdentifierClause;
                SecurityTokenSpecification sessionToken = GetMatchingEndorsingSct(sctSkiClause, supportingTokenProperty);
                if (sctSkiClause == null || sessionToken == null)
                {
                    throw TraceUtility.ThrowHelperWarning(new SecurityNegotiationException(SR.GetString(SR.BadRenewTarget, rst.RenewTarget)), request);
                }
                RequestSecurityTokenResponse rstr;
                SecurityContextSecurityToken newToken = this.IssueToken(rst, request, (SecurityContextSecurityToken)sessionToken.SecurityToken, sessionToken.SecurityTokenPolicies, out rstr);
                rstr.MakeReadOnly();
                BodyWriter replyMessage = rstr;
                if (this.StandardsManager.MessageSecurityVersion.TrustVersion == TrustVersion.WSTrust13)
                {
                    List<RequestSecurityTokenResponse> rstrList = new List<RequestSecurityTokenResponse>(1);
                    rstrList.Add(rstr);
                    RequestSecurityTokenResponseCollection rstrc = new RequestSecurityTokenResponseCollection(rstrList, this.StandardsManager);
                    replyMessage = rstrc;
                }
                this.NotifyOperationCompletion(SecuritySessionOperation.Renew, newToken, (SecurityContextSecurityToken)sessionToken.SecurityToken, request.Headers.ReplyTo);
                Message response = CreateReply(request, this.RenewResponseAction, replyMessage);

                if (!newToken.IsCookieMode)
                {
                    this.issuedTokenCache.AddContext(newToken);
                }
                return response;
            }
            finally
            {
                RemoveCachedTokensIfRequired(request.Properties.Security);
            }
        }

        static void AddTokenToRemoveIfRequired(SecurityToken token, Collection<SecurityContextSecurityToken> sctsToRemove)
        {
            SecurityContextSecurityToken sct = token as SecurityContextSecurityToken;
            if (sct != null)
            {
                sctsToRemove.Add(sct);
            }
        }

        internal static void RemoveCachedTokensIfRequired(SecurityMessageProperty security)
        {
            if (security == null)
            {
                return;
            }
            ILogonTokenCacheManager logonManager = OperationContext.Current.EndpointDispatcher.ChannelDispatcher.Listener.GetProperty<ILogonTokenCacheManager>();
            Collection<ISecurityContextSecurityTokenCache> sctCaches = OperationContext.Current.EndpointDispatcher.ChannelDispatcher.Listener.GetProperty<Collection<ISecurityContextSecurityTokenCache>>();
            if (logonManager == null && (sctCaches == null || sctCaches.Count == 0))
            {
                return;
            }
            Collection<SecurityContextSecurityToken> securityContextTokensToRemove = new Collection<SecurityContextSecurityToken>();
            if (security.ProtectionToken != null)
            {
                AddTokenToRemoveIfRequired(security.ProtectionToken.SecurityToken, securityContextTokensToRemove);
            }
            if (security.InitiatorToken != null)
            {
                AddTokenToRemoveIfRequired(security.InitiatorToken.SecurityToken, securityContextTokensToRemove);
            }
            if (security.HasIncomingSupportingTokens)
            {
                for (int i = 0; i < security.IncomingSupportingTokens.Count; ++i)
                {
                    if (security.IncomingSupportingTokens[i].SecurityTokenAttachmentMode == SecurityTokenAttachmentMode.Endorsing
                        || security.IncomingSupportingTokens[i].SecurityTokenAttachmentMode == SecurityTokenAttachmentMode.SignedEncrypted
                        || security.IncomingSupportingTokens[i].SecurityTokenAttachmentMode == SecurityTokenAttachmentMode.SignedEndorsing)
                    {
                        AddTokenToRemoveIfRequired(security.IncomingSupportingTokens[i].SecurityToken, securityContextTokensToRemove);
                    }
                }
            }
            if (sctCaches != null)
            {
                for (int i = 0; i < securityContextTokensToRemove.Count; ++i)
                {
                    for (int j = 0; j < sctCaches.Count; ++j)
                    {
                        sctCaches[j].RemoveContext(securityContextTokensToRemove[i].ContextId, securityContextTokensToRemove[i].KeyGeneration);
                    }
                }
            }
        }

        protected virtual Message ProcessIssueRequest(Message request)
        {
            this.CommunicationObject.ThrowIfClosedOrNotOpen();
            try
            {
                RequestSecurityToken rst;
                using (XmlDictionaryReader bodyReader = request.GetReaderAtBodyContents())
                {
                    rst = this.StandardsManager.TrustDriver.CreateRequestSecurityToken(bodyReader);
                    request.ReadFromBodyContentsToEnd(bodyReader);
                }
                if (rst.RequestType != null && rst.RequestType != this.StandardsManager.TrustDriver.RequestTypeIssue)
                {
                    throw TraceUtility.ThrowHelperWarning(new SecurityNegotiationException(SR.GetString(SR.InvalidRstRequestType, rst.RequestType)), request);
                }
                // echo the AppliesTo in the reply if it is an issue request
                EndpointAddress appliesTo;
                DataContractSerializer appliesToSerializer;
                string appliesToName;
                string appliesToNamespace;
                rst.GetAppliesToQName(out appliesToName, out appliesToNamespace);
                if (appliesToName == AddressingStrings.EndpointReference && appliesToNamespace == request.Version.Addressing.Namespace)
                {
                    if (request.Version.Addressing == AddressingVersion.WSAddressing10)
                    {
                        appliesToSerializer = DataContractSerializerDefaults.CreateSerializer(typeof(EndpointAddress10), DataContractSerializerDefaults.MaxItemsInObjectGraph);
                        appliesTo = rst.GetAppliesTo<EndpointAddress10>(appliesToSerializer).ToEndpointAddress();
                    }
                    else if (request.Version.Addressing == AddressingVersion.WSAddressingAugust2004)
                    {
                        appliesToSerializer = DataContractSerializerDefaults.CreateSerializer(typeof(EndpointAddressAugust2004), DataContractSerializerDefaults.MaxItemsInObjectGraph);
                        appliesTo = rst.GetAppliesTo<EndpointAddressAugust2004>(appliesToSerializer).ToEndpointAddress();
                    }
                    else
                    {
                        throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(
                            new ProtocolException(SR.GetString(SR.AddressingVersionNotSupported, request.Version.Addressing)));
                    }
                }
                else
                {
                    appliesTo = null;
                    appliesToSerializer = null;
                }
                if (this.shouldMatchRstWithEndpointFilter)
                {
                    SecurityUtils.MatchRstWithEndpointFilter(request, this.endpointFilterTable, this.listenUri);
                }
                RequestSecurityTokenResponse rstr;
                SecurityContextSecurityToken issuedToken = this.IssueToken(rst, request, null, null, out rstr);
                if (appliesTo != null)
                {
                    if (request.Version.Addressing == AddressingVersion.WSAddressing10)
                    {
                        rstr.SetAppliesTo<EndpointAddress10>(EndpointAddress10.FromEndpointAddress(appliesTo), appliesToSerializer);
                    }
                    else if (request.Version.Addressing == AddressingVersion.WSAddressingAugust2004)
                    {
                        rstr.SetAppliesTo<EndpointAddressAugust2004>(EndpointAddressAugust2004.FromEndpointAddress(appliesTo), appliesToSerializer);
                    }
                    else
                    {
                        throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(
                            new ProtocolException(SR.GetString(SR.AddressingVersionNotSupported, request.Version.Addressing)));
                    }
                }
                rstr.MakeReadOnly();
                BodyWriter replyMessage = rstr;
                if (this.StandardsManager.MessageSecurityVersion.TrustVersion == TrustVersion.WSTrust13)
                {
                    List<RequestSecurityTokenResponse> rstrList = new List<RequestSecurityTokenResponse>(1);
                    rstrList.Add(rstr);
                    RequestSecurityTokenResponseCollection rstrc = new RequestSecurityTokenResponseCollection(rstrList, this.StandardsManager);
                    replyMessage = rstrc;
                }
                this.NotifyOperationCompletion(SecuritySessionOperation.Issue, issuedToken, null, request.Headers.ReplyTo);
                Message response = CreateReply(request, this.IssueResponseAction, replyMessage);
                if (!issuedToken.IsCookieMode)
                {
                    this.issuedTokenCache.AddContext(issuedToken);
                }
                return response;
            }
            finally
            {
                RemoveCachedTokensIfRequired(request.Properties.Security);
            }
        }

        internal static bool DoesSkiClauseMatchSigningToken(SecurityContextKeyIdentifierClause skiClause, Message request)
        {
            SecurityMessageProperty securityProperty = request.Properties.Security;
            if (securityProperty == null)
            {
                throw TraceUtility.ThrowHelperWarning(new SecurityNegotiationException(SR.GetString(SR.SFxSecurityContextPropertyMissingFromRequestMessage)), request);
            }
            SecurityContextSecurityToken sct = (securityProperty.ProtectionToken != null) ? (securityProperty.ProtectionToken.SecurityToken as SecurityContextSecurityToken) : null;
            if (sct != null && skiClause.Matches(sct.ContextId, sct.KeyGeneration))
            {
                return true;
            }

            if (securityProperty.HasIncomingSupportingTokens)
            {
                for (int i = 0; i < securityProperty.IncomingSupportingTokens.Count; ++i)
                {
                    if (securityProperty.IncomingSupportingTokens[i].SecurityTokenAttachmentMode == SecurityTokenAttachmentMode.Endorsing)
                    {
                        sct = securityProperty.IncomingSupportingTokens[i].SecurityToken as SecurityContextSecurityToken;
                        if (sct != null && skiClause.Matches(sct.ContextId, sct.KeyGeneration))
                        {
                            return true;
                        }
                    }
                }
            }
            return false;
        }

        static Message CreateReply(Message request, XmlDictionaryString action, BodyWriter body)
        {
            if (request.Headers.MessageId != null)
            {
                Message reply = Message.CreateMessage(request.Version, ActionHeader.Create(action, request.Version.Addressing), body);
                reply.InitializeReply(request);
                return reply;
            }
            else
            {
                // the message id may not be present if MapToHttp is true
                return Message.CreateMessage(request.Version, ActionHeader.Create(action, request.Version.Addressing), body);
            }
        }

        Message ProcessRequest(Message request)
        {
            SecuritySessionOperation operation = SecuritySessionOperation.None;
            try
            {
                if (request == null)
                {
                    throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("request");
                }
                if (request.Headers.Action == this.IssueAction.Value)
                {
                    operation = SecuritySessionOperation.Issue;
                    return this.ProcessIssueRequest(request);
                }
                else if (request.Headers.Action == this.RenewAction.Value)
                {
                    operation = SecuritySessionOperation.Renew;
                    return this.ProcessRenewRequest(request);
                }
                else
                {
                    throw TraceUtility.ThrowHelperWarning(new SecurityNegotiationException(SR.GetString(SR.InvalidActionForNegotiationMessage, request.Headers.Action)), request);
                }
            }
            catch (Exception e)
            {
                if (Fx.IsFatal(e))
                {
                    throw;
                }

                return this.HandleOperationException(operation, request, e);
            }
        }

        internal ServiceHostBase RequestSecurityTokenListener
        {
            get
            {
                return this.rstListener;
            }
        }

        void SetupSessionListener()
        {
            ChannelBuilder channelBuilder = new ChannelBuilder(this.IssuerBindingContext, true);
            channelBuilder.Binding.Elements.Insert(0, new ReplyAdapterBindingElement());
            channelBuilder.Binding.Elements.Insert(0, new SecuritySessionAuthenticatorBindingElement(this));

            List<string> supportedMessageActions = new List<string>();
            supportedMessageActions.Add(this.IssueAction.Value);
            supportedMessageActions.Add(this.RenewAction.Value);

            SecurityBindingElement securityBindingElement = this.IssuerBindingContext.Binding.Elements.Find<SecurityBindingElement>();
            foreach (SecurityTokenParameters stp in new SecurityTokenParametersEnumerable(securityBindingElement))
            {
                if (stp is SecureConversationSecurityTokenParameters)
                {
                    SecureConversationSecurityTokenParameters scstp = (SecureConversationSecurityTokenParameters)stp;
                    if (!scstp.CanRenewSession)
                    {
                        supportedMessageActions.Remove(this.RenewAction.Value);
                        break;
                    }
                }
            }

            MessageFilter issueAndRenewFilter = new SessionActionFilter(this.standardsManager, supportedMessageActions.ToArray());
            SecuritySessionHost sessionListener = new SecuritySessionHost(this, issueAndRenewFilter, this.ListenUri, channelBuilder);
            this.rstListener = sessionListener;
        }

        internal IChannelListener<TChannel> BuildResponderChannelListener<TChannel>(BindingContext context)
            where TChannel : class, IChannel
        {
            SecurityCredentialsManager securityCredentials = this.IssuerBindingContext.BindingParameters.Find<SecurityCredentialsManager>();
            if (securityCredentials == null)
            {
                securityCredentials = ServiceCredentials.CreateDefaultCredentials();
            }
            this.bootstrapSecurityBindingElement.ReaderQuotas = this.IssuerBindingContext.GetInnerProperty<XmlDictionaryReaderQuotas>();
            if (this.bootstrapSecurityBindingElement.ReaderQuotas == null)
            {
                throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new InvalidOperationException(SR.GetString(SR.EncodingBindingElementDoesNotHandleReaderQuotas)));
            }

            TransportBindingElement transportBindingElement = context.RemainingBindingElements.Find<TransportBindingElement>();
            if (transportBindingElement != null)
                this.bootstrapSecurityBindingElement.MaxReceivedMessageSize = transportBindingElement.MaxReceivedMessageSize;

            SecurityProtocolFactory bootstrapSecurityProtocolFactory = this.bootstrapSecurityBindingElement.CreateSecurityProtocolFactory<TChannel>(this.IssuerBindingContext.Clone(), securityCredentials, true, this.IssuerBindingContext.Clone());
            if (bootstrapSecurityProtocolFactory is MessageSecurityProtocolFactory)
            {
                MessageSecurityProtocolFactory soapBindingFactory = (MessageSecurityProtocolFactory)bootstrapSecurityProtocolFactory;
                soapBindingFactory.ApplyConfidentiality = soapBindingFactory.ApplyIntegrity
                = soapBindingFactory.RequireConfidentiality = soapBindingFactory.RequireIntegrity = true;

                soapBindingFactory.ProtectionRequirements.IncomingSignatureParts.ChannelParts.IsBodyIncluded = true;
                soapBindingFactory.ProtectionRequirements.OutgoingSignatureParts.ChannelParts.IsBodyIncluded = true;

                MessagePartSpecification bodyPart = new MessagePartSpecification(true);
                soapBindingFactory.ProtectionRequirements.OutgoingSignatureParts.AddParts(bodyPart, this.IssueResponseAction);
                soapBindingFactory.ProtectionRequirements.OutgoingEncryptionParts.AddParts(bodyPart, this.IssueResponseAction);
                soapBindingFactory.ProtectionRequirements.OutgoingSignatureParts.AddParts(bodyPart, this.RenewResponseAction);
                soapBindingFactory.ProtectionRequirements.OutgoingEncryptionParts.AddParts(bodyPart, this.RenewResponseAction);

                soapBindingFactory.ProtectionRequirements.IncomingSignatureParts.AddParts(bodyPart, this.IssueAction);
                soapBindingFactory.ProtectionRequirements.IncomingEncryptionParts.AddParts(bodyPart, this.IssueAction);
                soapBindingFactory.ProtectionRequirements.IncomingSignatureParts.AddParts(bodyPart, this.RenewAction);
                soapBindingFactory.ProtectionRequirements.IncomingEncryptionParts.AddParts(bodyPart, this.RenewAction);
            }

            SupportingTokenParameters renewSupportingTokenParameters = new SupportingTokenParameters();
            SecurityContextSecurityTokenParameters sctParameters = new SecurityContextSecurityTokenParameters();
            sctParameters.RequireDerivedKeys = this.IssuedSecurityTokenParameters.RequireDerivedKeys;
            renewSupportingTokenParameters.Endorsing.Add(sctParameters);
            bootstrapSecurityProtocolFactory.SecurityBindingElement.OperationSupportingTokenParameters.Add(this.RenewAction.Value, renewSupportingTokenParameters);
            bootstrapSecurityProtocolFactory.SecurityTokenManager = new SessionRenewSecurityTokenManager(bootstrapSecurityProtocolFactory.SecurityTokenManager, this.sessionTokenAuthenticator, (SecurityTokenResolver)this.IssuedTokenCache);

            SecurityChannelListener<TChannel> securityChannelListener = new SecurityChannelListener<TChannel>(
                this.bootstrapSecurityBindingElement, this.IssuerBindingContext);
            securityChannelListener.SecurityProtocolFactory = bootstrapSecurityProtocolFactory;
            securityChannelListener.SendUnsecuredFaults = !SecurityUtils.IsCompositeDuplexBinding(context);

            ChannelBuilder channelBuilder = new ChannelBuilder(context, true);
            securityChannelListener.InitializeListener(channelBuilder);
            this.shouldMatchRstWithEndpointFilter = SecurityUtils.ShouldMatchRstWithEndpointFilter(this.bootstrapSecurityBindingElement);
            return securityChannelListener;
        }

        class SecuritySessionHost : ServiceHostBase
        {
            ChannelBuilder channelBuilder;
            MessageFilter filter;
            Uri listenUri;
            SecuritySessionSecurityTokenAuthenticator authenticator;

            public SecuritySessionHost(SecuritySessionSecurityTokenAuthenticator authenticator, MessageFilter filter, Uri listenUri, ChannelBuilder channelBuilder)
            {
                this.authenticator = authenticator;
                this.filter = filter;
                this.listenUri = listenUri;
                this.channelBuilder = channelBuilder;
            }

            protected override ServiceDescription CreateDescription(out IDictionary<string, ContractDescription> implementedContracts)
            {
                implementedContracts = null;
                return null;
            }

            protected override void InitializeRuntime()
            {
                MessageFilter contractFilter = this.filter;
                int filterPriority = Int32.MaxValue - 10;
                Type[] endpointChannelTypes = new Type[] { typeof(IReplyChannel),
                                                           typeof(IDuplexChannel),
                                                           typeof(IReplySessionChannel),
                                                           typeof(IDuplexSessionChannel) };

                IChannelListener listener = null;
                BindingParameterCollection parameters = new BindingParameterCollection(this.channelBuilder.BindingParameters);
                Binding binding = this.channelBuilder.Binding;
                binding.ReceiveTimeout = this.authenticator.NegotiationTimeout;
                parameters.Add(new ChannelDemuxerFilter(contractFilter, filterPriority));
                DispatcherBuilder.MaybeCreateListener(true, endpointChannelTypes, binding, parameters,
                                                      this.listenUri, "", ListenUriMode.Explicit, this.ServiceThrottle, out listener);
                if (listener == null)
                {
                    throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new InvalidOperationException(SR.GetString(SR.CannotCreateTwoWayListenerForNegotiation)));
                }
                ChannelDispatcher channelDispatcher = new ChannelDispatcher(listener, null, binding);
                channelDispatcher.MessageVersion = binding.MessageVersion;
                channelDispatcher.ManualAddressing = true;
                channelDispatcher.ServiceThrottle = new ServiceThrottle(this);
                channelDispatcher.ServiceThrottle.MaxConcurrentCalls = this.authenticator.MaximumConcurrentNegotiations;
                channelDispatcher.ServiceThrottle.MaxConcurrentSessions = this.authenticator.MaximumConcurrentNegotiations;

                EndpointDispatcher endpointDispatcher = new EndpointDispatcher(new EndpointAddress(this.listenUri), "IssueAndRenewSession", NamingHelper.DefaultNamespace, true);
                endpointDispatcher.DispatchRuntime.SingletonInstanceContext = new InstanceContext(null, this.authenticator, false);
                endpointDispatcher.DispatchRuntime.ConcurrencyMode = ConcurrencyMode.Multiple;
                endpointDispatcher.AddressFilter = new MatchAllMessageFilter();
                endpointDispatcher.ContractFilter = contractFilter;
                endpointDispatcher.FilterPriority = filterPriority;
                endpointDispatcher.DispatchRuntime.PrincipalPermissionMode = PrincipalPermissionMode.None;
                endpointDispatcher.DispatchRuntime.InstanceContextProvider = new SingletonInstanceContextProvider(endpointDispatcher.DispatchRuntime);
                endpointDispatcher.DispatchRuntime.SynchronizationContext = null;

                if (this.authenticator.IssuerBindingContext != null && this.authenticator.IssuerBindingContext.BindingParameters != null)
                {
                    ServiceAuthenticationManager serviceAuthenticationManager = this.authenticator.IssuerBindingContext.BindingParameters.Find<ServiceAuthenticationManager>();
                    if (serviceAuthenticationManager != null)
                    {
                        endpointDispatcher.DispatchRuntime.ServiceAuthenticationManager = new SCTServiceAuthenticationManagerWrapper(serviceAuthenticationManager);
                    }
                }

                DispatchOperation operation = new DispatchOperation(endpointDispatcher.DispatchRuntime, "*", MessageHeaders.WildcardAction, MessageHeaders.WildcardAction);
                operation.Formatter = new MessageOperationFormatter();
                operation.Invoker = new SecuritySessionAuthenticatorInvoker(this.authenticator);

                endpointDispatcher.DispatchRuntime.UnhandledDispatchOperation = operation;
                channelDispatcher.Endpoints.Add(endpointDispatcher);
                this.ChannelDispatchers.Add(channelDispatcher);
            }

            class SecuritySessionAuthenticatorInvoker : IOperationInvoker
            {
                SecuritySessionSecurityTokenAuthenticator parent;

                internal SecuritySessionAuthenticatorInvoker(SecuritySessionSecurityTokenAuthenticator parent)
                {
                    this.parent = parent;
                }

                public bool IsSynchronous { get { return true; } }

                public object[] AllocateInputs()
                {
                    return EmptyArray<object>.Allocate(1);
                }

                public object Invoke(object instance, object[] inputs, out object[] outputs)
                {
                    outputs = EmptyArray<object>.Allocate(0);
                    return parent.ProcessRequest((Message)inputs[0]);
                }

                public IAsyncResult InvokeBegin(object instance, object[] inputs, AsyncCallback callback, object state)
                {
                    throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new NotImplementedException());
                }

                public object InvokeEnd(object instance, out object[] outputs, IAsyncResult result)
                {
                    throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new NotImplementedException());
                }
            }
        }


        class SecuritySessionAuthenticatorBindingElement : BindingElement
        {
            SecuritySessionSecurityTokenAuthenticator authenticator;

            public SecuritySessionAuthenticatorBindingElement(SecuritySessionSecurityTokenAuthenticator authenticator)
            {
                this.authenticator = authenticator;
            }

            public override IChannelListener<TChannel> BuildChannelListener<TChannel>(BindingContext context)
            {
                if (context == null)
                {
                    throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("context");
                }

                return authenticator.BuildResponderChannelListener<TChannel>(context);
            }

            public override BindingElement Clone()
            {
                return new SecuritySessionAuthenticatorBindingElement(this.authenticator);
            }

            public override T GetProperty<T>(BindingContext context)
            {
                if (typeof(T) == typeof(ISecurityCapabilities))
                {
                    return (T)(object)authenticator.BootstrapSecurityBindingElement.GetProperty<ISecurityCapabilities>(context);
                }

                return context.GetInnerProperty<T>();
            }
        }

        public class SessionRenewSecurityTokenManager : SecurityTokenManager
        {
            SecurityTokenManager innerTokenManager;
            SecurityTokenAuthenticator renewTokenAuthenticator;
            SecurityTokenResolver renewTokenResolver;

            public SessionRenewSecurityTokenManager(SecurityTokenManager innerTokenManager, SecurityTokenAuthenticator renewTokenAuthenticator,
                SecurityTokenResolver renewTokenResolver)
            {
                this.innerTokenManager = innerTokenManager;
                this.renewTokenAuthenticator = renewTokenAuthenticator;
                this.renewTokenResolver = renewTokenResolver;
            }

            public override SecurityTokenAuthenticator CreateSecurityTokenAuthenticator(SecurityTokenRequirement tokenRequirement, out SecurityTokenResolver outOfBandTokenResolver)
            {
                if (tokenRequirement == null)
                    throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("tokenRequirement");

                if (tokenRequirement.TokenType == ServiceModelSecurityTokenTypes.SecurityContext)
                {
                    outOfBandTokenResolver = this.renewTokenResolver;
                    return this.renewTokenAuthenticator;
                }
                else
                {
                    return this.innerTokenManager.CreateSecurityTokenAuthenticator(tokenRequirement, out outOfBandTokenResolver);
                }
            }

            public override SecurityTokenProvider CreateSecurityTokenProvider(SecurityTokenRequirement requirement)
            {
                return this.innerTokenManager.CreateSecurityTokenProvider(requirement);
            }

            public override SecurityTokenSerializer CreateSecurityTokenSerializer(SecurityTokenVersion version)
            {
                return this.innerTokenManager.CreateSecurityTokenSerializer(version);
            }


        }
    }

    class SessionActionFilter : HeaderFilter
    {
        SecurityStandardsManager standardsManager;
        string[] actions;

        public SessionActionFilter(SecurityStandardsManager standardsManager, params string[] actions)
        {
            this.actions = actions;
            this.standardsManager = standardsManager;
        }

        public override bool Match(Message message)
        {
            for (int i = 0; i < this.actions.Length; ++i)
            {
                if (message.Headers.Action == this.actions[i])
                {
                    return this.standardsManager.DoesMessageContainSecurityHeader(message);
                }
            }
            return false;
        }
    }
}