2 * Copyright 2001-2005 Internet2
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at
8 * http://www.apache.org/licenses/LICENSE-2.0
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
18 * shib-target.cpp -- The ShibTarget class, a superclass for general
21 * Created by: Derek Atkins <derek@ihtfp.com>
34 #include <saml/SAMLConfig.h>
35 #include <xercesc/util/Base64.hpp>
36 #include <shibsp/AccessControl.h>
37 #include <shibsp/RequestMapper.h>
38 #include <xmltooling/util/NDC.h>
39 #include <xmltooling/util/TemplateEngine.h>
40 #include <xmltooling/util/XMLHelper.h>
42 #ifndef HAVE_STRCASECMP
43 # define strcasecmp stricmp
46 using namespace shibsp;
47 using namespace shibtarget;
48 using namespace shibboleth;
50 using namespace opensaml::saml2md;
51 using namespace log4cpp;
54 using xmltooling::TemplateEngine;
55 using xmltooling::XMLToolingException;
56 using xmltooling::XMLToolingConfig;
57 using xmltooling::XMLHelper;
59 namespace shibtarget {
61 class ExtTemplateParameters : public TemplateEngine::TemplateParameters
63 const PropertySet* m_props;
65 ExtTemplateParameters() : m_props(NULL) {}
66 ~ExtTemplateParameters() {}
68 void setPropertySet(const PropertySet* props) {
71 // Create a timestamp.
72 time_t now = time(NULL);
75 m_map["now"] = ctime_r(&now,timebuf);
77 m_map["now"] = ctime(&now);
81 const char* getParameter(const char* name) const {
82 const char* pch = TemplateParameters::getParameter(name);
85 pair<bool,const char*> p = m_props->getString(name);
86 return p.first ? p.second : NULL;
97 void get_application(ShibTarget* st, const string& protocol, const string& hostname, int port, const string& uri);
98 long sendError(ShibTarget* st, const char* page, ExtTemplateParameters& tp, const XMLToolingException* ex=NULL);
99 void clearHeaders(ShibTarget* st);
102 friend class ShibTarget;
103 RequestMapper::Settings m_settings;
104 const IApplication *m_app;
106 ISessionCacheEntry* m_cacheEntry;
108 ShibTargetConfig* m_Config;
111 RequestMapper* m_mapper;
114 static const XMLCh SessionInitiator[] = UNICODE_LITERAL_16(S,e,s,s,i,o,n,I,n,i,t,i,a,t,o,r);
115 static const XMLCh DiagnosticService[] = UNICODE_LITERAL_17(D,i,a,g,n,o,s,t,i,c,S,e,r,v,i,c,e);
119 /*************************************************************************
120 * Shib Target implementation
123 ShibTarget::ShibTarget() : m_priv(new ShibTargetPriv()) {}
125 ShibTarget::ShibTarget(const IApplication *app) : m_priv(new ShibTargetPriv())
130 ShibTarget::~ShibTarget(void)
135 void ShibTarget::init(
137 const char* hostname,
143 throw XMLToolingException("Request initialization occurred twice!");
145 m_priv->m_Config = &ShibTargetConfig::getConfig();
146 m_priv->get_application(this, scheme, hostname, port, uri);
147 AbstractSPRequest::m_app = m_priv->m_app;
151 // These functions implement the server-agnostic shibboleth engine
152 // The web server modules implement a subclass and then call into
153 // these methods once they instantiate their request object.
155 pair<bool,long> ShibTarget::doCheckAuthN(bool handler)
158 xmltooling::NDC ndc("doCheckAuthN");
161 const char* procState = "Request Processing Error";
162 const char* targetURL = m_url.c_str();
163 ExtTemplateParameters tp;
167 throw ConfigurationException("System uninitialized, application did not supply request information.");
169 // If not SSL, check to see if we should block or redirect it.
170 if (!strcmp("http",getScheme())) {
171 pair<bool,const char*> redirectToSSL = m_priv->m_settings.first->getString("redirectToSSL");
172 if (redirectToSSL.first) {
173 if (!strcasecmp("GET",getMethod()) || !strcasecmp("HEAD",getMethod())) {
174 // Compute the new target URL
175 string redirectURL = string("https://") + getHostname();
176 if (strcmp(redirectToSSL.second,"443")) {
177 redirectURL = redirectURL + ':' + redirectToSSL.second;
179 redirectURL += getRequestURI();
180 return make_pair(true, sendRedirect(redirectURL.c_str()));
183 tp.m_map["requestURL"] = m_url.substr(0,m_url.find('?'));
184 return make_pair(true,m_priv->sendError(this,"ssl", tp));
189 string hURL = getHandlerURL(targetURL);
190 const char* handlerURL=hURL.c_str();
192 throw ConfigurationException("Cannot determine handler from resource URL, check configuration.");
194 // If the request URL contains the handler base URL for this application, either dispatch
195 // directly (mainly Apache 2.0) or just pass back control.
196 if (strstr(targetURL,handlerURL)) {
200 return make_pair(true, returnOK());
203 // Three settings dictate how to proceed.
204 pair<bool,const char*> authType = m_priv->m_settings.first->getString("authType");
205 pair<bool,bool> requireSession = m_priv->m_settings.first->getBool("requireSession");
206 pair<bool,const char*> requireSessionWith = m_priv->m_settings.first->getString("requireSessionWith");
208 // If no session is required AND the AuthType (an Apache-derived concept) isn't shibboleth,
209 // then we ignore this request and consider it unprotected. Apache might lie to us if
210 // ShibBasicHijack is on, but that's up to it.
211 if ((!requireSession.first || !requireSession.second) && !requireSessionWith.first &&
212 #ifdef HAVE_STRCASECMP
213 (!authType.first || strcasecmp(authType.second,"shibboleth")))
215 (!authType.first || _stricmp(authType.second,"shibboleth")))
217 return make_pair(true,returnDecline());
219 // Fix for secadv 20050901
220 m_priv->clearHeaders(this);
222 pair<string,const char*> shib_cookie = m_priv->m_app->getCookieNameProps("_shibsession_");
223 const char* session_id = getCookie(shib_cookie.first.c_str());
224 if (!session_id || !*session_id) {
225 // No session. Maybe that's acceptable?
226 if ((!requireSession.first || !requireSession.second) && !requireSessionWith.first)
227 return make_pair(true,returnOK());
229 // No cookie, but we require a session. Initiate a new session using the indicated method.
230 procState = "Session Initiator Error";
231 const IHandler* initiator=NULL;
232 if (requireSessionWith.first) {
233 initiator=m_priv->m_app->getSessionInitiatorById(requireSessionWith.second);
235 throw ConfigurationException(
236 "No session initiator found with id ($1), check requireSessionWith command.",
237 xmltooling::params(1,requireSessionWith.second)
241 initiator=m_priv->m_app->getDefaultSessionInitiator();
243 throw ConfigurationException("No default session initiator found, check configuration.");
246 return initiator->run(this,false);
249 procState = "Session Processing Error";
251 m_priv->m_cacheEntry=m_priv->m_conf->getSessionCache()->find(
254 getRemoteAddr().c_str()
256 // Make a localized exception throw if the session isn't valid.
257 if (!m_priv->m_cacheEntry)
258 throw RetryableProfileException("Session no longer valid.");
260 catch (exception& e) {
261 log(SPError, string("session processing failed: ") + e.what());
263 // If no session is required, bail now.
264 if ((!requireSession.first || !requireSession.second) && !requireSessionWith.first)
265 // Has to be OK because DECLINED will just cause Apache
266 // to fail when it can't locate anything to process the
267 // AuthType. No session plus requireSession false means
268 // do not authenticate the user at this time.
269 return make_pair(true, returnOK());
271 // Try and cast down.
272 exception* base = &e;
273 RetryableProfileException* trycast=dynamic_cast<RetryableProfileException*>(base);
275 // Session is invalid but we can retry -- initiate a new session.
276 procState = "Session Initiator Error";
277 const IHandler* initiator=NULL;
278 if (requireSessionWith.first) {
279 initiator=m_priv->m_app->getSessionInitiatorById(requireSessionWith.second);
281 throw ConfigurationException(
282 "No session initiator found with id ($1), check requireSessionWith command.",
283 xmltooling::params(1,requireSessionWith.second)
287 initiator=m_priv->m_app->getDefaultSessionInitiator();
289 throw ConfigurationException("No default session initiator found, check configuration.");
291 return initiator->run(this,false);
293 throw; // send it to the outer handler
296 // We're done. Everything is okay. Nothing to report. Nothing to do..
297 // Let the caller decide how to proceed.
298 log(SPDebug, "doCheckAuthN succeeded");
299 return make_pair(false,0);
301 catch (XMLToolingException& e) {
302 tp.m_map["errorType"] = procState;
303 tp.m_map["errorText"] = e.what();
305 tp.m_map["requestURL"] = m_url.substr(0,m_url.find('?'));
306 return make_pair(true,m_priv->sendError(this, "session", tp, &e));
310 tp.m_map["errorType"] = procState;
311 tp.m_map["errorText"] = "Caught an unknown exception.";
313 tp.m_map["requestURL"] = m_url.substr(0,m_url.find('?'));
314 return make_pair(true,m_priv->sendError(this, "session", tp));
319 pair<bool,long> ShibTarget::doHandler(void)
322 xmltooling::NDC ndc("doHandler");
325 ExtTemplateParameters tp;
326 const char* procState = "Shibboleth Handler Error";
327 const char* targetURL = m_url.c_str();
331 throw ConfigurationException("System uninitialized, application did not supply request information.");
333 string hURL = getHandlerURL(targetURL);
334 const char* handlerURL=hURL.c_str();
336 throw ConfigurationException("Cannot determine handler from resource URL, check configuration.");
338 // Make sure we only process handler requests.
339 if (!strstr(targetURL,handlerURL))
340 return make_pair(true, returnDecline());
342 const PropertySet* sessionProps=m_priv->m_app->getPropertySet("Sessions");
344 throw ConfigurationException("Unable to map request to application session settings, check configuration.");
346 // Process incoming request.
347 pair<bool,bool> handlerSSL=sessionProps->getBool("handlerSSL");
349 // Make sure this is SSL, if it should be
350 if ((!handlerSSL.first || handlerSSL.second) && strcmp(getScheme(),"https"))
351 throw FatalProfileException("Blocked non-SSL access to Shibboleth handler.");
353 // We dispatch based on our path info. We know the request URL begins with or equals the handler URL,
354 // so the path info is the next character (or null).
355 const IHandler* handler=m_priv->m_app->getHandler(targetURL + strlen(handlerURL));
357 throw opensaml::BindingException("Shibboleth handler invoked at an unconfigured location.");
359 if (XMLHelper::isNodeNamed(handler->getProperties()->getElement(),samlconstants::SAML20MD_NS,AssertionConsumerService::LOCAL_NAME))
360 procState = "Session Creation Error";
361 else if (XMLString::equals(handler->getProperties()->getElement()->getLocalName(),SessionInitiator))
362 procState = "Session Initiator Error";
363 else if (XMLHelper::isNodeNamed(handler->getProperties()->getElement(),samlconstants::SAML20MD_NS,SingleLogoutService::LOCAL_NAME))
364 procState = "Session Termination Error";
365 else if (XMLString::equals(handler->getProperties()->getElement()->getLocalName(),DiagnosticService))
366 procState = "Diagnostics Error";
368 procState = "Extension Service Error";
369 pair<bool,long> hret=handler->run(this);
371 // Did the handler run successfully?
375 throw opensaml::BindingException("Configured Shibboleth handler failed to process the request.");
377 catch (MetadataException& e) {
378 tp.m_map["errorText"] = e.what();
379 // See if a metadata error page is installed.
380 const PropertySet* props=m_priv->m_app->getPropertySet("Errors");
382 pair<bool,const char*> p=props->getString("metadata");
384 tp.m_map["errorType"] = procState;
386 tp.m_map["requestURL"] = targetURL;
387 return make_pair(true,m_priv->sendError(this, "metadata", tp));
392 catch (XMLToolingException& e) {
393 tp.m_map["errorType"] = procState;
394 tp.m_map["errorText"] = e.what();
396 tp.m_map["requestURL"] = m_url.substr(0,m_url.find('?'));
397 return make_pair(true,m_priv->sendError(this, "session", tp, &e));
401 tp.m_map["errorType"] = procState;
402 tp.m_map["errorText"] = "Caught an unknown exception.";
404 tp.m_map["requestURL"] = m_url.substr(0,m_url.find('?'));
405 return make_pair(true,m_priv->sendError(this, "session", tp));
410 pair<bool,long> ShibTarget::doCheckAuthZ(void)
413 xmltooling::NDC ndc("doCheckAuthZ");
416 ExtTemplateParameters tp;
417 const char* procState = "Authorization Processing Error";
418 const char* targetURL = m_url.c_str();
422 throw ConfigurationException("System uninitialized, application did not supply request information.");
424 // Three settings dictate how to proceed.
425 pair<bool,const char*> authType = m_priv->m_settings.first->getString("authType");
426 pair<bool,bool> requireSession = m_priv->m_settings.first->getBool("requireSession");
427 pair<bool,const char*> requireSessionWith = m_priv->m_settings.first->getString("requireSessionWith");
429 // If no session is required AND the AuthType (an Apache-derived concept) isn't shibboleth,
430 // then we ignore this request and consider it unprotected. Apache might lie to us if
431 // ShibBasicHijack is on, but that's up to it.
432 if ((!requireSession.first || !requireSession.second) && !requireSessionWith.first &&
433 #ifdef HAVE_STRCASECMP
434 (!authType.first || strcasecmp(authType.second,"shibboleth")))
436 (!authType.first || _stricmp(authType.second,"shibboleth")))
438 return make_pair(true,returnDecline());
440 // Do we have an access control plugin?
441 if (m_priv->m_settings.second) {
443 if (!m_priv->m_cacheEntry) {
444 // No data yet, so we may need to try and get the session.
445 pair<string,const char*> shib_cookie=m_priv->m_app->getCookieNameProps("_shibsession_");
446 const char *session_id = getCookie(shib_cookie.first.c_str());
448 if (session_id && *session_id) {
449 m_priv->m_cacheEntry=m_priv->m_conf->getSessionCache()->find(
452 getRemoteAddr().c_str()
457 log(SPError, "doCheckAuthZ: unable to obtain session information to pass to access control provider");
461 xmltooling::Locker acllock(m_priv->m_settings.second);
463 if (m_priv->m_settings.second->authorized(this,m_priv->m_cacheEntry)) {
464 // Let the caller decide how to proceed.
465 log(LogLevelDebug, "doCheckAuthZ: access control provider granted access");
466 return make_pair(false,0);
469 log(LogLevelWarn, "doCheckAuthZ: access control provider denied access");
471 tp.m_map["requestURL"] = targetURL;
472 return make_pair(true,m_priv->sendError(this, "access", tp));
475 return make_pair(false,0);
478 return make_pair(true,returnDecline());
480 catch (exception& e) {
481 tp.m_map["errorType"] = procState;
482 tp.m_map["errorText"] = e.what();
484 tp.m_map["requestURL"] = m_url.substr(0,m_url.find('?'));
485 return make_pair(true,m_priv->sendError(this, "access", tp));
489 tp.m_map["errorType"] = procState;
490 tp.m_map["errorText"] = "Caught an unknown exception.";
492 tp.m_map["requestURL"] = m_url.substr(0,m_url.find('?'));
493 return make_pair(true,m_priv->sendError(this, "access", tp));
498 pair<bool,long> ShibTarget::doExportAssertions(bool requireSession)
501 xmltooling::NDC ndc("doExportAssertions");
504 ExtTemplateParameters tp;
505 const char* procState = "Attribute Processing Error";
506 const char* targetURL = m_url.c_str();
510 throw ConfigurationException("System uninitialized, application did not supply request information.");
512 if (!m_priv->m_cacheEntry) {
513 // No data yet, so we need to get the session. This can only happen
514 // if the call to doCheckAuthn doesn't happen in the same object lifetime.
515 pair<string,const char*> shib_cookie=m_priv->m_app->getCookieNameProps("_shibsession_");
516 const char *session_id = getCookie(shib_cookie.first.c_str());
518 if (session_id && *session_id) {
519 m_priv->m_cacheEntry=m_priv->m_conf->getSessionCache()->find(
522 getRemoteAddr().c_str()
527 log(SPError, "unable to obtain session information to export into request headers");
528 // If we have to have a session, then this is a fatal error.
535 if (!m_priv->m_cacheEntry) {
537 throw RetryableProfileException("Unable to obtain session information for request.");
539 return make_pair(false,0); // just bail silently
542 // Extract data from session.
543 pair<const char*,const SAMLSubject*> sub=m_priv->m_cacheEntry->getSubject(false,true);
544 pair<const char*,const SAMLResponse*> unfiltered=m_priv->m_cacheEntry->getTokens(true,false);
545 pair<const char*,const SAMLResponse*> filtered=m_priv->m_cacheEntry->getTokens(false,true);
547 // Maybe export the tokens.
548 pair<bool,bool> exp=m_priv->m_settings.first->getBool("exportAssertion");
549 if (exp.first && exp.second && unfiltered.first && *unfiltered.first) {
551 XMLByte* serialized =
552 Base64::encode(reinterpret_cast<XMLByte*>((char*)unfiltered.first), XMLString::stringLen(unfiltered.first), &outlen);
554 for (pos=serialized, pos2=serialized; *pos2; pos2++)
558 setHeader("Shib-Attributes", reinterpret_cast<char*>(serialized));
559 XMLString::release(&serialized);
562 // Export the SAML AuthnMethod and the origin site name, and possibly the NameIdentifier.
563 setHeader("Shib-Origin-Site", m_priv->m_cacheEntry->getProviderId());
564 setHeader("Shib-Identity-Provider", m_priv->m_cacheEntry->getProviderId());
565 setHeader("Shib-Authentication-Method", m_priv->m_cacheEntry->getAuthnContext());
567 // Get the AAP providers, which contain the attribute policy info.
568 Iterator<IAAP*> provs=m_priv->m_app->getAAPProviders();
571 while (provs.hasNext()) {
572 IAAP* aap=provs.next();
573 xmltooling::Locker locker(aap);
574 const XMLCh* format = sub.second->getNameIdentifier()->getFormat();
575 const IAttributeRule* rule=aap->lookup(format ? format : SAMLNameIdentifier::UNSPECIFIED);
576 if (rule && rule->getHeader()) {
577 auto_ptr_char form(format ? format : SAMLNameIdentifier::UNSPECIFIED);
578 auto_ptr_char nameid(sub.second->getNameIdentifier()->getName());
579 setHeader("Shib-NameIdentifier-Format", form.get());
580 if (!strcmp(rule->getHeader(),"REMOTE_USER"))
581 setRemoteUser(nameid.get());
583 setHeader(rule->getHeader(), nameid.get());
587 setHeader("Shib-Application-ID", m_priv->m_app->getId());
589 // Export the attributes.
590 Iterator<SAMLAssertion*> a_iter(filtered.second ? filtered.second->getAssertions() : EMPTY(SAMLAssertion*));
591 while (a_iter.hasNext()) {
592 SAMLAssertion* assert=a_iter.next();
593 Iterator<SAMLStatement*> statements=assert->getStatements();
594 while (statements.hasNext()) {
595 SAMLAttributeStatement* astate=dynamic_cast<SAMLAttributeStatement*>(statements.next());
598 Iterator<SAMLAttribute*> attrs=astate->getAttributes();
599 while (attrs.hasNext()) {
600 SAMLAttribute* attr=attrs.next();
602 // Are we supposed to export it?
604 while (provs.hasNext()) {
605 IAAP* aap=provs.next();
606 xmltooling::Locker locker(aap);
607 const IAttributeRule* rule=aap->lookup(attr->getName(),attr->getNamespace());
608 if (!rule || !rule->getHeader())
611 Iterator<string> vals=attr->getSingleByteValues();
612 if (!strcmp(rule->getHeader(),"REMOTE_USER") && vals.hasNext())
613 setRemoteUser(vals.next().c_str());
616 string header = getSecureHeader(rule->getHeader());
619 for (; vals.hasNext(); it++) {
620 string value = vals.next();
621 for (string::size_type pos = value.find_first_of(";", string::size_type(0));
623 pos = value.find_first_of(";", pos)) {
624 value.insert(pos, "\\");
631 setHeader(rule->getHeader(), header.c_str());
638 return make_pair(false,0);
640 catch (XMLToolingException& e) {
641 tp.m_map["errorType"] = procState;
642 tp.m_map["errorText"] = e.what();
644 tp.m_map["requestURL"] = m_url.substr(0,m_url.find('?'));
645 return make_pair(true,m_priv->sendError(this, "rm", tp, &e));
649 tp.m_map["errorType"] = procState;
650 tp.m_map["errorText"] = "Caught an unknown exception.";
652 tp.m_map["requestURL"] = m_url.substr(0,m_url.find('?'));
653 return make_pair(true,m_priv->sendError(this, "rm", tp));
658 const IApplication* ShibTarget::getApplication() const
660 return m_priv->m_app;
663 const IConfig* ShibTarget::getConfig() const
665 return m_priv->m_conf;
668 long ShibTarget::returnDecline(void)
673 long ShibTarget::returnOK(void)
678 /*************************************************************************
679 * Shib Target Private implementation
682 ShibTargetPriv::ShibTargetPriv()
683 : m_app(NULL), m_mapper(NULL), m_conf(NULL), m_Config(NULL), m_cacheEntry(NULL) {}
685 ShibTargetPriv::~ShibTargetPriv()
688 m_cacheEntry->unlock();
706 void ShibTargetPriv::get_application(ShibTarget* st, const string& protocol, const string& hostname, int port, const string& uri)
711 // XXX: Do we need to keep conf and mapper locked while we hold m_app?
712 // TODO: No, should be able to hold the conf but release the mapper.
714 // We lock the configuration system for the duration.
715 m_conf=m_Config->getINI();
718 // Map request to application and content settings.
719 m_mapper=m_conf->getRequestMapper();
722 // Obtain the application settings from the parsed URL
723 m_settings = m_mapper->getSettings(*st);
725 // Now find the application from the URL settings
726 pair<bool,const char*> application_id=m_settings.first->getString("applicationId");
727 m_app=dynamic_cast<const IApplication*>(m_conf->getApplication(application_id.second));
733 throw ConfigurationException("Unable to map request to application settings, check configuration.");
736 // Compute the full target URL
737 st->m_url = protocol + "://" + hostname;
738 if ((protocol == "http" && port != 80) || (protocol == "https" && port != 443)) {
739 ostringstream portstr;
741 st->m_url += ":" + portstr.str();
746 long ShibTargetPriv::sendError(
747 ShibTarget* st, const char* page, ExtTemplateParameters& tp, const XMLToolingException* ex
750 st->setContentType("text/html");
751 st->setResponseHeader("Expires","01-Jan-1997 12:00:00 GMT");
752 st->setResponseHeader("Cache-Control","private,no-store,no-cache");
754 TemplateEngine* engine = XMLToolingConfig::getConfig().getTemplateEngine();
755 const PropertySet* props=m_app->getPropertySet("Errors");
757 pair<bool,const char*> p=props->getString(page);
759 ifstream infile(p.second);
761 tp.setPropertySet(props);
763 engine->run(infile, str, tp, ex);
764 return st->sendResponse(str);
767 else if (!strcmp(page,"access")) {
768 istringstream msg("Access Denied");
769 return static_cast<opensaml::GenericResponse*>(st)->sendResponse(msg, opensaml::HTTPResponse::SAML_HTTP_STATUS_FORBIDDEN);
773 string errstr = string("sendError could not process error template (") + page + ") for application (";
774 errstr += m_app->getId();
776 st->log(SPRequest::SPError, errstr);
777 istringstream msg("Internal Server Error. Please contact the site administrator.");
778 return st->sendError(msg);
781 void ShibTargetPriv::clearHeaders(ShibTarget* st)
783 // Clear invariant stuff.
784 st->clearHeader("Shib-Origin-Site");
785 st->clearHeader("Shib-Identity-Provider");
786 st->clearHeader("Shib-Authentication-Method");
787 st->clearHeader("Shib-NameIdentifier-Format");
788 st->clearHeader("Shib-Attributes");
789 st->clearHeader("Shib-Application-ID");
791 // Clear out the list of mapped attributes
792 Iterator<IAAP*> provs=m_app->getAAPProviders();
793 while (provs.hasNext()) {
794 IAAP* aap=provs.next();
795 xmltooling::Locker locker(aap);
796 Iterator<const IAttributeRule*> rules=aap->getAttributeRules();
797 while (rules.hasNext()) {
798 const char* header=rules.next()->getHeader();
800 st->clearHeader(header);