shibsp/impl/XMLServiceProvider.cpp

   1 /*\r
   2  *  Copyright 2001-2007 Internet2\r
   3  * \r
   4  * Licensed under the Apache License, Version 2.0 (the "License");\r
   5  * you may not use this file except in compliance with the License.\r
   6  * You may obtain a copy of the License at\r
   7  *\r
   8  *     http://www.apache.org/licenses/LICENSE-2.0\r
   9  *\r
  10  * Unless required by applicable law or agreed to in writing, software\r
  11  * distributed under the License is distributed on an "AS IS" BASIS,\r
  12  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\r
  13  * See the License for the specific language governing permissions and\r
  14  * limitations under the License.\r
  15  */\r
  16 \r
  17 /**\r
  18  * XMLServiceProvider.cpp\r
  19  *\r
  20  * XML-based SP configuration and mgmt\r
  21  */\r
  22 \r
  23 #include "internal.h"\r
  24 #include "exceptions.h"\r
  25 #include "AccessControl.h"\r
  26 #include "Application.h"\r
  27 #include "Handler.h"\r
  28 #include "RequestMapper.h"\r
  29 #include "ServiceProvider.h"\r
  30 #include "SessionCache.h"\r
  31 #include "SPConfig.h"\r
  32 #include "SPRequest.h"\r
  33 #include "TransactionLog.h"\r
  34 #include "attribute/Attribute.h"\r
  35 #include "remoting/ListenerService.h"\r
  36 #include "security/PKIXTrustEngine.h"\r
  37 #include "util/DOMPropertySet.h"\r
  38 #include "util/SPConstants.h"\r
  39 \r
  40 #include <sys/types.h>\r
  41 #include <sys/stat.h>\r
  42 #include <log4cpp/Category.hh>\r
  43 #include <log4cpp/PropertyConfigurator.hh>\r
  44 #include <saml/SAMLConfig.h>\r
  45 #include <saml/saml1/core/Assertions.h>\r
  46 #include <saml/saml2/metadata/ChainingMetadataProvider.h>\r
  47 #include <xmltooling/XMLToolingConfig.h>\r
  48 #include <xmltooling/security/ChainingTrustEngine.h>\r
  49 #include <xmltooling/util/NDC.h>\r
  50 #include <xmltooling/util/ReloadableXMLFile.h>\r
  51 #include <xmltooling/util/ReplayCache.h>\r
  52 \r
  53 using namespace shibsp;\r
  54 using namespace opensaml::saml2;\r
  55 using namespace opensaml::saml2md;\r
  56 using namespace opensaml;\r
  57 using namespace xmltooling;\r
  58 using namespace log4cpp;\r
  59 using namespace std;\r
  60 using xmlsignature::CredentialResolver;\r
  61 \r
  62 namespace {\r
  63 \r
  64 #if defined (_MSC_VER)\r
  65     #pragma warning( push )\r
  66     #pragma warning( disable : 4250 )\r
  67 #endif\r
  68 \r
  69     static vector<const Handler*> g_noHandlers;\r
  70 \r
  71     // Application configuration wrapper\r
  72     class SHIBSP_DLLLOCAL XMLApplication : public virtual Application, public DOMPropertySet, public DOMNodeFilter\r
  73     {\r
  74     public:\r
  75         XMLApplication(const ServiceProvider*, const DOMElement* e, const XMLApplication* base=NULL);\r
  76         ~XMLApplication() { cleanup(); }\r
  77     \r
  78         // PropertySet\r
  79         pair<bool,bool> getBool(const char* name, const char* ns=NULL) const;\r
  80         pair<bool,const char*> getString(const char* name, const char* ns=NULL) const;\r
  81         pair<bool,const XMLCh*> getXMLString(const char* name, const char* ns=NULL) const;\r
  82         pair<bool,unsigned int> getUnsignedInt(const char* name, const char* ns=NULL) const;\r
  83         pair<bool,int> getInt(const char* name, const char* ns=NULL) const;\r
  84         const PropertySet* getPropertySet(const char* name, const char* ns="urn:mace:shibboleth:target:config:1.0") const;\r
  85 \r
  86         // Application\r
  87         const char* getId() const {return getString("id").second;}\r
  88         const char* getHash() const {return m_hash.c_str();}\r
  89         MetadataProvider* getMetadataProvider() const;\r
  90         TrustEngine* getTrustEngine() const;\r
  91         const vector<const XMLCh*>& getAudiences() const;\r
  92         const PropertySet* getCredentialUse(const EntityDescriptor* provider) const;\r
  93 \r
  94         const Handler* getDefaultSessionInitiator() const;\r
  95         const Handler* getSessionInitiatorById(const char* id) const;\r
  96         const Handler* getDefaultAssertionConsumerService() const;\r
  97         const Handler* getAssertionConsumerServiceByIndex(unsigned short index) const;\r
  98         const vector<const Handler*>& getAssertionConsumerServicesByBinding(const XMLCh* binding) const;\r
  99         const Handler* getHandler(const char* path) const;\r
 100         \r
 101         // Provides filter to exclude special config elements.\r
 102         short acceptNode(const DOMNode* node) const;\r
 103     \r
 104     private:\r
 105         void cleanup();\r
 106         const ServiceProvider* m_sp;   // this is ok because its locking scope includes us\r
 107         const XMLApplication* m_base;\r
 108         string m_hash;\r
 109         MetadataProvider* m_metadata;\r
 110         TrustEngine* m_trust;\r
 111         vector<const XMLCh*> m_audiences;\r
 112 \r
 113         // manage handler objects\r
 114         vector<Handler*> m_handlers;\r
 115 \r
 116         // maps location (path info) to applicable handlers\r
 117         map<string,const Handler*> m_handlerMap;\r
 118 \r
 119         // maps unique indexes to consumer services\r
 120         map<unsigned int,const Handler*> m_acsIndexMap;\r
 121         \r
 122         // pointer to default consumer service\r
 123         const Handler* m_acsDefault;\r
 124 \r
 125         // maps binding strings to supporting consumer service(s)\r
 126 #ifdef HAVE_GOOD_STL\r
 127         typedef map<xstring,vector<const Handler*> > ACSBindingMap;\r
 128 #else\r
 129         typedef map<string,vector<const Handler*> > ACSBindingMap;\r
 130 #endif\r
 131         ACSBindingMap m_acsBindingMap;\r
 132 \r
 133         // maps unique ID strings to session initiators\r
 134         map<string,const Handler*> m_sessionInitMap;\r
 135 \r
 136         // pointer to default session initiator\r
 137         const Handler* m_sessionInitDefault;\r
 138 \r
 139         DOMPropertySet* m_credDefault;\r
 140 #ifdef HAVE_GOOD_STL\r
 141         map<xstring,PropertySet*> m_credMap;\r
 142 #else\r
 143         map<const XMLCh*,PropertySet*> m_credMap;\r
 144 #endif\r
 145     };\r
 146 \r
 147     // Top-level configuration implementation\r
 148     class SHIBSP_DLLLOCAL XMLConfig;\r
 149     class SHIBSP_DLLLOCAL XMLConfigImpl : public DOMPropertySet, public DOMNodeFilter\r
 150     {\r
 151     public:\r
 152         XMLConfigImpl(const DOMElement* e, bool first, const XMLConfig* outer);\r
 153         ~XMLConfigImpl();\r
 154         \r
 155         RequestMapper* m_requestMapper;\r
 156         map<string,Application*> m_appmap;\r
 157         map<string,CredentialResolver*> m_credResolverMap;\r
 158         map< string,vector<const SecurityPolicyRule*> > m_policyMap;\r
 159         string m_policyDefault;\r
 160         \r
 161         // Provides filter to exclude special config elements.\r
 162         short acceptNode(const DOMNode* node) const;\r
 163 \r
 164         void setDocument(DOMDocument* doc) {\r
 165             m_document = doc;\r
 166         }\r
 167 \r
 168     private:\r
 169         void doExtensions(const DOMElement* e, const char* label, Category& log);\r
 170 \r
 171         const XMLConfig* m_outer;\r
 172         DOMDocument* m_document;\r
 173     };\r
 174 \r
 175     class SHIBSP_DLLLOCAL XMLConfig : public ServiceProvider, public ReloadableXMLFile\r
 176     {\r
 177     public:\r
 178         XMLConfig(const DOMElement* e)\r
 179             : ReloadableXMLFile(e), m_impl(NULL), m_listener(NULL), m_sessionCache(NULL), m_tranLog(NULL) {\r
 180         }\r
 181         \r
 182         void init() {\r
 183             load();\r
 184         }\r
 185 \r
 186         ~XMLConfig() {\r
 187             delete m_impl;\r
 188             delete m_sessionCache;\r
 189             delete m_listener;\r
 190             delete m_tranLog;\r
 191             XMLToolingConfig::getConfig().setReplayCache(NULL);\r
 192             for_each(m_storage.begin(), m_storage.end(), cleanup_pair<string,StorageService>());\r
 193         }\r
 194 \r
 195         // PropertySet\r
 196         pair<bool,bool> getBool(const char* name, const char* ns=NULL) const {return m_impl->getBool(name,ns);}\r
 197         pair<bool,const char*> getString(const char* name, const char* ns=NULL) const {return m_impl->getString(name,ns);}\r
 198         pair<bool,const XMLCh*> getXMLString(const char* name, const char* ns=NULL) const {return m_impl->getXMLString(name,ns);}\r
 199         pair<bool,unsigned int> getUnsignedInt(const char* name, const char* ns=NULL) const {return m_impl->getUnsignedInt(name,ns);}\r
 200         pair<bool,int> getInt(const char* name, const char* ns=NULL) const {return m_impl->getInt(name,ns);}\r
 201         const PropertySet* getPropertySet(const char* name, const char* ns="urn:mace:shibboleth:sp:config:2.0") const {return m_impl->getPropertySet(name,ns);}\r
 202         const DOMElement* getElement() const {return m_impl->getElement();}\r
 203 \r
 204         // ServiceProvider\r
 205         TransactionLog* getTransactionLog() const {\r
 206             if (m_tranLog)\r
 207                 return m_tranLog;\r
 208             throw ConfigurationException("No TransactionLog available.");\r
 209         }\r
 210 \r
 211         StorageService* getStorageService(const char* id) const {\r
 212             if (id) {\r
 213                 map<string,StorageService*>::const_iterator i=m_storage.find(id);\r
 214                 if (i!=m_storage.end())\r
 215                     return i->second;\r
 216             }\r
 217             return NULL;\r
 218         }\r
 219 \r
 220         ListenerService* getListenerService(bool required=true) const {\r
 221             if (required && !m_listener)\r
 222                 throw ConfigurationException("No ListenerService available.");\r
 223             return m_listener;\r
 224         }\r
 225 \r
 226         SessionCache* getSessionCache(bool required=true) const {\r
 227             if (required && !m_sessionCache)\r
 228                 throw ConfigurationException("No SessionCache available.");\r
 229             return m_sessionCache;\r
 230         }\r
 231 \r
 232         RequestMapper* getRequestMapper(bool required=true) const {\r
 233             if (required && !m_impl->m_requestMapper)\r
 234                 throw ConfigurationException("No RequestMapper available.");\r
 235             return m_impl->m_requestMapper;\r
 236         }\r
 237 \r
 238         const Application* getApplication(const char* applicationId) const {\r
 239             map<string,Application*>::const_iterator i=m_impl->m_appmap.find(applicationId);\r
 240             return (i!=m_impl->m_appmap.end()) ? i->second : NULL;\r
 241         }\r
 242 \r
 243         CredentialResolver* getCredentialResolver(const char* id) const {\r
 244             if (id) {\r
 245                 map<string,CredentialResolver*>::const_iterator i=m_impl->m_credResolverMap.find(id);\r
 246                 if (i!=m_impl->m_credResolverMap.end())\r
 247                     return i->second;\r
 248             }\r
 249             return NULL;\r
 250         }\r
 251 \r
 252         vector<const SecurityPolicyRule*>& getPolicyRules(const Handler& handler) const {\r
 253             pair<bool,const char*> pid = handler.getString("policyId", "urn:mace:shibboleth:sp:config:2.0");\r
 254             if (!pid.first)\r
 255                 pid.second = m_impl->m_policyDefault.c_str();\r
 256             if (m_impl->m_policyMap.count(pid.second))\r
 257                 return m_impl->m_policyMap[pid.second];\r
 258             throw ConfigurationException("Security Policy ($1) not found, check <SecurityPolicies> element.", params(1,pid.second));\r
 259         }\r
 260 \r
 261     protected:\r
 262         pair<bool,DOMElement*> load();\r
 263 \r
 264     private:\r
 265         friend class XMLConfigImpl;\r
 266         XMLConfigImpl* m_impl;\r
 267         mutable ListenerService* m_listener;\r
 268         mutable SessionCache* m_sessionCache;\r
 269         mutable TransactionLog* m_tranLog;\r
 270         mutable map<string,StorageService*> m_storage;\r
 271     };\r
 272 \r
 273 #if defined (_MSC_VER)\r
 274     #pragma warning( pop )\r
 275 #endif\r
 276 \r
 277     static const XMLCh _Application[] =         UNICODE_LITERAL_11(A,p,p,l,i,c,a,t,i,o,n);\r
 278     static const XMLCh Applications[] =         UNICODE_LITERAL_12(A,p,p,l,i,c,a,t,i,o,n,s);\r
 279     static const XMLCh Credentials[] =          UNICODE_LITERAL_11(C,r,e,d,e,n,t,i,a,l,s);\r
 280     static const XMLCh CredentialUse[] =        UNICODE_LITERAL_13(C,r,e,d,e,n,t,i,a,l,U,s,e);\r
 281     static const XMLCh _default[] =             UNICODE_LITERAL_7(d,e,f,a,u,l,t);\r
 282     static const XMLCh fatal[] =                UNICODE_LITERAL_5(f,a,t,a,l);\r
 283     static const XMLCh _Handler[] =             UNICODE_LITERAL_7(H,a,n,d,l,e,r);\r
 284     static const XMLCh _id[] =                  UNICODE_LITERAL_2(i,d);\r
 285     static const XMLCh Implementation[] =       UNICODE_LITERAL_14(I,m,p,l,e,m,e,n,t,a,t,i,o,n);\r
 286     static const XMLCh InProcess[] =            UNICODE_LITERAL_9(I,n,P,r,o,c,e,s,s);\r
 287     static const XMLCh Library[] =              UNICODE_LITERAL_7(L,i,b,r,a,r,y);\r
 288     static const XMLCh Listener[] =             UNICODE_LITERAL_8(L,i,s,t,e,n,e,r);\r
 289     static const XMLCh logger[] =               UNICODE_LITERAL_6(l,o,g,g,e,r);\r
 290     static const XMLCh MemoryListener[] =       UNICODE_LITERAL_14(M,e,m,o,r,y,L,i,s,t,e,n,e,r);\r
 291     static const XMLCh Policy[] =               UNICODE_LITERAL_6(P,o,l,i,c,y);\r
 292     static const XMLCh RelyingParty[] =         UNICODE_LITERAL_12(R,e,l,y,i,n,g,P,a,r,t,y);\r
 293     static const XMLCh _ReplayCache[] =         UNICODE_LITERAL_11(R,e,p,l,a,y,C,a,c,h,e);\r
 294     static const XMLCh _RequestMapper[] =       UNICODE_LITERAL_13(R,e,q,u,e,s,t,M,a,p,p,e,r);\r
 295     static const XMLCh Rule[] =                 UNICODE_LITERAL_4(R,u,l,e);\r
 296     static const XMLCh SecurityPolicies[] =     UNICODE_LITERAL_16(S,e,c,u,r,i,t,y,P,o,l,i,c,i,e,s);\r
 297     static const XMLCh _SessionCache[] =        UNICODE_LITERAL_12(S,e,s,s,i,o,n,C,a,c,h,e);\r
 298     static const XMLCh SessionInitiator[] =     UNICODE_LITERAL_16(S,e,s,s,i,o,n,I,n,i,t,i,a,t,o,r);\r
 299     static const XMLCh _StorageService[] =      UNICODE_LITERAL_14(S,t,o,r,a,g,e,S,e,r,v,i,c,e);\r
 300     static const XMLCh OutOfProcess[] =         UNICODE_LITERAL_12(O,u,t,O,f,P,r,o,c,e,s,s);\r
 301     static const XMLCh TCPListener[] =          UNICODE_LITERAL_11(T,C,P,L,i,s,t,e,n,e,r);\r
 302     static const XMLCh _TrustEngine[] =         UNICODE_LITERAL_11(T,r,u,s,t,E,n,g,i,n,e);\r
 303     static const XMLCh UnixListener[] =         UNICODE_LITERAL_12(U,n,i,x,L,i,s,t,e,n,e,r);\r
 304     static const XMLCh _MetadataProvider[] =    UNICODE_LITERAL_16(M,e,t,a,d,a,t,a,P,r,o,v,i,d,e,r);\r
 305     static const XMLCh _path[] =                UNICODE_LITERAL_4(p,a,t,h);\r
 306     static const XMLCh _type[] =                UNICODE_LITERAL_4(t,y,p,e);\r
 307 };\r
 308 \r
 309 namespace shibsp {\r
 310     ServiceProvider* XMLServiceProviderFactory(const DOMElement* const & e)\r
 311     {\r
 312         return new XMLConfig(e);\r
 313     }\r
 314 };\r
 315 \r
 316 XMLApplication::XMLApplication(\r
 317     const ServiceProvider* sp,\r
 318     const DOMElement* e,\r
 319     const XMLApplication* base\r
 320     ) : m_sp(sp), m_base(base), m_metadata(NULL), m_trust(NULL),\r
 321         m_credDefault(NULL), m_sessionInitDefault(NULL), m_acsDefault(NULL)\r
 322 {\r
 323 #ifdef _DEBUG\r
 324     xmltooling::NDC ndc("XMLApplication");\r
 325 #endif\r
 326     Category& log=Category::getInstance(SHIBSP_LOGCAT".Application");\r
 327 \r
 328     try {\r
 329         // First load any property sets.\r
 330         load(e,log,this);\r
 331 \r
 332         SPConfig& conf=SPConfig::getConfig();\r
 333         SAMLConfig& samlConf=SAMLConfig::getConfig();\r
 334         XMLToolingConfig& xmlConf=XMLToolingConfig::getConfig();\r
 335 \r
 336         m_hash=getId();\r
 337         m_hash+=getString("providerId").second;\r
 338         m_hash=samlConf.hashSHA1(m_hash.c_str(), true);\r
 339 \r
 340         const PropertySet* sessions = getPropertySet("Sessions");\r
 341 \r
 342         // Process handlers.\r
 343         Handler* handler=NULL;\r
 344         bool hardACS=false, hardSessionInit=false;\r
 345         const DOMElement* child = sessions ? XMLHelper::getFirstChildElement(sessions->getElement()) : NULL;\r
 346         while (child) {\r
 347             try {\r
 348                 // A handler is based on the Binding property in conjunction with the element name.\r
 349                 // If it's an ACS or SI, also handle index/id mappings and defaulting.\r
 350                 if (XMLHelper::isNodeNamed(child,samlconstants::SAML20MD_NS,AssertionConsumerService::LOCAL_NAME)) {\r
 351                     auto_ptr_char bindprop(child->getAttributeNS(NULL,EndpointType::BINDING_ATTRIB_NAME));\r
 352                     if (!bindprop.get() || !*(bindprop.get())) {\r
 353                         log.warn("md:AssertionConsumerService element has no Binding attribute, skipping it...");\r
 354                         child = XMLHelper::getNextSiblingElement(child);\r
 355                         continue;\r
 356                     }\r
 357                     handler=conf.AssertionConsumerServiceManager.newPlugin(bindprop.get(),child);\r
 358                     // Map by binding (may be > 1 per binding, e.g. SAML 1.0 vs 1.1)\r
 359 #ifdef HAVE_GOOD_STL\r
 360                     m_acsBindingMap[handler->getXMLString("Binding").second].push_back(handler);\r
 361 #else\r
 362                     m_acsBindingMap[handler->getString("Binding").second].push_back(handler);\r
 363 #endif\r
 364                     m_acsIndexMap[handler->getUnsignedInt("index").second]=handler;\r
 365                     \r
 366                     if (!hardACS) {\r
 367                         pair<bool,bool> defprop=handler->getBool("isDefault");\r
 368                         if (defprop.first) {\r
 369                             if (defprop.second) {\r
 370                                 hardACS=true;\r
 371                                 m_acsDefault=handler;\r
 372                             }\r
 373                         }\r
 374                         else if (!m_acsDefault)\r
 375                             m_acsDefault=handler;\r
 376                     }\r
 377                 }\r
 378                 else if (XMLString::equals(child->getLocalName(),SessionInitiator)) {\r
 379                     auto_ptr_char bindprop(child->getAttributeNS(NULL,EndpointType::BINDING_ATTRIB_NAME));\r
 380                     if (!bindprop.get() || !*(bindprop.get())) {\r
 381                         log.warn("SessionInitiator element has no Binding attribute, skipping it...");\r
 382                         child = XMLHelper::getNextSiblingElement(child);\r
 383                         continue;\r
 384                     }\r
 385                     handler=conf.SessionInitiatorManager.newPlugin(bindprop.get(),child);\r
 386                     pair<bool,const char*> si_id=handler->getString("id");\r
 387                     if (si_id.first && si_id.second)\r
 388                         m_sessionInitMap[si_id.second]=handler;\r
 389                     if (!hardSessionInit) {\r
 390                         pair<bool,bool> defprop=handler->getBool("isDefault");\r
 391                         if (defprop.first) {\r
 392                             if (defprop.second) {\r
 393                                 hardSessionInit=true;\r
 394                                 m_sessionInitDefault=handler;\r
 395                             }\r
 396                         }\r
 397                         else if (!m_sessionInitDefault)\r
 398                             m_sessionInitDefault=handler;\r
 399                     }\r
 400                 }\r
 401                 else if (XMLHelper::isNodeNamed(child,samlconstants::SAML20MD_NS,SingleLogoutService::LOCAL_NAME)) {\r
 402                     auto_ptr_char bindprop(child->getAttributeNS(NULL,EndpointType::BINDING_ATTRIB_NAME));\r
 403                     if (!bindprop.get() || !*(bindprop.get())) {\r
 404                         log.warn("md:SingleLogoutService element has no Binding attribute, skipping it...");\r
 405                         child = XMLHelper::getNextSiblingElement(child);\r
 406                         continue;\r
 407                     }\r
 408                     handler=conf.SingleLogoutServiceManager.newPlugin(bindprop.get(),child);\r
 409                 }\r
 410                 else if (XMLHelper::isNodeNamed(child,samlconstants::SAML20MD_NS,ManageNameIDService::LOCAL_NAME)) {\r
 411                     auto_ptr_char bindprop(child->getAttributeNS(NULL,EndpointType::BINDING_ATTRIB_NAME));\r
 412                     if (!bindprop.get() || !*(bindprop.get())) {\r
 413                         log.warn("md:ManageNameIDService element has no Binding attribute, skipping it...");\r
 414                         child = XMLHelper::getNextSiblingElement(child);\r
 415                         continue;\r
 416                     }\r
 417                     handler=conf.ManageNameIDServiceManager.newPlugin(bindprop.get(),child);\r
 418                 }\r
 419                 else {\r
 420                     auto_ptr_char type(child->getAttributeNS(NULL,_type));\r
 421                     if (!type.get() || !*(type.get())) {\r
 422                         log.warn("Handler element has no type attribute, skipping it...");\r
 423                         child = XMLHelper::getNextSiblingElement(child);\r
 424                         continue;\r
 425                     }\r
 426                     handler=conf.HandlerManager.newPlugin(type.get(),child);\r
 427                 }\r
 428 \r
 429                 // Save off the objects after giving the property set to the handler for its use.\r
 430                 m_handlers.push_back(handler);\r
 431 \r
 432                 // Insert into location map.\r
 433                 pair<bool,const char*> location=handler->getString("Location");\r
 434                 if (location.first && *location.second == '/')\r
 435                     m_handlerMap[location.second]=handler;\r
 436                 else if (location.first)\r
 437                     m_handlerMap[string("/") + location.second]=handler;\r
 438 \r
 439             }\r
 440             catch (exception& ex) {\r
 441                 log.error("caught exception processing handler element: %s", ex.what());\r
 442             }\r
 443             \r
 444             child = XMLHelper::getNextSiblingElement(child);\r
 445         }\r
 446 \r
 447         DOMNodeList* nlist=e->getElementsByTagNameNS(samlconstants::SAML20_NS,Audience::LOCAL_NAME);\r
 448         for (XMLSize_t i=0; nlist && i<nlist->getLength(); i++)\r
 449             if (nlist->item(i)->getParentNode()->isSameNode(e) && nlist->item(i)->hasChildNodes())\r
 450                 m_audiences.push_back(nlist->item(i)->getFirstChild()->getNodeValue());\r
 451 \r
 452         // Always include our own providerId as an audience.\r
 453         m_audiences.push_back(getXMLString("providerId").second);\r
 454 \r
 455         if (conf.isEnabled(SPConfig::AttributeResolver)) {\r
 456             // TODO\r
 457         }\r
 458 \r
 459         if (conf.isEnabled(SPConfig::Metadata)) {\r
 460             child = XMLHelper::getFirstChildElement(e,_MetadataProvider);\r
 461             if (child) {\r
 462                 auto_ptr_char type(child->getAttributeNS(NULL,_type));\r
 463                 log.info("building metadata provider of type %s...",type.get());\r
 464                 try {\r
 465                     auto_ptr<MetadataProvider> mp(samlConf.MetadataProviderManager.newPlugin(type.get(),child));\r
 466                     mp->init();\r
 467                     m_metadata = mp.release();\r
 468                 }\r
 469                 catch (exception& ex) {\r
 470                     log.crit("error building/initializing metadata provider: %s", ex.what());\r
 471                 }\r
 472             }\r
 473         }\r
 474 \r
 475         if (conf.isEnabled(SPConfig::Trust)) {\r
 476             child = XMLHelper::getFirstChildElement(e,_TrustEngine);\r
 477             if (child) {\r
 478                 auto_ptr_char type(child->getAttributeNS(NULL,_type));\r
 479                 log.info("building trust engine of type %s...",type.get());\r
 480                 try {\r
 481                     m_trust = xmlConf.TrustEngineManager.newPlugin(type.get(),child);\r
 482                 }\r
 483                 catch (exception& ex) {\r
 484                     log.crit("error building trust engine: %s",ex.what());\r
 485                 }\r
 486             }\r
 487         }\r
 488         \r
 489         // Finally, load credential mappings.\r
 490         child = XMLHelper::getFirstChildElement(e,CredentialUse);\r
 491         if (child) {\r
 492             m_credDefault=new DOMPropertySet();\r
 493             m_credDefault->load(child,log,this);\r
 494             child = XMLHelper::getFirstChildElement(child,RelyingParty);\r
 495             while (child) {\r
 496                 DOMPropertySet* rp=new DOMPropertySet();\r
 497                 rp->load(child,log,this);\r
 498                 m_credMap[child->getAttributeNS(NULL,opensaml::saml2::Attribute::NAME_ATTRIB_NAME)]=rp;\r
 499                 child = XMLHelper::getNextSiblingElement(child,RelyingParty);\r
 500             }\r
 501         }\r
 502         \r
 503         if (conf.isEnabled(SPConfig::OutOfProcess)) {\r
 504             // Really finally, build local browser profile and binding objects.\r
 505             // TODO: may need some bits here...\r
 506         }\r
 507     }\r
 508     catch (exception&) {\r
 509         cleanup();\r
 510         throw;\r
 511     }\r
 512 #ifndef _DEBUG\r
 513     catch (...) {\r
 514         cleanup();\r
 515         throw;\r
 516     }\r
 517 #endif\r
 518 }\r
 519 \r
 520 void XMLApplication::cleanup()\r
 521 {\r
 522     for_each(m_handlers.begin(),m_handlers.end(),xmltooling::cleanup<Handler>());\r
 523     \r
 524     delete m_credDefault;\r
 525 #ifdef HAVE_GOOD_STL\r
 526     for_each(m_credMap.begin(),m_credMap.end(),cleanup_pair<xstring,PropertySet>());\r
 527 #else\r
 528     for_each(m_credMap.begin(),m_credMap.end(),cleanup_pair<const XMLCh*,PropertySet>());\r
 529 #endif\r
 530 \r
 531     delete m_trust;\r
 532     delete m_metadata;\r
 533 }\r
 534 \r
 535 short XMLApplication::acceptNode(const DOMNode* node) const\r
 536 {\r
 537     if (XMLHelper::isNodeNamed(node,samlconstants::SAML20_NS,opensaml::saml2::Attribute::LOCAL_NAME))\r
 538         return FILTER_REJECT;\r
 539     else if (XMLHelper::isNodeNamed(node,samlconstants::SAML20_NS,Audience::LOCAL_NAME))\r
 540         return FILTER_REJECT;\r
 541     const XMLCh* name=node->getLocalName();\r
 542     if (XMLString::equals(name,_Application) ||\r
 543         XMLString::equals(name,AssertionConsumerService::LOCAL_NAME) ||\r
 544         XMLString::equals(name,SingleLogoutService::LOCAL_NAME) ||\r
 545         XMLString::equals(name,ManageNameIDService::LOCAL_NAME) ||\r
 546         XMLString::equals(name,SessionInitiator) ||\r
 547         XMLString::equals(name,CredentialUse) ||\r
 548         XMLString::equals(name,RelyingParty) ||\r
 549         XMLString::equals(name,_MetadataProvider) ||\r
 550         XMLString::equals(name,_TrustEngine))\r
 551         return FILTER_REJECT;\r
 552 \r
 553     return FILTER_ACCEPT;\r
 554 }\r
 555 \r
 556 pair<bool,bool> XMLApplication::getBool(const char* name, const char* ns) const\r
 557 {\r
 558     pair<bool,bool> ret=DOMPropertySet::getBool(name,ns);\r
 559     if (ret.first)\r
 560         return ret;\r
 561     return m_base ? m_base->getBool(name,ns) : ret;\r
 562 }\r
 563 \r
 564 pair<bool,const char*> XMLApplication::getString(const char* name, const char* ns) const\r
 565 {\r
 566     pair<bool,const char*> ret=DOMPropertySet::getString(name,ns);\r
 567     if (ret.first)\r
 568         return ret;\r
 569     return m_base ? m_base->getString(name,ns) : ret;\r
 570 }\r
 571 \r
 572 pair<bool,const XMLCh*> XMLApplication::getXMLString(const char* name, const char* ns) const\r
 573 {\r
 574     pair<bool,const XMLCh*> ret=DOMPropertySet::getXMLString(name,ns);\r
 575     if (ret.first)\r
 576         return ret;\r
 577     return m_base ? m_base->getXMLString(name,ns) : ret;\r
 578 }\r
 579 \r
 580 pair<bool,unsigned int> XMLApplication::getUnsignedInt(const char* name, const char* ns) const\r
 581 {\r
 582     pair<bool,unsigned int> ret=DOMPropertySet::getUnsignedInt(name,ns);\r
 583     if (ret.first)\r
 584         return ret;\r
 585     return m_base ? m_base->getUnsignedInt(name,ns) : ret;\r
 586 }\r
 587 \r
 588 pair<bool,int> XMLApplication::getInt(const char* name, const char* ns) const\r
 589 {\r
 590     pair<bool,int> ret=DOMPropertySet::getInt(name,ns);\r
 591     if (ret.first)\r
 592         return ret;\r
 593     return m_base ? m_base->getInt(name,ns) : ret;\r
 594 }\r
 595 \r
 596 const PropertySet* XMLApplication::getPropertySet(const char* name, const char* ns) const\r
 597 {\r
 598     const PropertySet* ret=DOMPropertySet::getPropertySet(name,ns);\r
 599     if (ret || !m_base)\r
 600         return ret;\r
 601     return m_base->getPropertySet(name,ns);\r
 602 }\r
 603 \r
 604 MetadataProvider* XMLApplication::getMetadataProvider() const\r
 605 {\r
 606     return (!m_metadata && m_base) ? m_base->getMetadataProvider() : m_metadata;\r
 607 }\r
 608 \r
 609 TrustEngine* XMLApplication::getTrustEngine() const\r
 610 {\r
 611     return (!m_trust && m_base) ? m_base->getTrustEngine() : m_trust;\r
 612 }\r
 613 \r
 614 const vector<const XMLCh*>& XMLApplication::getAudiences() const\r
 615 {\r
 616     return (m_audiences.empty() && m_base) ? m_base->getAudiences() : m_audiences;\r
 617 }\r
 618 \r
 619 const PropertySet* XMLApplication::getCredentialUse(const EntityDescriptor* provider) const\r
 620 {\r
 621     if (!m_credDefault && m_base)\r
 622         return m_base->getCredentialUse(provider);\r
 623         \r
 624 #ifdef HAVE_GOOD_STL\r
 625     map<xstring,PropertySet*>::const_iterator i=m_credMap.find(provider->getEntityID());\r
 626     if (i!=m_credMap.end())\r
 627         return i->second;\r
 628     const EntitiesDescriptor* group=dynamic_cast<const EntitiesDescriptor*>(provider->getParent());\r
 629     while (group) {\r
 630         if (group->getName()) {\r
 631             i=m_credMap.find(group->getName());\r
 632             if (i!=m_credMap.end())\r
 633                 return i->second;\r
 634         }\r
 635         group=dynamic_cast<const EntitiesDescriptor*>(group->getParent());\r
 636     }\r
 637 #else\r
 638     map<const XMLCh*,PropertySet*>::const_iterator i=m_credMap.begin();\r
 639     for (; i!=m_credMap.end(); i++) {\r
 640         if (XMLString::equals(i->first,provider->getId()))\r
 641             return i->second;\r
 642         const EntitiesDescriptor* group=dynamic_cast<const EntitiesDescriptor*>(provider->getParent());\r
 643         while (group) {\r
 644             if (XMLString::equals(i->first,group->getName()))\r
 645                 return i->second;\r
 646             group=dynamic_cast<const EntitiesDescriptor*>(group->getParent());\r
 647         }\r
 648     }\r
 649 #endif\r
 650     return m_credDefault;\r
 651 }\r
 652 \r
 653 const Handler* XMLApplication::getDefaultSessionInitiator() const\r
 654 {\r
 655     if (m_sessionInitDefault) return m_sessionInitDefault;\r
 656     return m_base ? m_base->getDefaultSessionInitiator() : NULL;\r
 657 }\r
 658 \r
 659 const Handler* XMLApplication::getSessionInitiatorById(const char* id) const\r
 660 {\r
 661     map<string,const Handler*>::const_iterator i=m_sessionInitMap.find(id);\r
 662     if (i!=m_sessionInitMap.end()) return i->second;\r
 663     return m_base ? m_base->getSessionInitiatorById(id) : NULL;\r
 664 }\r
 665 \r
 666 const Handler* XMLApplication::getDefaultAssertionConsumerService() const\r
 667 {\r
 668     if (m_acsDefault) return m_acsDefault;\r
 669     return m_base ? m_base->getDefaultAssertionConsumerService() : NULL;\r
 670 }\r
 671 \r
 672 const Handler* XMLApplication::getAssertionConsumerServiceByIndex(unsigned short index) const\r
 673 {\r
 674     map<unsigned int,const Handler*>::const_iterator i=m_acsIndexMap.find(index);\r
 675     if (i!=m_acsIndexMap.end()) return i->second;\r
 676     return m_base ? m_base->getAssertionConsumerServiceByIndex(index) : NULL;\r
 677 }\r
 678 \r
 679 const vector<const Handler*>& XMLApplication::getAssertionConsumerServicesByBinding(const XMLCh* binding) const\r
 680 {\r
 681 #ifdef HAVE_GOOD_STL\r
 682     ACSBindingMap::const_iterator i=m_acsBindingMap.find(binding);\r
 683 #else\r
 684     auto_ptr_char temp(binding);\r
 685     ACSBindingMap::const_iterator i=m_acsBindingMap.find(temp.get());\r
 686 #endif\r
 687     if (i!=m_acsBindingMap.end())\r
 688         return i->second;\r
 689     return m_base ? m_base->getAssertionConsumerServicesByBinding(binding) : g_noHandlers;\r
 690 }\r
 691 \r
 692 const Handler* XMLApplication::getHandler(const char* path) const\r
 693 {\r
 694     string wrap(path);\r
 695     map<string,const Handler*>::const_iterator i=m_handlerMap.find(wrap.substr(0,wrap.find('?')));\r
 696     if (i!=m_handlerMap.end())\r
 697         return i->second;\r
 698     return m_base ? m_base->getHandler(path) : NULL;\r
 699 }\r
 700 \r
 701 short XMLConfigImpl::acceptNode(const DOMNode* node) const\r
 702 {\r
 703     if (!XMLString::equals(node->getNamespaceURI(),shibspconstants::SHIB2SPCONFIG_NS))\r
 704         return FILTER_ACCEPT;\r
 705     const XMLCh* name=node->getLocalName();\r
 706     if (XMLString::equals(name,Applications) ||\r
 707         XMLString::equals(name,Credentials) ||\r
 708         XMLString::equals(name,Extensions::LOCAL_NAME) ||\r
 709         XMLString::equals(name,Implementation) ||\r
 710         XMLString::equals(name,Listener) ||\r
 711         XMLString::equals(name,MemoryListener) ||\r
 712         XMLString::equals(name,Policy) ||\r
 713         XMLString::equals(name,_RequestMapper) ||\r
 714         XMLString::equals(name,_ReplayCache) ||\r
 715         XMLString::equals(name,_SessionCache) ||\r
 716         XMLString::equals(name,_StorageService) ||\r
 717         XMLString::equals(name,TCPListener) ||\r
 718         XMLString::equals(name,UnixListener))\r
 719         return FILTER_REJECT;\r
 720 \r
 721     return FILTER_ACCEPT;\r
 722 }\r
 723 \r
 724 void XMLConfigImpl::doExtensions(const DOMElement* e, const char* label, Category& log)\r
 725 {\r
 726     const DOMElement* exts=XMLHelper::getFirstChildElement(e,Extensions::LOCAL_NAME);\r
 727     if (exts) {\r
 728         exts=XMLHelper::getFirstChildElement(exts,Library);\r
 729         while (exts) {\r
 730             auto_ptr_char path(exts->getAttributeNS(NULL,_path));\r
 731             try {\r
 732                 if (path.get()) {\r
 733                     XMLToolingConfig::getConfig().load_library(path.get(),(void*)exts);\r
 734                     log.debug("loaded %s extension library (%s)", label, path.get());\r
 735                 }\r
 736             }\r
 737             catch (exception& e) {\r
 738                 const XMLCh* fatal=exts->getAttributeNS(NULL,fatal);\r
 739                 if (fatal && (*fatal==chLatin_t || *fatal==chDigit_1)) {\r
 740                     log.fatal("unable to load mandatory %s extension library %s: %s", label, path.get(), e.what());\r
 741                     throw;\r
 742                 }\r
 743                 else {\r
 744                     log.crit("unable to load optional %s extension library %s: %s", label, path.get(), e.what());\r
 745                 }\r
 746             }\r
 747             exts=XMLHelper::getNextSiblingElement(exts,Library);\r
 748         }\r
 749     }\r
 750 }\r
 751 \r
 752 XMLConfigImpl::XMLConfigImpl(const DOMElement* e, bool first, const XMLConfig* outer) : m_requestMapper(NULL), m_outer(outer), m_document(NULL)\r
 753 {\r
 754 #ifdef _DEBUG\r
 755     xmltooling::NDC ndc("XMLConfigImpl");\r
 756 #endif\r
 757     Category& log=Category::getInstance(SHIBSP_LOGCAT".Config");\r
 758 \r
 759     try {\r
 760         SPConfig& conf=SPConfig::getConfig();\r
 761         SAMLConfig& samlConf=SAMLConfig::getConfig();\r
 762         XMLToolingConfig& xmlConf=XMLToolingConfig::getConfig();\r
 763         const DOMElement* SHAR=XMLHelper::getFirstChildElement(e,OutOfProcess);\r
 764         const DOMElement* SHIRE=XMLHelper::getFirstChildElement(e,InProcess);\r
 765 \r
 766         // Initialize log4cpp manually in order to redirect log messages as soon as possible.\r
 767         if (conf.isEnabled(SPConfig::Logging)) {\r
 768             const XMLCh* logconf=NULL;\r
 769             if (conf.isEnabled(SPConfig::OutOfProcess))\r
 770                 logconf=SHAR->getAttributeNS(NULL,logger);\r
 771             else if (conf.isEnabled(SPConfig::InProcess))\r
 772                 logconf=SHIRE->getAttributeNS(NULL,logger);\r
 773             if (!logconf || !*logconf)\r
 774                 logconf=e->getAttributeNS(NULL,logger);\r
 775             if (logconf && *logconf) {\r
 776                 auto_ptr_char logpath(logconf);\r
 777                 log.debug("loading new logging configuration from (%s), check log destination for status of configuration",logpath.get());\r
 778                 XMLToolingConfig::getConfig().log_config(logpath.get());\r
 779             }\r
 780             \r
 781             if (first)\r
 782                 m_outer->m_tranLog = new TransactionLog();\r
 783         }\r
 784         \r
 785         // First load any property sets.\r
 786         load(e,log,this);\r
 787 \r
 788         const DOMElement* child;\r
 789         string plugtype;\r
 790 \r
 791         // Much of the processing can only occur on the first instantiation.\r
 792         if (first) {\r
 793             // Set clock skew.\r
 794             pair<bool,unsigned int> skew=getUnsignedInt("clockSkew");\r
 795             if (skew.first)\r
 796                 xmlConf.clock_skew_secs=skew.second;\r
 797 \r
 798             // Extensions\r
 799             doExtensions(e, "global", log);\r
 800             if (conf.isEnabled(SPConfig::OutOfProcess))\r
 801                 doExtensions(SHAR, "out of process", log);\r
 802 \r
 803             if (conf.isEnabled(SPConfig::InProcess))\r
 804                 doExtensions(SHIRE, "in process", log);\r
 805             \r
 806             // Instantiate the ListenerService and SessionCache objects.\r
 807             if (conf.isEnabled(SPConfig::Listener)) {\r
 808                 child=XMLHelper::getFirstChildElement(SHAR,UnixListener);\r
 809                 if (child)\r
 810                     plugtype=UNIX_LISTENER_SERVICE;\r
 811                 else {\r
 812                     child=XMLHelper::getFirstChildElement(SHAR,TCPListener);\r
 813                     if (child)\r
 814                         plugtype=TCP_LISTENER_SERVICE;\r
 815                     else {\r
 816                         child=XMLHelper::getFirstChildElement(SHAR,MemoryListener);\r
 817                         if (child)\r
 818                             plugtype=MEMORY_LISTENER_SERVICE;\r
 819                         else {\r
 820                             child=XMLHelper::getFirstChildElement(SHAR,Listener);\r
 821                             if (child) {\r
 822                                 auto_ptr_char type(child->getAttributeNS(NULL,_type));\r
 823                                 if (type.get())\r
 824                                     plugtype=type.get();\r
 825                             }\r
 826                         }\r
 827                     }\r
 828                 }\r
 829                 if (child) {\r
 830                     log.info("building ListenerService of type %s...", plugtype.c_str());\r
 831                     m_outer->m_listener = conf.ListenerServiceManager.newPlugin(plugtype.c_str(),child);\r
 832                 }\r
 833                 else {\r
 834                     log.fatal("can't build ListenerService, missing conf:Listener element?");\r
 835                     throw ConfigurationException("Can't build ListenerService, missing conf:Listener element?");\r
 836                 }\r
 837             }\r
 838 \r
 839             if (conf.isEnabled(SPConfig::Caching)) {\r
 840                 if (conf.isEnabled(SPConfig::OutOfProcess)) {\r
 841                     // First build any StorageServices.\r
 842                     string inmemID;\r
 843                     child=XMLHelper::getFirstChildElement(SHAR,_StorageService);\r
 844                     while (child) {\r
 845                         auto_ptr_char id(child->getAttributeNS(NULL,_id));\r
 846                         auto_ptr_char type(child->getAttributeNS(NULL,_type));\r
 847                         try {\r
 848                             log.info("building StorageService (%s) of type %s...", id.get(), type.get());\r
 849                             m_outer->m_storage[id.get()] = xmlConf.StorageServiceManager.newPlugin(type.get(),child);\r
 850                             if (!strcmp(type.get(),MEMORY_STORAGE_SERVICE))\r
 851                                 inmemID = id.get();\r
 852                         }\r
 853                         catch (exception& ex) {\r
 854                             log.crit("failed to instantiate StorageService (%s): %s", id.get(), ex.what());\r
 855                         }\r
 856                         child=XMLHelper::getNextSiblingElement(child,_StorageService);\r
 857                     }\r
 858                 \r
 859                     child=XMLHelper::getFirstChildElement(SHAR,_SessionCache);\r
 860                     if (child) {\r
 861                         auto_ptr_char type(child->getAttributeNS(NULL,_type));\r
 862                         log.info("building SessionCache of type %s...",type.get());\r
 863                         m_outer->m_sessionCache=conf.SessionCacheManager.newPlugin(type.get(),child);\r
 864                     }\r
 865                     else {\r
 866                         log.warn("SessionCache unspecified, building SessionCache of type %s...",STORAGESERVICE_SESSION_CACHE);\r
 867                         if (inmemID.empty()) {\r
 868                             inmemID = "memory";\r
 869                             log.info("no StorageServices configured, providing in-memory version for session cache");\r
 870                             m_outer->m_storage[inmemID] = xmlConf.StorageServiceManager.newPlugin(MEMORY_STORAGE_SERVICE,NULL);\r
 871                         }\r
 872                         child = e->getOwnerDocument()->createElementNS(NULL,_SessionCache);\r
 873                         auto_ptr_XMLCh ssid(inmemID.c_str());\r
 874                         const_cast<DOMElement*>(child)->setAttributeNS(NULL,_StorageService,ssid.get());\r
 875                         m_outer->m_sessionCache=conf.SessionCacheManager.newPlugin(STORAGESERVICE_SESSION_CACHE,child);\r
 876                     }\r
 877 \r
 878                     // Replay cache.\r
 879                     StorageService* replaySS=NULL;\r
 880                     child=XMLHelper::getFirstChildElement(SHAR,_ReplayCache);\r
 881                     if (child) {\r
 882                         auto_ptr_char ssid(child->getAttributeNS(NULL,_StorageService));\r
 883                         if (ssid.get() && *ssid.get()) {\r
 884                             if (m_outer->m_storage.count(ssid.get()))\r
 885                                 replaySS = m_outer->m_storage[ssid.get()];\r
 886                             if (replaySS)\r
 887                                 log.info("building ReplayCache on top of StorageService (%s)...", ssid.get());\r
 888                             else\r
 889                                 log.crit("unable to locate StorageService (%s) in configuration", ssid.get());\r
 890                         }\r
 891                     }\r
 892                     if (!replaySS) {\r
 893                         log.info("building ReplayCache using in-memory StorageService...");\r
 894                         if (inmemID.empty()) {\r
 895                             inmemID = "memory";\r
 896                             log.info("no StorageServices configured, providing in-memory version for legacy config");\r
 897                             m_outer->m_storage[inmemID] = xmlConf.StorageServiceManager.newPlugin(MEMORY_STORAGE_SERVICE,NULL);\r
 898                         }\r
 899                         replaySS = m_outer->m_storage[inmemID];\r
 900                     }\r
 901                     xmlConf.setReplayCache(new ReplayCache(replaySS));\r
 902                 }\r
 903                 else {\r
 904                     log.info("building in-process SessionCache of type %s...",REMOTED_SESSION_CACHE);\r
 905                     m_outer->m_sessionCache=conf.SessionCacheManager.newPlugin(REMOTED_SESSION_CACHE,NULL);\r
 906                 }\r
 907             }\r
 908         } // end of first-time-only stuff\r
 909         \r
 910         // Back to the fully dynamic stuff...next up is the RequestMapper.\r
 911         if (conf.isEnabled(SPConfig::RequestMapping)) {\r
 912             child=XMLHelper::getFirstChildElement(SHIRE,_RequestMapper);\r
 913             if (child) {\r
 914                 auto_ptr_char type(child->getAttributeNS(NULL,_type));\r
 915                 log.info("building RequestMapper of type %s...",type.get());\r
 916                 m_requestMapper=conf.RequestMapperManager.newPlugin(type.get(),child);\r
 917             }\r
 918         }\r
 919         \r
 920         // Now we load the credentials map.\r
 921         if (conf.isEnabled(SPConfig::Credentials)) {\r
 922             child = XMLHelper::getLastChildElement(e,Credentials);\r
 923             if (child) {\r
 924                 // Step down and process resolvers.\r
 925                 child=XMLHelper::getFirstChildElement(child);\r
 926                 while (child) {\r
 927                     auto_ptr_char id(child->getAttributeNS(NULL,_id));\r
 928                     auto_ptr_char type(child->getAttributeNS(NULL,_type));\r
 929                     try {\r
 930                         CredentialResolver* cr=xmlConf.CredentialResolverManager.newPlugin(type.get(),child);\r
 931                         m_credResolverMap[id.get()] = cr;\r
 932                     }\r
 933                     catch (exception& ex) {\r
 934                         log.crit("failed to instantiate CredentialResolver (%s): %s", id.get(), ex.what());\r
 935                     }\r
 936                     child = XMLHelper::getNextSiblingElement(child);\r
 937                 }\r
 938             }\r
 939         }\r
 940 \r
 941         // Load the default application. This actually has a fixed ID of "default". ;-)\r
 942         child=XMLHelper::getLastChildElement(e,Applications);\r
 943         if (!child) {\r
 944             log.fatal("can't build default Application object, missing conf:Applications element?");\r
 945             throw ConfigurationException("can't build default Application object, missing conf:Applications element?");\r
 946         }\r
 947         XMLApplication* defapp=new XMLApplication(m_outer,child);\r
 948         m_appmap[defapp->getId()]=defapp;\r
 949         \r
 950         // Load any overrides.\r
 951         child = XMLHelper::getFirstChildElement(child,_Application);\r
 952         while (child) {\r
 953             auto_ptr<XMLApplication> iapp(new XMLApplication(m_outer,child,defapp));\r
 954             if (m_appmap.count(iapp->getId()))\r
 955                 log.crit("found conf:Application element with duplicate id attribute (%s), skipping it", iapp->getId());\r
 956             else\r
 957                 m_appmap[iapp->getId()]=iapp.release();\r
 958 \r
 959             child = XMLHelper::getNextSiblingElement(child,_Application);\r
 960         }\r
 961 \r
 962         // Load security policies.\r
 963         child = XMLHelper::getLastChildElement(e,SecurityPolicies);\r
 964         if (child) {\r
 965             auto_ptr_char def(child->getAttributeNS(NULL,_default));\r
 966             m_policyDefault = def.get();\r
 967             child = XMLHelper::getFirstChildElement(child,Policy);\r
 968             while (child) {\r
 969                 auto_ptr_char id(child->getAttributeNS(NULL,_id));\r
 970                 vector<const SecurityPolicyRule*>& rules = m_policyMap[id.get()];\r
 971                 const DOMElement* rule = XMLHelper::getFirstChildElement(child,Rule);\r
 972                 while (rule) {\r
 973                     auto_ptr_char type(rule->getAttributeNS(NULL,_type));\r
 974                     try {\r
 975                         rules.push_back(samlConf.SecurityPolicyRuleManager.newPlugin(type.get(),rule));\r
 976                     }\r
 977                     catch (exception& ex) {\r
 978                         log.crit("error instantiating policy rule (%s) in policy (%s): %s", type.get(), id.get(), ex.what());\r
 979                     }\r
 980                     rule = XMLHelper::getNextSiblingElement(rule,Rule);\r
 981                 }\r
 982                 child = XMLHelper::getNextSiblingElement(child,Policy);\r
 983             }\r
 984             if (!m_policyMap.count(m_policyDefault))\r
 985                 throw ConfigurationException("Default security policy ($1) not found in conf:SecurityPolicies element.", params(1,m_policyDefault.c_str()));\r
 986         }\r
 987     }\r
 988     catch (exception&) {\r
 989         this->~XMLConfigImpl();\r
 990         throw;\r
 991     }\r
 992 #ifndef _DEBUG\r
 993     catch (...) {\r
 994         this->~XMLConfigImpl();\r
 995         throw;\r
 996     }\r
 997 #endif\r
 998 }\r
 999 \r
1000 XMLConfigImpl::~XMLConfigImpl()\r
1001 {\r
1002     for_each(m_appmap.begin(),m_appmap.end(),cleanup_pair<string,Application>());\r
1003     for_each(m_credResolverMap.begin(),m_credResolverMap.end(),cleanup_pair<string,CredentialResolver>());\r
1004     for (map< string,vector<const SecurityPolicyRule*> >::iterator i=m_policyMap.begin(); i!=m_policyMap.end(); ++i)\r
1005         for_each(i->second.begin(), i->second.end(), xmltooling::cleanup<SecurityPolicyRule>());\r
1006     delete m_requestMapper;\r
1007     if (m_document)\r
1008         m_document->release();\r
1009 }\r
1010 \r
1011 pair<bool,DOMElement*> XMLConfig::load()\r
1012 {\r
1013     // Load from source using base class.\r
1014     pair<bool,DOMElement*> raw = ReloadableXMLFile::load();\r
1015     \r
1016     // If we own it, wrap it.\r
1017     XercesJanitor<DOMDocument> docjanitor(raw.first ? raw.second->getOwnerDocument() : NULL);\r
1018 \r
1019     XMLConfigImpl* impl = new XMLConfigImpl(raw.second,(m_impl==NULL),this);\r
1020     \r
1021     // If we held the document, transfer it to the impl. If we didn't, it's a no-op.\r
1022     impl->setDocument(docjanitor.release());\r
1023 \r
1024     delete m_impl;\r
1025     m_impl = impl;\r
1026 \r
1027     return make_pair(false,(DOMElement*)NULL);\r
1028 }\r