/*
+ * Copyright 2001-2005 Internet2
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+/*
* mod_apache.cpp -- the core Apache Module code
*
* Created by: Derek Atkins <derek@ihtfp.com>
extern "C" const char* shib_set_server_string_slot(cmd_parms* parms, void*, const char* arg)
{
char* base=(char*)ap_get_module_config(parms->server->module_config,&mod_shib);
- int offset=(int)parms->info;
+ size_t offset=(size_t)parms->info;
*((char**)(base + offset))=ap_pstrdup(parms->pool,arg);
return NULL;
}
threadid << "[" << getpid() << "] shib_check_user" << '\0';
saml::NDC ndc(threadid.str().c_str());
-#ifndef _DEBUG
try {
-#endif
ShibTargetApache sta(r);
- // Check user authentication, the set the handler bypass
+ // Check user authentication and export information, then set the handler bypass
pair<bool,void*> res = sta.doCheckAuthN(true);
apr_pool_userdata_setn((const void*)42,g_UserDataKey,NULL,r->pool);
if (res.first) return (int)res.second;
// export happened successfully.. this user is ok.
return OK;
-
+ }
+ catch (SAMLException& e) {
+ ap_log_rerror(APLOG_MARK, APLOG_ERR|APLOG_NOERRNO, SH_AP_R(r), "shib_check_user threw an exception: %s", e.what());
+ return SERVER_ERROR;
+ }
#ifndef _DEBUG
- } catch (...) {
+ catch (...) {
ap_log_rerror(APLOG_MARK, APLOG_ERR|APLOG_NOERRNO, SH_AP_R(r), "shib_check_user threw an uncaught exception!");
return SERVER_ERROR;
}
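Review bot: The new handler at line 44 catches `SAMLException& e` by non-const reference although it only reads `e.what()`; `catch (const SAMLException& e) {` is the conventional form, and the same applies to the matching handlers in the shib_handler and shib_auth_checker hunks (lines 64 and 85). The `try {` at line 32 is now unconditional while the trailing `catch (...)` stays under `#ifndef _DEBUG`, which is balanced because the SAMLException handler closes the try in both configurations, but the intent is not obvious; a one-line comment above line 48 such as `// _DEBUG builds let non-SAML exceptions propagate instead of being swallowed here` would make it explicit. Logging `e.what()` through ap_log_rerror keeps the detail in the server log rather than the response, which is where it belongs. shib_check_user's body begins and ends outside this hunk.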
ap_log_rerror(APLOG_MARK,APLOG_DEBUG|APLOG_NOERRNO,SH_AP_R(r),"shib_handler(%d): ENTER: %s", (int)getpid(), r->handler);
-#ifndef _DEBUG
try {
-#endif
ShibTargetApache sta(r);
pair<bool,void*> res = sta.doHandler();
ap_log_rerror(APLOG_MARK, APLOG_ERR|APLOG_NOERRNO, SH_AP_R(r), "doHandler() did not do anything.");
return SERVER_ERROR;
-
+ }
+ catch (SAMLException& e) {
+ ap_log_rerror(APLOG_MARK, APLOG_ERR|APLOG_NOERRNO, SH_AP_R(r), "shib_handler threw an exception: %s", e.what());
+ return SERVER_ERROR;
+ }
#ifndef _DEBUG
- } catch (...) {
+ catch (...) {
ap_log_rerror(APLOG_MARK, APLOG_ERR|APLOG_NOERRNO, SH_AP_R(r), "shib_handler threw an uncaught exception!");
return SERVER_ERROR;
}
threadid << "[" << getpid() << "] shib_auth_checker" << '\0';
saml::NDC ndc(threadid.str().c_str());
-#ifndef _DEBUG
try {
-#endif
ShibTargetApache sta(r);
pair<bool,void*> res = sta.doCheckAuthZ();
// We're all okay.
return OK;
-
+ }
+ catch (SAMLException& e) {
+ ap_log_rerror(APLOG_MARK, APLOG_ERR|APLOG_NOERRNO, SH_AP_R(r), "shib_auth_checker threw an exception: %s", e.what());
+ return SERVER_ERROR;
+ }
#ifndef _DEBUG
- } catch (...) {
+ catch (...) {
ap_log_rerror(APLOG_MARK, APLOG_ERR|APLOG_NOERRNO, SH_AP_R(r), "shib_auth_checker threw an uncaught exception!");
return SERVER_ERROR;
}
}
}
else if (name && !strcmp(name,"applicationId") && sta->m_dc->szApplicationId)
- return make_pair(true,sta->m_dc->szApplicationId);
+ return pair<bool,const char*>(true,sta->m_dc->szApplicationId);
else if (name && !strcmp(name,"requireSessionWith") && sta->m_dc->szRequireWith)
- return make_pair(true,sta->m_dc->szRequireWith);
+ return pair<bool,const char*>(true,sta->m_dc->szRequireWith);
}
return s ? s->getString(name,ns) : pair<bool,const char*>(false,NULL);
}
t = reqs[x].requirement;
w = ap_getword_white(sta->m_req->pool, &t);
- if (!strcasecmp(w,"Shibboleth")) {
+ if (!strcasecmp(w,"shibboleth")) {
// This is a dummy rule needed because Apache conflates authn and authz.
// Without some require rule, AuthType is ignored and no check_user hooks run.
SHIB_AP_CHECK_IS_OK;
}
- else if (!strcmp(w,"valid-user")) {
- st->log(ShibTarget::LogLevelDebug,"htAccessControl plugin accepting valid-user");
+ else if (!strcmp(w,"valid-user") && entry) {
+ st->log(ShibTarget::LogLevelDebug,"htAccessControl plugin accepting valid-user based on active session");
SHIB_AP_CHECK_IS_OK;
}
else if (!strcmp(w,"user") && !remote_user.empty()) {
string vals_str(vals);
int j = 0;
- for (int i = 0; i < vals_str.length(); i++) {
+ for (unsigned int i = 0; i < vals_str.length(); i++) {
if (vals_str.at(i) == ';') {
if (i == 0) {
st->log(ShibTarget::LogLevelError, string("htAccessControl plugin found invalid header encoding (") +
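Review bot: The loop index at line 124 is `unsigned int` while `vals_str.length()` returns `std::string::size_type`, so the comparison still mixes widths on LP64 targets; `for (string::size_type i = 0; i < vals_str.length(); i++) {` removes the mismatch without changing behavior. The `valid-user` rule at line 116 now also requires `entry`, which appears to be the active session; when it is absent the rule silently falls through to the following branches, so a debug log for that case (mirroring the accepting message at line 117) would help operators see why a request was not accepted. The enclosing loop over `reqs` starts and ends outside this hunk.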
AP_INIT_FLAG("ShibDisable", (config_fn_t)ap_set_flag_slot,
(void *) offsetof (shib_dir_config, bOff),
OR_AUTHCFG, "Disable all Shib module activity here to save processing effort"),
- AP_INIT_FLAG("ShibApplicationId", (config_fn_t)ap_set_string_slot,
+ AP_INIT_TAKE1("ShibApplicationId", (config_fn_t)ap_set_string_slot,
(void *) offsetof (shib_dir_config, szApplicationId),
OR_AUTHCFG, "Set Shibboleth applicationId property for content"),
AP_INIT_FLAG("ShibBasicHijack", (config_fn_t)ap_set_flag_slot,
AP_INIT_FLAG("ShibRequireSession", (config_fn_t)ap_set_flag_slot,
(void *) offsetof (shib_dir_config, bRequireSession),
OR_AUTHCFG, "Initiates a new session if one does not exist."),
- AP_INIT_FLAG("ShibRequireSessionWith", (config_fn_t)ap_set_string_slot,
+ AP_INIT_TAKE1("ShibRequireSessionWith", (config_fn_t)ap_set_string_slot,
(void *) offsetof (shib_dir_config, szRequireWith),
OR_AUTHCFG, "Initiates a new session if one does not exist using a specific SessionInitiator"),
AP_INIT_FLAG("ShibExportAssertion", (config_fn_t)ap_set_flag_slot,
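Review bot: The `(config_fn_t)` casts on these table entries are what allowed the previous AP_INIT_FLAG / ap_set_string_slot pairing to compile, so the mismatch this hunk corrects at lines 132 and 140 is never caught by the compiler; a comment at the head of the table, e.g. `// Directive kind must match the slot setter: AP_INIT_TAKE1 for ap_set_string_slot, AP_INIT_FLAG for ap_set_flag_slot`, would guard against the same slip in future entries. The command table starts and ends outside this hunk.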