/*
+ * Copyright 2001-2005 Internet2
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+/*
* mod_apache.cpp -- the core Apache Module code
*
* Created by: Derek Atkins <derek@ihtfp.com>
#endif
ShibTargetApache sta(r);
- // Check user authentication, the set the handler bypass
+ // Check user authentication and export information, then set the handler bypass
pair<bool,void*> res = sta.doCheckAuthN(true);
apr_pool_userdata_setn((const void*)42,g_UserDataKey,NULL,r->pool);
if (res.first) return (int)res.second;
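Review bot: The handler-bypass marker on L26 is written to the pool before `res.first` is inspected, so it is set even on the path where doCheckAuthN returns a status and the request ends right here; if the marker is meant only to tell the later handler hook that the auth check already ran, that is probably intended, but the rewritten comment only describes the ordering and should say so. The `(const void*)42` value also deserves a note, since nothing in the hunk explains it; I would write `// marker value is arbitrary — NOTE(review): confirm downstream hooks only test for the presence of g_UserDataKey`. The enclosing function starts and ends outside the hunk.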
void unlock() {}
bool authorized(
ShibTarget* st,
- const char* providerId,
- const saml::SAMLAuthenticationStatement* authn,
- const saml::SAMLResponse* attrs
+ ISessionCacheEntry* entry
) const;
};
}
}
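Review bot: The new `ISessionCacheEntry* entry` parameter in the `authorized` declaration carries no statement of whether it may be NULL, yet the definition's valid-user branch later in this diff guards on it (`!strcmp(w,"valid-user") && entry`), so NULL is evidently a legal value meaning no active session. A one-line comment above the declaration would pin that contract for anyone else implementing the interface: `// entry: the caller's session cache entry, or NULL when the request carries no active session`. The class header and any `lock()` counterpart to the empty `unlock()` are outside this hunk, so I cannot tell whether the no-op is deliberate.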
else if (name && !strcmp(name,"applicationId") && sta->m_dc->szApplicationId)
- return make_pair(true,sta->m_dc->szApplicationId);
+ return pair<bool,const char*>(true,sta->m_dc->szApplicationId);
else if (name && !strcmp(name,"requireSessionWith") && sta->m_dc->szRequireWith)
- return make_pair(true,sta->m_dc->szRequireWith);
+ return pair<bool,const char*>(true,sta->m_dc->szRequireWith);
}
return s ? s->getString(name,ns) : pair<bool,const char*>(false,NULL);
}
pair<bool,unsigned int> ApacheRequestMapper::getUnsignedInt(const char* name, const char* ns) const
{
const IPropertySet* s=reinterpret_cast<const IPropertySet*>(m_propsKey->getData());
- return s ? s->getUnsignedInt(name,ns) : make_pair(false,0);
+ return s ? s->getUnsignedInt(name,ns) : pair<bool,unsigned int>(false,0);
}
pair<bool,int> ApacheRequestMapper::getInt(const char* name, const char* ns) const
{
const IPropertySet* s=reinterpret_cast<const IPropertySet*>(m_propsKey->getData());
- return s ? s->getInt(name,ns) : make_pair(false,0);
+ return s ? s->getInt(name,ns) : pair<bool,int>(false,0);
}
const IPropertySet* ApacheRequestMapper::getPropertySet(const char* name, const char* ns) const
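Review bot: The per-directory overrides on L39–L44 test `szApplicationId` and `szRequireWith` only for non-NULL, and since these are now TAKE1 string slots a directive such as `ShibApplicationId ""` stores an empty string, which would make getString return `(true, "")` and shadow whatever the underlying property set would have supplied. Guarding on a non-empty value closes that: `else if (name && !strcmp(name,"applicationId") && sta->m_dc->szApplicationId && *sta->m_dc->szApplicationId)`, and the same for `szRequireWith`. Separately, if `getData()` returns a `void*`, the `reinterpret_cast<const IPropertySet*>` on L50 and L56 should be `static_cast`, which is the cast the language provides for that conversion. getString begins before this hunk and getPropertySet continues past it.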
bool htAccessControl::authorized(
ShibTarget* st,
- const char* providerId,
- const saml::SAMLAuthenticationStatement* authn,
- const saml::SAMLResponse* attrs
+ ISessionCacheEntry* entry
) const
{
// Make sure the object is our type.
t = reqs[x].requirement;
w = ap_getword_white(sta->m_req->pool, &t);
- if (!strcasecmp(w,"Shibboleth")) {
+ if (!strcasecmp(w,"shibboleth")) {
// This is a dummy rule needed because Apache conflates authn and authz.
// Without some require rule, AuthType is ignored and no check_user hooks run.
SHIB_AP_CHECK_IS_OK;
}
- else if (!strcmp(w,"valid-user")) {
- st->log(ShibTarget::LogLevelDebug,"htAccessControl plugin accepting valid-user");
+ else if (!strcmp(w,"valid-user") && entry) {
+ st->log(ShibTarget::LogLevelDebug,"htAccessControl plugin accepting valid-user based on active session");
SHIB_AP_CHECK_IS_OK;
}
else if (!strcmp(w,"user") && !remote_user.empty()) {
string vals_str(vals);
int j = 0;
- for (int i = 0; i < vals_str.length(); i++) {
+ for (unsigned int i = 0; i < vals_str.length(); i++) {
if (vals_str.at(i) == ';') {
if (i == 0) {
st->log(ShibTarget::LogLevelError, string("htAccessControl plugin found invalid header encoding (") +
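Review bot: When `entry` is NULL the rewritten valid-user branch on L80 no longer matches, so the rule is silently skipped and evaluation falls through to the next `else if` with nothing in the log explaining why a `require valid-user` did not grant access; a following branch such as `else if (!strcmp(w,"valid-user")) st->log(ShibTarget::LogLevelDebug,"htAccessControl plugin ignoring valid-user, no active session");` would keep the denial diagnosable. Note also that the `user` rule on L84 keys only on `remote_user` being non-empty and does not consult `entry`; if `remote_user` can be populated from anything other than the session (I cannot see where it is set), it does not get the same session gate that valid-user now has. The `shibboleth` word is compared with strcasecmp while the other require words use strcmp, which is harmless but worth making consistent. The enclosing loop and function extend beyond the hunk.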
AP_INIT_FLAG("ShibDisable", (config_fn_t)ap_set_flag_slot,
(void *) offsetof (shib_dir_config, bOff),
OR_AUTHCFG, "Disable all Shib module activity here to save processing effort"),
- AP_INIT_FLAG("ShibApplicationId", (config_fn_t)ap_set_string_slot,
+ AP_INIT_TAKE1("ShibApplicationId", (config_fn_t)ap_set_string_slot,
(void *) offsetof (shib_dir_config, szApplicationId),
OR_AUTHCFG, "Set Shibboleth applicationId property for content"),
AP_INIT_FLAG("ShibBasicHijack", (config_fn_t)ap_set_flag_slot,
AP_INIT_FLAG("ShibRequireSession", (config_fn_t)ap_set_flag_slot,
(void *) offsetof (shib_dir_config, bRequireSession),
OR_AUTHCFG, "Initiates a new session if one does not exist."),
- AP_INIT_FLAG("ShibRequireSessionWith", (config_fn_t)ap_set_string_slot,
+ AP_INIT_TAKE1("ShibRequireSessionWith", (config_fn_t)ap_set_string_slot,
(void *) offsetof (shib_dir_config, szRequireWith),
OR_AUTHCFG, "Initiates a new session if one does not exist using a specific SessionInitiator"),
AP_INIT_FLAG("ShibExportAssertion", (config_fn_t)ap_set_flag_slot,
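Review bot: The switch from AP_INIT_FLAG to AP_INIT_TAKE1 for `ShibApplicationId` and `ShibRequireSessionWith` is the right fix, but the `(config_fn_t)` casts that remain on every entry are what let a flag-style directive be registered with `ap_set_string_slot` in the first place: the cast discards the signature mismatch, so Apache would have passed an int where a `const char*` was expected. Since the casts are presumably needed to satisfy the C++ compiler against Apache's command-function union, I would add a table-level comment: `// NOTE: the config_fn_t casts defeat type checking — each AP_INIT_* kind must match its ap_set_*_slot handler`. Also, `ap_set_string_slot` stores the directive argument verbatim, so an unknown SessionInitiator id in `ShibRequireSessionWith` cannot be rejected at config-parse time; unless a later lookup reports the failure, a typo would only surface as a missing session initiator at request time. The command table starts and ends outside the hunk.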