#endif
ShibTargetApache sta(r);
- // Check user authentication, the set the handler bypass
+ // Check user authentication and export information, then set the handler bypass
pair<bool,void*> res = sta.doCheckAuthN(true);
apr_pool_userdata_setn((const void*)42,g_UserDataKey,NULL,r->pool);
if (res.first) return (int)res.second;
void unlock() {}
bool authorized(
ShibTarget* st,
- const char* providerId,
- const saml::SAMLAuthenticationStatement* authn,
- const saml::SAMLResponse* attrs
+ ISessionCacheEntry* entry
) const;
};
}
}
else if (name && !strcmp(name,"applicationId") && sta->m_dc->szApplicationId)
- return make_pair(true,sta->m_dc->szApplicationId);
+ return pair<bool,const char*>(true,sta->m_dc->szApplicationId);
else if (name && !strcmp(name,"requireSessionWith") && sta->m_dc->szRequireWith)
- return make_pair(true,sta->m_dc->szRequireWith);
+ return pair<bool,const char*>(true,sta->m_dc->szRequireWith);
}
return s ? s->getString(name,ns) : pair<bool,const char*>(false,NULL);
}
bool htAccessControl::authorized(
ShibTarget* st,
- const char* providerId,
- const saml::SAMLAuthenticationStatement* authn,
- const saml::SAMLResponse* attrs
+ ISessionCacheEntry* entry
) const
{
// Make sure the object is our type.
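Review bot: The new `entry` parameter of `htAccessControl::authorized` is undocumented, although the `valid-user` branch later in this function tests it for NULL, so a null pointer evidently stands for "no active session". I would state that contract at the signature, for example `// entry: session cache entry for this request, or NULL when no session exists; check before dereferencing`. The comment should also say whether the caller keeps the entry locked for the duration of the call, which the visible lines do not show. The same comment belongs on the matching declaration in the class body earlier in this diff. The function body continues outside this hunk.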
t = reqs[x].requirement;
w = ap_getword_white(sta->m_req->pool, &t);
- if (!strcasecmp(w,"Shibboleth")) {
+ if (!strcasecmp(w,"shibboleth")) {
// This is a dummy rule needed because Apache conflates authn and authz.
// Without some require rule, AuthType is ignored and no check_user hooks run.
SHIB_AP_CHECK_IS_OK;
}
- else if (!strcmp(w,"valid-user")) {
- st->log(ShibTarget::LogLevelDebug,"htAccessControl plugin accepting valid-user");
+ else if (!strcmp(w,"valid-user") && entry) {
+ st->log(ShibTarget::LogLevelDebug,"htAccessControl plugin accepting valid-user based on active session");
SHIB_AP_CHECK_IS_OK;
}
else if (!strcmp(w,"user") && !remote_user.empty()) {
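Review bot: With the added `&& entry` guard, a `require valid-user` rule evaluated without a session no longer matches this branch and instead falls through the rest of the `else if` chain, which lies outside this hunk. If a later catch-all treats `w` as an attribute or alias name, the rule would presumably be handled as unrecognized rather than as an explicit refusal, so confirm that this path ends in denial. An explicit branch such as `else if (!strcmp(w,"valid-user")) { st->log(ShibTarget::LogLevelDebug,"htAccessControl plugin rejecting valid-user, no active session"); }` placed right after this one would make the outcome deliberate and leave a trace in the log. It would also help to check that the other rules which depend on session data are guarded consistently, as the `user` rule is by `!remote_user.empty()`.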