/*
- * The Shibboleth License, Version 1.
- * Copyright (c) 2002
- * University Corporation for Advanced Internet Development, Inc.
- * All rights reserved
+ * Copyright 2001-2005 Internet2
*
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
*
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions are met:
+ * http://www.apache.org/licenses/LICENSE-2.0
*
- * Redistributions of source code must retain the above copyright notice, this
- * list of conditions and the following disclaimer.
- *
- * Redistributions in binary form must reproduce the above copyright notice,
- * this list of conditions and the following disclaimer in the documentation
- * and/or other materials provided with the distribution, if any, must include
- * the following acknowledgment: "This product includes software developed by
- * the University Corporation for Advanced Internet Development
- * <http://www.ucaid.edu>Internet2 Project. Alternately, this acknowledegement
- * may appear in the software itself, if and wherever such third-party
- * acknowledgments normally appear.
- *
- * Neither the name of Shibboleth nor the names of its contributors, nor
- * Internet2, nor the University Corporation for Advanced Internet Development,
- * Inc., nor UCAID may be used to endorse or promote products derived from this
- * software without specific prior written permission. For written permission,
- * please contact shibboleth@shibboleth.org
- *
- * Products derived from this software may not be called Shibboleth, Internet2,
- * UCAID, or the University Corporation for Advanced Internet Development, nor
- * may Shibboleth appear in their name, without prior written permission of the
- * University Corporation for Advanced Internet Development.
- *
- *
- * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
- * AND WITH ALL FAULTS. ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
- * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A
- * PARTICULAR PURPOSE, AND NON-INFRINGEMENT ARE DISCLAIMED AND THE ENTIRE RISK
- * OF SATISFACTORY QUALITY, PERFORMANCE, ACCURACY, AND EFFORT IS WITH LICENSEE.
- * IN NO EVENT SHALL THE COPYRIGHT OWNER, CONTRIBUTORS OR THE UNIVERSITY
- * CORPORATION FOR ADVANCED INTERNET DEVELOPMENT, INC. BE LIABLE FOR ANY DIRECT,
- * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
- * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
- * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
- * ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
- * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
- * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
*/
-
/* shib.h - Shibboleth header file
Scott Cantor
#ifndef __shib_h__
#define __shib_h__
+#include <xmltooling/util/Threads.h>
+
#include <saml/saml.h>
-#include <shib/shib-threads.h>
#include <xsec/xenc/XENCEncryptionMethod.hpp>
#ifdef WIN32
namespace shibboleth
{
- #define DECLARE_SHIB_EXCEPTION(name,base) \
- class SHIB_EXPORTS name : public saml::base \
- { \
- public: \
- name(const char* msg) : saml::base(msg) {RTTI(name);} \
- name(const std::string& msg) : saml::base(msg) {RTTI(name);} \
- name(const saml::Iterator<saml::QName>& codes, const char* msg) : saml::base(codes,msg) {RTTI(name);} \
- name(const saml::Iterator<saml::QName>& codes, const std::string& msg) : saml::base(codes, msg) {RTTI(name);} \
- name(const saml::QName& code, const char* msg) : saml::base(code,msg) {RTTI(name);} \
- name(const saml::QName& code, const std::string& msg) : saml::base(code, msg) {RTTI(name);} \
- name(DOMElement* e) : saml::base(e) {RTTI(name);} \
- name(std::istream& in) : saml::base(in) {RTTI(name);} \
- virtual ~name() throw () {} \
- }
-
- DECLARE_SHIB_EXCEPTION(MetadataException,SAMLException);
- DECLARE_SHIB_EXCEPTION(CredentialException,SAMLException);
- DECLARE_SHIB_EXCEPTION(InvalidHandleException,RetryableProfileException);
-
- // Manages pluggable implementations of interfaces
- // Would prefer this to be a template, but the Windows STL isn't DLL-safe.
-
- struct SHIB_EXPORTS IPlugIn
- {
- virtual ~IPlugIn() {}
- };
-
- class SHIB_EXPORTS PlugManager
- {
- public:
- PlugManager() {}
- ~PlugManager() {}
-
- typedef IPlugIn* Factory(const DOMElement* source);
- void regFactory(const char* type, Factory* factory);
- void unregFactory(const char* type);
- IPlugIn* newPlugin(const char* type, const DOMElement* source);
-
- private:
- typedef std::map<std::string, Factory*> FactoryMap;
- FactoryMap m_map;
- };
-
- // Various interfaces inherit from this to support locking
- struct SHIB_EXPORTS ILockable
- {
- virtual void lock()=0;
- virtual void unlock()=0;
- virtual ~ILockable() {}
- };
+ DECLARE_SAML_EXCEPTION(SHIB_EXPORTS,ResourceAccessException,SAMLException);
+ DECLARE_SAML_EXCEPTION(SHIB_EXPORTS,MetadataException,SAMLException);
+ DECLARE_SAML_EXCEPTION(SHIB_EXPORTS,CredentialException,SAMLException);
+ DECLARE_SAML_EXCEPTION(SHIB_EXPORTS,InvalidHandleException,SAMLException);
+ DECLARE_SAML_EXCEPTION(SHIB_EXPORTS,InvalidSessionException,RetryableProfileException);
// Metadata abstract interfaces, based on SAML 2.0
enum KeyUse { unspecified, encryption, signing };
virtual KeyUse getUse() const=0;
virtual DSIGKeyInfoList* getKeyInfo() const=0;
- virtual saml::Iterator<const XENCEncryptionMethod*> getEncryptionMethod() const=0;
+ virtual saml::Iterator<const XENCEncryptionMethod*> getEncryptionMethods() const=0;
virtual ~IKeyDescriptor() {}
};
virtual const IEntityDescriptor* getEntityDescriptor() const=0;
virtual saml::Iterator<const XMLCh*> getProtocolSupportEnumeration() const=0;
virtual bool hasSupport(const XMLCh* protocol) const=0;
+ virtual bool isValid() const=0;
virtual const char* getErrorURL() const=0;
virtual saml::Iterator<const IKeyDescriptor*> getKeyDescriptors() const=0;
virtual const IOrganization* getOrganization() const=0;
struct SHIB_EXPORTS IAttributeAuthorityDescriptor : public virtual IRoleDescriptor
{
- virtual const IEndpointManager* getAttributeServices() const=0;
+ virtual const IEndpointManager* getAttributeServiceManager() const=0;
virtual const IEndpointManager* getAssertionIDRequestServiceManager() const=0;
virtual saml::Iterator<const XMLCh*> getNameIDFormats() const=0;
virtual saml::Iterator<const XMLCh*> getAttributeProfiles() const=0;
{
virtual const IEntityDescriptor* getEntityDescriptor() const=0;
virtual const XMLCh* getOwnerID() const=0;
+ virtual bool isValid() const=0;
virtual saml::Iterator<const XMLCh*> getMembers() const=0;
virtual bool isMember(const XMLCh* id) const=0;
virtual saml::Iterator<const IKeyDescriptor*> getKeyDescriptors() const=0;
struct SHIB_EXPORTS IEntityDescriptor
{
virtual const XMLCh* getId() const=0;
+ virtual bool isValid() const=0;
virtual saml::Iterator<const IRoleDescriptor*> getRoleDescriptors() const=0;
virtual const IIDPSSODescriptor* getIDPSSODescriptor(const XMLCh* protocol) const=0;
virtual const ISPSSODescriptor* getSPSSODescriptor(const XMLCh* protocol) const=0;
struct SHIB_EXPORTS IEntitiesDescriptor
{
virtual const XMLCh* getName() const=0;
+ virtual bool isValid() const=0;
virtual const IEntitiesDescriptor* getEntitiesDescriptor() const=0;
virtual saml::Iterator<const IEntitiesDescriptor*> getEntitiesDescriptors() const=0;
virtual saml::Iterator<const IEntityDescriptor*> getEntityDescriptors() const=0;
virtual ~IEntitiesDescriptor() {}
};
- // Supports Shib role extension describing attribute scoping rules
- struct SHIB_EXPORTS IScopedRoleDescriptor : public virtual IRoleDescriptor
+ // Shib extension interfaces
+ struct SHIB_EXPORTS IKeyAuthority
{
- virtual saml::Iterator<std::pair<const XMLCh*,bool> > getScopes() const=0;
- virtual ~IScopedRoleDescriptor() {}
+ virtual int getVerifyDepth() const=0;
+ virtual saml::Iterator<DSIGKeyInfoList*> getKeyInfos() const=0;
+ virtual ~IKeyAuthority() {}
};
-
- struct SHIB_EXPORTS IMetadata : public virtual ILockable, public virtual IPlugIn
+
+ struct SHIB_EXPORTS IExtendedEntityDescriptor : public virtual IEntityDescriptor
{
- virtual const IEntityDescriptor* lookup(const XMLCh* id) const=0;
- virtual ~IMetadata() {}
+ virtual saml::Iterator<const IKeyAuthority*> getKeyAuthorities() const=0;
+ virtual saml::Iterator<std::pair<const XMLCh*,bool> > getScopes() const=0;
+ virtual ~IExtendedEntityDescriptor() {}
};
- struct SHIB_EXPORTS IRevocation : public virtual ILockable, public virtual IPlugIn
+ struct SHIB_EXPORTS IExtendedEntitiesDescriptor : public virtual IEntitiesDescriptor
{
- virtual saml::Iterator<void*> getRevocationLists(const IEntityDescriptor* provider, const IRoleDescriptor* role=NULL) const=0;
- virtual ~IRevocation() {}
+ virtual saml::Iterator<const IKeyAuthority*> getKeyAuthorities() const=0;
+ virtual ~IExtendedEntitiesDescriptor() {}
+ };
+
+ struct SHIB_EXPORTS IMetadata : public virtual saml::ILockable, public virtual saml::IPlugIn
+ {
+ virtual const IEntityDescriptor* lookup(const char* id, bool strict=true) const=0;
+ virtual const IEntityDescriptor* lookup(const XMLCh* id, bool strict=true) const=0;
+ virtual const IEntityDescriptor* lookup(const saml::SAMLArtifact* artifact) const=0;
+ virtual const IEntitiesDescriptor* lookupGroup(const char* name, bool strict=true) const=0;
+ virtual const IEntitiesDescriptor* lookupGroup(const XMLCh* name, bool strict=true) const=0;
+ virtual std::pair<const IEntitiesDescriptor*,const IEntityDescriptor*> getRoot() const=0;
+ virtual ~IMetadata() {}
};
// Trust interface hides *all* details of signature and SSL validation.
// Pluggable providers can fully override the Shibboleth trust model here.
- struct SHIB_EXPORTS ITrust : public virtual IPlugIn
+ struct SHIB_EXPORTS ITrust : public virtual saml::IPlugIn
{
+ // Performs certificate validation processing of an untrusted certificates
+ // using a library-specific representation, in this case an OpenSSL X509*
+ virtual bool validate(
+ void* certEE,
+ const saml::Iterator<void*>& certChain,
+ const IRoleDescriptor* role,
+ bool checkName=true
+ )=0;
+
+ // Validates signed SAML messages and assertions sent by an entity acting in a specific role.
+ // If certificate validation is required, the trust provider used can be overridden using
+ // the last parameter, or left null and the provider will rely on itself.
virtual bool validate(
- const saml::Iterator<IRevocation*>& revocations,
- const IRoleDescriptor* role, const saml::SAMLSignedObject& token,
- const saml::Iterator<IMetadata*>& metadatas=EMPTY(IMetadata*)
+ const saml::SAMLSignedObject& token,
+ const IRoleDescriptor* role,
+ ITrust* certValidator=NULL
)=0;
- virtual bool attach(const saml::Iterator<IRevocation*>& revocations, const IRoleDescriptor* role, void* ctx)=0;
+
virtual ~ITrust() {}
};
// Credentials interface abstracts access to "owned" keys and certificates.
- struct SHIB_EXPORTS ICredResolver : public virtual IPlugIn
+ struct SHIB_EXPORTS ICredResolver : public virtual saml::IPlugIn
{
virtual void attach(void* ctx) const=0;
virtual XSECCryptoKey* getKey() const=0;
virtual ~ICredResolver() {}
};
- struct SHIB_EXPORTS ICredentials : public virtual ILockable, public virtual IPlugIn
+ struct SHIB_EXPORTS ICredentials : public virtual saml::ILockable, public virtual saml::IPlugIn
{
virtual const ICredResolver* lookup(const char* id) const=0;
virtual ~ICredentials() {}
{
virtual const XMLCh* getName() const=0;
virtual const XMLCh* getNamespace() const=0;
- virtual const char* getFactory() const=0;
virtual const char* getAlias() const=0;
virtual const char* getHeader() const=0;
virtual bool getCaseSensitive() const=0;
- virtual void apply(saml::SAMLAttribute& attribute, const IRoleDescriptor* role=NULL) const=0;
+ virtual void apply(saml::SAMLAttribute& attribute, const IEntityDescriptor* source=NULL) const=0;
virtual ~IAttributeRule() {}
};
- struct SHIB_EXPORTS IAAP : public virtual ILockable, public virtual IPlugIn
+ struct SHIB_EXPORTS IAAP : public virtual saml::ILockable, public virtual saml::IPlugIn
{
virtual bool anyAttribute() const=0;
virtual const IAttributeRule* lookup(const XMLCh* attrName, const XMLCh* attrNamespace=NULL) const=0;
virtual saml::Iterator<const IAttributeRule*> getAttributeRules() const=0;
virtual ~IAAP() {}
};
+
+ struct SHIB_EXPORTS IAttributeFactory : public virtual saml::IPlugIn
+ {
+ virtual saml::SAMLAttribute* build(DOMElement* e) const=0;
+ virtual ~IAttributeFactory() {}
+ };
#ifdef SHIB_INSTANTIATE
template class SHIB_EXPORTS saml::Iterator<const IContactPerson*>;
template class SHIB_EXPORTS saml::Iterator<const IEntitiesDescriptor*>;
template class SHIB_EXPORTS saml::Iterator<const IEndpoint*>;
template class SHIB_EXPORTS saml::Iterator<const IAttributeRule*>;
+ template class SHIB_EXPORTS saml::Iterator<const IKeyAuthority*>;
+ template class SHIB_EXPORTS saml::Iterator<DSIGKeyInfoList*>;
template class SHIB_EXPORTS saml::Iterator<IMetadata*>;
template class SHIB_EXPORTS saml::ArrayIterator<IMetadata*>;
template class SHIB_EXPORTS saml::Iterator<ITrust*>;
template class SHIB_EXPORTS saml::ArrayIterator<ITrust*>;
- template class SHIB_EXPORTS saml::Iterator<IRevocation*>;
- template class SHIB_EXPORTS saml::ArrayIterator<IRevocation*>;
template class SHIB_EXPORTS saml::Iterator<ICredentials*>;
template class SHIB_EXPORTS saml::ArrayIterator<ICredentials*>;
template class SHIB_EXPORTS saml::Iterator<IAAP*>;
template class SHIB_EXPORTS saml::ArrayIterator<IAAP*>;
#endif
- struct SHIB_EXPORTS Constants
- {
- static const XMLCh SHIB_ATTRIBUTE_NAMESPACE_URI[];
- static const XMLCh SHIB_NAMEID_FORMAT_URI[];
- static const XMLCh SHIB_AUTHNREQUEST_PROFILE_URI[];
- static const XMLCh SHIB_NS[];
- static const XMLCh InvalidHandle[];
- };
-
// Glue classes between abstract metadata and concrete providers
- class SHIB_EXPORTS Locker
- {
- public:
- Locker(ILockable* lockee) : m_lockee(lockee) {m_lockee->lock();}
- ~Locker() {if (m_lockee) m_lockee->unlock();}
-
- private:
- Locker(const Locker&);
- void operator=(const Locker&);
- ILockable* m_lockee;
- };
-
class SHIB_EXPORTS Metadata
{
public:
Metadata(const saml::Iterator<IMetadata*>& metadatas) : m_metadatas(metadatas), m_mapper(NULL) {}
~Metadata();
- const IEntityDescriptor* lookup(const XMLCh* providerId);
+ const IEntityDescriptor* lookup(const char* id, bool strict=true);
+ const IEntityDescriptor* lookup(const XMLCh* id, bool strict=true);
+ const IEntityDescriptor* lookup(const saml::SAMLArtifact* artifact);
private:
Metadata(const Metadata&);
void operator=(const Metadata&);
IMetadata* m_mapper;
- const saml::Iterator<IMetadata*>& m_metadatas;
- };
-
- class SHIB_EXPORTS Revocation
- {
- public:
- Revocation(const saml::Iterator<IRevocation*>& revocations) : m_revocations(revocations), m_mapper(NULL) {}
- ~Revocation();
-
- saml::Iterator<void*> getRevocationLists(const IEntityDescriptor* provider, const IRoleDescriptor* role=NULL);
-
- private:
- Revocation(const Revocation&);
- void operator=(const Revocation&);
- IRevocation* m_mapper;
- const saml::Iterator<IRevocation*>& m_revocations;
+ saml::Iterator<IMetadata*> m_metadatas;
};
class SHIB_EXPORTS Trust
~Trust() {}
bool validate(
- const saml::Iterator<IRevocation*>& revocations,
- const IRoleDescriptor* role, const saml::SAMLSignedObject& token,
- const saml::Iterator<IMetadata*>& metadatas=EMPTY(IMetadata*)
+ void* certEE,
+ const saml::Iterator<void*>& certChain,
+ const IRoleDescriptor* role,
+ bool checkName=true
) const;
- bool attach(const saml::Iterator<IRevocation*>& revocations, const IRoleDescriptor* role, void* ctx) const;
+ bool validate(const saml::SAMLSignedObject& token, const IRoleDescriptor* role) const;
private:
Trust(const Trust&);
void operator=(const Trust&);
- const saml::Iterator<ITrust*>& m_trusts;
+ saml::Iterator<ITrust*> m_trusts;
};
class SHIB_EXPORTS Credentials
Credentials(const Credentials&);
void operator=(const Credentials&);
ICredentials* m_mapper;
- const saml::Iterator<ICredentials*>& m_creds;
+ saml::Iterator<ICredentials*> m_creds;
};
class SHIB_EXPORTS AAP
const IAttributeRule* operator->() const {return m_rule;}
operator const IAttributeRule*() const {return m_rule;}
- static void apply(const saml::Iterator<IAAP*>& aaps, saml::SAMLAssertion& assertion, const IRoleDescriptor* role=NULL);
+ static void apply(const saml::Iterator<IAAP*>& aaps, saml::SAMLAssertion& assertion, const IEntityDescriptor* source=NULL);
private:
AAP(const AAP&);
const IAttributeRule* m_rule;
};
- // Wrapper classes around the POST profile and SAML binding
-
- class SHIB_EXPORTS ShibPOSTProfile
+ // Subclass around the OpenSAML browser profile interface,
+ // incoporates additional functionality using Shib-defined APIs.
+ class SHIB_EXPORTS ShibBrowserProfile : virtual public saml::SAMLBrowserProfile
{
public:
- ShibPOSTProfile(
+ struct SHIB_EXPORTS ITokenValidator {
+ virtual void validateToken(
+ saml::SAMLAssertion* token,
+ time_t=0,
+ const IRoleDescriptor* role=NULL,
+ const saml::Iterator<ITrust*>& trusts=EMPTY(ITrust*)
+ ) const=0;
+ virtual ~ITokenValidator() {}
+ };
+
+ ShibBrowserProfile(
+ const ITokenValidator* validator,
const saml::Iterator<IMetadata*>& metadatas=EMPTY(IMetadata*),
- const saml::Iterator<IRevocation*>& revocations=EMPTY(IRevocation*),
- const saml::Iterator<ITrust*>& trusts=EMPTY(ITrust*),
- const saml::Iterator<ICredentials*>& creds=EMPTY(ICredentials*)
+ const saml::Iterator<ITrust*>& trusts=EMPTY(ITrust*)
);
- virtual ~ShibPOSTProfile() {}
+ virtual ~ShibBrowserProfile();
- virtual const saml::SAMLAssertion* getSSOAssertion(
- const saml::SAMLResponse& r, const saml::Iterator<const XMLCh*>& audiences=EMPTY(const XMLCh*)
- );
- virtual const saml::SAMLAuthenticationStatement* getSSOStatement(const saml::SAMLAssertion& a);
- virtual saml::SAMLResponse* accept(
- const XMLByte* buf,
+ virtual saml::SAMLBrowserProfile::BrowserProfileResponse receive(
+ const char* samlResponse,
const XMLCh* recipient,
- int ttlSeconds,
- const saml::Iterator<const XMLCh*>& audiences=EMPTY(const XMLCh*),
- XMLCh** pproviderId=NULL
- );
- virtual saml::SAMLResponse* prepare(
- const IIDPSSODescriptor* role,
- const char* credResolverId,
+ saml::IReplayCache* replayCache,
+ int minorVersion=1
+ ) const;
+ virtual saml::SAMLBrowserProfile::BrowserProfileResponse receive(
+ saml::Iterator<const char*> artifacts,
const XMLCh* recipient,
- const XMLCh* authMethod,
- const saml::SAMLDateTime& authInstant,
- const XMLCh* name,
- const XMLCh* format=Constants::SHIB_NAMEID_FORMAT_URI,
- const XMLCh* nameQualifier=NULL,
- const XMLCh* subjectIP=NULL,
- const saml::Iterator<const XMLCh*>& audiences=EMPTY(const XMLCh*),
- const saml::Iterator<saml::SAMLAuthorityBinding*>& bindings=EMPTY(saml::SAMLAuthorityBinding*)
- );
- virtual bool checkReplayCache(const saml::SAMLAssertion& a);
- virtual const XMLCh* getProviderId(const saml::SAMLResponse& r);
-
- protected:
- const saml::Iterator<IMetadata*>& m_metadatas;
- const saml::Iterator<IRevocation*>& m_revocations;
- const saml::Iterator<ITrust*>& m_trusts;
- const saml::Iterator<ICredentials*>& m_creds;
- };
-
- class SHIB_EXPORTS ShibBinding
- {
- public:
- ShibBinding(
- const saml::Iterator<IRevocation*>& revocations,
- const saml::Iterator<ITrust*>& trusts,
- const saml::Iterator<ICredentials*>& creds
- ) : m_revocations(revocations), m_trusts(trusts), m_creds(creds),
- m_credResolverId(NULL), m_AA(NULL), m_binding(NULL) {}
- virtual ~ShibBinding() {delete m_binding;}
-
- saml::SAMLResponse* send(
- saml::SAMLRequest& req,
- const IRoleDescriptor* AA,
- const char* credResolverId=NULL,
- const saml::Iterator<const XMLCh*>& audiences=EMPTY(const XMLCh*),
- const saml::Iterator<saml::SAMLAuthorityBinding*>& bindings=EMPTY(saml::SAMLAuthorityBinding*),
- saml::SAMLConfig::SAMLBindingConfig& conf=saml::SAMLConfig::getConfig().binding_defaults
- );
+ saml::SAMLBrowserProfile::ArtifactMapper* artifactMapper,
+ saml::IReplayCache* replayCache,
+ int minorVersion=1
+ ) const;
private:
- friend bool ssl_ctx_callback(void* ssl_ctx, void* userptr);
- const saml::Iterator<IRevocation*>& m_revocations;
- const saml::Iterator<ITrust*>& m_trusts;
- const saml::Iterator<ICredentials*>& m_creds;
- const char* m_credResolverId;
- const IRoleDescriptor* m_AA;
- saml::SAMLBinding* m_binding;
+ void postprocess(saml::SAMLBrowserProfile::BrowserProfileResponse& bpr, int minorVersion=1) const;
+
+ saml::SAMLBrowserProfile* m_profile;
+ saml::Iterator<IMetadata*> m_metadatas;
+ saml::Iterator<ITrust*> m_trusts;
+ const ITokenValidator* m_validator;
};
class SHIB_EXPORTS ShibConfig
virtual bool init();
virtual void term();
+ // manages specific attribute name to factory mappings
+ void regAttributeMapping(const XMLCh* name, const IAttributeFactory* factory);
+ void unregAttributeMapping(const XMLCh* name);
+ void clearAttributeMappings();
+
// enables runtime and clients to access configuration
static ShibConfig& getConfig();
-
- // allows pluggable implementations of metadata and configuration data
- PlugManager m_plugMgr;
};
/* Helper classes for implementing reloadable XML-based config files
const DOMElement* m_root;
};
- class SHIB_EXPORTS ReloadableXMLFile : protected virtual ILockable
+ class SHIB_EXPORTS ReloadableXMLFile : protected virtual saml::ILockable
{
public:
ReloadableXMLFile(const DOMElement* e);
const DOMElement* m_root;
std::string m_source;
time_t m_filestamp;
- RWLock* m_lock;
+ xmltooling::RWLock* m_lock;
};
+
+ /* These helpers attach metadata-derived information as exception properties and then
+ * rethrow the object. The following properties are attached, when possible:
+ *
+ * providerId The unique ID of the entity
+ * errorURL The error support URL of the entity or role
+ * contactName A formatted support or technical contact name
+ * contactEmail A contact email address
+ */
+ SHIB_EXPORTS void annotateException(saml::SAMLException* e, const IEntityDescriptor* entity, bool rethrow=true);
+ SHIB_EXPORTS void annotateException(saml::SAMLException* e, const IRoleDescriptor* role, bool rethrow=true);
}
#endif