/*
- * Copyright 2001-2010 Internet2
+ * Copyright 2001-2011 Internet2
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
using namespace std;
namespace shibsp {
+
SHIBSP_DLLLOCAL PluginManager< Handler,string,pair<const DOMElement*,const char*> >::Factory SAML1ConsumerFactory;
SHIBSP_DLLLOCAL PluginManager< Handler,string,pair<const DOMElement*,const char*> >::Factory SAML2ConsumerFactory;
SHIBSP_DLLLOCAL PluginManager< Handler,string,pair<const DOMElement*,const char*> >::Factory SAML2ArtifactResolutionFactory;
- SHIBSP_DLLLOCAL PluginManager< Handler,string,pair<const DOMElement*,const char*> >::Factory ChainingLogoutInitiatorFactory;
- SHIBSP_DLLLOCAL PluginManager< Handler,string,pair<const DOMElement*,const char*> >::Factory LocalLogoutInitiatorFactory;
- SHIBSP_DLLLOCAL PluginManager< Handler,string,pair<const DOMElement*,const char*> >::Factory SAML2LogoutInitiatorFactory;
SHIBSP_DLLLOCAL PluginManager< Handler,string,pair<const DOMElement*,const char*> >::Factory SAML2LogoutFactory;
SHIBSP_DLLLOCAL PluginManager< Handler,string,pair<const DOMElement*,const char*> >::Factory SAML2NameIDMgmtFactory;
SHIBSP_DLLLOCAL PluginManager< Handler,string,pair<const DOMElement*,const char*> >::Factory AssertionLookupFactory;
+ SHIBSP_DLLLOCAL PluginManager< Handler,string,pair<const DOMElement*,const char*> >::Factory DiscoveryFeedFactory;
SHIBSP_DLLLOCAL PluginManager< Handler,string,pair<const DOMElement*,const char*> >::Factory MetadataGeneratorFactory;
SHIBSP_DLLLOCAL PluginManager< Handler,string,pair<const DOMElement*,const char*> >::Factory StatusHandlerFactory;
SHIBSP_DLLLOCAL PluginManager< Handler,string,pair<const DOMElement*,const char*> >::Factory SessionHandlerFactory;
}
}
+ void SHIBSP_DLLLOCAL limitRelayState(
+ Category& log, const Application& application, const HTTPRequest& httpRequest, const char* relayState
+ ) {
+ const PropertySet* sessionProps = application.getPropertySet("Sessions");
+ if (sessionProps) {
+ pair<bool,const char*> relayStateLimit = sessionProps->getString("relayStateLimit");
+ if (relayStateLimit.first && strcmp(relayStateLimit.second, "none")) {
+ vector<string> whitelist;
+ if (!strcmp(relayStateLimit.second, "exact")) {
+ // Scheme and hostname have to match.
+ if (!strcmp(httpRequest.getScheme(), "https") && httpRequest.getPort() == 443) {
+ whitelist.push_back(string("https://") + httpRequest.getHostname() + '/');
+ }
+ else if (!strcmp(httpRequest.getScheme(), "http") && httpRequest.getPort() == 80) {
+ whitelist.push_back(string("http://") + httpRequest.getHostname() + '/');
+ }
+ ostringstream portstr;
+ portstr << httpRequest.getPort();
+ whitelist.push_back(string(httpRequest.getScheme()) + "://" + httpRequest.getHostname() + ':' + portstr.str() + '/');
+ }
+ else if (!strcmp(relayStateLimit.second, "host")) {
+ // Allow any scheme or port.
+ whitelist.push_back(string("https://") + httpRequest.getHostname() + '/');
+ whitelist.push_back(string("http://") + httpRequest.getHostname() + '/');
+ whitelist.push_back(string("https://") + httpRequest.getHostname() + ':');
+ whitelist.push_back(string("http://") + httpRequest.getHostname() + ':');
+ }
+ else if (!strcmp(relayStateLimit.second, "whitelist")) {
+ // Literal set of comparisons to use.
+ pair<bool,const char*> whitelistval = sessionProps->getString("relayStateWhitelist");
+ if (whitelistval.first) {
+#ifdef HAVE_STRTOK_R
+ char* pos=nullptr;
+ const char* token = strtok_r(const_cast<char*>(whitelistval.second), " ", &pos);
+#else
+ const char* token = strtok(const_cast<char*>(whitelistval.second), " ");
+#endif
+ while (token) {
+ whitelist.push_back(token);
+#ifdef HAVE_STRTOK_R
+ token = strtok_r(nullptr, " ", &pos);
+#else
+ token = strtok(nullptr, " ");
+#endif
+ }
+ }
+ }
+ else {
+ log.warn("unrecognized relayStateLimit policy (%s), blocked redirect to (%s)", relayStateLimit.second, relayState);
+ throw opensaml::SecurityPolicyException("Unrecognized relayStateLimit setting.");
+ }
+
+ for (vector<string>::const_iterator w = whitelist.begin(); w != whitelist.end(); ++w) {
+ if (XMLString::startsWithI(relayState, w->c_str())) {
+ return;
+ }
+ }
+ log.warn("relayStateLimit policy (%s), blocked redirect to (%s)", relayStateLimit.second, relayState);
+ throw opensaml::SecurityPolicyException("Blocked unacceptable redirect location.");
+ }
+ }
+ }
};
void SHIBSP_API shibsp::registerHandlers()
{
SPConfig& conf=SPConfig::getConfig();
+ conf.AssertionConsumerServiceManager.registerFactory(SAML1_ASSERTION_CONSUMER_SERVICE, SAML1ConsumerFactory);
conf.AssertionConsumerServiceManager.registerFactory(SAML1_PROFILE_BROWSER_ARTIFACT, SAML1ConsumerFactory);
conf.AssertionConsumerServiceManager.registerFactory(SAML1_PROFILE_BROWSER_POST, SAML1ConsumerFactory);
+ conf.AssertionConsumerServiceManager.registerFactory(SAML20_ASSERTION_CONSUMER_SERVICE, SAML2ConsumerFactory);
conf.AssertionConsumerServiceManager.registerFactory(SAML20_BINDING_HTTP_POST, SAML2ConsumerFactory);
conf.AssertionConsumerServiceManager.registerFactory(SAML20_BINDING_HTTP_POST_SIMPLESIGN, SAML2ConsumerFactory);
conf.AssertionConsumerServiceManager.registerFactory(SAML20_BINDING_HTTP_ARTIFACT, SAML2ConsumerFactory);
conf.AssertionConsumerServiceManager.registerFactory(SAML20_BINDING_PAOS, SAML2ConsumerFactory);
+ conf.ArtifactResolutionServiceManager.registerFactory(SAML20_ARTIFACT_RESOLUTION_SERVICE, SAML2ArtifactResolutionFactory);
conf.ArtifactResolutionServiceManager.registerFactory(SAML20_BINDING_SOAP, SAML2ArtifactResolutionFactory);
conf.HandlerManager.registerFactory(SAML20_BINDING_URI, AssertionLookupFactory);
+ conf.HandlerManager.registerFactory(DISCOVERY_FEED_HANDLER, DiscoveryFeedFactory);
conf.HandlerManager.registerFactory(METADATA_GENERATOR_HANDLER, MetadataGeneratorFactory);
conf.HandlerManager.registerFactory(STATUS_HANDLER, StatusHandlerFactory);
conf.HandlerManager.registerFactory(SESSION_HANDLER, SessionHandlerFactory);
- conf.LogoutInitiatorManager.registerFactory(CHAINING_LOGOUT_INITIATOR, ChainingLogoutInitiatorFactory);
- conf.LogoutInitiatorManager.registerFactory(LOCAL_LOGOUT_INITIATOR, LocalLogoutInitiatorFactory);
- conf.LogoutInitiatorManager.registerFactory(SAML2_LOGOUT_INITIATOR, SAML2LogoutInitiatorFactory);
+ conf.SingleLogoutServiceManager.registerFactory(SAML20_LOGOUT_HANDLER, SAML2LogoutFactory);
conf.SingleLogoutServiceManager.registerFactory(SAML20_BINDING_SOAP, SAML2LogoutFactory);
conf.SingleLogoutServiceManager.registerFactory(SAML20_BINDING_HTTP_REDIRECT, SAML2LogoutFactory);
conf.SingleLogoutServiceManager.registerFactory(SAML20_BINDING_HTTP_POST, SAML2LogoutFactory);
conf.SingleLogoutServiceManager.registerFactory(SAML20_BINDING_HTTP_POST_SIMPLESIGN, SAML2LogoutFactory);
conf.SingleLogoutServiceManager.registerFactory(SAML20_BINDING_HTTP_ARTIFACT, SAML2LogoutFactory);
+ conf.ManageNameIDServiceManager.registerFactory(SAML20_NAMEID_MGMT_SERVICE, SAML2NameIDMgmtFactory);
conf.ManageNameIDServiceManager.registerFactory(SAML20_BINDING_SOAP, SAML2NameIDMgmtFactory);
conf.ManageNameIDServiceManager.registerFactory(SAML20_BINDING_HTTP_REDIRECT, SAML2NameIDMgmtFactory);
conf.ManageNameIDServiceManager.registerFactory(SAML20_BINDING_HTTP_POST, SAML2NameIDMgmtFactory);
{
}
+#ifndef SHIBSP_LITE
+
+void Handler::generateMetadata(SPSSODescriptor& role, const char* handlerURL) const
+{
+}
+
+#endif
+
const XMLCh* Handler::getProtocolFamily() const
{
return nullptr;
void Handler::preserveRelayState(const Application& application, HTTPResponse& response, string& relayState) const
{
+ // The empty string implies no state to deal with.
if (relayState.empty())
return;
- // No setting means just pass it by value.
- pair<bool,const char*> mech=getString("relayState");
+ // No setting means just pass state by value.
+ pair<bool,const char*> mech = getString("relayState");
+ if (!mech.first) {
+ // Check for setting on Sessions element.
+ const PropertySet* sessionprop = application.getPropertySet("Sessions");
+ if (sessionprop)
+ mech = sessionprop->getString("relayState");
+ }
if (!mech.first || !mech.second || !*mech.second)
return;
StorageService* storage = application.getServiceProvider().getStorageService(mech.second);
if (storage) {
string rsKey;
- generateRandomHex(rsKey,5);
+ generateRandomHex(rsKey,32);
if (!storage->createString("RelayState", rsKey.c_str(), relayState.c_str(), time(nullptr) + 600))
throw IOException("Attempted to insert duplicate storage key.");
relayState = string(mech.second-3) + ':' + rsKey;
mcc.setUsage(Credential::SIGNING_CREDENTIAL);
if (keyName.first)
mcc.getKeyNames().insert(keyName.second);
- if (sigalg.first)
+ if (sigalg.first) {
+ // Using an explicit algorithm, so resolve a credential directly.
mcc.setXMLAlgorithm(sigalg.second);
- cred = credResolver->resolve(&mcc);
+ cred = credResolver->resolve(&mcc);
+ }
+ else {
+ // Prefer credential based on peer's requirements.
+ pair<const SigningMethod*,const Credential*> p = role->getSigningMethod(*credResolver, mcc);
+ if (p.first)
+ sigalg = make_pair(true, p.first->getAlgorithm());
+ if (p.second)
+ cred = p.second;
+ }
}
else {
CredentialCriteria cc;
}
if (cred) {
// Signed request.
+ pair<bool,const XMLCh*> digalg = relyingParty->getXMLString("digestAlg");
+ if (!digalg.first && role) {
+ const DigestMethod* dm = role->getDigestMethod();
+ if (dm)
+ digalg = make_pair(true, dm->getAlgorithm());
+ }
return encoder.encode(
httpResponse,
msg,
&application,
cred,
sigalg.second,
- relyingParty->getXMLString("digestAlg").second
+ (digalg.first ? digalg.second : nullptr)
);
}
else {
// No specs mean no save.
const PropertySet* props=application.getPropertySet("Sessions");
- pair<bool,const char*> mech = props->getString("postData");
+ pair<bool,const char*> mech = props ? props->getString("postData") : pair<bool,const char*>(false,nullptr);
if (!mech.first) {
m_log.info("postData property not supplied, form data will not be preserved across SSO");
return;
if (storage) {
// Use a random key
string rsKey;
- SAMLConfig::getConfig().generateRandomBytes(rsKey,20);
+ SAMLConfig::getConfig().generateRandomBytes(rsKey,32);
rsKey = SAMLArtifact::toHex(rsKey);
ostringstream out;
out << postData;
HTTPResponse::sanitizeURL(url);
const PropertySet* props=application.getPropertySet("Sessions");
- pair<bool,const char*> postTemplate = props->getString("postTemplate");
+ pair<bool,const char*> postTemplate = props ? props->getString("postTemplate") : pair<bool,const char*>(true,nullptr);
if (!postTemplate.first)
- throw ConfigurationException("Missing postTemplate property, unable to recreate form post.");
+ postTemplate.second = "postTemplate.html";
string fname(postTemplate.second);
ifstream infile(XMLToolingConfig::getConfig().getPathResolver()->resolve(fname, PathResolver::XMLTOOLING_CFG_FILE).c_str());
stringstream str;
XMLToolingConfig::getConfig().getTemplateEngine()->run(infile, str, respParam);
- pair<bool,bool> postExpire = props->getBool("postExpire");
+ pair<bool,bool> postExpire = props ? props->getBool("postExpire") : make_pair(false,false);
httpResponse.setContentType("text/html");
if (!postExpire.first || postExpire.second) {
string contentType = request.getContentType();
if (contentType.compare("application/x-www-form-urlencoded") == 0) {
const PropertySet* props=application.getPropertySet("Sessions");
- pair<bool,unsigned int> plimit = props->getUnsignedInt("postLimit");
+ pair<bool,unsigned int> plimit = props ? props->getUnsignedInt("postLimit") : pair<bool,unsigned int>(false,0);
if (!plimit.first)
plimit.second = 1024 * 1024;
if (plimit.second == 0 || request.getContentLength() <= plimit.second) {