X-Git-Url: http://www.project-moonshot.org/gitweb/?a=blobdiff_plain;f=saml%2Fbinding%2FSecurityPolicy.h;h=1c02ab83eb16e785dea8b054c88ff4dcc9c76b95;hb=a66789863e59746d4215de44d9758c40d2b477c6;hp=1870595e73f94d78e436d84d7389099ee047032a;hpb=932cfaae2176c2eba1a9938dc420591a9551a7f3;p=shibboleth%2Fcpp-opensaml.git

diff --git a/saml/binding/SecurityPolicy.h b/saml/binding/SecurityPolicy.h
index 1870595..1c02ab8 100644
--- a/saml/binding/SecurityPolicy.h
+++ b/saml/binding/SecurityPolicy.h
@@ -67,13 +67,16 @@ namespace opensaml {
          * @param metadataProvider  locked MetadataProvider instance
          * @param role              identifies the role (generally IdP or SP) of the policy peer 
          * @param trustEngine       TrustEngine to authenticate policy peer
+         * @param validate          true iff XML parsing should be done with validation
          */
         SecurityPolicy(
             const saml2md::MetadataProvider* metadataProvider=NULL,
             const xmltooling::QName* role=NULL,
-            const xmltooling::TrustEngine* trustEngine=NULL
-            ) : m_messageQName(NULL), m_messageID(NULL), m_issueInstant(0), m_issuer(NULL), m_issuerRole(NULL), m_secure(false),
-                m_matchingPolicy(NULL), m_metadata(metadataProvider), m_role(NULL), m_trust(trustEngine) {
+            const xmltooling::TrustEngine* trustEngine=NULL,
+            bool validate=true
+            ) : m_messageQName(NULL), m_messageID(NULL), m_issueInstant(0),
+                m_issuer(NULL), m_issuerRole(NULL), m_secure(false), m_matchingPolicy(NULL),
+                m_metadata(metadataProvider), m_role(NULL), m_trust(trustEngine), m_validate(validate) {
             if (role)
                 m_role = new xmltooling::QName(*role);
         }
@@ -86,14 +89,17 @@ namespace opensaml {
          * @param metadataProvider  locked MetadataProvider instance
          * @param role              identifies the role (generally IdP or SP) of the policy peer 
          * @param trustEngine       TrustEngine to authenticate policy peer
+         * @param validate          true iff XML parsing should be done with validation
          */
         SecurityPolicy(
             const std::vector<const SecurityPolicyRule*>& rules,
             const saml2md::MetadataProvider* metadataProvider=NULL,
             const xmltooling::QName* role=NULL,
-            const xmltooling::TrustEngine* trustEngine=NULL
-            ) : m_messageQName(NULL), m_messageID(NULL), m_issueInstant(0), m_issuer(NULL), m_issuerRole(NULL), m_secure(false),
-                m_matchingPolicy(NULL), m_rules(rules), m_metadata(metadataProvider), m_role(NULL), m_trust(trustEngine) {
+            const xmltooling::TrustEngine* trustEngine=NULL,
+            bool validate=true
+            ) : m_messageQName(NULL), m_messageID(NULL), m_issueInstant(0),
+                m_issuer(NULL), m_issuerRole(NULL), m_secure(false), m_matchingPolicy(NULL),
+                m_rules(rules), m_metadata(metadataProvider), m_role(NULL), m_trust(trustEngine), m_validate(validate) {
             if (role)
                 m_role = new xmltooling::QName(*role);
         }
@@ -128,6 +134,15 @@ namespace opensaml {
         }
 
         /**
+         * Returns XML message validation setting.
+         * 
+         * @return validation flag
+         */
+        bool getValidating() const {
+            return m_validate;
+        } 
+
+        /**
          * Adds a SecurityPolicyRule to the policy. The lifetime of the policy rule
          * must be at least as long as the policy object.
          * 
@@ -166,6 +181,17 @@ namespace opensaml {
         }
 
         /**
+         * Controls schema validation of incoming XML messages.
+         * This is separate from other forms of programmatic validation of objects,
+         * but can detect a much wider range of syntax errors. 
+         * 
+         * @param validate  validation setting
+         */
+        void setValidating(bool validate=true) {
+            m_validate = validate;
+        }
+        
+        /**
          * Evaluates the policy against the given request and message,
          * possibly populating message information in the policy object.
          * 
@@ -266,11 +292,17 @@ namespace opensaml {
 
         /**
          * Sets the issuer of the message as determined by the registered policies.
-         * The policy object takes ownership of the Issuer object.
          * 
          * @param issuer issuer of the message
          */
-        void setIssuer(saml2::Issuer* issuer);
+        void setIssuer(const saml2::Issuer* issuer);
+
+        /**
+         * Sets the issuer of the message as determined by the registered policies.
+         * 
+         * @param issuer issuer of the message
+         */
+        void setIssuer(const XMLCh* issuer);
         
         /**
          * Sets the metadata for the role the issuer is operating in.
@@ -307,6 +339,19 @@ namespace opensaml {
              * @return  true iff the operands match
              */
             virtual bool issuerMatches(const saml2::Issuer* issuer1, const saml2::Issuer* issuer2) const;
+
+            /**
+             * Returns true iff the two operands "match". Applications can override this method to
+             * support non-standard issuer matching for complex policies. 
+             * 
+             * <p>The default implementation does a basic comparison of the XML content, treating
+             * an unsupplied Format as an "entityID".
+             * 
+             * @param issuer1   the first Issuer to match
+             * @param issuer2   the second Issuer to match
+             * @return  true iff the operands match
+             */
+            virtual bool issuerMatches(const saml2::Issuer* issuer1, const XMLCh* issuer2) const;
         };
 
         /**
@@ -350,6 +395,7 @@ namespace opensaml {
         const saml2md::MetadataProvider* m_metadata;
         xmltooling::QName* m_role;
         const xmltooling::TrustEngine* m_trust;
+        bool m_validate;
     };
 
 };