X-Git-Url: http://www.project-moonshot.org/gitweb/?a=blobdiff_plain;f=saml%2Fbinding%2FSecurityPolicyRule.h;h=9a324bb3a0cac20ae3176b2be3f54e7fd5723520;hb=6b5c75d27994ca1f9d450a81576a1bde4873edf3;hp=749c571e8b7537f03a54b482cd88b6fd9fb75a37;hpb=441141898ba4a43910f0185fee5f01de9ac78144;p=shibboleth%2Fcpp-opensaml.git

diff --git a/saml/binding/SecurityPolicyRule.h b/saml/binding/SecurityPolicyRule.h
index 749c571..9a324bb 100644
--- a/saml/binding/SecurityPolicyRule.h
+++ b/saml/binding/SecurityPolicyRule.h
@@ -23,19 +23,9 @@
 #ifndef __saml_secrule_h__
 #define __saml_secrule_h__
 
-#include <saml/binding/GenericRequest.h>
-#include <xmltooling/XMLObject.h>
+#include <saml/binding/SecurityPolicy.h>
 
 namespace opensaml {
-    class SAML_API TrustEngine;
-    
-    namespace saml2 {
-        class SAML_API Issuer;
-    };
-    namespace saml2md {
-        class SAML_API MetadataProvider;
-        class SAML_API RoleDescriptor;
-    };
     
     /**
      * A rule that a protocol request and message must meet in order to be valid and secure.
@@ -53,24 +43,16 @@ namespace opensaml {
         virtual ~SecurityPolicyRule() {}
 
         /**
-         * Evaluates the rule against the given request and message. If an Issuer is
-         * returned, the caller is responsible for freeing the Issuer object.
+         * Evaluates the rule against the given request and message.
          * 
-         * @param request           the protocol request
-         * @param message           the incoming message
-         * @param metadataProvider  locked MetadataProvider instance to authenticate the message
-         * @param role              identifies the role (generally IdP or SP) of the peer who issued the message 
-         * @param trustEngine       TrustEngine to authenticate the message
-         * @return the identity of the message issuer, in two forms, or NULL
-         * 
-         * @throws BindingException thrown if the request/message do not meet the requirements of this rule
+         * @param message   the incoming message
+         * @param request   the protocol request
+         * @param policy    SecurityPolicy to provide various components and track message data
+         *
+         * @throws BindingException raised if the message/request is not acceptable to the policy rule
          */
-        virtual std::pair<saml2::Issuer*,const saml2md::RoleDescriptor*> evaluate(
-            const GenericRequest& request,
-            const xmltooling::XMLObject& message,
-            const saml2md::MetadataProvider* metadataProvider,
-            const xmltooling::QName* role,
-            const TrustEngine* trustEngine
+        virtual void evaluate(
+            const xmltooling::XMLObject& message, const GenericRequest* request, SecurityPolicy& policy
             ) const=0;
     };
 
@@ -80,6 +62,27 @@ namespace opensaml {
     void SAML_API registerSecurityPolicyRules();
 
     /**
+     * SecurityPolicyRule for processing SAML 1.x messages.
+     * 
+     * Extracts message ID, timestamp, and issuer information.
+     */
+    #define SAML1MESSAGE_POLICY_RULE  "org.opensaml.saml1.binding.SAML1MessageRule"
+
+    /**
+     * SecurityPolicyRule for processing SAML 2.0 messages.
+     * 
+     * Extracts message ID, timestamp, and issuer information.
+     */
+    #define SAML2MESSAGE_POLICY_RULE  "org.opensaml.saml2.binding.SAML2MessageRule"
+
+    /**
+     * SecurityPolicyRule for TLS client certificate authentication.
+     * 
+     * Evaluates client certificates against the issuer's metadata.
+     */
+    #define CLIENTCERTAUTH_POLICY_RULE  "org.opensaml.binding.ClientCertAuthRule"
+
+    /**
      * SecurityPolicyRule for replay detection and freshness checking.
      * 
      * <p>A ReplayCache instance must be available from the runtime, unless
@@ -93,21 +96,20 @@ namespace opensaml {
     #define MESSAGEFLOW_POLICY_RULE  "org.opensaml.binding.MessageFlowRule"
 
     /**
-     * SecurityPolicyRule for ensuring messages are delivered to the right place.
+     * SecurityPolicyRule for protocol message "blob" signing.
      * 
-     * <p>Enforcement is mandatory and the message must be explicitly addressed,
-     * unless a "mandatory" XML attribute is set to "0" or "false" when instantiating
-     * the policy rule.
+     * Allows the message issuer to be authenticated using a non-XML digital signature
+     * over the message body. The transport layer is not considered.
      */
-    #define MESSAGEROUTING_POLICY_RULE  "org.opensaml.binding.MessageRoutingRule"
+    #define SIMPLESIGNING_POLICY_RULE  "org.opensaml.binding.SimpleSigningRule"
 
     /**
-     * SecurityPolicyRule for protocol message signing.
+     * SecurityPolicyRule for protocol message XML signing.
      * 
-     * Allows the message issuer to be authenticated using an XML or binding-specific
-     * digital signature over the message. The transport layer is not considered.
+     * Allows the message issuer to be authenticated using an XML digital signature
+     * over the message. The transport layer is not considered.
      */
-    #define MESSAGESIGNING_POLICY_RULE  "org.opensaml.binding.MessageSigningRule"
+    #define XMLSIGNING_POLICY_RULE  "org.opensaml.binding.XMLSigningRule"
 };
 
 #endif /* __saml_secrule_h__ */