X-Git-Url: http://www.project-moonshot.org/gitweb/?a=blobdiff_plain;f=saml%2Fbinding%2FSecurityPolicyRule.h;h=f8d11e8eee29dbc10cfa53fbd7fc70a6c35126d4;hb=5d7bff8c9b4a048d34dda50c40ed355cf4dd84de;hp=427f5cc548478bb15f8a93ae10e5863a73cd3322;hpb=9f49fe116c808537d12c5452ba57d020342cb029;p=shibboleth%2Fopensaml2.git
diff --git a/saml/binding/SecurityPolicyRule.h b/saml/binding/SecurityPolicyRule.h
index 427f5cc..f8d11e8 100644
--- a/saml/binding/SecurityPolicyRule.h
+++ b/saml/binding/SecurityPolicyRule.h
@@ -1,5 +1,5 @@
 /*
- * Copyright 2001-2006 Internet2
+ * Copyright 2001-2007 Internet2
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -23,19 +23,9 @@
 #ifndef __saml_secrule_h__
 #define __saml_secrule_h__
-#include
-#include
+#include
 namespace opensaml {
- class SAML_API TrustEngine;
-
- namespace saml2 {
- class SAML_API Issuer;
- };
- namespace saml2md {
- class SAML_API MetadataProvider;
- class SAML_API RoleDescriptor;
- };
 /**
  * A rule that a protocol request and message must meet in order to be valid and secure.
@@ -53,25 +43,26 @@ namespace opensaml {
 virtual ~SecurityPolicyRule() {}
 /**
- * Evaluates the rule against the given request and message. If an Issuer is
- * returned, the caller is responsible for freeing the Issuer object.
+ * Returns the rule's class/type.
+ *
+ * @return the class/type of the object
+ */
+ virtual const char* getType() const=0;
+
+ /**
+ * Evaluates the rule against the given request and message.
  *
- * @param request the protocol request
- * @param message the incoming message
- * @param metadataProvider locked MetadataProvider instance to authenticate the message
- * @param role identifies the role (generally IdP or SP) of the peer who issued the message
- * @param trustEngine TrustEngine to authenticate the message
- * @param extractor MessageExtractor to use in examining message
- * @return the identity of the message issuer, in two forms, or NULL
+ * An exception will be raised if the message is invalid according to
+ * a policy rule.
  *
- * @throws BindingException thrown if the request/message do not meet the requirements of this rule
+ * @param message the incoming message
+ * @param request the protocol request
+ * @param policy SecurityPolicy to provide various components and track message data
  */
- virtual std::pair evaluate(
- const GenericRequest& request,
+ virtual void evaluate(
 const xmltooling::XMLObject& message,
- const saml2md::MetadataProvider* metadataProvider,
- const xmltooling::QName* role,
- const TrustEngine* trustEngine
+ const xmltooling::GenericRequest* request,
+ SecurityPolicy& policy
 ) const=0;
 };
@@ -83,10 +74,9 @@ namespace opensaml {
 /**
  * SecurityPolicyRule for TLS client certificate authentication.
  *
- * Requires that messages carry information about the issuer, and then
- * evaluates the claimed certificates against the issuer's metadata.
+ * Evaluates client certificates against the issuer's metadata.
  */
- #define CLIENTCERTAUTH_POLICY_RULE "org.opensaml.binding.ClientCertAuthRule"
+ #define CLIENTCERTAUTH_POLICY_RULE "ClientCertAuth"
 /**
  * SecurityPolicyRule for replay detection and freshness checking.
@@ -99,7 +89,16 @@ namespace opensaml {
  * or up to a number of seconds set by an "expires" XML attribute when
  * instantiating the policy rule.
  */
- #define MESSAGEFLOW_POLICY_RULE "org.opensaml.binding.MessageFlowRule"
+ #define MESSAGEFLOW_POLICY_RULE "MessageFlow"
+
+ /**
+ * SecurityPolicyRule for disabling security.
+ *
+ * Allows the message issuer to be authenticated regardless of the message or
+ * transport. Used mainly for debugging or in situations that I wouldn't care to
+ * comment on.
+ */
+ #define NULLSECURITY_POLICY_RULE "NullSecurity"
 /**
  * SecurityPolicyRule for protocol message "blob" signing.
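Review bot: The new evaluate() signature turns `request` from a reference into a `const xmltooling::GenericRequest*`, but the `@param request the protocol request` line still reads as if a request is always present, so a rule that depends on the transport (client-certificate checks, for example) has no documented contract for a null pointer and could dereference it; the reference-to-pointer change suggests null is meant to be legal, which needs confirming against the callers. I'd document it as `@param request the protocol request, or NULL if no transport-level request is available; rules that require one must fail rather than dereference it`. The rewritten comment also replaces the old `@throws BindingException` tag with the prose "An exception will be raised", so callers can no longer tell from the header which exception type to catch; restore a `@throws` tag naming the actual type. `getType()` returns a `const char*` with no statement of the returned string's lifetime; if implementations return a literal, say so in the `@return` line. The enclosing class SecurityPolicyRule begins before this hunk.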
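Review bot: The rewritten ClientCertAuth comment drops the precondition the old text carried, that the message must already identify its issuer before the presented certificate can be checked against that issuer's metadata, which is exactly the rule-ordering constraint an operator composing a policy needs to know. I'd keep it, e.g. `* Requires that the message issuer has already been established (typically by an earlier rule in the policy); the client certificate presented on the transport is then evaluated against that issuer's metadata.` — the dependency is inferred from the old wording and the phrase "issuer's metadata", so confirm it against the rule's implementation. The macro value also changes from `org.opensaml.binding.ClientCertAuthRule` to `ClientCertAuth`, and the other rule names in this file change the same way; if these strings are matched against deployment configuration, existing configurations naming the old identifiers will silently stop matching, which deserves either a note in the header or a compatibility alias in the registry.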
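Review bot: The new NullSecurity rule is documented as authenticating the issuer "regardless of the message or transport" and then justified with "situations that I wouldn't care to comment on", which gives an operator no concrete warning about what enabling it does. Since, by the comment's own description, the rule accepts a claimed issuer with no verification at all, the header should state that plainly and flag the deployment risk, e.g. `* WARNING: this rule marks the issuer asserted in the message as authenticated without any signature or transport check. It disables authentication for any policy that contains it and must not be enabled outside debugging or test configurations.` Whether the rule also bypasses other checks such as replay or freshness cannot be seen from this header, so the warning is limited to what the comment itself claims.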
@@ -107,7 +106,7 @@ namespace opensaml {
  * Allows the message issuer to be authenticated using a non-XML digital signature
  * over the message body. The transport layer is not considered.
  */
- #define SIMPLESIGNING_POLICY_RULE "org.opensaml.binding.SimpleSigningRule"
+ #define SIMPLESIGNING_POLICY_RULE "SimpleSigning"
 /**
  * SecurityPolicyRule for protocol message XML signing.
@@ -115,7 +114,7 @@ namespace opensaml {
  * Allows the message issuer to be authenticated using an XML digital signature
  * over the message. The transport layer is not considered.
  */
- #define XMLSIGNING_POLICY_RULE "org.opensaml.binding.XMLSigningRule"
+ #define XMLSIGNING_POLICY_RULE "XMLSigning"
 };
 #endif /* __saml_secrule_h__ */